Google Professional Cloud Developer (PCD) — Questions 526–600

980 questions total · 14 pages · All types, answers revealed

Page 8 of 14

526
MCQ · easy

A developer needs to connect to a Cloud SQL for PostgreSQL instance from a Compute Engine VM without adding the VM's IP to an authorized networks list. Which method should they use?

A. Connect via Cloud Shell
B. Configure direct IP connection with SSL
C. Use Cloud SQL Auth Proxy
D. Set up VPC peering and use private IP
Answer: C

Cloud SQL Auth Proxy uses IAM for authentication and does not require IP allowlisting.

Why this answer

The Cloud SQL Auth Proxy is the recommended method for securely connecting to a Cloud SQL instance from a Compute Engine VM without adding the VM's IP to an authorized networks list. It uses mutual TLS (mTLS) to authenticate and encrypt traffic, and it handles IAM-based authorization, so the VM only needs the Cloud SQL Client role and outbound access to the Cloud SQL API (port 443). This avoids exposing the database to the public internet or requiring static IP management.

Exam trap

Cisco often tests the distinction between 'authorized networks' (which only apply to public IP connections) and private IP connectivity; the trap here is that candidates may assume VPC peering (Option D) is required for private access, but the Cloud SQL Auth Proxy works with both public and private IP and is the simplest way to avoid managing IP whitelists.

How to eliminate wrong answers

Option A is wrong because Cloud Shell is an interactive browser-based terminal that runs on a temporary VM; it cannot be used as a persistent connection method from a Compute Engine VM, and it still requires the Cloud Shell's ephemeral IP to be authorized. Option B is wrong because configuring a direct IP connection with SSL still requires the VM's IP address to be added to the authorized networks list, which the question explicitly states must be avoided. Option D is wrong because setting up VPC peering and using private IP is a valid approach for private connectivity, but it requires the Cloud SQL instance to be configured with a private IP and the VPC networks to be peered, which is a more complex networking setup; the question asks for the method to use without adding the VM's IP to authorized networks, and the Cloud SQL Auth Proxy is the simplest and most secure solution that works with both public and private IP configurations.

527
MCQ · easy

A developer is setting up a Cloud Build configuration file for a Node.js application. They want to ensure that build steps are executed only when changes are pushed to the 'main' branch. What is the correct approach?

A. Use a script in the build step to check the branch name
B. Use Cloud Scheduler to trigger builds based on time intervals
C. Use a condition in the build config file
D. Use a build trigger with a branch filter
Answer: D

Cloud Build triggers allow filtering by branch, making this the intended solution.

Why this answer

Option D is correct because Cloud Build triggers can be configured with a branch filter (e.g., `^main$`) that ensures builds are only initiated when changes are pushed to the specified branch. This is the native, declarative way to control build execution based on Git branch events, without requiring custom scripting or external scheduling.

Exam trap

The PCD exam often tests the distinction between trigger-level configuration (branch filters) and build-step-level logic, leading candidates to incorrectly think they can use conditional statements in the build config file itself.

How to eliminate wrong answers

Option A is wrong because using a script to check the branch name inside a build step is an anti-pattern; the build would still be triggered for all branches, wasting resources and time, and it does not prevent the trigger from firing. Option B is wrong because Cloud Scheduler triggers builds based on time intervals, not Git push events, so it cannot conditionally execute builds only when changes are pushed to the 'main' branch. Option C is wrong because Cloud Build's build config file (cloudbuild.yaml) does not support conditional execution based on branch names; branch filtering must be configured at the trigger level, not within the build steps.

528
MCQ · hard

A company deploys a microservice on Google Kubernetes Engine (GKE) with a Cloud Deploy delivery pipeline. The application uses a custom container image stored in Artifact Registry. After a successful deployment to a staging cluster, the production deployment fails with 'ImagePullErr: image not found'. The staging and production clusters are in different projects. What is the most likely cause?

A. The Cloud Deploy service account lacks permission to create pods in the production cluster.
B. Cloud Deploy is not configured to use Artifact Registry and still references Container Registry.
C. The production cluster's node pool has not been granted access to pull images from Artifact Registry in the staging project.
D. The container image tag used in production is different from the staging tag.
Answer: C

Cross-project image pulling requires appropriate IAM on the registry.

Why this answer

Option C is correct because the production cluster's node pool, which runs in a different project, does not have the necessary permissions to pull the custom container image from Artifact Registry in the staging project. By default, GKE node pools use the Compute Engine default service account, which only has access to images in the same project. To pull images across projects, the node pool's service account must be granted the Artifact Registry Reader role (roles/artifactregistry.reader) on the repository in the staging project.

Exam trap

The PCD exam often tests the misconception that Cloud Deploy handles cross-project image access automatically, when in reality the node pool's service account must be explicitly granted permissions on the Artifact Registry repository in the source project.

How to eliminate wrong answers

Option A is wrong because the Cloud Deploy service account does not need permission to create pods; Cloud Deploy creates a release and rollout, which triggers a Kubernetes manifest apply via the GKE cluster's credentials, not by directly creating pods. Option B is wrong because Cloud Deploy does not have a configuration to switch between Artifact Registry and Container Registry; it references the image path as specified in the manifest, and if the path uses Artifact Registry, it will use it regardless of Cloud Deploy settings. Option D is wrong because the question states the same application is deployed, and a different tag would cause a different error (e.g., 'ErrImagePull' for a non-existent tag) or a successful deployment with a different version, not 'ImagePullErr: image not found' which indicates the image location is inaccessible.

529
MCQ · easy

A developer notices that a Cloud Function is timing out after 60 seconds. The function makes an external API call that occasionally takes longer than the timeout. What is the best practice to handle this?

A. Implement retry logic without changing the timeout
B. Increase the timeout for all Cloud Functions in the project
C. Increase the timeout for the specific Cloud Function to a higher value
D. Decrease the timeout to fail fast and implement retry logic
Answer: C

Adjusting the timeout for the specific function allows the external call to complete.

Why this answer

Option C is correct because Cloud Functions have a configurable timeout per function (up to 540 seconds for HTTP functions). Increasing the timeout for the specific function that makes the slow external API call directly addresses the timeout issue without affecting other functions or introducing unnecessary retry overhead. This is the most targeted and efficient solution.

Exam trap

Google Cloud often tests the misconception that retry logic alone can solve timeout issues, but the trap here is that retries do not extend the execution window—the function must complete within the configured timeout for any single invocation to succeed.

How to eliminate wrong answers

Option A is wrong because retry logic does not prevent the function from timing out; if the function times out after 60 seconds, retries will also fail unless the timeout is increased. Option B is wrong because increasing the timeout for all Cloud Functions in the project is unnecessarily broad and could mask performance issues in other functions, violating the principle of least privilege and granular configuration. Option D is wrong because decreasing the timeout to fail fast would cause the function to fail even more frequently, and implementing retry logic would not help if the external API call inherently takes longer than the reduced timeout.

530
MCQ · medium

During an Oracle to PostgreSQL migration using Database Migration Service (DMS), the continuous replication fails with an error about unsupported data types. The source table uses Oracle's RAW data type. How should this be handled?

A. Convert RAW to VARCHAR2 before migration using a trigger.
B. Raw data type is not supported by DMS; you must drop the column and re-add as BYTEA after migration.
C. Verify DMS supports RAW to BYTEA mapping; if not, use a manual export/import for that table.
D. Use Cloud Dataflow to transform the data as it streams.
Answer: C

DMS does support this mapping, but if it fails, manual intervention may be needed.

Why this answer

Oracle RAW type maps to PostgreSQL BYTEA. DMS should handle this conversion automatically. If it fails, it may be due to version incompatibility or configuration.

The correct action is to check DMS logs and ensure the mapping is correct; if DMS cannot handle it, a manual workaround is to convert RAW to BYTEA using a custom script.

531
MCQ · easy

A developer is writing unit tests for a Cloud Function that reads from Firestore. They want to avoid real Firestore calls in tests. Which approach is best?

A. Use Cloud Functions local emulator with Firestore emulator
B. Create a test project with real Firestore and use real calls
C. Mock the Firestore client library in the test code
D. Use Firestore emulator for tests
Answer: C

Mocking isolates the function code and is the standard unit testing approach.

Why this answer

Mocking the Firestore client library allows testing the function logic without dependencies on external services, which is the essence of unit testing.

532
Multi-Select · medium

A financial services company is migrating an Oracle database to Cloud SQL for PostgreSQL using Database Migration Service (DMS). They have completed the full dump and CDC is ongoing. The migration team now needs to perform a cutover with minimal downtime. Which TWO actions should they take?

Select 2 answers
A. Stop the Database Migration Service job before promotion.
B. Modify the source connection profile to point to the Cloud SQL instance.
C. Start a second migration job to the same Cloud SQL instance.
D. Promote the Cloud SQL for PostgreSQL replica.
E. Stop all writes to the source Oracle database.
Answers: D, E

Promotion converts the Cloud SQL replica into a standalone primary instance that applications can connect to.

Why this answer

Option D is correct because promoting the Cloud SQL for PostgreSQL replica is the standard cutover step in a DMS migration: it converts the continuous replication target into a standalone, writable database. This action finalizes the migration with minimal downtime because the replica has been kept in sync via CDC from the source Oracle database.

Exam trap

Cisco often tests the misconception that stopping the DMS job is required before promotion, but in reality the job must remain active to complete the final replication of in-flight transactions, and stopping it prematurely would cause data loss.

533
MCQ · easy

A developer deployed the above Cloud Run service YAML. The service deploys successfully but any request fails with a 503 error. What is the most likely cause?

A. The container is not listening on the expected port.
B. The service has no ingress setting.
C. The container image has a different entrypoint.
D. containerConcurrency is set too high.
Answer: A

Cloud Run requires the container to listen on the port specified by the PORT environment variable (default 8080). If the container listens on a different port, requests time out or fail.

Why this answer

A 503 error from Cloud Run indicates that the service is failing to respond to health checks or requests. The most common cause is that the container is not listening on the port specified in the `containerPort` field of the YAML (default 8080). Cloud Run sends requests to that port, and if the application is bound to a different port (e.g., 3000 or 80), the request never reaches the application, resulting in a 503.

Exam trap

The PCD exam often tests the distinction between a container that fails to start (which would show a different error) and a container that runs but is unreachable on the expected port (which causes 503 errors).

How to eliminate wrong answers

Option B is wrong because Cloud Run services have a default ingress setting of 'all' (allowing all traffic) when not explicitly set, so missing ingress does not cause a 503. Option C is wrong because a different entrypoint would cause the container to fail to start or crash, resulting in a different error (e.g., 'Container failed to start' or 'CrashLoopBackOff'), not a 503 response. Option D is wrong because setting `containerConcurrency` too high (e.g., 80 or more) could cause performance degradation or timeouts under load, but it would not cause every request to fail with a 503; the service would still respond to some requests.

