CCNA Building and testing applications Questions

75 of 117 questions · Page 1/2 · Building and testing applications · Answers revealed

1
MCQ · hard

An organization uses Cloud Build to deploy multiple microservices to GKE. They want to ensure that the deployment process can be audited and that each deployment can be rolled back to a previous version. What is the recommended approach?

A. Use Kubernetes Deployment history to rollback by specifying a revision.
B. Use Cloud Deploy to manage deployments with rollback capabilities and audit logs.
C. Store each manifest version in Artifact Registry and manually apply kubectl.
D. Use Cloud Build to redeploy a previous image tag when rollback is needed.
Answer: B

Cloud Deploy provides automated rollback and deployment history.

Why this answer

Cloud Deploy is the recommended service for managing progressive deliveries and rollbacks on GKE, as it provides built-in rollback capabilities, audit logging, and delivery pipeline management. Unlike raw Kubernetes Deployment history, Cloud Deploy integrates with Cloud Build and offers a controlled, auditable deployment process with the ability to roll back to any previous release revision.

Exam trap

Cisco often tests the misconception that Kubernetes native rollback mechanisms (like `kubectl rollout undo`) are sufficient for enterprise audit requirements, but the exam expects candidates to recognize that Cloud Deploy provides the necessary audit logs and structured rollback workflows for production environments.

How to eliminate wrong answers

Option A is wrong because Kubernetes Deployment history only supports rollback via `kubectl rollout undo` to a specific revision, but it lacks native audit logging and does not provide a centralized, auditable deployment pipeline across multiple microservices. Option C is wrong because manually applying manifests from Artifact Registry bypasses automated deployment pipelines, introduces human error, and does not provide rollback capabilities or audit trails. Option D is wrong because using Cloud Build to redeploy a previous image tag is a manual workaround that does not offer structured rollback management, release tracking, or audit logs; it also requires rebuilding or re-tagging, which can lead to inconsistencies.

2
MCQ · hard

Refer to the exhibit. The function returns 'Error' even though the document exists. What is the most likely reason?

A. The document ID in the query parameter is URL-encoded and needs to be decoded using `decodeURIComponent`.
B. The function has insufficient IAM permissions for Firestore.
C. The Firestore emulator is not running.
D. The `update` method requires that the document exists.
Answer: A

Spaces and special characters in query strings are encoded; decoding is necessary to form the correct document path.

Why this answer

The most likely reason is that the document ID in the query parameter is URL-encoded, and the function does not decode it before using it as a Firestore document reference. Firestore document IDs are case-sensitive and must match exactly; a URL-encoded string like 'doc%20name' will not match the actual document 'doc name', causing the update to fail and return 'Error'. Using `decodeURIComponent` on the parameter before passing it to Firestore resolves this.

Exam trap

Cisco often tests the subtle distinction between a document not existing and a document ID mismatch due to encoding, leading candidates to incorrectly choose the 'document must exist' option (D) when the real issue is a URL-encoded ID not being decoded.

How to eliminate wrong answers

Option B is wrong because insufficient IAM permissions would typically result in a permission-denied error (HTTP 403) or an exception, not a generic 'Error' return from the function, and the question states the document exists, implying the function can access Firestore. Option C is wrong because if the Firestore emulator were not running, the function would fail to connect entirely, throwing a network or connection error, not a conditional 'Error' after checking document existence. Option D is wrong because the `update` method in Firestore does require the document to exist, but the question explicitly states the document exists, so this is not the cause of the error; the issue is the mismatch due to URL encoding.

3
Multi-Select · hard

Which TWO actions should a developer take to ensure that a Cloud Run service can access a Cloud SQL instance securely?

Select 2 answers
A. Use a Cloud NAT to provide outbound internet access for the service.
B. Assign a public IP to the Cloud SQL instance and allow all traffic from Cloud Run.
C. Use the Cloud SQL Auth Proxy as a sidecar container in the same pod.
D. Configure the service with a VPC connector and use private IP for Cloud SQL.
E. Create a service account with the cloudsql.instances.connect permission.
Answers: C, D

Correct; Cloud SQL Auth Proxy provides secure IAM-based access.

