Google Professional Cloud Developer (PCD) — Questions 451500

500 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
MCQeasy

Refer to the exhibit. A developer is configuring Cloud Build to build a Docker image from a Cloud Source Repository. The build fails with a permission error. What is the most likely reason?

A.The service account lacks the roles/cloudbuild.builds.builder role
B.The service account is missing the roles/source.reader role to access the repository
C.The Cloud Source Repository does not have the build trigger enabled
D.The build config file is missing the 'source' field
AnswerB

Cloud Build needs source.reader to read the repository.

Why this answer

The build fails with a permission error because the Cloud Build service account does not have the `roles/source.reader` role on the Cloud Source Repository. Without this role, the service account cannot read the source code from the repository, which is required to trigger the build. The error is not about building permissions but about accessing the source.

Exam trap

Cisco often tests the distinction between build execution permissions (roles/cloudbuild.builds.builder) and source access permissions (roles/source.reader), leading candidates to incorrectly choose the builder role when the actual error is about reading the source repository.

How to eliminate wrong answers

Option A is wrong because the `roles/cloudbuild.builds.builder` role is required for executing builds, but the error here is a permission error related to accessing the source repository, not a lack of build execution permissions. Option C is wrong because a build trigger is not required for a manual build from a Cloud Source Repository; the build can be started directly via the API or gcloud command. Option D is wrong because the `source` field is not mandatory in a build config file; the source can be specified in the build trigger or API call, and its absence would cause a different error (e.g., 'source not specified'), not a permission error.

452
Matchingmedium

Match each Kubernetes resource to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Declares desired state for pods and ReplicaSets

Stable network endpoint to access pods

HTTP(S) load balancer for external access

Store non-sensitive configuration data

Store sensitive data like passwords or keys

Why these pairings

These are fundamental Kubernetes objects for running containerized applications.

453
MCQhard

A company receives a Cloud Monitoring alert that a Compute Engine instance's CPU utilization has exceeded 90% for the past 15 minutes. The incident turns out to be a false alarm caused by a scheduled job that runs daily. How can they prevent future false alarms for this recurring pattern?

A.Create a custom metric that excludes the scheduled job's CPU usage and use it in the alert.
B.Switch to 'Metric Absence' type condition.
C.Increase the CPU utilization threshold to 95%.
D.Change the condition's 'for' duration to 30 minutes.
AnswerA

Filters out known noise while keeping sensitivity on application load.

Why this answer

Option A is correct because creating a custom metric that excludes the scheduled job's CPU usage allows the alert to ignore the predictable, recurring spike. This approach uses Cloud Monitoring's custom metrics capability to filter out known noise, ensuring the alert only triggers on unexpected CPU utilization patterns.

Exam trap

The trap here is that candidates often choose to increase the threshold or duration (options C or D) as a quick fix, failing to recognize that these actions only mask the symptom rather than eliminating the false alarm for a predictable, recurring pattern.

How to eliminate wrong answers

Option B is wrong because 'Metric Absence' conditions trigger when a metric stops reporting data, which is the opposite of what is needed (the metric is reporting high CPU). Option C is wrong because increasing the threshold to 95% only shifts the problem; the scheduled job might still exceed that value, and it does not address the root cause of false alarms. Option D is wrong because changing the 'for' duration to 30 minutes would delay the alert but not prevent it; the job runs daily and likely lasts longer than 30 minutes, so the false alarm would still fire.

454
MCQmedium

An operations team has set up a Cloud Monitoring alerting policy that fires when the 99th percentile latency of a service exceeds 200ms for 1 minute. They notice that the alert fires frequently during normal traffic patterns. What is the most likely issue with the alert configuration?

A.The metric's alignment period is set to align by rate instead of mean.
B.The alerting policy uses a rolling window that is too short for the metric's natural variation.
C.The service is actually experiencing high latency, and the threshold should be lowered.
D.The alerting policy is using a forecast threshold instead of a metric threshold.
AnswerB

Correct: a 1-minute window on 99th percentile is highly sensitive to normal variability.

Why this answer

The alert fires frequently during normal traffic because the 1-minute rolling window is too short to smooth out natural latency spikes. A short window captures transient variations as if they were sustained, causing false positives. Lengthening the window (e.g., to 5 minutes) would reduce noise and better reflect true performance trends.

Exam trap

Cisco often tests the misconception that a shorter window makes alerts more responsive, when in fact it increases noise and false positives due to insufficient smoothing of natural metric variation.

How to eliminate wrong answers

Option A is wrong because aligning by rate would compute a per-second change in latency, which is not meaningful for a percentile latency metric; the issue is window duration, not alignment method. Option C is wrong because the team explicitly states the alert fires during normal traffic patterns, so lowering the threshold would worsen false positives, not fix them. Option D is wrong because forecast thresholds predict future values and are not relevant here; the alert uses a metric threshold on actual 99th percentile latency data.

455
Multi-Selecthard

You are designing a CI/CD pipeline using Cloud Build. Which three features can be used to secure the pipeline and enforce compliance? (Choose three.)

Select 3 answers
A.Using Cloud Build's inline substitution variables to inject secrets.
B.Configuring Cloud Build to only run builds from approved source repositories via VPC-SC.
C.Adding approval gates via Cloud Build's built-in approval mechanism.
D.Integrating with Cloud Build's vulnerability scanning for container images.
E.Using Cloud Build worker pools with private IP and service perimeter.
AnswersB, C, E

VPC Service Controls help enforce source restrictions.

Why this answer

Options A, B, and C are correct. A is correct because Cloud Build supports manual approval gates. B is correct because private pools and service perimeters enhance security.

C is correct because VPC Service Controls can restrict builds to approved repositories. D is wrong because substitution variables are not secure for secrets. E is wrong because vulnerability scanning is a separate Artifact Analysis feature.

456
MCQhard

An application on Cloud Run needs to connect to a Cloud SQL instance securely with minimal latency. It also needs to access Cloud Storage buckets in the same region. Which networking configuration should they use?

A.Serverless VPC Access connector with Private Services Access for Cloud SQL
B.Cloud NAT for outbound traffic
C.Direct VPC peering with Cloud SQL
D.Use Cloud SQL Auth Proxy with public IP
AnswerA

This configuration provides low-latency, private connectivity between Cloud Run and Cloud SQL.

Why this answer

Option A is correct because Serverless VPC Access allows Cloud Run to reach VPC resources, and Private Services Access enables Cloud SQL to have an internal IP within the VPC, minimizing latency. Option B is wrong because Cloud NAT is for outbound internet, not internal connectivity. Option C is wrong because direct VPC peering is not directly applicable to Cloud Run.

Option D is wrong because the Cloud SQL Auth Proxy with public IP introduces additional latency and security concerns.

457
Multi-Selecthard

Which THREE steps are required to set up a CI/CD pipeline for Cloud Run using Cloud Build and GitHub? (Choose THREE.)

Select 3 answers
A.Enable the Cloud Build, Cloud Run, and Artifact Registry APIs.
B.Grant the Cloud Build service account permission to deploy to Cloud Run.
C.Create a cloudbuild.yaml file in the repository root.
D.Push the container image to Container Registry.
E.Mirror the GitHub repository to Cloud Source Repositories.
AnswersA, B, C

These APIs must be enabled for the pipeline to work.

Why this answer

Options A, B, and D are required. Option C is optional; Cloud Build can connect to GitHub without a mirror. Option E is wrong because Artifact Registry is used, not Container Registry (deprecated).

458
MCQmedium

A company has a multi-region deployment on GKE and needs to route traffic to the closest regional cluster based on user location. They want to minimize latency. Which approach should they use?

A.Use a global external HTTP(S) Load Balancer with backend services pointing to NEGs in each region.
B.Create separate internal load balancers in each region and use Cloud DNS geo-routing.
C.Configure an external TCP/UDP Network Load Balancer in each region and use Cloud DNS geo-routing.
D.Deploy a single regional cluster and use Cloud CDN to cache content globally.
AnswerA

Global LB with NEGs can route to the nearest backend based on client geography.

Why this answer

A global external HTTP(S) Load Balancer uses Anycast IP addresses and is backed by backend services that reference Network Endpoint Groups (NEGs) in each regional GKE cluster. This allows the load balancer to direct traffic to the closest healthy backend based on the user's geographic location and the load balancer's proximity algorithm, minimizing latency without requiring DNS-based routing.