534
MCQ · medium

A team is deploying a containerized application to Google Kubernetes Engine using a Deployment and a Service of type LoadBalancer. The application is a web server that should be accessible on port 80. After deployment, the external IP is assigned, but when they try to access http://<EXTERNAL_IP>:80, they get a connection timeout. The pods are running, and the logs show the web server is listening on port 8080. The team has verified that the cluster firewall rules allow traffic on port 80. They have also confirmed that the pods are healthy and no network policies are in place. What is the most likely cause?

A. The cluster has a network policy that blocks incoming traffic.
B. The Deployment's containerPort is set to 8080, but the Service's port is set to 80 and targetPort is not specified.
C. The Service is missing the externalTrafficPolicy: Local setting.
D. The Service's targetPort is set to 80 instead of 8080.
Answer: B

Without targetPort, the Service forwards to the same port number, causing mismatch.

Why this answer

Option B is correct because if the Service's targetPort is not specified, it defaults to the same value as the port (80). However, the container is listening on port 8080, so traffic forwarded to port 80 on the pod results in a connection timeout. Option A is incorrect because having targetPort set to 80 would be incorrect; it should be 8080.

Option C is incorrect because externalTrafficPolicy: Local affects client IP preservation, not basic connectivity. Option D is incorrect because network policies are not in place and firewall rules allow traffic.

535
MCQ · hard

A company has an AlloyDB cluster in us-central1. They want to replicate data to a secondary region for disaster recovery with a recovery point objective (RPO) of less than 1 second. Which AlloyDB feature should they use?

A. Use AlloyDB Omni to replicate to an instance in the secondary region
B. Export the database to Cloud Storage and import in the secondary region
C. Configure a Cloud SQL for PostgreSQL read replica in the secondary region
D. Create a cross-region read replica in the secondary region
Answer: A

AlloyDB Omni supports cross-region replication for DR.

Why this answer

AlloyDB supports cross-region replication using AlloyDB Omni, which is a downloadable edition that can run on-premises or in other clouds. For cross-region DR, you can set up an AlloyDB Omni instance in another region that asynchronously replicates from the primary cluster. Note: The official AlloyDB cross-region replication uses AlloyDB Omni as the target.

This is the correct feature.

536
Multi-Select · medium

A company is building a polyglot persistence architecture. They need to choose the correct Google Cloud databases for the following requirements: (1) ACID transactions for financial orders, (2) high-throughput time-series sensor data, and (3) real-time session cache. Which THREE databases should they choose? (Choose 3)

Select 3 answers
A. Memorystore
B. Cloud Spanner
C. Cloud SQL
D. Cloud Bigtable
E. Firestore
Answers: A, B, D

Memorystore (Redis) is ideal for session caching.

Why this answer

Cloud Spanner provides ACID transactions globally, Bigtable for time-series, and Memorystore for caching. Firestore is document-oriented, not ideal for time-series.

537
MCQ · easy

A company is migrating an on-premises MySQL 8.0 OLTP application to Google Cloud. The application requires high availability with automatic failover and zero RPO. Which Google Cloud database and configuration should they use?

A. Cloud Spanner with multi-region configuration
B. Cloud SQL for MySQL with read replicas
C. AlloyDB for PostgreSQL with HA
D. Cloud SQL for MySQL with HA configuration
Answer: D

HA configuration uses synchronous replication to a standby in the same zone/region, automatic failover, and zero RPO.

Why this answer

Cloud SQL for MySQL with HA configuration provides synchronous replication to a standby instance in the same region, automatic failover, and zero RPO.

538
Multi-Select · hard

A company runs a stateful application on Compute Engine. They need to achieve an RPO of less than 15 minutes and an RTO of less than 30 minutes for a regional disaster. Which three steps should they include in their disaster recovery plan? (Select exactly 3.)

Select 3 answers
A. Use a managed instance group in multiple zones within the same region
B. Develop custom scripts to replicate application data asynchronously to another region
C. Configure persistent disk snapshots to a different region
D. Use regional persistent disks to replicate data within the region
E. Configure Cloud DNS with geo-routing to direct traffic to a healthy region
Answers: B, C, E

Asynchronous replication to another region can meet RPO and allow failover to that region.

Why this answer

Option B is correct because asynchronous replication of application data to another region can achieve an RPO of less than 15 minutes and an RTO of less than 30 minutes, as it allows the application to fail over to a secondary region with minimal data loss. Custom scripts can control replication frequency and ensure data consistency, meeting the strict RPO requirement.

Exam trap

The PCD exam often tests the distinction between regional and multi-region disaster recovery, where candidates mistakenly choose intra-region solutions like regional persistent disks or multi-zone instance groups for a regional disaster scenario.

539
MCQ · medium

A company uses Cloud Spanner for global transaction processing. They need to export a full database backup to GCS in a portable format for long-term archival. Which method should they use?

A. Use gcloud beta spanner databases export command to export to GCS in CSV format.
B. Use Dataflow to read the Spanner database and write to GCS in JSON format.
C. Use Cloud Spanner backups (built-in) which export to GCS in Avro format.
D. Use Cloud SQL export to GCS.
Answer: C

Cloud Spanner's managed backup feature exports the entire database to GCS in Avro files, which is portable.

540
MCQ · medium

A team is migrating a Snowflake data warehouse to BigQuery. They need to move historical data and set up a one-time batch transfer. Which method is most appropriate?

A. Export data from Snowflake to GCS, then load into BigQuery.
B. Use BigQuery Data Transfer Service for Snowflake.
C. Use Cloud Data Fusion with Snowflake connector.
D. Use Database Migration Service with Snowflake endpoint.
Answer: A

Common pattern: export to GCS (e.g., Parquet) and then load into BigQuery.

Why this answer

Exporting data from Snowflake to GCS (Google Cloud Storage) as files (e.g., Parquet, Avro, or CSV) and then loading them into BigQuery is the most appropriate method for a one-time batch transfer of historical data. This approach leverages Snowflake's native UNLOAD command to export data efficiently and BigQuery's batch load jobs to ingest the files, providing full control over the migration without requiring ongoing connectivity or complex tooling.

Exam trap

Cisco often tests the misconception that BigQuery Data Transfer Service can handle one-time batch migrations, but it is actually designed for recurring scheduled transfers and requires the source to support continuous replication, which Snowflake does not natively provide for historical data dumps.

How to eliminate wrong answers

Option B is wrong because BigQuery Data Transfer Service for Snowflake is designed for scheduled, incremental transfers, not for one-time batch migrations; it requires ongoing configuration and is not optimized for a single historical data dump. Option C is wrong because Cloud Data Fusion with a Snowflake connector is intended for ETL/ELT pipelines and continuous data integration, not for a simple one-time batch transfer; it adds unnecessary complexity and cost for a single migration. Option D is wrong because Database Migration Service (DMS) does not support Snowflake as a source endpoint; DMS is designed for homogeneous migrations (e.g., MySQL to Cloud SQL) and does not have a Snowflake connector.

541
MCQ · medium

A company is running a global application on Cloud Spanner. They notice high write latency on a specific table because a frequently updated row is being accessed by many clients simultaneously. Which design pattern should they implement to distribute writes across multiple nodes and reduce contention?

A. Increase the number of nodes in the Cloud Spanner instance.
B. Use interleaved tables to co-locate related data.
C. Add a hash suffix to the primary key of the hot row to split it into multiple rows.
D. Migrate the table to Cloud Bigtable which handles hotspots better.
Answer: C

This distributes writes across multiple splits.

Why this answer

Option C is correct because adding a hash suffix to the primary key of the hot row splits the single heavily contended row into multiple logical rows, each with a different primary key. This distributes the write load across multiple Cloud Spanner splits and nodes, reducing lock contention and write latency. Cloud Spanner uses a distributed, synchronous replication architecture where a single row is managed by a single split; splitting the hot row into multiple rows allows parallel writes to different splits.

Exam trap

The PCD exam often tests the misconception that scaling up the instance (adding nodes) solves single-row contention, but the trap here is that Cloud Spanner's architecture requires splitting the hot row's key to distribute writes across splits, not just adding more nodes.

How to eliminate wrong answers

Option A is wrong because increasing the number of nodes in Cloud Spanner increases overall throughput and storage capacity, but does not resolve contention on a single hot row—that row is still managed by one split and one leader, so write latency remains high. Option B is wrong because interleaved tables co-locate parent and child rows for efficient joins and strong consistency, but they do not help with write contention on a single frequently updated row; they actually increase the likelihood of contention if the parent row is the hot row. Option D is wrong because migrating to Cloud Bigtable is not a recommended design pattern for this scenario; Bigtable handles hotspots via automatic sharding, but the question asks for a design pattern within Cloud Spanner, and Bigtable does not support global, strongly consistent transactions or SQL queries, which the application likely requires.

542
MCQ · medium

Refer to the exhibit. The Cloud Run service is experiencing high tail latency under moderate load. Which change would most effectively reduce latency?

A. Increase CPU limit to 2.
B. Increase containerConcurrency to 250.
C. Increase timeoutSeconds to 600.
D. Reduce containerConcurrency to 10.
Answer: D

Lower concurrency reduces request queuing per container, improving tail latency under load.

Why this answer

High tail latency under moderate load often indicates that requests are queuing behind each other due to excessive concurrency. Reducing `containerConcurrency` to 10 limits the number of simultaneous requests each container instance handles, which reduces queueing delay and improves per-request response time. This is the most effective change because it directly controls the request multiplexing level, preventing a single instance from being overwhelmed.

Exam trap

The PCD exam often tests the misconception that increasing resources (CPU/memory) or timeouts always improves performance, when in fact controlling concurrency is the key to reducing tail latency in serverless platforms like Cloud Run.

How to eliminate wrong answers

Option A is wrong because increasing the CPU limit to 2 does not address the root cause of tail latency; it may reduce compute-bound delays but does not control request queuing or concurrency pressure. Option B is wrong because increasing `containerConcurrency` to 250 would exacerbate the problem by allowing more simultaneous requests per instance, increasing queueing and tail latency. Option C is wrong because increasing `timeoutSeconds` to 600 only extends the maximum request duration, which does not reduce latency; it may even mask underlying performance issues by allowing slow requests to linger longer.

543
MCQ · hard

A company is migrating a legacy Java application to Cloud Run. The application requires a specific Java version (Java 11) and writes temporary files to disk. The application also uses a proprietary library that is not available in public repositories. The team has created a Dockerfile that installs Java 11, copies the JAR file, and sets the entrypoint. They are using Cloud Build to build the container and deploying to Cloud Run. The deployment succeeds, but when they send requests, the application fails with a "Permission denied" error when trying to write to /tmp. The team has verified that the Cloud Run service has the correct permissions via a service account. They have also checked that the filesystem is writable at /tmp by default. What is the most likely cause of the error?

A. Add a RUN chmod 777 /tmp command in the Dockerfile before the entrypoint.
B. Increase the memory limit of the Cloud Run service.
C. Change the base image to one that includes Java 11 and ensures the /tmp directory is writable.
D. Use a Cloud Storage FUSE mount for temporary storage.
Answer: C

A proper base image with the correct filesystem permissions resolves the issue.

Why this answer

Option B is correct because the base image used might not have the proper filesystem layout or permissions for /tmp. Using a standard base image like gcr.io/distroless/java or an official OpenJDK image ensures that /tmp is writable. Option A is incorrect because memory limits do not affect write permissions.

Option C is incorrect because if the filesystem is read-only, chmod will also fail; moreover, Cloud Run's security constraints may prevent such changes. Option D is incorrect because Cloud Storage FUSE is not needed and adds complexity; the issue is with the base image.

544
MCQ · hard

A company uses Cloud SQL for PostgreSQL with a cross-region replica for disaster recovery. They need to perform a regional failover with minimal data loss. What configuration is required?

A. Use Database Migration Service instead
B. Promote the cross-region replica to a primary instance
C. Take a manual backup of the primary and restore to the replica
D. Enable synchronous replication
Answer: B

Promotion makes the replica a standalone instance, and data up to the promotion point is preserved.

Why this answer

Cloud SQL cross-region replicas use asynchronous replication, so some data loss is possible. To minimize loss, ensure that the replication lag is low and that automated backups are taken frequently. However, the key is to promote the replica to a standalone instance, which will stop replication and make it writable.

545
MCQ · hard

A large e-commerce platform uses Cloud Bigtable to store user session data and product recommendations. They have a single cluster in a single zone. During a recent zone outage, the application became unavailable for 30 minutes because Cloud Bigtable was unreachable. The team needs to ensure high availability for the session data with a Recovery Time Objective (RTO) of less than 5 minutes and a Recovery Point Objective (RPO) of zero (no data loss). What should they do?

A. Migrate the session data to Cloud Memorystore for Redis with persistence and replication.
B. Add a second cluster in a different zone within the same region and use multi-cluster routing to automatically failover.
C. Configure replication to a second cluster in a different region and use global routing to failover.
D. Use Cloud Bigtable's single-cluster replication to a different zone.
Answer: B

Multi-cluster within region provides zone-level HA with fast replication.

Why this answer

Option B is correct because adding a second Cloud Bigtable cluster in a different zone within the same region and enabling multi-cluster routing provides automatic failover with an RTO of under 5 minutes and an RPO of zero. Multi-cluster routing directs read and write requests to the nearest healthy cluster, and replication between clusters is synchronous within a region, ensuring no data loss during a zone outage.

Exam trap

The PCD exam often tests the misconception that cross-region replication can achieve an RPO of zero, but candidates must remember that only intra-region replication is synchronous, while cross-region replication is asynchronous and introduces data loss risk.

How to eliminate wrong answers

Option A is wrong because Cloud Memorystore for Redis with persistence and replication does not guarantee an RPO of zero; asynchronous replication can lose recent writes during a failover, and it is not designed for the same throughput and latency characteristics as Cloud Bigtable for session data. Option C is wrong because configuring replication to a second cluster in a different region uses asynchronous replication, which cannot achieve an RPO of zero due to cross-region replication lag, and global routing introduces higher latency and potential data inconsistency. Option D is wrong because Cloud Bigtable does not support single-cluster replication; replication is always between two or more clusters, and the term 'single-cluster replication' is a misnomer that does not exist in Cloud Bigtable's architecture.

546
MCQ · easy

A company wants to monitor the CPU utilization of their Compute Engine instances and automatically trigger scaling actions if utilization exceeds 80% for 5 minutes. Which service should they use?

A. Managed instance group autoscaler
B. Cloud Monitoring
C. Cloud Scheduler
D. Cloud Load Balancing
Answer: A

Autoscaler uses monitoring metrics to trigger scaling actions.

Why this answer

Managed instance group (MIG) autoscaler is the correct service because it is designed to automatically adjust the number of Compute Engine instances based on configured utilization metrics. By setting a target CPU utilization of 80% over a 5-minute window, the autoscaler will add or remove instances to maintain that threshold, directly meeting the requirement for automatic scaling actions.

Exam trap

The PCD exam often tests the distinction between monitoring services (Cloud Monitoring) and action-oriented services (autoscaler), leading candidates to pick Cloud Monitoring because they confuse alerting with automatic scaling.

How to eliminate wrong answers

Option B is wrong because Cloud Monitoring is a monitoring and alerting service that collects metrics, logs, and events, but it does not perform automatic scaling actions; it can trigger alerts but not directly add or remove instances. Option C is wrong because Cloud Scheduler is a cron job service for scheduling tasks at specified times, not for reacting to real-time CPU utilization thresholds. Option D is wrong because Cloud Load Balancing distributes traffic across instances but does not monitor CPU utilization or trigger scaling actions; it works in conjunction with autoscalers but does not perform scaling itself.

547
MCQ medium

A developer deploying a new version of a microservice sees a sudden increase in error logs in Cloud Logging. The errors are 500 responses from the service. What is the most efficient way to investigate the root cause?

A. Use Cloud Trace to view the trace of failed requests
B. Revert to the previous version immediately
C. Check the CPU and memory metrics in Cloud Monitoring
D. Analyze the error logs using Log Analytics and create a log-based metric
Answer: A

Cloud Trace records traces for each request, including errors, allowing you to see the exact step that failed.

Why this answer

Cloud Trace provides end-to-end latency data and can capture detailed spans for individual requests, including those that resulted in 500 errors. By filtering traces to failed requests, you can pinpoint the exact service or function call that caused the error, making it the most efficient root-cause investigation method without requiring code changes or additional instrumentation.

Exam trap

The PCD exam often tests the misconception that log analysis alone is sufficient for debugging distributed systems, but the trap here is that Cloud Trace provides request-scoped context that logs lack, making it the most efficient first step for 500 errors in a microservice deployment.

How to eliminate wrong answers

Option B is wrong because reverting immediately is a reactive rollback that does not identify the root cause; it may resolve symptoms but wastes time if the issue is not version-related. Option C is wrong because CPU and memory metrics show resource utilization but cannot reveal application-level logic errors, such as a null pointer exception or a failed database query, that cause 500 responses. Option D is wrong because analyzing error logs and creating a log-based metric is useful for monitoring trends but is less efficient for pinpointing the specific failing request path; Cloud Trace directly correlates traces with error status codes for faster diagnosis.

548
Multi-Select easy

Which TWO of the following are valid ways to export Cloud Logging logs to BigQuery?

Select 2 answers
A. Use the Logging API to write logs directly to BigQuery
B. Use a Dataflow pipeline to stream logs from Pub/Sub to BigQuery
C. Create a log sink with destination set to BigQuery dataset
D. Use the BigQuery Data Transfer Service for Cloud Logging
E. Use Cloud Monitoring to send logs to BigQuery
Answers: B, C

This is a valid alternative path for exporting logs to BigQuery.

Why this answer

Option B is correct because you can use a Dataflow pipeline to read Cloud Logging logs from a Pub/Sub topic (where logs are routed via a log sink) and stream them into BigQuery for real-time analysis. This is a common pattern for custom log processing and transformation before loading into BigQuery. Option C is correct because Cloud Logging allows you to create a log sink directly with a destination of a BigQuery dataset, which automatically exports logs in near real-time without additional infrastructure.

Exam trap

The PCD exam often tests the distinction between direct sink destinations (BigQuery, Pub/Sub, Cloud Storage) and indirect methods like Dataflow or custom code, leading candidates to mistakenly think the Logging API or BigQuery Data Transfer Service can be used for export.

549
MCQ medium

A development team is using Cloud Build to deploy containerized applications to GKE. They want to ensure that only containers that have passed security scans and unit tests are deployed to production. Which approach should they use?

A. Deploy to a staging cluster first, then manually promote to production using kubectl.
B. Use Cloud Build with a multi-step pipeline that includes test and security scan steps, and only promote to production after successful completion.
C. Use Cloud Deploy to automate delivery with approval gates.
D. Configure Cloud Build triggers to deploy directly to production on every push.
Answer: B

This ensures that only containers that pass all checks are deployed, maintaining quality and security.

Why this answer

Using a multi-step Cloud Build pipeline with test and security scan steps, and then promoting to production only after success, ensures only validated containers are deployed. Direct deployment to production on every push is risky. Manual promotion defeats automation.

Cloud Deploy adds unnecessary complexity for this simple requirement. Thus, option B is correct.

550
MCQ medium

A company runs a global stock trading platform that requires strong consistency across regions. They need to read the latest account balance after each trade. Which Cloud Spanner read mode should they use?

A. Strong reads
B. Read-only transactions with external consistency
C. Stale reads with bounded staleness of 10 seconds
D. Bounded staleness reads with max staleness of 1 second
Answer: A

Strong reads always return the most recent committed data with global consistency, required for financial transactions.

Why this answer

Strong reads provide the latest committed data with global consistency. Stale reads (bounded staleness) may return older data. External consistency is a Spanner property but not a read mode.

551
MCQ medium

A company is planning to migrate from Snowflake to BigQuery. They have existing complex SQL transformations using Snowflake-specific functions like LISTAGG and PIVOT. What is the best approach to handle these differences?

A. Use BigQuery Data Transfer Service to automatically convert Snowflake functions.
B. Keep Snowflake for complex queries and use BigQuery only for simple analytics.
C. Use Cloud Spanner as an intermediary to translate queries.
D. Rewrite the SQL queries to use BigQuery equivalent functions and syntax.
Answer: D

Manual or tool-assisted rewriting is necessary as there is no automatic conversion.

Why this answer

Snowflake and BigQuery have different SQL dialects. The best approach is to use a migration assessment tool to identify incompatible syntax, rewrite queries to BigQuery-compatible syntax (e.g., use STRING_AGG instead of LISTAGG), and test thoroughly. BigQuery does not support PIVOT natively; use conditional aggregation.

552
Multi-Select medium

A company is deploying a globally distributed user authentication service using Cloud Spanner. They need strong consistency for all reads and writes. Which two features should they use? (Choose two.)

Select 2 answers
A. Enable read-your-writes consistency
B. Use stale reads to reduce latency
C. Use strong reads (read timestamp = now)
D. Use mutations API with commit timestamps
E. Use bounded staleness reads
Answers: C, D

Strong reads return the latest committed data.

Why this answer

Strong reads (read timestamp = now) and mutations API with commit timestamp are used for strong consistency. Stale reads and bounded staleness are for weaker consistency. Read-write transactions also provide strong consistency, but the question asks for features.

The two correct answers are strong reads and using commit timestamps for writes.

553
MCQ medium

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A. Firestore
B. BigQuery
C. Cloud Bigtable
D. Cloud Spanner
Answer: C

Correct: wide-column NoSQL, designed for time-series/IoT, single-digit ms latency, millions of QPS.

Why this answer

Cloud Bigtable is designed for petabyte-scale, low-latency, high-throughput NoSQL storage for time-series, IoT, and financial data. It scales horizontally by adding nodes. BigQuery is for analytics (seconds-to-minutes latency), Cloud SQL for OLTP (limited throughput), Firestore for document data.

554
MCQ hard

A Cloud Spanner instance is experiencing high latency for global secondary index queries. The team notices that queries on the secondary index are performing full table scans instead of index scans. What is the most likely cause?