Exam trap

Cisco often tests the misconception that DNS-based geo-routing (e.g., Cloud DNS geo-routing) is the optimal solution for global traffic steering, but the trap here is that DNS-based methods suffer from client-side caching and lack the sub-second failover and true anycast proximity of a global load balancer with NEGs.

How to eliminate wrong answers

Option B is wrong because internal load balancers are only reachable from within the same VPC network and cannot serve external user traffic; Cloud DNS geo-routing would still require public endpoints and does not provide the same anycast-based proximity optimization. Option C is wrong because external TCP/UDP Network Load Balancers are regional, not global, and using multiple regional load balancers with DNS geo-routing introduces DNS caching and failover delays, and lacks the single anycast IP and automatic failover of a global load balancer. Option D is wrong because a single regional cluster cannot minimize latency for users far from that region, and Cloud CDN only caches static content, not dynamic application traffic, so it does not solve the need for low-latency routing to the closest cluster.

459
Multi-Selectmedium

A company is using Cloud Build for CI/CD. They want to automatically trigger builds when code is pushed to a Cloud Source Repository and store the resulting Docker images in a secure, immutable artifact store. Which TWO services should they use? (Choose 2)

Select 2 answers
A.Cloud Source Repository
B.Cloud Storage
C.Artifact Registry
D.Cloud Functions
E.Container Registry
AnswersA, C

Cloud Source Repository is a Git repository that can trigger Cloud Build.

Why this answer

Cloud Source Repository hosts the code and can trigger Cloud Build. Artifact Registry is the recommended immutable artifact store for Docker images. Container Registry is deprecated.

Cloud Storage and Cloud Functions are not directly involved.

460
MCQmedium

A developer runs the command above and receives the error. The developer has just been granted the 'roles/cloudbuild.builds.editor' role on the project. What is the most likely reason for the permission error?

A.The project ID 'my-project' does not exist or the developer typed it incorrectly.
B.The container registry (gcr.io) is incorrect; should use us.gcr.io.
C.The Cloud Build API is not enabled for the project.
D.The developer is using the wrong region; Cloud Build must be enabled per region.
AnswerC

Correct: If the API is not enabled, even with proper IAM roles, the call is denied.

Why this answer

The error occurs because the Cloud Build API has not been enabled for the project. Even with the 'roles/cloudbuild.builds.editor' IAM role, the Cloud Build service itself must be explicitly enabled via the Google Cloud Console or using the `gcloud services enable cloudbuild.googleapis.com` command. Without enabling the API, any attempt to run a build will fail with a permission error, as the service is not available to process the request.

Exam trap

Cisco often tests the distinction between IAM role assignments and API enablement, as candidates may assume that granting a role automatically enables the underlying service, which is not the case in Google Cloud.

How to eliminate wrong answers

Option A is wrong because if the project ID 'my-project' did not exist or was typed incorrectly, the error would typically indicate an invalid project ID or a 404 error, not a permission error. Option B is wrong because the container registry hostname (gcr.io) is correct for global access; using a regional registry like us.gcr.io would only be necessary for specific regional requirements or to reduce latency, and the error is not related to registry location. Option D is wrong because Cloud Build is a global service and does not need to be enabled per region; it operates at the project level and can be used in any region once the API is enabled.

461
Multi-Selecteasy

Which TWO actions are best practices for managing application performance monitoring in Google Cloud?

Select 2 answers
A.Set appropriate sampling rates for Cloud Trace to balance cost and insight.
B.Enable debug logging in production to capture detailed errors.
C.Log all application activity at INFO level for complete visibility.
D.Use structured logging (JSON) to enable easier querying and analysis.
E.Configure alerts to send emails to the entire development team.
AnswersA, D

Sampling controls trace volume while retaining representative data.

Why this answer

Option A is correct because Cloud Trace charges based on the number of spans ingested and retained. Setting an appropriate sampling rate (e.g., 1 in 10 requests for high-traffic services) reduces cost while still providing statistically significant latency data for performance analysis. This balances the need for actionable insights against budget constraints.

Exam trap

Google Cloud often tests the misconception that 'more logging is always better' — the trap here is that candidates confuse debugging completeness with operational best practices, failing to recognize that excessive logging degrades performance and increases costs in a pay-per-ingest model like Cloud Logging.

462
MCQhard

A team is deploying a critical microservice on GKE. They want to minimize risk by gradually shifting traffic from old to new version. They use a Deployment with a single Service. What deployment strategy should they implement?

A.Use a rolling update with maxSurge=1 and maxUnavailable=0.
B.Use a single Deployment with a readinessProbe that fails for the new version until ready.
C.Create two separate Deployments and switch the Service selector to the new version after testing.
D.Create two Deployments (stable and canary) with different numbers of replicas and use the same Service label.
AnswerD

Canary with multiple Deployments allows traffic splitting based on replica count.

Why this answer

Option D is correct because it implements a canary deployment pattern on GKE: two separate Deployments (stable and canary) share the same Service label, allowing the Service to distribute traffic to both based on replica counts. This enables gradual traffic shifting by adjusting the number of canary replicas, minimizing risk while the new version is validated.

Exam trap

Cisco often tests the distinction between a rolling update (which is automatic and immediate) and a canary deployment (which requires manual or tool-driven replica scaling to control traffic percentage), leading candidates to mistakenly choose a rolling update option when gradual traffic shifting is explicitly required.

How to eliminate wrong answers

Option A is wrong because a rolling update with maxSurge=1 and maxUnavailable=0 shifts traffic automatically and immediately as pods are replaced, without a controlled gradual shift or the ability to hold traffic at a small percentage for validation. Option B is wrong because a readinessProbe that fails for the new version until ready would prevent the new version from receiving traffic at all, defeating the purpose of gradually shifting traffic; it does not enable a canary-style incremental rollout. Option C is wrong because switching the Service selector to the new version after testing causes an abrupt cutover, not a gradual traffic shift, and the old version becomes unreachable immediately.

463
MCQmedium

A developer ran the following command: `gcloud compute instances list --filter='labels.env=prod'`. The command returned no instances even though there are instances with label env=prod. What is the most likely reason?

A.Instances are in a different project.
B.The user lacks compute.instances.list permission.
C.The filter syntax is incorrect; should use `labels.env:prod`.
D.The instances are stopped.
AnswerC

The equals sign is not the correct delimiter for label filters in gcloud.

Why this answer

Option B is correct because the correct filter syntax for labels uses a colon (:) instead of an equals sign. The proper filter is `labels.env:prod`. Option A is wrong because if the project were different, a different error would appear.

Option C is wrong because permission errors produce a different message. Option D is wrong because stopped instances are still listed.

464
MCQeasy

Refer to the exhibit. A developer writes the above Dockerfile for a Cloud Run service. The service fails to start. The logs indicate that the container exited immediately. What is the most likely cause?

A.The WORKDIR is set to a directory that doesn't exist
B.The server.js file is missing from the build context
C.The CMD instruction is incorrectly formatted
D.The EXPOSE 8080 instruction is unnecessary and may cause conflicts
AnswerB

If server.js is not copied into the image (e.g., it's in a different directory or excluded by .dockerignore), the container has no entrypoint and exits immediately.

Why this answer

The most likely cause is that the server.js file is missing from the build context. When the Dockerfile contains a COPY command (e.g., COPY . .) to copy application files, the server.js file must exist in the source directory from which the build is run. If it is absent, the container will have no entry point, and the CMD instruction (e.g., CMD ["node", "server.js"]) will fail because the file does not exist inside the image, causing the container to exit immediately.

Cloud Run requires the container to start a listening process; without server.js, no process runs.

Exam trap

Cisco often tests the misconception that a missing WORKDIR or an incorrect CMD format is the root cause, but the real issue is that the application file (server.js) is not copied into the image, leading to an immediate container exit.

How to eliminate wrong answers

Option A is wrong because the WORKDIR instruction creates the directory if it does not exist, so setting it to a non-existent directory does not cause a failure. Option C is wrong because the CMD instruction is correctly formatted as a JSON array (e.g., CMD ["node", "server.js"]), which is the proper exec form; an incorrectly formatted CMD would typically produce a syntax error during build, not a runtime exit. Option D is wrong because the EXPOSE 8080 instruction is purely documentation and does not cause conflicts; Cloud Run ignores EXPOSE and uses the PORT environment variable, so it is harmless.