A. The index is a local index without the STORING clause
B. The Spanner instance is under-provisioned
C. The index is a global index without the STORING clause, causing index join
D. The index is defined on a composite key that is not selective
Answer: C

Global indexes require a join with the base table to retrieve columns not stored in the index, leading to scans.

Why this answer

In Cloud Spanner, secondary indexes can be local (interleaved with parent) or global (non-interleaved). If an index is defined as a global index, queries might still need to join with the base table unless the index includes all needed columns. Without the `STORING` clause, Spanner must fetch additional columns from the base table, causing the query to scan the base table.

555
MCQ hard

You are a site reliability engineer for a fintech company that runs a latency-sensitive trading application on Google Kubernetes Engine (GKE). The application is instrumented with OpenTelemetry and exports traces and metrics to Cloud Monitoring and Cloud Logging. Recently, the team observed a gradual increase in p99 latency from 50ms to 500ms over the past week, and error rates have spiked to 5% from a baseline of 0.1%. You review the Cloud Monitoring dashboards and notice that the 'container/cpu/utilization' metric shows normal usage, but the 'container/memory/bytes_used' metric shows a steady climb, reaching 90% of the memory limit on several pods. The application logs contain many 'OutOfMemoryError' exceptions and 'GC overhead limit exceeded' messages. You also see that the HPA (Horizontal Pod Autoscaler) has not triggered any scale-up events because the 'custom/googleapis.com|container/cpu/utilization' metric is below the target utilization threshold. The cluster autoscaler is enabled and has sufficient node pool capacity. What is the most likely root cause and the best immediate action to resolve the issue?

A. Enable the Vertical Pod Autoscaler (VPA) in update mode to automatically adjust memory requests.
B. Switch the HPA to use the default 'container/cpu/utilization' metric instead of the custom metric.
C. Increase the memory request and limit for the pods to allow more memory usage.
D. Add a custom metric for memory utilization to the HPA and configure the target to scale when memory exceeds 70%.
Answer: D

This allows the HPA to react to memory pressure, scaling out pods to distribute memory load and reduce OOM errors.

Why this answer

The gradual memory increase and OutOfMemoryError exceptions indicate that the application is memory-bound, not CPU-bound. Since the HPA is configured to scale only on CPU utilization, it never triggers scale-up despite memory pressure. Adding a custom memory utilization metric to the HPA (option D) directly addresses the root cause by scaling pods when memory exceeds 70%, preventing OOM errors and reducing latency.

Exam trap

The PCD exam often tests the misconception that CPU is the only metric for HPA scaling, or that increasing resource limits alone solves memory pressure, when in fact memory-bound applications require scaling based on memory utilization to avoid OOM and latency degradation.

How to eliminate wrong answers

Option A is wrong because the Vertical Pod Autoscaler (VPA) adjusts resource requests/limits but does not scale the number of pods; it also cannot be used with HPA on the same metric, and update mode may cause pod restarts. Option B is wrong because switching to the default CPU metric would not help; CPU utilization is already normal, so the HPA would still not scale. Option C is wrong because simply increasing memory requests/limits without scaling out does not resolve the underlying issue of insufficient total memory capacity; pods will still hit the new limit eventually, and it does not address the latency spike caused by GC overhead.

556
MCQ easy

To monitor Cloud SQL query performance, which metric should an engineer examine to see the rate of queries being executed?

A. database/disk/bytes_used
B. database/queries
C. database/memory/utilization
D. database/cpu/utilization
Answer: B

This metric shows query throughput.

Why this answer

The metric 'database/queries' tracks the number of queries executed per second. CPU/memory/disk utilization metrics are resource-oriented, not query-oriented.

557
Multi-Select medium

A company needs to run HTAP (hybrid transactional/analytical processing) workloads on PostgreSQL. They require 4x faster OLTP performance than standard PostgreSQL and the ability to run analytical queries directly on transactional data without ETL. Which TWO Google Cloud databases should they consider? (Choose two)

Select 2 answers
A. Cloud Spanner
B. Cloud SQL for PostgreSQL
C. AlloyDB with BigQuery Omni
D. AlloyDB
E. BigQuery
Answers: C, D

BigQuery Omni allows querying AlloyDB data, but AlloyDB alone provides HTAP. However, the combination is also valid. Since the question asks for databases, AlloyDB is the primary.

Why this answer

AlloyDB is designed for HTAP, with a columnar engine for fast analytics and 4x faster OLTP. Cloud SQL is not optimized for analytics. BigQuery is for analytics but not transactional.

Spanner is globally distributed but not specifically for HTAP.

558
Multi-Select hard

A company is using Cloud Monitoring to set up an SLO for a latency-sensitive API. They have defined a custom SLI: the proportion of requests with latency under 200ms. Which three components must they define to create a complete SLO configuration? (Choose three.)

Select 3 answers
A. A target (e.g., 99.9%)
B. An SLI definition with a good/bad time series
C. A burn rate alert policy
D. A metric threshold alert
E. A window of compliance (e.g., 30 days)
Answers: A, B, E

Correct: the desired success rate.

Why this answer

Option A is correct because a target (e.g., 99.9%) defines the desired proportion of good events over a compliance window, which is essential for an SLO. In Cloud Monitoring, the target is the threshold against which the SLI is measured to determine if the SLO is met.

Exam trap

The PCD exam often tests that candidates confuse optional alerting policies (burn rate alerts, metric threshold alerts) with the mandatory components of an SLO configuration, which are strictly the SLI, target, and compliance window.

559
MCQ easy

A developer needs to store session state for a user in a cloud-native application. Which storage solution is most appropriate?

A. Cloud SQL
B. Memorystore
C. Cloud Storage
D. Bigtable
Answer: B

Memorystore provides fast, in-memory caching for session data.

Why this answer

Memorystore (Redis) is the most appropriate solution for storing session state in a cloud-native application because it provides an in-memory data store with sub-millisecond latency, which is critical for fast session reads and writes. Session state is ephemeral, key-value data that requires high throughput and low latency, and Memorystore supports features like TTL (time-to-live) for automatic session expiration and persistence options for durability. This aligns with the cloud-native principle of stateless application tiers offloading state to a managed caching layer.

Exam trap

The PCD exam often tests the misconception that any managed database (like Cloud SQL or Bigtable) can handle session state, but the trap is that session state requires in-memory speed and automatic expiration, which only a caching solution like Memorystore provides, not disk-based or analytical databases.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a relational database designed for structured, transactional data with ACID compliance, not for high-speed ephemeral session state; its disk-based storage and connection overhead introduce latency unsuitable for frequent session lookups. Option C is wrong because Cloud Storage is an object store for blobs and files, not a low-latency key-value store; it lacks the sub-millisecond read/write performance and TTL-based expiration needed for session management. Option D is wrong because Bigtable is a wide-column NoSQL database optimized for analytical workloads with high throughput on large datasets, not for small, transient session records; its design for batch and streaming analytics makes it overkill and inefficient for per-request session operations.

560
Multi-Select hard

An engineer is designing a disaster recovery plan for a production AlloyDB cluster. The primary cluster is in us-central1. They need a cross-region replica that can be promoted to primary in the event of a regional failure. The replica should also be able to handle read traffic in the secondary region. Which THREE steps should they take? (Choose 3.)

Select 3 answers
A. Promote the secondary cluster to primary during a disaster.
B. Configure an instance-level read pool in the secondary cluster.
C. Enable AlloyDB Omni on the secondary cluster.
D. Create a secondary cluster in us-west1 using cross-region replication from the primary cluster.
E. Add a read pool to the secondary cluster to handle read traffic.
Answers: A, D, E

Promotion is the standard DR procedure for cross-region replication.

Why this answer

AlloyDB cross-region replication is achieved by creating a secondary cluster in another region with an external read pool. The secondary cluster can be promoted for failover. Instance-level read pool does not exist; read pools are cluster-level.

AlloyDB Omni is for on-premises, not cross-region replication.

561
MCQ hard

A company is migrating from MySQL 5.7 to Cloud SQL for MySQL 8.0. After migration, a legacy application that uses the 'GROUP BY' clause with implicit sorting stops working correctly. What is the most likely cause?

A. MySQL 8.0 changed the default collation, affecting string comparison.
B. MySQL 8.0 no longer supports the 'GROUP BY' clause.
C. The 'ONLY_FULL_GROUP_BY' SQL mode is enabled by default.
D. MySQL 8.0 removed the implicit sorting of GROUP BY results.
Answer: D

MySQL 8.0 no longer sorts GROUP BY results implicitly; an ORDER BY clause must be added to guarantee sort order.

Why this answer

MySQL 8.0 removed the implicit sorting of GROUP BY that was present in MySQL 5.7. Applications relying on this behavior must explicitly use ORDER BY to guarantee sort order.

562
Multi-Select easy

A company deploys a microservice on Cloud Run and wants to minimize cold starts during traffic spikes. Which two steps should they take? (Select exactly 2.)

Select 2 answers
A. Enable CPU always allocated
B. Use Cloud CDN
C. Set max_instances to a high value
D. Set concurrency to 1
E. Set min_instances to a value greater than 0
Answers: A, E

CPU always allocated ensures instances are active and ready to serve requests immediately.

Why this answer

Enabling CPU always allocated (option A) prevents the CPU from being throttled when the container is not handling requests, which reduces cold start latency because the runtime environment remains warm and ready to process incoming traffic immediately. This is particularly effective for minimizing cold starts during traffic spikes because the container's CPU is always active, eliminating the need to spin up resources from a cold state.

Exam trap

The PCD exam often tests the distinction between scaling limits (max_instances) and proactive instance provisioning (min_instances), so the trap here is that candidates mistakenly think setting a high max_instances prevents cold starts, when in fact it only caps the maximum scale and does nothing to keep instances warm.

563
Multi-Select hard

A company has a multi-module repository. They want to build only the modules that have changes. Which two features can they combine to achieve this? (Choose 2)

Select 2 answers
A. Cloud Build queue
B. Build scripts that detect changes
C. Cloud Build substitutions
D. Cloud Build triggers with filepath filters
E. Cloud Source Repositories mirror
Answers: B, D

A build step can run a script (e.g., `git diff`) to identify changed modules and conditionally execute subsequent steps.

Why this answer

Option B is correct because build scripts can be written to compare the current commit hash against the previous build's commit hash, or use git diff to detect which files have changed, and then conditionally execute build steps only for the affected modules. This approach gives fine-grained control over the build process and can be integrated into any CI/CD pipeline.

Exam trap

The PCD exam often tests the distinction between features that trigger builds (like triggers with filepath filters) and features that manage build execution or configuration (like substitutions or queues), leading candidates to mistakenly select options that sound related but do not actually detect changes.

564
MCQ medium

A company needs to run analytics on their Cloud SQL database without affecting OLTP performance. They want to use a read replica. What is the BEST practice?

A. Run analytics directly on the primary instance
B. Export the data to BigQuery periodically
C. Create a read replica in the same or different region and route analytics queries to it
D. Use Cloud SQL's HA instance for analytics
Answer: C

Read replicas allow offloading read queries without affecting the primary.

Why this answer

Using a cross-region read replica can offload analytics queries without impacting the primary instance, but for read scalability within a region, an in-region replica works too.

565
MCQ medium

An e-commerce company is migrating its on-premises MySQL database to Cloud SQL. They require synchronous replication to a standby instance in the same region for automatic failover with zero RPO. Which Cloud SQL configuration should they use?

A. Use Cloud Spanner instead, as it provides built-in HA across regions
B. Deploy two standalone Cloud SQL instances and configure MySQL native replication between them
C. Create a Cloud SQL for MySQL HA instance in the chosen region
D. Create a Cloud SQL for MySQL instance with a read replica in a different region
Answer: C

HA instances use synchronous replication to a standby in a different zone within the region, ensuring automatic failover and 0 RPO.

Why this answer

Cloud SQL HA instances use synchronous replication to a standby in a different zone within the same region, providing automatic failover and 0 RPO.

566
MCQ hard

A team is using Cloud Build to build a Go application. They want to cache Go module dependencies across builds to speed up builds. Which configuration should they add to cloudbuild.yaml?

A. Use a custom builder that pre-installs dependencies
B. Set up a bucket for caching and use substitutions
C. Use a Kaniko cache with a remote repository
D. Use Cloud Build's built-in caching feature by specifying a volume
Answer: D

Specifying a volume (e.g., `volumes: [{name: 'go-mod', path: '/go/pkg/mod'}]`) persists the directory across build steps and triggers, avoiding re-downloads.

Why this answer

Cloud Build provides a built-in caching feature that allows you to persist directories across build steps by specifying a volume in the `cloudbuild.yaml` configuration. By mounting a volume (e.g., `/go/pkg/mod`) and using the `cache` option, the Go module cache is retained between builds, significantly reducing dependency download time. This approach is native to Cloud Build and requires no external services or custom builders.

Exam trap

The PCD exam often tests the distinction between container image caching (Kaniko) and application dependency caching (Cloud Build volumes), leading candidates to confuse the purpose of Kaniko cache with the need for dependency caching.

How to eliminate wrong answers

Option A is wrong because using a custom builder that pre-installs dependencies does not leverage Cloud Build's native caching mechanism; it only shifts the dependency installation to a custom image, which still requires rebuilding the image for each dependency change and does not persist the cache across separate builds. Option B is wrong because setting up a bucket for caching and using substitutions is not a built-in Cloud Build feature for caching dependencies; while Cloud Storage can be used for artifact storage, it requires manual scripting to upload/download the cache and does not integrate with Cloud Build's volume-based caching. Option C is wrong because Kaniko cache with a remote repository is designed for caching container image layers, not for caching Go module dependencies; Kaniko is a tool for building container images, and its cache stores intermediate layers, not application-level dependency caches like Go modules.

567
MCQ medium

A company needs to migrate a self-managed PostgreSQL database (version 12) to Cloud SQL for PostgreSQL with minimal downtime. They plan to use Database Migration Service (DMS). What is the correct set of steps?

A. Create a DMS connection profile for the source; create a migration job with 'Full dump + CDC'; configure source for logical replication; promote destination when ready.
B. Create a DMS connection profile for the source; create a migration job with 'Full dump' only; promote the destination after dump completes.
C. Create a DMS connection profile for the source; set up Cloud SQL for PostgreSQL; use pg_dump and pg_restore manually.
D. Create a DMS connection profile for the source; create a migration job with 'CDC' only; no initial dump is needed.
Answer: A

DMS continuous migration uses full dump then CDC (logical replication) to keep source and destination in sync with minimal downtime.

568
Multi-Select medium

An organization is migrating a critical application to Google Cloud and needs to ensure high availability and disaster recovery. The application runs on Compute Engine and uses a stateful database. Which three design choices should they make? (Choose three.)

Select 3 answers
A. Use managed instance groups distributed across multiple zones.
B. Use regional persistent disks for the database.
C. Use a global load balancer to route traffic to the closest healthy region.
D. Use preemptible VMs to reduce costs for the database layer.
E. Deploy all instances in a single zone and use snapshots for backup.
Answers: A, B, C

MIGs across zones provide auto-healing and high availability.

Why this answer

Option A is correct because managed instance groups (MIGs) distributed across multiple zones provide automatic failover and self-healing for the Compute Engine instances. If a zone fails, the MIG automatically recreates instances in healthy zones, ensuring high availability for the application layer. This aligns with Google Cloud's best practices for regional resilience.

Exam trap

The PCD exam often tests the misconception that cost-saving measures like preemptible VMs can be applied to stateful workloads, but the trap here is that preemptible VMs are not guaranteed to run and thus cannot support a stateful database requiring persistent uptime and data integrity.

569
MCQ hard

A company is deploying a microservices architecture on GKE. They need to expose a set of related microservices under a single external IP address with path-based routing. Which Kubernetes resource should they use?

A. Service of type NodePort
B. NetworkPolicy
C. Service of type LoadBalancer
D. Ingress resource
Answer: D

Ingress provides path-based routing to multiple Services under one IP.

Why this answer

An Ingress resource is the correct choice because it provides HTTP/HTTPS layer-7 routing to expose multiple services under a single external IP address, using path-based or host-based rules. This directly meets the requirement of exposing a set of related microservices with path-based routing on GKE, whereas a Service of type LoadBalancer would create a separate external IP per service.

Exam trap

The trap here is that candidates often confuse a Service of type LoadBalancer with the ability to do path-based routing, but LoadBalancer only provides layer-4 TCP/UDP load balancing with a single external IP per service, not layer-7 path-based routing.

How to eliminate wrong answers

Option A is wrong because a Service of type NodePort exposes each service on a high-port on every node's IP, requiring clients to know the node IP and port, and does not provide a single external IP or path-based routing. Option B is wrong because a NetworkPolicy is a firewall rule that controls ingress and egress traffic between pods, not a mechanism for exposing services externally or routing traffic. Option C is wrong because a Service of type LoadBalancer provisions a separate external load balancer (and thus a separate external IP) for each service, failing the requirement to expose multiple services under a single IP with path-based routing.

570
Multi-Select medium

A financial services company is migrating from Oracle to Cloud SQL for PostgreSQL. They need to ensure data consistency during the migration and minimize downtime. Which two actions should they take? (Choose 2)

Select 2 answers
A. Manually convert the Oracle schema to PostgreSQL using DDL statements.
B. Use DMS preview job to test migration before executing the full job.
C. Use Database Migration Service with continuous migration (CDC) to replicate ongoing changes.
D. Perform a full export using Oracle Data Pump and import directly into Cloud SQL.
E. Create connection profiles for both source and target databases in DMS.
Answers: C, E

CDC ensures near-zero downtime by replicating changes after the initial dump.

Why this answer

DMS continuous migration with CDC ensures minimal downtime by replicating changes. Connection profiles are necessary to configure source and target. Testing with DMS preview jobs is not a standard feature; DMS provides test jobs.

Manual schema conversion is not recommended; use Ora2Pg.

571
MCQ hard

A retail company processes customer orders through a pipeline. New orders are written to a Cloud Storage bucket as JSON files. A Cloud Function (currently triggered directly by Cloud Storage finalize events) parses the order and sends it to a third-party fulfillment service via an HTTP POST. As order volume grows, the team observes that the Cloud Function often times out (60s default) because the fulfillment service is slow. The team wants to decouple the processing to improve reliability. The order must be attempted at least once, and if the fulfillment service fails, retries should be exponential with a maximum of 5 attempts. Which solution should the team implement?

A. Use Cloud Tasks to create a queue that targets the Cloud Function. Configure the queue with exponential backoff and max retries of 5. Set the Cloud Function trigger to be HTTP instead of Cloud Storage.
B. Keep the Cloud Storage trigger, but increase the Cloud Function timeout to 540 seconds and add retry logic in the function code.
C. Use Pub/Sub notifications from Cloud Storage to a Pub/Sub topic, with a subscription that pushes to the Cloud Function. Enable dead letter topics for failed deliveries.
D. Replace the Cloud Function with a Cloud Run job that polls Cloud Storage for new files and sends orders to the fulfillment service. Use Cloud Scheduler to run the job every 5 minutes.
Answer: A

Cloud Tasks provides configurable retries, decouples the processing, and ensures at-least-once delivery. The HTTP-triggered function processes tasks from the queue.

Why this answer

Option A is correct because Cloud Tasks provides the exact retry semantics required (exponential backoff, max attempts) and decouples the HTTP call from the Cloud Function. Option B is flawed because increasing the timeout does not provide retries and 540s is still not infinite. Option D introduces polling, which is inefficient and not real-time.

Option C uses Pub/Sub push, but Pub/Sub's retry is not as configurable and lacks max attempts without a dead letter queue; Cloud Tasks is the appropriate service for HTTP-targeted retry logic.

572
MCQeasy

A company uses Cloud Spanner for its global transactional database and needs to create a consistent backup that can be restored to a different region. What is the recommended approach?

A.Use the Cloud Console to take a managed backup of the Spanner instance
B.Create a read replica in the target region and promote it
C.Export the Spanner database to Avro files in Cloud Storage using gcloud spanner databases export
D.Use Cloud Spanner's incremental backup feature to capture daily changes
AnswerC

The export command creates a consistent snapshot as Avro files in GCS, which can be imported into another instance.

Why this answer

Option C is correct because exporting a Cloud Spanner database to Avro files in Cloud Storage using the gcloud spanner databases export command creates a full, consistent snapshot that can be restored to any region. This approach ensures transactional consistency across all tables and supports cross-region restoration, which is required when the backup must be available in a different region than the source.

Exam trap

Cisco often tests the misconception that managed backups or read replicas can be used for cross-region restoration, but Cloud Spanner requires explicit export/import to move backups between regions.

How to eliminate wrong answers

Option A is wrong because Cloud Console managed backups are regionally scoped and cannot be directly restored to a different region; they are tied to the instance's regional or multi-regional configuration. Option B is wrong because Cloud Spanner does not support read replicas that can be promoted to a primary instance; Spanner uses a single writable instance with built-in replication, not a replica promotion model. Option D is wrong because Cloud Spanner does not have an incremental backup feature; backups are always full consistent snapshots, and incremental backups are not supported.

573
Multi-Selectmedium

An organization needs to secure Cloud SQL for MySQL instances. Which two measures should they implement to restrict network access? (Choose TWO.)

Select 2 answers
A.Enable SSL enforcement (require_ssl flag)
B.Use IAM database authentication
C.Assign a public IP and configure authorized networks
D.Disable automatic storage increase
E.Use Private IP (VPC-only connectivity)
AnswersA, E

SSL enforcement ensures encrypted connections and is a security measure.

Why this answer

Using Private IP restricts access to the VPC network, and enabling the 'require_ssl' flag ensures encrypted connections. IAM authentication controls user access but does not restrict network access. Public IP with authorized networks allows network access from authorized IP addresses but is still public.

VPC Service Controls can restrict access, but the option is not listed; Private IP is the correct VPC-centric method.