465
MCQhard

A financial services company uses Cloud Spanner for transactional data. They need to perform complex analytical queries that aggregate large volumes of data without affecting the performance of transaction processing. Which approach should they take?

A.Use Spanner's read-only transactions to run analytic queries.
B.Enable Cloud Spanner's query optimizer for analytical workloads.
C.Export data from Spanner to BigQuery periodically and run analytic queries there.
D.Create secondary indexes on the Spanner tables to speed up analytical queries.
AnswerC

This offloads analytical workloads to BigQuery, which is optimized for large-scale analytics, and does not affect Spanner's transactional performance.

Why this answer

Option C is correct because BigQuery is a serverless, highly scalable data warehouse designed for complex analytical queries on large datasets. By exporting Spanner transactional data to BigQuery, the company can run heavy aggregations without impacting Spanner's OLTP performance, as Spanner is optimized for high-throughput, low-latency transactions, not analytical workloads.

Exam trap

Cisco often tests the misconception that Spanner's read-only transactions or indexing can handle analytical workloads without performance degradation, but the key trap is that Spanner is an OLTP database, not an OLAP system, and mixing workloads violates the principle of separating concerns for scalability and reliability.

How to eliminate wrong answers

Option A is wrong because Spanner's read-only transactions still consume Spanner's internal resources (CPU, memory, I/O) and can cause contention with transactional writes, especially under heavy analytical query loads. Option B is wrong because Cloud Spanner does not have a dedicated 'query optimizer for analytical workloads'; its optimizer is designed for transactional queries, and enabling it cannot magically make Spanner handle complex aggregations without performance impact. Option D is wrong because secondary indexes improve point lookups and simple range scans, not complex analytical aggregations (e.g., GROUP BY, JOINs on large datasets), and they still add write overhead and storage cost without offloading the analytical processing.

466
MCQmedium

A company uses Cloud Functions to process events from Pub/Sub. They notice that occasionally the same message is processed more than once. What can they do to ensure idempotent processing?

A.Make the function idempotent using a deduplication field
B.Configure retry policies to only retry once
C.Use Cloud Tasks instead
D.Use Cloud Scheduler
E.Increase the acknowledgement deadline for the subscription
AnswerA

Ensures that processing a duplicate message has no effect.

Why this answer

Option A is correct because making the function idempotent using a deduplication field ensures that even if the same Pub/Sub message is delivered more than once (Pub/Sub offers at-least-once delivery), the function processes it only once. By checking a unique message ID or a custom deduplication key before processing, the function can skip or safely reapply the operation, preventing duplicate side effects.

Exam trap

The trap here is that candidates often think increasing the acknowledgement deadline or reducing retries will prevent duplicate processing, but they fail to understand that Pub/Sub's at-least-once delivery guarantee means duplicates can still occur due to network issues or subscriber crashes, making idempotency the only reliable solution.

How to eliminate wrong answers

Option B is wrong because configuring retry policies to only retry once does not prevent duplicate processing; Pub/Sub may redeliver a message even without a retry (e.g., due to ack deadline expiry or subscriber crash), and limiting retries does not guarantee idempotency. Option C is wrong because Cloud Tasks also provides at-least-once delivery and does not inherently solve duplicate processing; the application must still be idempotent. Option D is wrong because Cloud Scheduler is a cron-like job scheduler for triggering HTTP endpoints at fixed intervals, not a mechanism for handling duplicate event processing.

Option E is wrong because increasing the acknowledgement deadline only gives the subscriber more time to process a message before it becomes eligible for redelivery; it does not prevent duplicate processing if the function crashes or if the message is delivered to multiple subscribers.

467
MCQhard

An application uses Cloud SQL for read-heavy workloads. To scale reads, which configuration is best?

A.Use connection pooling
B.Enable high availability with standby
C.Add read replicas across zones
D.Enable automatic storage increase
AnswerC

Read replicas offload read traffic from the primary, scaling read capacity.

Why this answer

Read replicas in Cloud SQL allow you to offload read traffic from the primary instance to one or more replica instances, which are kept in sync using asynchronous replication. This configuration directly scales read capacity by distributing SELECT queries across replicas, making it the best choice for read-heavy workloads.

Exam trap

Cisco often tests the misconception that high availability (standby) or connection pooling can scale read capacity, when in fact they serve different purposes—HA ensures durability, pooling reduces connection churn, and only read replicas directly increase read throughput.

How to eliminate wrong answers

Option A is wrong because connection pooling manages database connections efficiently but does not increase read throughput; it reduces connection overhead, not read load. Option B is wrong because high availability with a standby instance provides failover for durability and uptime, but the standby does not serve read traffic and thus does not scale reads. Option D is wrong because automatic storage increase handles disk space growth, not read performance or concurrency.

468
MCQhard

A team uses Cloud Monitoring alerting policies with multiple conditions. They want to notify only when both CPU utilization is above 80% and error rate is above 5% for 5 minutes. Which type of condition should be used?

A.A log-based metric condition
B.Single condition with AND logic
C.Two separate conditions with OR logic
D.A condition with a custom predicate
AnswerB

You can create one alerting policy with two conditions, and set the combiner to 'AND' so the alert fires only when both conditions are met.

Why this answer

Option B is correct because Cloud Monitoring alerting policies support a single condition with multiple threshold expressions combined using AND logic. This allows you to trigger a notification only when both CPU utilization exceeds 80% and the error rate exceeds 5% simultaneously for the specified 5-minute duration.

Exam trap

The trap here is that candidates often confuse the use of multiple conditions with OR logic (which triggers on any single condition) versus a single condition with AND logic (which requires all thresholds to be met), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because a log-based metric condition is used for monitoring log data, not for combining multiple metric thresholds with AND logic. Option C is wrong because two separate conditions with OR logic would trigger an alert if either CPU utilization is above 80% OR error rate is above 5%, which does not satisfy the requirement for both conditions to be true. Option D is wrong because a condition with a custom predicate is used for advanced filtering using Monitoring Query Language (MQL), but the standard AND logic within a single condition is the correct and simpler approach for this requirement.

469
MCQhard

Your company runs a multi-tier web application on Google Kubernetes Engine (GKE). The application consists of a frontend service, a backend API service, and a PostgreSQL database managed by Cloud SQL. Recently, users have been reporting intermittent slow response times during peak hours (10 AM - 12 PM). You have set up Cloud Monitoring dashboards and alerts. Cloud Trace shows that the backend API service has high latency, but only for certain requests. You notice that the backend service's CPU utilization is around 60% during peak hours, and memory usage is normal. The Cloud SQL instance's CPU utilization is at 90% and the query latency is high. You have also observed that the backend service makes multiple database queries per request, some of which are repeated. What is the most effective course of action to reduce latency?

A.Increase the CPU and memory of the Cloud SQL instance to handle the load
B.Scale up the backend API service by increasing the number of replicas
C.Scale up the frontend service by increasing the number of replicas
D.Implement a caching layer using Memorystore for Redis to cache database query results
AnswerA

The database is at 90% CPU, so increasing its resources directly reduces query latency.

Why this answer

The primary bottleneck is the Cloud SQL instance, which is running at 90% CPU with high query latency. Since the backend service's CPU is only at 60% and memory is normal, scaling the database directly addresses the root cause. Increasing the Cloud SQL instance's CPU and memory provides more processing power and connection capacity to handle the peak load, reducing query latency and overall response times.

Exam trap

Google Cloud often tests the misconception that scaling application replicas (horizontal scaling) always improves performance, but here the bottleneck is the database, not the application, so vertical scaling of the database is required.

How to eliminate wrong answers

Option B is wrong because scaling the backend API service replicas would increase the number of concurrent database connections, further stressing the already overloaded Cloud SQL instance and potentially worsening latency. Option C is wrong because the frontend service is not the bottleneck; Cloud Trace indicates high latency originates from the backend API and database, not the frontend. Option D is wrong because while caching can reduce repeated queries, the database CPU is at 90% and query latency is high for all requests, not just repeated ones; caching would not alleviate the underlying CPU saturation on the Cloud SQL instance.

470
MCQhard

A security engineer applied the IAM policy above to a Cloud Storage bucket. The service account "my-sa" is used by an application that needs to read and write files to the bucket. The application reports that it cannot write files. What is the issue?