574
MCQhard

A company is migrating a PostgreSQL application to AlloyDB for improved OLTP performance and the ability to run analytical queries on the same data. Which feature of AlloyDB BEST supports this hybrid HTAP workload?

A.In-database ML inference
B.Cross-region replication
C.Columnar engine
D.Automatic storage scaling
AnswerC

The columnar engine accelerates analytical queries on transactional data, enabling HTAP.

Why this answer

AlloyDB's columnar engine is specifically designed to accelerate analytical queries by storing data in a column-oriented format, which allows for faster scans and aggregations on large datasets. This enables the same database to handle both OLTP (row-oriented) and OLAP (column-oriented) workloads without requiring a separate analytics system, directly supporting the hybrid HTAP requirement described in the question.

Exam trap

Cisco often tests the misconception that automatic storage scaling or replication features can address performance for mixed workloads, when in fact the columnar engine is the dedicated HTAP enabler in AlloyDB.

How to eliminate wrong answers

Option A is wrong because in-database ML inference is a feature for running machine learning models within the database, not a mechanism for improving analytical query performance on transactional data. Option B is wrong because cross-region replication is a disaster recovery and high availability feature that replicates data to another region, not a performance optimization for HTAP workloads. Option D is wrong because automatic storage scaling handles capacity management by adding storage as needed, but it does not change the storage format or query execution engine to support analytical queries.

575
MCQmedium

You are deploying a Cassandra database on GKE. Which resource type should you use to ensure stable network identities and persistent storage per pod?

A.Job with persistent disk
B.Deployment with persistent volume claims
C.StatefulSet with volumeClaimTemplates
D.DaemonSet with hostPath volumes
AnswerC

Provides stable identities and persistent storage.

Why this answer

StatefulSet is the correct resource because it provides stable, unique network identities (via headless Service and ordinal pod names) and persistent storage per pod through volumeClaimTemplates, which dynamically create PersistentVolumeClaims for each replica. This is essential for Cassandra, which requires stable node identities and dedicated storage to maintain cluster state and data consistency.

Exam trap

The PCD exam often tests the misconception that Deployments can handle stateful workloads by attaching PersistentVolumeClaims, but the trap is that Deployments lack stable network identities and per-pod storage binding, which are required for databases like Cassandra to maintain cluster membership and data integrity.

How to eliminate wrong answers

Option A is wrong because a Job is designed for batch processing tasks that run to completion, not for long-running stateful applications like Cassandra, and it does not provide stable network identities or persistent storage per pod. Option B is wrong because a Deployment provides replicas with ephemeral identities (random pod names) and shared PersistentVolumeClaims, which cannot guarantee stable network identities or dedicated storage per pod, leading to data conflicts and cluster instability for Cassandra. Option D is wrong because a DaemonSet runs one pod per node, which does not provide stable per-pod identities or dedicated persistent storage; hostPath volumes tie data to a specific node, causing data loss if the pod is rescheduled to a different node, and they lack the dynamic provisioning needed for Cassandra.

576
Multi-Selectmedium

Which TWO statements are true about Cloud Functions? (Choose two.)

Select 2 answers
A.Cloud Functions automatically scale based on the number of incoming events
B.Cloud Functions require you to provide a container image from Container Registry
C.Cloud Functions are stateless by design
D.Cloud Functions can only be triggered by HTTP requests
E.Cloud Functions have a maximum execution timeout of 9 minutes for all runtimes
AnswersA, C

Cloud Functions scale out to handle multiple events concurrently.

Why this answer

Cloud Functions automatically scale horizontally based on the number of incoming events, such as HTTP requests or Pub/Sub messages. The platform handles this scaling transparently, spinning up new function instances as needed to handle concurrent invocations, and scaling down to zero when idle. This is a key serverless characteristic that eliminates the need for manual capacity planning.

Exam trap

The PCD exam often tests the misconception that Cloud Functions are limited to HTTP triggers or that the 9-minute timeout applies to all runtimes and trigger types, when in fact event-driven functions have a significantly longer timeout and multiple trigger options exist.

577
MCQhard

A company is migrating a critical on-premises PostgreSQL database to Cloud SQL. They need to test the migration with production data shape without affecting the source. What is the recommended testing strategy?

A.Run shadow writes from the application to both source and Cloud SQL concurrently.
B.Export the production data using pg_dump and import into a test Cloud SQL instance.
C.Use Cloud SQL's clone feature to create a copy of the source after migration.
D.Use Database Migration Service to set up a continuous migration job and perform a dry run cutover.
AnswerD

DMS allows creating a migration job that can be stopped before cutover; this provides a replica with continuous sync for testing.

Why this answer

To test migration with production data shape, one approach is to take a snapshot of the source, restore it in a test environment, and then perform the migration to Cloud SQL. Alternatively, use shadow writes (dual-writes) to both old and new DBs in a test environment. Comparing query results and load testing are also part of validation.

578
MCQmedium

A team is deploying a containerized application to Cloud Run. The application needs to process large files (up to 500 MB) uploaded by users. Which storage approach should they use to avoid Cloud Run's request size limit?

A.Upload files directly to Cloud Run
B.Mount a Cloud Filestore volume
C.Use Cloud Functions as a proxy for uploads
D.Use signed URLs to upload to Cloud Storage
AnswerD

Signed URLs enable direct client-to-Cloud Storage uploads, bypassing Cloud Run's request size limit.

Why this answer

Cloud Run has a default request size limit of 32 MB, which is far below the 500 MB files the application needs to process. Using signed URLs allows users to upload files directly to Cloud Storage, bypassing Cloud Run entirely. This approach avoids the request size limit and offloads the storage and retrieval of large files to a scalable, managed service.

Exam trap

The PCD exam often tests the misconception that Cloud Run can handle large request payloads by scaling, but the actual trap is that Cloud Run's request size is hard-limited to 32 MB, and candidates may overlook the need to offload uploads to a dedicated storage service like Cloud Storage.

How to eliminate wrong answers

Option A is wrong because Cloud Run enforces a 32 MB request size limit (configurable up to 32 MB), so uploading files directly to the container would fail for files up to 500 MB. Option B is wrong because Cloud Filestore is a network file system for GCE and GKE, not supported as a mounted volume in Cloud Run; Cloud Run only supports mounting Cloud Storage buckets via FUSE or NFS-like volumes. Option C is wrong because Cloud Functions also has a request size limit (10 MB for HTTP triggers), so using it as a proxy would still be constrained and adds unnecessary latency and complexity without solving the size limitation.

579
MCQeasy

A company runs a web application on Google Kubernetes Engine (GKE) that uses Cloud SQL for its database. The application is deployed via Cloud Build and uses a custom container image stored in Artifact Registry. Recently, the development team noticed that new deployments are failing with a 'CrashLoopBackOff' error in the pod logs. The logs indicate that the application cannot connect to the Cloud SQL instance. The application uses the Cloud SQL Proxy sidecar container to connect. The Cloud SQL Proxy configuration has not changed recently. The GKE cluster is in region us-central1, and the Cloud SQL instance is in us-central1 as well. The team verified that the Cloud SQL instance is running and accepting connections from authorized networks. They also confirmed that the service account used by the pod has the 'Cloud SQL Client' role. The application had been running stably for months until a recent GKE cluster upgrade. The deployment YAML uses environment variables for database connection. The Cloud SQL Proxy is deployed as a sidecar container with command: '/cloud_sql_proxy -instances=<instance-connection-name>=tcp:5432'. The pod logs show the proxy attempting to connect but timing out. The network team confirms that there are no firewall rules blocking the connection. The Cloud SQL instance has an authorized network entry for the GKE cluster's nodes' IP range. What is the most likely cause of the connection failure?

A.The Cloud SQL Proxy container is using an outdated version that is incompatible with the current Cloud SQL API.
B.The application is using a wrong database password in the connection string.
C.The pod's namespace does not have the Cloud SQL Proxy configuration correctly set up.
D.The Cloud SQL instance is configured with a private IP and the GKE cluster is VPC-native but the Cloud SQL Proxy is configured to connect via public IP.
AnswerD

The proxy defaults to public IP; with a private IP instance and no public IP, connection times out.

Why this answer

Option D is correct because the Cloud SQL Proxy sidecar is configured to connect via public IP (using the instance connection name without the `-private-ip` flag), but the Cloud SQL instance is configured with a private IP. Since the GKE cluster is VPC-native, the pod can reach the private IP within the VPC, but the proxy is attempting a public IP connection, which fails because the instance's authorized networks only include the GKE nodes' IP range (public IPs of nodes), not the pod's private IP range. The recent GKE cluster upgrade may have changed the node's public IP or networking configuration, exacerbating the mismatch.

Exam trap

The PCD exam often tests the distinction between public and private IP connectivity for Cloud SQL Proxy, where candidates assume the proxy automatically uses the correct IP based on the instance configuration, but it requires an explicit flag to use private IP.

How to eliminate wrong answers

Option A is wrong because the Cloud SQL Proxy version compatibility with the Cloud SQL API is not a common cause of timeout errors; the proxy uses the same SQL protocol and API version regardless of minor version changes. Option B is wrong because the error is a connection timeout, not an authentication failure; a wrong password would result in an 'access denied' error, not a timeout. Option C is wrong because the Cloud SQL Proxy configuration is defined in the pod spec, not at the namespace level; the proxy's command-line arguments are set in the container definition, and the namespace does not affect proxy connectivity.

580
MCQmedium

A team wants to monitor custom application metrics from a Compute Engine instance. They use the Cloud Monitoring agent. Which metric type should they use to report a gauge measurement like current memory usage?

A.histogram
B.delta
C.cumulative
D.gauge
AnswerD

Gauge metric type reports instantaneous values.

Why this answer

Option D is correct because a gauge metric type is specifically designed to report a value that can arbitrarily increase or decrease over time, such as current memory usage. The Cloud Monitoring agent supports gauge metrics for point-in-time measurements, and they are reported as a single data point without any aggregation window, making them ideal for snapshot-like observations.

Exam trap

Google Cloud often tests the distinction between metric types by presenting a scenario where a value can go up or down, and candidates mistakenly choose cumulative because they associate it with 'total usage' over time, forgetting that cumulative metrics must be monotonically increasing.

How to eliminate wrong answers

Option A is wrong because histogram metrics are used to capture the distribution of values over a time window (e.g., request latency percentiles), not a single instantaneous value like current memory usage. Option B is wrong because delta metrics represent the change in a value between two time points (e.g., requests per second), but current memory usage is not a rate or difference; it is an absolute snapshot. Option C is wrong because cumulative metrics monotonically increase over time (e.g., total bytes sent), and memory usage can decrease, which violates the monotonic property required for cumulative metrics.

581
MCQmedium

A company is migrating an on-premises Oracle database to Cloud SQL for PostgreSQL. They require a deployment that supports up to 30,000 transactions per second (TPS) and provides automatic storage scaling. Which instance configuration should they choose?