A.The policy is missing the "roles/storage.objectAdmin" role.
B.The "roles/storage.objectCreator" role only allows creating new objects, but not overwriting existing ones.
C.The service account lacks permission to list bucket contents.
D.The policy has duplicate bindings that cause a conflict.
AnswerB

objectCreator allows creating new objects but not modifying or overwriting existing objects. To overwrite, the service account needs objectAdmin or objectOwner.

Why this answer

The 'roles/storage.objectCreator' role grants permission to create new objects in a Cloud Storage bucket, but it does not allow overwriting existing objects. To overwrite objects, the 'roles/storage.objectAdmin' or 'roles/storage.legacyObjectOwner' role is required, which includes the storage.objects.update permission. Since the application needs to both read and write (including overwrite) files, the objectCreator role is insufficient.

Exam trap

Cisco often tests the distinction between create and update permissions in Cloud Storage IAM roles, trapping candidates who assume that 'write' access includes overwriting existing objects.

How to eliminate wrong answers

Option A is wrong because 'roles/storage.objectAdmin' is not missing; the issue is that the current role (objectCreator) lacks the update permission, not that a different role is absent. Option C is wrong because listing bucket contents (storage.objects.list) is not required for writing files; the application's inability to write is due to missing update permission, not list permission. Option D is wrong because duplicate bindings in an IAM policy do not cause conflicts; IAM policies are additive and duplicates are simply ignored, so they would not prevent write operations.

471
MCQeasy

A company uses Cloud SQL for MySQL to store customer data. They have enabled automatic backups and a read replica for reporting. The application experiences timeouts during peak hours because the primary instance cannot handle the write load. The team needs to improve write performance without losing the ability to read from replicas. What should they do?

A.Increase the size of the read replica to handle writes.
B.Promote the read replica to a standalone instance and redirect writes.
C.Increase the number of vCPUs on the primary instance.
D.Use Cloud Spanner instead of Cloud SQL for better write scalability.
AnswerC

Scaling up the primary instance improves write throughput.

Why this answer

Option C is correct because increasing the number of vCPUs on the primary Cloud SQL for MySQL instance directly improves its processing capacity to handle higher write throughput. This addresses the root cause of timeouts during peak hours without disrupting the existing read replica architecture, which continues to serve reporting queries. Cloud SQL allows vertical scaling of the primary instance by adjusting machine type, and this change does not affect the ability to read from replicas.

Exam trap

The trap here is that candidates may assume read replicas can be used to offload writes (Option A) or that promoting a replica is a valid scaling strategy (Option B), but Cloud SQL read replicas are strictly read-only and cannot accept write traffic, making these options invalid for improving write performance.

How to eliminate wrong answers

Option A is wrong because read replicas in Cloud SQL for MySQL are read-only and cannot accept write traffic; increasing their size does not improve write performance on the primary instance. Option B is wrong because promoting the read replica to a standalone instance and redirecting writes would eliminate the read replica's ability to serve reporting queries, breaking the requirement to retain read capability from replicas. Option D is wrong because migrating to Cloud Spanner is an unnecessary and complex architectural change; the problem can be solved by vertically scaling the existing Cloud SQL primary instance, which is a simpler and more cost-effective solution.

472
Multi-Selecteasy

A company is designing a web application that must scale horizontally to handle variable traffic. Which two practices should they implement to ensure the application is stateless and can scale without issues?

Select 2 answers
A.Persist session data in Cloud SQL to ensure durability.
B.Offload session state to the user's browser using encrypted cookies.
C.Deploy the application across multiple regional managed instance groups.
D.Store session state in an external cache such as Memorystore.
E.Use sticky sessions to maintain client affinity.
AnswersB, D

Storing session data on the client side through cookies eliminates server-side state, making the application fully stateless.

Why this answer

To achieve statelessness, session state should either be stored in an external cache (e.g., Memorystore) or offloaded to the client (e.g., using cookies). Sticky sessions tie a client to a specific instance, preventing scaling. Using a database like Cloud SQL for session persistence creates a bottleneck.

Regional managed instance groups improve availability but do not directly address statelessness.

473
MCQmedium

A company uses Cloud Monitoring to create an uptime check for their external HTTP endpoint. The check fails periodically even though the service is healthy. What is the most likely cause?

A.The service is down during those periods
B.The SSL certificate is expired
C.The firewall is blocking the uptime check IP ranges
D.The endpoint has high latency
AnswerC

Uptime checks come from specific Google IP ranges that must be allowed.

Why this answer

The most likely cause is that the firewall is blocking the uptime check IP ranges. Cloud Monitoring uses specific source IP ranges for its uptime checks, and if these are not explicitly allowed through the firewall, the checks will fail even though the service itself is healthy. This is a common configuration issue where the firewall rules are not updated to include the monitoring system's probe IPs.

Exam trap

The trap here is that candidates often assume an expired SSL certificate is the cause, but the periodic nature of the failure points to a network filtering issue rather than a consistent certificate problem.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the service is healthy, so the failure is not due to the service being down. Option B is wrong because an expired SSL certificate would cause a TLS handshake failure, which would be a consistent error, not a periodic one, and the check would likely report a certificate error rather than a simple failure. Option D is wrong because high latency would cause the check to be slow or timeout, but it would not cause a periodic failure; the check would still succeed if the endpoint responds within the timeout period.

474
MCQeasy

A startup has deployed a Python web application on Compute Engine. They have installed the Cloud Monitoring agent and can see basic system metrics like CPU and disk usage. However, they want to track custom application metrics, such as number of active users and request latency, to monitor performance. They have added OpenCensus code to export metrics but notice that custom metrics are not appearing in Cloud Monitoring. The application runs under a custom service account with the 'Monitoring Metric Writer' role assigned. What is the most likely cause?

A.The OpenCensus exporter is not configured to send to the Cloud Monitoring endpoint.
B.The Cloud Monitoring agent needs to be restarted after adding OpenCensus.
C.The service account has not been granted the 'Monitoring Viewer' role.
D.The application is not exporting metrics to the correct Cloud Monitoring project.
AnswerA

Without correct exporter configuration, metrics are not sent to Cloud Monitoring, even with the correct service account.

Why this answer

Option A is correct because OpenCensus requires explicit configuration to export metrics to a specific backend. Even though the service account has the 'Monitoring Metric Writer' role, the OpenCensus exporter must be configured with the correct Cloud Monitoring endpoint (e.g., 'monitoring.googleapis.com') and project ID. Without this configuration, the metrics are collected by OpenCensus but never sent to Cloud Monitoring.

Exam trap

Cisco often tests the misconception that assigning IAM roles alone is sufficient for custom metric export, when in fact the application code must explicitly configure the exporter to send data to the correct endpoint.

How to eliminate wrong answers

Option B is wrong because the Cloud Monitoring agent is not involved in custom metric collection via OpenCensus; OpenCensus exports directly to the Cloud Monitoring API via gRPC, independent of the agent. Option C is wrong because the 'Monitoring Viewer' role is only needed to read/view metrics in the Cloud Monitoring console, not to write custom metrics; the 'Monitoring Metric Writer' role is sufficient for exporting. Option D is wrong because the question states the application runs under a custom service account with the correct role, and there is no indication the metrics are being sent to the wrong project; the most likely issue is the exporter configuration, not the project destination.

475
MCQeasy

A developer deploys a containerized application on Cloud Run. The application needs to access a Cloud SQL instance securely without exposing it to the internet. What is the best practice?

A.Whitelist the Cloud Run IP range in Cloud SQL authorized networks.
B.Use Cloud Run's VPC connector and configure private IP for Cloud SQL.
C.Use a Cloud SQL proxy sidecar container in the same pod.
D.Use Cloud NAT to route traffic.
AnswerB

This is the best practice for secure access.

Why this answer

Option B is correct because Cloud Run services cannot directly connect to Cloud SQL using private IP without a VPC connector. The VPC connector allows Cloud Run to send traffic to a VPC network, where the Cloud SQL instance with a private IP resides, ensuring traffic never traverses the public internet. This is the recommended pattern for secure, low-latency access to Cloud SQL from serverless environments.

Exam trap

Cisco often tests the misconception that Cloud SQL proxy can be run as a sidecar in Cloud Run, but Cloud Run's single-container-per-instance model means the proxy must be bundled into the same container image or deployed as a separate service, not as a sidecar in the Kubernetes sense.

How to eliminate wrong answers

Option A is wrong because Cloud Run does not have a static, whitelistable IP range; its egress IPs are ephemeral and shared, making IP-based allowlisting unreliable and insecure. Option C is wrong because Cloud Run does not support sidecar containers in the same pod; it runs a single container per instance, and the Cloud SQL proxy must be deployed as a separate service or within the same container image, not as a sidecar. Option D is wrong because Cloud NAT is used for outbound internet access from private VMs, not for routing traffic to Cloud SQL private IP; it does not enable connectivity from serverless services like Cloud Run to a VPC.

476
MCQmedium

You are building a data pipeline that ingests streaming data from thousands of IoT devices. The devices send JSON payloads to a Cloud Pub/Sub topic. You want to process the data in near real-time and store the results in BigQuery for analytics. You also need to handle occasional schema changes in the incoming data (new fields added) without manual intervention. You have set up a Dataflow streaming pipeline using Apache Beam to read from Pub/Sub and write to BigQuery. The pipeline uses the `WriteToBigQuery` transform with `createDisposition=CREATE_NEVER` and `writeDisposition=WRITE_APPEND`. Recently, a batch of devices started sending a new field `temperature_celsius` that does not exist in the BigQuery schema. The pipeline logs errors and the data is not written. You need to modify the pipeline to automatically handle such schema evolution. What should you do?

A.Change `createDisposition` to `CREATE_IF_NEEDED` and ensure the BigQuery table schema has `autodetect=true` or is updated to allow new fields.
B.Manually update the BigQuery table schema to include the new field and then restart the pipeline.
C.Write the raw JSON payloads to Cloud Storage and use a Cloud Function to load them into BigQuery every 10 minutes with schema autodetect.
D.Use a `ParDo` transform to flatten all JSON fields into a fixed schema by ignoring unknown fields.
AnswerA

`CREATE_IF_NEEDED` will add new columns automatically if the schema is flexible.

Why this answer

Option A is correct because with `createDisposition=CREATE_IF_NEEDED`, BigQuery will automatically add new fields if the schema allows updates. This is the simplest approach. Option B is wrong because storing raw data in Cloud Storage and then loading later loses real-time capability.

Option C is wrong because Dataflow does not have a transform that automatically flattens schemas without modification. Option D is wrong because updating the table schema manually defeats the purpose of automation.

477
MCQhard

What conclusion can be drawn from these traces?

A.The overall request latency is 300ms.
B.The sendConfirmation span is failing.
C.The processPayment span is the bottleneck.
D.The validateCart span has errors.
AnswerC

It accounts for half the total latency, making it the primary contributor.

Why this answer

The trace shows that the 'processPayment' span has the longest duration (300ms) compared to the other spans, indicating it is the primary contributor to the overall latency. In distributed tracing, the span with the highest execution time is typically the bottleneck, as it delays the completion of the entire request. The other spans complete quickly, so optimizing 'processPayment' would yield the greatest performance improvement.

Exam trap

Cisco often tests the misconception that the longest span in a trace is always the bottleneck, but the trap here is that candidates might confuse total request latency with span duration or overlook parallel execution, leading them to pick the overall latency value (Option A) instead of identifying the specific slow span.

How to eliminate wrong answers

Option A is wrong because the overall request latency is the sum of the spans' durations, but the trace shows overlapping spans (e.g., 'validateCart' and 'sendConfirmation' run in parallel), so the total latency is not simply 300ms; it is the end-to-end time from the root span start to finish, which is 300ms in this case, but the question asks for a conclusion about bottlenecks, not a direct latency value. Option B is wrong because the 'sendConfirmation' span completes successfully with no error status or exception logged; a failing span would show an error tag or a non-zero status code. Option D is wrong because the 'validateCart' span has no error indicators (e.g., no error tag, no exception, and its duration is normal), so there is no evidence of errors in that span.

478
MCQmedium

You are designing a CI/CD pipeline using Cloud Build. You want to automatically trigger a build when code is pushed to a specific branch in Cloud Source Repositories. What is the correct configuration?

A.Create a Cloud Function that invokes Cloud Build via API when a push event occurs.
B.Add a build step in cloudbuild.yaml that polls the repository.
C.Configure a Cloud Pub/Sub topic to notify Cloud Build on push events.
D.Create a build trigger in Cloud Build with a regex pattern for the branch name.
AnswerD

Build triggers with branch patterns are the correct approach.

Why this answer

Option D is correct because Cloud Build natively supports build triggers that can be configured to automatically start a build when code is pushed to a specific branch in Cloud Source Repositories. The trigger uses a regex pattern to match the branch name, and Cloud Build listens for repository push events directly without requiring additional services.

Exam trap

Cisco often tests the misconception that Cloud Pub/Sub is always required for event-driven triggers, but Cloud Build has a native trigger integration with Cloud Source Repositories that bypasses Pub/Sub entirely.

How to eliminate wrong answers

Option A is wrong because creating a Cloud Function to invoke Cloud Build via API is an unnecessary workaround; Cloud Build already has built-in trigger functionality for Cloud Source Repositories. Option B is wrong because adding a build step that polls the repository is inefficient and violates the event-driven design of CI/CD; Cloud Build triggers are event-driven, not polling-based. Option C is wrong because while Cloud Pub/Sub can be used with Cloud Build, it is not required for Cloud Source Repositories; Cloud Build directly integrates with Cloud Source Repositories via its own trigger system without needing a Pub/Sub topic.

479
Multi-Selectmedium

A company is building a data processing pipeline that needs to ingest events from multiple sources, process them in order, and handle failures with retry. They also need to schedule periodic tasks. Which THREE services should they use? (Choose 3)

Select 3 answers
A.Cloud Scheduler
B.Cloud Tasks
C.Cloud Workflows
D.Cloud Pub/Sub
E.Cloud Logging
AnswersA, B, D

Cloud Scheduler can trigger periodic tasks.

Why this answer

Cloud Pub/Sub for ingesting events with ordering, Cloud Tasks for retry handling, and Cloud Scheduler for scheduling periodic tasks. Cloud Workflows is for orchestration, Cloud Logging is for logs.

480
MCQhard

You are deploying a critical application on Compute Engine. The application requires high availability and must survive a zonal failure. You have created a managed instance group (MIG) with autoscaling across two zones. The application state is stored in a Cloud SQL instance with a read replica in another region. The application also uses a shared static IP address for client access. During a test, you simulate a failure of zone us-central1-a. You observe that the MIG automatically creates new instances in the remaining zone, but the application becomes unreachable for several minutes. What is the most likely cause of the downtime?

A.The load balancer's health check interval and timeout caused a delay in marking the backend instances as unhealthy and routing traffic to the new zone.
B.The static IP address was not configured to failover to the remaining zone.
C.The Cloud SQL read replica did not promote to primary quickly enough.
D.The managed instance group's autoscaler took too long to create new instances in the remaining zone.
AnswerA

Health checks need time to detect failure and update routing.

Why this answer

The most likely cause is that the load balancer's health check interval and timeout delayed the detection of unhealthy instances in the failed zone, preventing traffic from being rerouted to the new instances in the remaining zone. Even though the MIG created new instances quickly, the load balancer continued sending requests to the failed zone until the health check marked those backends as unhealthy, causing the application to be unreachable during that window.

Exam trap

The trap here is that candidates often assume the MIG's autoscaling speed is the bottleneck, but Cisco tests the understanding that the load balancer's health check configuration is the critical factor in traffic rerouting during a zonal failure.

How to eliminate wrong answers

Option B is wrong because a static IP address is regional and does not require failover configuration; it is associated with the load balancer, which handles traffic distribution across zones. Option C is wrong because the Cloud SQL read replica is in another region and is used for read scaling or disaster recovery, not for immediate failover during a zonal failure; the primary instance in the same region remains unaffected. Option D is wrong because the MIG's autoscaler created new instances in the remaining zone as observed, so the delay was not due to instance creation time but due to the load balancer's health check configuration.

481
MCQmedium

A team created the instance template above and used it in a managed instance group. However, instances fail to serve web traffic. What is the most likely cause?

A.The startup script does not configure a firewall rule to allow HTTP traffic.
B.The image family debian-11 does not have the necessary packages.
C.The machine type e2-medium is too small for Nginx.
D.The instance template is missing a service account.
AnswerA

The default VPC firewall rules only allow SSH and ICMP. An ingress rule for HTTP (port 80) is needed for Nginx to serve traffic.