A.Standard machine type with HDD and storage auto-increase enabled
B.High-memory machine type with SSD and storage auto-increase enabled
C.Custom machine type with 4 vCPUs and 15 GB memory, SSD, and storage auto-increase enabled
D.Lightweight machine type with SSD and storage auto-increase disabled
AnswerB

High-memory instances provide more memory per core, improving performance for PostgreSQL. SSD ensures low latency, and storage auto-increase prevents out-of-disk issues.

Why this answer

Cloud SQL supports storage auto-increase regardless of machine type. For high TPS, a high-memory machine type (e.g., highmem) provides more memory per CPU, which can improve performance for database workloads. SSD is required for consistent performance.

HDD is not recommended for production.

582
MCQmedium

A Cloud Spanner query that uses a secondary index is taking longer than expected. The index includes a large payload column. How can the query performance be improved?

A.Use a composite key instead of an index
B.Change the index to a global index
C.Remove the index and use a full table scan
D.Add the payload column to the index using the STORING clause
AnswerD

STORING clause stores the column in the index, avoiding a join to the base table.

Why this answer

Using the STORING clause in a secondary index stores the specified columns in the index, allowing queries to be satisfied from the index alone without a join back to the base table. This reduces read latency.

583
MCQmedium

A company is migrating an on-premises MySQL database to Cloud SQL. They want to minimize downtime and ensure data consistency using a one-time migration. Which approach should they use?

A.Set up a Cloud SQL replica and promote it
B.Use BigQuery Data Transfer Service
C.Create a Cloud SQL instance and use Database Migration Service with continuous replication
D.Export the database using mysqldump and import into Cloud SQL
AnswerC

DMS replicates data with minimal downtime and ensures consistency.

Why this answer

Database Migration Service (DMS) supports one-time migration with continuous replication until cutover, minimizing downtime.

584
MCQmedium

An organization is migrating a large Oracle database to Cloud Spanner using Database Migration Service. They need to convert stored procedures and functions from PL/SQL to Spanner's SQL dialect. What is the best approach?

A.Use Ora2Pg to convert PL/SQL to PL/pgSQL and deploy to Cloud Spanner.
B.Migrate the PL/SQL code as-is; Cloud Spanner supports Oracle PL/SQL.
C.Manually rewrite PL/SQL as Spanner stored procedures.
D.Refactor the application to handle business logic outside the database using client libraries.
AnswerD

Since Spanner does not support stored procedures, the best practice is to move the logic to the application layer.

Why this answer

Spanner does not support stored procedures; the recommended approach is to migrate business logic to the application layer using client libraries, which provides better scalability and maintainability.

585
MCQhard

A company has a monorepo with multiple services. They want to only build and test the services that have changed in a given commit. Which Cloud Build feature should they use?

A.Build triggers with filepath filters
B.Use a custom builder image
C.Build triggers with branch filters
D.Use Cloud Build substitutions
AnswerA

Filepath filters (included_files/ignored_files) limit the trigger to specific paths, enabling per-service builds.

Why this answer

Cloud Build triggers with filepath filters allow you to specify glob patterns that match changed files in a commit. When a commit includes changes only to files matching the filter, the trigger runs; otherwise, it is skipped. This enables selective building and testing of only the services that have changed in a monorepo, avoiding unnecessary builds for unaffected services.

Exam trap

Cisco often tests the distinction between filepath filters (which conditionally trigger builds based on changed files) and branch filters (which trigger builds based on branch names), leading candidates to mistakenly choose branch filters when the requirement is to build only changed services.

How to eliminate wrong answers

Option B is wrong because a custom builder image customizes the build environment (e.g., pre-installed tools) but does not provide any mechanism to conditionally trigger builds based on which files changed. Option C is wrong because branch filters trigger builds on specific branches (e.g., main or feature branches) regardless of which files changed, so they cannot restrict builds to only changed services. Option D is wrong because Cloud Build substitutions are user-defined variables that can be passed into build steps, but they do not control trigger conditions or filter builds based on file changes.

586
MCQeasy

A company is migrating an on-premises MySQL 5.7 database to Cloud SQL for MySQL 8.0. The database includes MyISAM tables. What is the required action for these tables?

A.Use a MySQL 5.7 compatible Cloud SQL instance
B.Keep MyISAM tables as is
C.Migrate to Cloud Spanner instead
D.Convert MyISAM tables to InnoDB
AnswerD

Cloud SQL requires InnoDB; MyISAM is not supported.

Why this answer

Cloud SQL for MySQL 8.0 does not support MyISAM as the default storage engine; MyISAM tables must be converted to InnoDB. InnoDB provides ACID compliance, row-level locking, and crash recovery.

587
MCQmedium

A developer deploys a service on Cloud Run with a concurrency setting of 1. The service makes external API calls. Under heavy load, the service starts returning 503 errors. What is the most likely cause?

A.The container image is too large.
B.The Cloud Run service is hitting the maximum number of requests per second limit.
C.The API endpoint rate limits the requests.
D.Instance concurrency is too low causing request queuing and timeout.
AnswerD

Low concurrency forces many instances, potentially hitting max instances and causing 503s.

Why this answer

With concurrency set to 1, each Cloud Run instance can handle only one request at a time. Under heavy load, new requests must wait for an available instance, and if the queue wait time exceeds the request timeout (default 5 minutes, max 60 minutes), the requests are dropped with a 503 HTTP status. This is the most direct cause of the 503 errors, as the service cannot scale fast enough or the queue depth exceeds limits.

Exam trap

Cisco often tests the misconception that 503 errors are always caused by external dependencies or rate limits, when in fact they can stem from internal Cloud Run configuration like concurrency and request queuing timeouts.

How to eliminate wrong answers

Option A is wrong because container image size affects cold start latency but does not directly cause 503 errors under load; large images may increase startup time but not request queuing. Option B is wrong because Cloud Run does not have a hard 'maximum requests per second' limit; it scales instances based on concurrency and CPU utilization, and 503s from request rate limits are not a native Cloud Run behavior. Option C is wrong because the external API rate limiting would cause errors from that API (e.g., 429 or 503 from the API), not from the Cloud Run service itself; the question states the service returns 503, implying the issue is within the Cloud Run deployment.

588
MCQmedium

You are deploying a Node.js application on Cloud Run. The container image is stored in Artifact Registry. After deploying with gcloud run deploy, the revision fails with 'Container failed to start. Failed to start and then listen on the port defined by the PORT environment variable.' The application listens on port 8080 by default. The Dockerfile uses EXPOSE 8080. The Cloud Run service is configured with container port 8080. You have verified that the container starts locally using docker run -p 8080:8080. What is the most likely cause of the startup failure?

A.The application is hardcoded to listen on port 8080 but the Cloud Run environment variable PORT may override it to a different value.
B.The application is trying to bind to a privileged port.
C.The Cloud Run service is configured with container port 443 by default.
D.The container does not have a proper HEALTHCHECK instruction.
AnswerA

Cloud Run sets the PORT variable; the app must read it.

Why this answer

Option A is correct because Cloud Run sets the PORT environment variable to 8080 by default, but if the application is hardcoded to listen on 8080 instead of reading PORT, it may fail if the variable is not set or incorrect. Option B is wrong because the DEFAULT port variable is not used. Option C is wrong because the container port is set correctly.

Option D is wrong because port 8080 is not privileged.

589
MCQhard

A company is migrating from Oracle to Cloud SQL for PostgreSQL. They have a stored procedure that uses Oracle's DBMS_OUTPUT.PUT_LINE for logging. How should they convert this to PostgreSQL?

A.Use RAISE EXCEPTION to output messages.
B.Use dbms_output package (installed via extension) to convert.
C.Use DBMS_OUTPUT.PUT_LINE as is; PostgreSQL supports it via the orafce extension.
D.Use RAISE NOTICE to output messages.
AnswerD

RAISE NOTICE is the PostgreSQL equivalent of DBMS_OUTPUT.PUT_LINE for logging.

Why this answer

PostgreSQL does not have DBMS_OUTPUT. The equivalent is RAISE NOTICE, which sends messages to the client. Alternatively, they can log to a table using INSERT.

RAISE is the most direct replacement. RAISE EXCEPTION is for errors, and dbms_output is not available.

590
MCQmedium

A company is migrating a MySQL database with MyISAM tables to Cloud SQL for MySQL. They want to ensure the target database uses InnoDB for better transactional support and crash recovery. What should they do?

A.Run ALTER TABLE table_name ENGINE=InnoDB on each MyISAM table before migration.
B.Set the default_storage_engine flag to InnoDB on the source MySQL instance.
C.Enable the skip_myisam flag in Cloud SQL to automatically convert MyISAM to InnoDB.
D.Use mysqldump with the --compatible=innodb option.
AnswerA

This converts the table storage engine to InnoDB on the source, ensuring the dump/import uses InnoDB.

Why this answer

MyISAM tables must be converted to InnoDB before or during migration. The ALTER TABLE statement is the standard way to change the storage engine in MySQL.

591
MCQhard

A company uses Cloud SQL for PostgreSQL as its primary database. They want to query this data from BigQuery for analytics without moving the data. They also need to ensure that BigQuery queries see the most recent data (within seconds of changes). Which approach is most suitable?

A.Create a Cloud Function that queries Cloud SQL every 5 seconds and writes results to BigQuery.
B.Use BigQuery federated queries to create an external table connected to Cloud SQL.
C.Use a scheduled query in BigQuery that exports Cloud SQL data to Cloud Storage and loads into BigQuery.
D.Set up Datastream to continuously replicate data from Cloud SQL to BigQuery, then query BigQuery tables.
AnswerD

Datastream provides near real-time CDC replication to BigQuery, ensuring data freshness within seconds.

Why this answer

BigQuery federated queries via external tables can directly query Cloud SQL without data movement. However, for near real-time freshness, the best approach is to use Datastream to replicate changes from Cloud SQL to BigQuery in near real-time. Federated queries alone have higher latency (minutes) and are not suitable for sub-second freshness.

592
MCQeasy

A company is designing a cloud-native application on Google Cloud that requires low-latency access to a global user base. The application serves static content and dynamic APIs. Which strategy best minimizes latency while maintaining high availability?

A.Deploy the application in a single region and use Cloud Interconnect for global access.
B.Use Cloud CDN to cache static content and deploy the API across multiple regions with global load balancing.
C.Use Cloud Armor to protect the application and rely on Google's backbone for low latency.
D.Store all content in Cloud Storage and serve directly from there.
AnswerB

Cloud CDN caches at edge locations, and multi-region deployment with global load balancing reduces latency for dynamic content.

Why this answer

Option B is correct because it combines Cloud CDN for caching static content at edge locations worldwide, reducing latency for static assets, and deploys the dynamic API across multiple regions with global load balancing (using Google Cloud's global external HTTP(S) load balancer) to route users to the nearest healthy backend, minimizing latency for dynamic requests while ensuring high availability through regional redundancy.

Exam trap

The trap here is that candidates may think Cloud Interconnect or Cloud Armor alone can solve global latency, overlooking the need for edge caching and multi-region deployment to reduce physical distance and provide redundancy.