Why this answer

The instance template likely includes a startup script that installs and starts Nginx, but does not configure a firewall rule (e.g., via `gcloud compute firewall-rules create` or `iptables`) to allow inbound HTTP traffic on port 80. By default, GCP VPC firewall rules deny all ingress traffic unless explicitly allowed, so even if Nginx is running, external requests will be blocked. This is the most common reason why a managed instance group fails to serve web traffic despite the application being installed.

Exam trap

Cisco often tests the misconception that installing and starting a web server (like Nginx) is sufficient to serve traffic, ignoring the separate requirement for network-level firewall rules to allow inbound connections.

How to eliminate wrong answers

Option B is wrong because the Debian 11 image family includes all necessary packages to install Nginx via `apt-get`, and the startup script can install them; the image itself does not need to have Nginx pre-installed. Option C is wrong because e2-medium (2 vCPUs, 4 GB memory) is more than sufficient to run Nginx, which has minimal resource requirements. Option D is wrong because a service account is not required for a startup script to install and run Nginx; it is only needed if the script needs to call GCP APIs (e.g., to create firewall rules), but the failure to serve traffic is due to missing firewall rules, not the absence of a service account.

482
MCQmedium

A team notices that a Cloud Run service occasionally returns HTTP 500 errors. They have enabled Cloud Error Reporting. What is the best way to rapidly diagnose the root cause of these errors?

A.Search Cloud Logging manually for '500' events.
B.View the Cloud Trace dashboard for error traces.
C.Create a Cloud Monitoring dashboard for 5xx metrics.
D.Examine the error group details in Cloud Error Reporting.
AnswerD

Error Reporting aggregates errors and links to Stackdriver.

Why this answer

Cloud Error Reporting automatically groups similar errors (like HTTP 500s) into error groups, providing stack traces, request details, and occurrence timelines. Examining the error group details is the fastest path to root cause because it surfaces the exact exception and context without requiring manual log filtering or metric setup.

Exam trap

Cisco often tests the distinction between monitoring (Cloud Monitoring metrics) and error diagnosis (Cloud Error Reporting), tempting candidates to choose a metric dashboard when the question explicitly asks for rapid root cause diagnosis.

How to eliminate wrong answers

Option A is wrong because manually searching Cloud Logging for '500' events is time-consuming and lacks automatic grouping, stack traces, and deduplication that Error Reporting provides. Option B is wrong because Cloud Trace focuses on latency and distributed tracing for requests, not on aggregating or diagnosing HTTP 500 error details. Option C is wrong because a Cloud Monitoring dashboard for 5xx metrics shows trends and alerting but does not provide the specific error messages, stack traces, or request context needed to identify the root cause.

483
MCQhard

You are building a data pipeline using Cloud Dataflow (Apache Beam). The pipeline reads from Pub/Sub, performs aggregations, and writes to BigQuery. Occasionally, you see duplicates in the BigQuery output, even though the pipeline uses .withInsertId() in the BigQuery write transform. What could be causing these duplicates?

A.You are not using the exactly-once sink option for BigQuery
B.You have set .withOutputParallelization() to false
C.The pipeline is using at-least-once mode and bundles are being retried, but the insertId is not being reused across retry attempts
D.You need to enable Dataflow's built-in deduplication using the .withIdAttribute() in Pub/Sub read
AnswerC

If the insertId is generated per element per attempt, duplicates can occur on retry.

Why this answer

Option C is correct because Cloud Dataflow (Apache Beam) operates in at-least-once mode by default, meaning bundles may be retried during processing. When a bundle is retried, the insertId set via .withInsertId() must be reused across retry attempts to enable BigQuery's deduplication. If the insertId is not reused (e.g., because it's generated per attempt or not properly propagated), BigQuery treats each write as a separate row, resulting in duplicates.

Exam trap

Cisco often tests the misconception that .withInsertId() alone guarantees exactly-once delivery, when in fact it requires the insertId to be stable across retries, and candidates may overlook the default at-least-once processing mode of Dataflow.

How to eliminate wrong answers

Option A is wrong because BigQuery's exactly-once sink is not a configurable option; BigQuery uses insertId-based deduplication for streaming inserts, and there is no separate 'exactly-once sink' toggle. Option B is wrong because .withOutputParallelization() controls whether output is parallelized across workers, not retry behavior or deduplication; setting it to false would not cause duplicates. Option D is wrong because .withIdAttribute() in Pub/Sub read is used to extract a unique message ID for deduplication within the pipeline, but the question specifically states duplicates appear in BigQuery output despite using .withInsertId(), indicating the issue is with insertId reuse across retries, not with Pub/Sub message deduplication.

484
MCQmedium

A team is investigating increased latency in a web application deployed on Google Kubernetes Engine (GKE). They want to identify which specific service calls are slow. Which Google Cloud tool should they use?

A.Cloud Trace
B.Cloud Monitoring dashboards
C.Cloud Profiler
D.Cloud Logging
AnswerA

Trace enables end-to-end latency analysis across services.

Why this answer

Cloud Trace is the correct tool because it provides end-to-end latency tracking for requests in distributed systems, including GKE. It captures detailed spans for each service call, allowing the team to pinpoint which specific microservice or API call is causing the increased latency. This aligns directly with the need to identify slow service calls in a web application.

Exam trap

The trap here is that candidates confuse Cloud Monitoring dashboards (which show aggregate metrics) with Cloud Trace (which provides per-request latency breakdowns), leading them to choose a tool that cannot isolate specific slow service calls.

How to eliminate wrong answers

Option B is wrong because Cloud Monitoring dashboards aggregate metrics like CPU, memory, and request counts but do not provide per-request trace data or identify which specific service calls are slow. Option C is wrong because Cloud Profiler focuses on identifying CPU and memory hotspots within application code, not on tracing the latency of individual service calls across distributed services. Option D is wrong because Cloud Logging collects and stores log entries but lacks the distributed tracing capability to correlate latency across service boundaries.

485
MCQeasy

A company is migrating a stateful application to Google Cloud. They need high availability with automatic failover across zones within a region. Which compute option should they choose?

A.App Engine Standard Environment
B.Cloud Run
C.Google Kubernetes Engine with Regional Persistent Disk
D.Compute Engine with standard persistent disk
AnswerC

Regional Persistent Disk provides synchronous replication across zones, enabling automatic failover for stateful workloads on GKE.

Why this answer

Google Kubernetes Engine (GKE) with Regional Persistent Disk is the correct choice because it provides synchronous replication of data across multiple zones within a region, enabling automatic failover for stateful applications. When a pod or node fails in one zone, the Regional Persistent Disk can be immediately attached to a pod in another zone, ensuring high availability without data loss. This meets the requirement for stateful workloads that need zone-level resilience.

Exam trap

Cisco often tests the misconception that any managed service (like Cloud Run or App Engine) inherently provides high availability for stateful workloads, but candidates must remember that stateful applications require persistent, zone-redundant storage, which only GKE with Regional Persistent Disk offers among these options.

How to eliminate wrong answers

Option A is wrong because App Engine Standard Environment is a fully managed, stateless platform that does not support persistent storage or automatic failover across zones for stateful applications. Option B is wrong because Cloud Run is a serverless compute platform designed for stateless containers; it lacks native support for persistent disks and automatic cross-zone failover for stateful data. Option D is wrong because Compute Engine with standard persistent disk stores data only within a single zone; if that zone fails, the disk becomes inaccessible, and there is no built-in automatic failover mechanism.

486
MCQhard

A company is using Cloud Monitoring to track custom metrics published from an on-premises application using the Monitoring API. The metrics are published every 30 seconds. The team wants to create an alert that fires if the metric goes below a threshold for more than 1 minute. Which alert condition type should they use?

A.Metric type: custom.googleapis.com, condition: metric lower bound, duration: 60s
B.Metric type: custom.googleapis.com, condition: metric change, duration: 60s
C.Metric type: custom.googleapis.com, condition: metric absence, duration: 60s
D.Metric type: custom.googleapis.com, condition: metric threshold (below value), duration: 60s
AnswerD

Threshold condition with direction 'below' and duration 60s works for a value below threshold for 1 minute.

Why this answer

Option D is correct because the requirement is to fire an alert when the metric value goes below a threshold for more than 1 minute. The 'metric threshold (below value)' condition type directly monitors a metric against a lower bound and evaluates the condition over the specified duration (60s) before triggering. This aligns with the need to detect sustained low values, not just a single data point.

Exam trap

Cisco often tests the distinction between 'metric absence' (no data) and 'metric threshold below' (data exists but is low), leading candidates to mistakenly choose absence when the scenario describes a value-based condition.

How to eliminate wrong answers

Option A is wrong because 'metric lower bound' is not a valid condition type in Cloud Monitoring; the correct term is 'metric threshold' with a 'below' or 'above' comparator. Option B is wrong because 'metric change' condition tracks the rate of change (increase or decrease) between data points, not a static threshold violation, and is used for anomaly detection rather than sustained low values. Option C is wrong because 'metric absence' fires when no data is received for the metric (i.e., missing time series), which is different from the metric value being below a threshold; the question explicitly states the metric is published every 30 seconds, so absence is not the issue.

487
Drag & Dropmedium

Drag and drop the steps to create a Cloud Run service in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Creating a Cloud Run service involves selecting the container image and configuring settings before deployment.

488
MCQmedium

A media streaming company uses Cloud Storage to store video files. Users upload files through a web application, and the files are streamed directly from Cloud Storage. They want to reduce latency for users in different regions. Which configuration should they apply?

A.Enable Object Lifecycle Management to move objects to Nearline storage.
B.Configure Cloud Storage transfer service to replicate data to multiple buckets.
C.Use a multi-region Cloud Storage bucket and enable requester-pays.
D.Set up Cloud CDN with the Cloud Storage bucket as origin.
AnswerD

Cloud CDN caches content at edge locations worldwide, reducing latency for users regardless of their region.

Why this answer

Cloud CDN caches video content at edge locations worldwide, reducing latency for users by serving content from the nearest edge cache instead of the origin Cloud Storage bucket. This directly addresses the requirement to reduce latency for users in different regions without modifying the storage architecture.

Exam trap

Cisco often tests the misconception that multi-region buckets alone solve latency issues, but the trap here is that multi-region storage provides redundancy, not edge caching—only Cloud CDN delivers the low-latency performance needed for global streaming.

How to eliminate wrong answers

Option A is wrong because Object Lifecycle Management moves objects to Nearline storage (which has higher retrieval costs and lower availability for streaming) and does not reduce latency; it only optimizes storage costs for infrequently accessed data. Option B is wrong because Cloud Storage Transfer Service is designed for one-time or scheduled bulk data transfers between buckets, not for real-time replication to reduce latency; it does not provide automatic regional distribution for streaming. Option C is wrong because a multi-region bucket provides geo-redundant storage but does not cache content at edge locations, and enabling requester-pays shifts costs to the user without improving latency; the latency reduction from multi-region is minimal compared to CDN edge caching.

489
MCQeasy

An application running on Compute Engine needs to publish messages to a Pub/Sub topic. The VPC does not have external internet access. What must be configured to allow the instance to publish?

A.Cloud NAT
B.VPC Peering with Pub/Sub
C.Cloud Router with BGP
D.Private Google Access
AnswerD

Private Google Access allows VM instances to use Google APIs via internal IPs.

Why this answer

Option D is correct because Private Google Access enables instances without external IP addresses to call Google APIs and services (including Pub/Sub) using internal IPs. Option A is for NAT to internet, option B is for peering, and option C is for dynamic routing.

490
MCQhard

A company runs a microservices application on Google Kubernetes Engine. They use Cloud SQL for persistent data. Recently, during a traffic spike, the application experienced increased latency and some requests failed with timeout errors. The team observed that the Cloud SQL CPU utilization spiked to 100%, and the GKE pods had high memory usage. They are using a standard Cloud SQL tier (db-n1-standard-2). Which course of action would best improve the application's performance and reliability?

A.Upgrade Cloud SQL to a higher tier with more CPU.
B.Increase the number of replicas in GKE to reduce load per pod.
C.Add read replicas to Cloud SQL.
D.Implement caching with Memorystore for frequently accessed data.
AnswerD

Caching reduces database read load, alleviating CPU pressure and latency.

Why this answer

The correct answer is D because the primary bottleneck is the Cloud SQL CPU spiking to 100% under heavy read traffic. Implementing Memorystore (Redis) caching offloads repeated read queries from the database, reducing CPU load and query latency. This directly addresses the root cause—database CPU exhaustion—without requiring a larger database instance or adding replicas that would still be limited by the same CPU.

Exam trap

Cisco often tests the misconception that scaling compute (pods or database tier) is the only solution to performance issues, when in reality caching is a more cost-effective and architecturally sound approach for read-heavy workloads with spiky traffic patterns.

How to eliminate wrong answers

Option A is wrong because upgrading to a higher Cloud SQL tier (more CPU) only scales the database vertically, which is costly and does not eliminate the underlying issue of repeated expensive queries; it also does not reduce latency for read-heavy workloads as effectively as caching. Option B is wrong because increasing GKE pod replicas distributes application load but does not reduce the number of database queries hitting Cloud SQL; in fact, more pods could increase concurrent connections, worsening CPU contention. Option C is wrong because adding read replicas helps distribute read traffic but does not reduce the CPU load on the primary instance for write-heavy or mixed workloads; the primary still handles all writes and CPU spikes from complex queries, and replicas add replication lag and cost.

491
MCQeasy

An organization wants to design a serverless data processing pipeline that is highly available and can automatically scale based on the number of incoming requests. The pipeline processes JSON messages from a Cloud Pub/Sub topic and writes results to BigQuery. Which service should be used as the compute component?

A.Cloud Dataflow
B.Cloud Run
C.Cloud Functions
D.Compute Engine with managed instance groups
AnswerB

Cloud Run provides automatic scaling, can be triggered via Pub/Sub push, and supports longer processing times.

Why this answer

Cloud Run is the correct compute component because it is a fully managed serverless platform that automatically scales from zero based on incoming HTTP requests, supports event-driven processing via Pub/Sub push subscriptions, and integrates natively with BigQuery. It provides high availability by default across zones and can handle burst traffic without provisioning overhead, making it ideal for a serverless pipeline that processes JSON messages and writes results to BigQuery.

Exam trap

Cisco often tests the distinction between serverless compute services (Cloud Run vs Cloud Functions) by focusing on execution time limits and concurrency; the trap here is that candidates choose Cloud Functions for its simplicity, overlooking the 9-minute timeout and lack of support for long-running or high-concurrency workloads that Cloud Run handles natively.

How to eliminate wrong answers

Option A is wrong because Cloud Dataflow is a batch and stream processing service based on Apache Beam, not a serverless compute service that automatically scales per request; it is designed for complex data transformations and requires managing pipelines, not simple request-driven processing. Option C is wrong because Cloud Functions has a maximum timeout of 9 minutes (540 seconds) and limited memory (up to 32GB), which may not be sufficient for long-running or memory-intensive BigQuery write operations, and it lacks the ability to handle sustained high-throughput streaming from Pub/Sub as efficiently as Cloud Run. Option D is wrong because Compute Engine with managed instance groups is not serverless; it requires managing virtual machines, scaling policies, and infrastructure, which contradicts the requirement for a serverless design and adds operational overhead.

492
MCQhard

A developer is designing a chat application using Cloud Firestore. They need to ensure that updates to messages are propagated to all clients in real-time. Which feature should they use?

A.Firestore indexes
B.Security rules
C.Real-time listeners
D.Offline persistence
AnswerC

Real-time listeners push updates to clients in real-time.

Why this answer

Real-time listeners (onSnapshot) in Cloud Firestore allow clients to subscribe to document or query changes, receiving updates immediately when data is modified. This ensures all connected clients see message updates in real-time without polling, which is essential for a chat application.

Exam trap

Cisco often tests the distinction between features that enable real-time data flow (listeners) versus features that manage data structure or access (indexes, rules, persistence), leading candidates to confuse offline persistence with real-time sync.

How to eliminate wrong answers

Option A is wrong because Firestore indexes are used to optimize query performance, not to propagate real-time updates. Option B is wrong because security rules control access and validation of data, not the delivery of updates to clients. Option D is wrong because offline persistence enables local caching and operation without connectivity, but does not provide real-time synchronization across clients.

493
MCQmedium

An organization uses Cloud SQL for MySQL and wants to set up a read replica in a different region to improve read latency for global users. What is the recommended way to configure network connectivity between the primary and replica?