How to eliminate wrong answers

Option A is wrong because deploying in a single region forces all traffic to traverse potentially long distances, and Cloud Interconnect provides dedicated connectivity to Google's network but does not reduce geographic latency for global users; it also creates a single point of failure. Option C is wrong because Cloud Armor provides DDoS protection and WAF capabilities but does not reduce latency; relying solely on Google's backbone does not address the need for edge caching or multi-region distribution. Option D is wrong because serving all content directly from Cloud Storage without a CDN or global load balancing results in higher latency for users far from the storage region, and Cloud Storage alone does not provide dynamic API serving or global traffic management.

593
MCQhard

A company runs a stateful application on Compute Engine with regional persistent disks. They want to achieve high availability with automatic failover in case of a zone failure. Which architecture meets these requirements?

A.Use Cloud Storage FUSE to mount a multi-regional bucket as a filesystem
B.Use standard persistent disks with scheduled snapshots to a multi-region bucket
C.Use zonal persistent disks with a managed instance group in a single zone
D.Use regional persistent disks with a managed instance group spanning two zones
AnswerD

Regional disks provide synchronous replication; instance group autohealing restarts VMs on failure.

Why this answer

Option D is correct because regional persistent disks synchronously replicate data across two zones, and when combined with a managed instance group (MIG) spanning those same two zones, the application can automatically fail over to the healthy zone if one zone fails. The MIG's autohealing and health-check mechanisms detect the failure and recreate instances in the surviving zone, while the regional PD remains accessible from either zone, ensuring high availability without manual intervention.

Exam trap

The trap here is that candidates confuse zonal persistent disks with regional persistent disks, or assume that snapshots (Option B) provide automatic failover, when in reality snapshots are for backup/DR and require manual recovery steps, not instant zone-failure recovery.

How to eliminate wrong answers

Option A is wrong because Cloud Storage FUSE mounts a multi-regional bucket as a filesystem, but Cloud Storage is an object store with eventual consistency (not POSIX-compliant), and it does not support synchronous replication or automatic failover for stateful applications requiring persistent disk semantics. Option B is wrong because standard persistent disks are zonal resources; scheduled snapshots to a multi-region bucket provide backup and disaster recovery, not automatic failover within minutes, and restoring from a snapshot requires manual or scripted steps, not instant failover. Option C is wrong because zonal persistent disks are tied to a single zone, and a managed instance group in a single zone cannot survive a zone failure—the instances and disks become unavailable simultaneously.

594
MCQ · easy

A developer wants to run integration tests against a Cloud Spanner emulator in a local development environment. What is the best way to set up the emulator?

A. Use a mock library instead of an emulator.
B. Use the Cloud Spanner API directly without an emulator.
C. Run the Cloud Spanner emulator Docker container and set the SPANNER_EMULATOR_HOST environment variable.
D. Install the emulator using `gcloud emulators spanner start`.
Answer: C

Docker ensures a consistent environment and easy setup.

Why this answer

Option C is correct because the Cloud Spanner emulator is distributed as a Docker container, and the recommended way to run it locally is to start that container and set the `SPANNER_EMULATOR_HOST` environment variable (e.g., `localhost:9010`) so that the Spanner client library redirects all API calls to the emulator instead of the production service. This provides a fully functional, in-memory Spanner instance for integration testing without incurring costs or requiring network access to GCP.

Exam trap

Cisco often tests the distinction between `gcloud emulators` commands that exist (Datastore, Firestore, Pub/Sub, Bigtable) and those that do not (Spanner), leading candidates to incorrectly assume `gcloud emulators spanner start` is valid when the correct approach is to run the Docker container and set the environment variable.

How to eliminate wrong answers

Option A is wrong because using a mock library (e.g., mocking the Spanner client) would test only the mock's behavior, not the actual Spanner API interactions, and would miss integration issues like schema validation, transaction semantics, or query syntax errors that the emulator catches. Option B is wrong because calling the Cloud Spanner API directly without an emulator would require a live GCP project, incur costs, and introduce network latency and authentication overhead, which defeats the purpose of a local, isolated development environment. Option D is wrong because `gcloud emulators spanner start` is not a valid command; the `gcloud emulators` subcommand supports Datastore, Firestore, Pub/Sub, and Bigtable, but not Spanner — Spanner's emulator is only available as a Docker image.

595
MCQ · medium

An engineer is migrating a large on-premises SQL Server database to Cloud SQL for PostgreSQL. They need to continuously replicate changes during the migration to minimize downtime. Which Database Migration Service job type should they use?

A. Bulk migration
B. Scheduled migration
C. Continuous migration
D. One-time migration
Answer: C

Continuous migration includes CDC after the initial dump, allowing near-zero-downtime cutover.

Why this answer

DMS offers continuous migration jobs that perform a full dump followed by CDC, enabling near-zero-downtime cutover.

596
MCQ · medium

A company is migrating an on-premises PostgreSQL database to Cloud SQL. They need to ensure minimal downtime and continuous replication during the migration. Which approach should they use?

A. Use Database Migration Service with continuous replication.
B. Use a cross-region replica from an existing Cloud SQL instance.
C. Export the database using pg_dump and import into Cloud SQL.
D. Create a Cloud SQL read replica of the on-premises database.
Answer: A

DMS supports ongoing replication with minimal downtime.

Why this answer

Database Migration Service (DMS) supports continuous replication from source to Cloud SQL using native PostgreSQL replication (logical replication). It minimizes downtime. Import/export involves downtime.

Creating a read replica from on-prem is not directly supported. Cloud SQL does not support cross-region replicas from on-prem.

597
Multi-Select · easy

Which TWO statements about building container images for Google Cloud Run are correct? (Choose TWO.)

Select 2 answers
A. The container must use HTTP/1.1; HTTP/2 is not supported.
B. The container must respond to health checks on the same port as the main application.
C. The container must be stateless and not rely on local file system persistence.
D. The container must listen on port 8080 by default.
E. The container must run as root user.
Answers: B, C

Health checks are sent to the container's port; the app must respond with 200 OK.

Why this answer

Option B is correct because Cloud Run requires the container to respond to health checks (e.g., HTTP GET /health) on the same port as the main application. Cloud Run uses the same port for both user requests and health check probes; if the health check fails, the container is restarted. This ensures the container is always ready to serve traffic.

Exam trap

The PCD exam often tests the misconception that Cloud Run mandates port 8080 or requires HTTP/1.1, but the actual requirement is that the container must respond to health checks on the same port as the main application and must be stateless.

598
MCQ · hard

You are a Cloud Developer working for an e-commerce company. The company uses Cloud Build to build and deploy a Python application to App Engine standard environment. The application uses Cloud SQL for its database. The team recently updated the application code and added a new dependency. The build succeeds, but the deployment fails with 'Error Response: [9] Application startup error!' You check the logs and see 'ImportError: No module named requests'. The team uses a requirements.txt file. However, the requirements.txt file has been configured correctly in the past. The team also uses a custom runtime config in app.yaml with an 'entrypoint' field. They did not change any configuration files. What is the most likely cause of this error?

A. The app.yaml file incorrectly specifies 'runtime: python27' but the code uses Python 3, and python27 does not automatically install dependencies from requirements.txt.
B. The custom entrypoint in app.yaml bypasses the automatic installation of dependencies.
C. The app.yaml file specifies 'runtime: python39' which is not supported by App Engine standard.
D. The requirements.txt file is missing from the deployment directory.
Answer: A

Python 2.7 runtime requires manually specifying libraries in app.yaml.

Why this answer

Option A is correct because the error 'ImportError: No module named requests' indicates that the dependency was not installed. In App Engine standard, when using 'runtime: python27', dependencies listed in requirements.txt are not automatically installed; you must use a third-party library or vendor them manually. Since the team uses a custom entrypoint in app.yaml, this does not override the runtime's default behavior for Python 2.7, which does not support automatic dependency installation from requirements.txt.

Exam trap

Cisco often tests the misconception that a custom entrypoint in app.yaml controls dependency installation, when in fact it is the runtime setting that determines whether requirements.txt is processed automatically.

How to eliminate wrong answers

Option B is wrong because the custom entrypoint in app.yaml does not bypass automatic dependency installation; in App Engine standard, the entrypoint defines how to start the application, but dependency installation is handled by the runtime environment based on the runtime setting, not the entrypoint. Option C is wrong because 'runtime: python39' is a supported runtime in App Engine standard (Python 3.9 is supported), and if it were specified, dependencies from requirements.txt would be automatically installed, preventing this error. Option D is wrong because the team has used requirements.txt correctly in the past and did not change any configuration files, so it is still present in the deployment directory; the error is due to the runtime not processing it, not its absence.

599
MCQ · hard

A company uses Cloud Build to build Docker images and push them to Artifact Registry. They want to ensure that only images built from a specific Cloud Build trigger are deployed to production. Which combination of steps should they implement?

A. Configure IAM roles to restrict push access to Artifact Registry
B. Configure Binary Authorization with a policy requiring attestation from Cloud Build
C. Use Cloud Deploy with a manual approval gate
D. Use Cloud Build's built-in approval mechanism
Answer: B

Binary Authorization can enforce that only images with a valid attestation from Cloud Build are deployed.

Why this answer

Binary Authorization enforces deployment-time policies that require images to have a valid attestation from an approved authority. By configuring Cloud Build to create an attestation for images built from the specific trigger, and setting a Binary Authorization policy that requires that attestation, only those attested images can be deployed to production. This directly ensures that only images from that trigger are used.

Exam trap

The trap here is that candidates often confuse IAM-based access control (Option A) with deployment-time policy enforcement, failing to realize that IAM cannot distinguish images built from different triggers once they are in the registry.

How to eliminate wrong answers

Option A is wrong because IAM roles control who can push to Artifact Registry, not which specific images (e.g., from a particular trigger) are allowed to be deployed; it cannot enforce a policy based on the build source. Option C is wrong because Cloud Deploy with a manual approval gate adds a human review step but does not cryptographically verify that the image originated from a specific Cloud Build trigger; it relies on manual judgment, not automated attestation. Option D is wrong because Cloud Build's built-in approval mechanism only controls whether a build proceeds, not whether the resulting image is allowed to be deployed; it does not provide deployment-time enforcement.

600
MCQ · medium

A company is using Database Migration Service to migrate an on-premises PostgreSQL database to Cloud SQL for PostgreSQL. The source database is behind a firewall that does not allow direct connections from Google Cloud. What connectivity option should they use?

A. Use Cloud SQL Auth Proxy on a machine in the source network.
B. Use a Cloud VPN tunnel to connect the on-premises network to Google Cloud.
C. Set up VPC peering between the on-premises network and Google Cloud.
D. Configure a public IP for Cloud SQL and whitelist the source IP.
Answer: A

Cloud SQL Auth Proxy creates an encrypted tunnel and works over the internet, bypassing direct connectivity requirements.

Why this answer

Cloud SQL Auth Proxy provides a secure tunnel and can be run on the source network to connect to Cloud SQL. VPC peering requires direct network connectivity, which may not be possible through a firewall.