A.Use a Cloud Interconnect
B.Use Cloud VPN with dynamic routing
C.Use VPC peering between the regions
D.Use Private Services Access
AnswerD

Private Services Access allows the Cloud SQL service producer VPC to be peered with the customer VPC.

Why this answer

Option A is correct because cross-region Cloud SQL read replicas require Private Services Access to establish connectivity between the peered VPC and the Cloud SQL service. Option B is for VPN, option C is for dynamic routing, and option D is for high-bandwidth connectivity.

494
MCQeasy

Refer to the exhibit. A developer notices that instance-3 is in TERMINATED state. What is the most likely reason?

A.The instance was deleted
B.The instance had automatic restart disabled
C.The instance was preempted
D.The instance's zone was unavailable
AnswerB

With automatic restart disabled, the instance does not restart after failure, resulting in TERMINATED state.

Why this answer

When an instance's 'automatic restart' is disabled, the instance will not be automatically restarted after a host maintenance event or a failure. If the underlying host experiences an issue, the instance transitions to TERMINATED state instead of being migrated or restarted. This is the most likely reason for instance-3 being in TERMINATED state while other instances remain running.

Exam trap

Cisco often tests the distinction between 'automatic restart' (failure recovery) and 'onHostMaintenance' (planned maintenance behavior), causing candidates to confuse preemption or zone unavailability with the actual reason for a TERMINATED state.

How to eliminate wrong answers

Option A is wrong because deleting an instance would remove it from the list entirely or show it as 'DELETED', not 'TERMINATED'. Option C is wrong because preempted instances transition to 'STOPPED' or 'TERMINATED' only if the preemption policy is set to terminate, but preemption is a specific Google Cloud concept for short-lived, low-cost instances, and the question does not indicate preemptible configuration. Option D is wrong because if the zone were unavailable, all instances in that zone would be affected, not just instance-3, and the state would likely be 'UNAVAILABLE' or 'STOPPED', not 'TERMINATED'.

495
MCQmedium

A team is designing a disaster recovery plan for a critical application on Google Cloud. The application runs on Compute Engine with a regional persistent disk. They want to minimize data loss in case of a regional outage. Which strategy should they use?

A.Use persistent disk snapshot replication to another region
B.Create a snapshot schedule and store snapshots in the same region
C.Use synchronous replication across regions
D.Configure a managed instance group with autohealing
AnswerA

Snapshot replication to another region provides off-site backups that can be used to restore the application in a different region.

Why this answer

Persistent disk snapshot replication to another region is the correct strategy because snapshots are stored in Cloud Storage and can be replicated across regions. This allows you to restore the disk from a snapshot in a different region if the primary region experiences an outage, minimizing data loss by ensuring the backup is geographically separate. Regional persistent disks are synchronous within a region but do not provide cross-region replication, so snapshots are the recommended approach for cross-region disaster recovery.

Exam trap

The trap here is that candidates may confuse regional persistent disks' synchronous replication within a region (which is for high availability, not disaster recovery) with cross-region replication, leading them to incorrectly choose synchronous replication across regions, which is not supported for persistent disks.

How to eliminate wrong answers

Option B is wrong because storing snapshots in the same region does not protect against a regional outage; if the entire region fails, both the disk and its snapshots become inaccessible. Option C is wrong because synchronous replication across regions is not supported for persistent disks; Google Cloud offers asynchronous replication via snapshots or disk replication services, but synchronous cross-region replication would introduce unacceptable latency and is not a native feature. Option D is wrong because a managed instance group with autohealing only recovers instances within the same region, not the persistent disk data, and does not address data loss or regional outage scenarios.

496
MCQeasy

A developer wants to run a single test suite across multiple environments (dev, staging, prod) using Cloud Build. What is the best practice?

A.Use Cloud Deploy to run tests in each environment.
B.Use separate branches for each environment.
C.Use a single Cloud Build trigger with substitutions to parameterize the environment.
D.Create separate Cloud Build triggers for each environment.
AnswerC

Substitutions allow dynamic values for environment-specific variables.

Why this answer

Option C is correct because Cloud Build triggers support substitutions (e.g., `$_ENV`) that allow a single trigger to parameterize the environment variable, enabling the same test suite to run across dev, staging, and prod without duplicating configuration. This aligns with Infrastructure as Code (IaC) principles and reduces maintenance overhead.

Exam trap

Cisco often tests the misconception that separate triggers or branches are required for environment isolation, when in fact Cloud Build's substitution mechanism is the recommended approach for parameterizing a single pipeline across multiple environments.

How to eliminate wrong answers

Option A is wrong because Cloud Deploy is designed for continuous delivery (rolling out releases to target environments), not for running test suites; it does not execute Cloud Build steps or test commands. Option B is wrong because using separate branches for each environment violates Git-based best practices (e.g., GitFlow or trunk-based development) and introduces merge conflicts, drift, and manual overhead. Option D is wrong because creating separate triggers for each environment duplicates configuration, increases maintenance burden, and violates DRY (Don't Repeat Yourself) principles; substitutions achieve the same goal more efficiently.

497
MCQmedium

A team uses Cloud Build to build and deploy a Node.js application to App Engine flexible environment. The build succeeds, but the deployment fails with 'ERROR: (gcloud.app.deploy) Error Response: [9] Application startup error!' The team checks logs and sees 'Error: Module not found: 'express''. What is the most likely cause?

A.The build step includes 'npm test' which fails.
B.The Node.js version specified in app.yaml is incompatible with the dependencies.
C.The app.yaml file is missing from the root of the repository.
D.The dependencies are not installed during the build step before deploying.
AnswerD

Dependencies must be installed (e.g., npm install) for the app to run.

Why this answer

Option A is correct because the dependencies must be installed in the build step for them to be available at runtime. Option B is wrong because 'npm test' failure would not cause deployment error in this context. Option C is wrong because app.yaml is not in the root could cause a different error if not specified.

Option D is wrong because Node.js version mismatch would give a different error.

498
MCQeasy

A developer wants to automatically deploy a new version of an application to App Engine Standard every time code is pushed to the main branch of a Cloud Source Repositories repository. Which service should be used?

A.Cloud Build
B.Cloud Run
C.Cloud Scheduler
D.Cloud Deploy
AnswerA

Cloud Build can automatically trigger on source repo pushes and deploy to App Engine.

Why this answer

Cloud Build is the correct service because it is a fully managed CI/CD platform that integrates natively with Cloud Source Repositories and App Engine Standard. You can configure a Cloud Build trigger to automatically build and deploy your application whenever code is pushed to the main branch, using a cloudbuild.yaml file that specifies the build steps and the `gcloud app deploy` command.

Exam trap

The trap here is that candidates confuse Cloud Deploy (which is for GKE/Cloud Run delivery pipelines) with Cloud Build (the actual CI/CD service that can deploy to App Engine), or they mistakenly think Cloud Run can deploy to App Engine Standard when it is a separate compute platform.

How to eliminate wrong answers

Option B (Cloud Run) is wrong because Cloud Run is a serverless compute platform for running containers, not a CI/CD service for building and deploying to App Engine Standard. Option C (Cloud Scheduler) is wrong because Cloud Scheduler is a cron job service for scheduling tasks, not a continuous deployment tool triggered by code pushes. Option D (Cloud Deploy) is wrong because Cloud Deploy is a delivery pipeline service for GKE and Cloud Run, not for App Engine Standard, and it does not directly integrate with Cloud Source Repositories triggers.

499
Drag & Dropmedium

Drag and drop the steps to grant a service account access to a Cloud Storage bucket in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Granting access to a bucket involves adding the service account as a principal with a role.

500
MCQhard

An operations team is configuring a Cloud Monitoring alerting policy for a critical application. They want to ensure that alerts are only fired when an anomaly persists for at least 5 minutes to reduce noise. Which condition configuration should they use?

A.Configure 'Evaluation Missing Data' to '5 minutes'.
B.Use a 'Metric Threshold' condition and set the 'for' parameter to 300 seconds.
C.Set the condition type to 'Metric Absence' with a 5-minute duration.
D.Use 'Never retrigger' state with 5-minute window.
AnswerB

This ensures the alert fires only if condition holds for 5 minutes.

Why this answer

Metric absence or evaluation missing period are not for anomaly persistence. Condition threshold with 'for' parameter sets the duration the condition must be true. Never retrigger state is for notification channels.

Page 6

Page 7 of 7

All pages