Why this answer

Option C is correct because the Cloud SQL Auth Proxy, when deployed as a sidecar container in the same pod, provides encrypted connections and IAM-based authentication to Cloud SQL without requiring a public IP or complex network configuration. It automatically handles TLS 1.3 encryption and uses the service account's IAM permissions to authorize connections, ensuring secure access from Cloud Run.

Exam trap

Cisco often tests the misconception that a service account permission alone (Option E) is sufficient for secure access, when in reality the permission must be paired with a connectivity method like the Cloud SQL Auth Proxy or a VPC connector to actually establish the encrypted channel.

4
MCQ · hard

An application running on Compute Engine uses Cloud Storage for storing user-uploaded images. During load testing, the application experiences high latency when reading images. The developer suspects that the application is making too many small read requests. Which approach should the developer take to optimize performance?

A. Enable Cloud CDN to cache the images at edge locations.
B. Rewrite the objects to use a different storage class.
C. Increase the read size to reduce the number of API requests.
D. Mount the Cloud Storage bucket using Cloud Storage FUSE and read files from the local filesystem.
Answer: C

Reading larger chunks reduces the number of HTTP requests and improves throughput, especially for sequential access patterns.

Why this answer

Option C is correct because the high latency is caused by many small read requests, each incurring API overhead. By increasing the read size (e.g., reading larger chunks or using range requests), the application reduces the number of API calls, which lowers cumulative latency and improves throughput. This directly addresses the root cause of excessive small reads.

Exam trap

Google Cloud often tests the misconception that caching (Cloud CDN) or filesystem mounting (FUSE) solves performance issues caused by small read patterns, when the real fix is to reduce the number of API calls by increasing the read size.

How to eliminate wrong answers

Option A is wrong because Cloud CDN caches content at edge locations to reduce latency for repeated reads, but it does not reduce the number of small read requests the application makes; it only serves cached responses for subsequent requests, not the initial small-read pattern. Option B is wrong because changing the storage class (e.g., to Nearline or Coldline) affects cost and retrieval latency for infrequently accessed data, but it does not optimize the read size or reduce the number of API requests for small reads. Option D is wrong because Cloud Storage FUSE mounts the bucket as a local filesystem, but it still translates file operations into API calls; small reads from the filesystem still generate many underlying API requests, and FUSE can introduce additional overhead, not reduce it.

5
MCQ · hard

Refer to the exhibit. A developer deployed a Cloud Run service with the above command. They notice that the service's latency is higher than expected under load. The service performs CPU-intensive tasks. What is the most likely reason for the high latency?

A. The service is using gen2, which does not support CPU-intensive workloads
B. The service should be deployed with --max-instances set to a lower number
C. The execution environment is gen2, which only allocates CPU during request processing by default; the high concurrency causes CPU contention
D. The memory is insufficient for the concurrency level
Answer: C

Gen2 CPU is only allocated during request processing unless CPU always on is set.

Why this answer

Cloud Run (gen2) allocates CPU based on request processing. With concurrency 80 and CPU-intensive tasks, the CPU may be throttled between requests. Option C is correct: gen2 only allocates CPU during request processing if not using CPU always on.

Option A is incorrect because gen2 supports CPU-intensive tasks. Option D is incorrect because 4Gi memory should be sufficient. Option B is incorrect because scaling to 10 instances could help but doesn't address the concurrency issue.

6
Multi-Select · hard

A Cloud SQL for PostgreSQL instance is experiencing high query latency. The database has a high number of read replicas and is used for reporting. The team has identified that index scans are not being used effectively. Which THREE actions should they take to improve query performance?

Select 3 answers
A. Analyze table statistics using VACUUM ANALYZE.
B. Increase the number of CPUs on the primary instance.
C. Enable automatic storage increase.
D. Use pg_stat_statements to identify slow queries.
E. Create additional read replicas.
Answers: A, B, D

Updating statistics helps the query planner choose index scans over sequential scans.

Why this answer

Option A is correct because `VACUUM ANALYZE` updates table statistics that the PostgreSQL query planner relies on to choose efficient index scans. Stale statistics can cause the planner to underestimate the selectivity of index conditions, leading to sequential scans instead of index scans, which increases latency. Regular analysis ensures the planner has accurate data distribution information to optimize query execution plans.

Exam trap

Cisco often tests the distinction between symptom mitigation (adding replicas or CPUs) and root-cause resolution (updating statistics), leading candidates to choose resource scaling options instead of the correct maintenance operation.

7
Multi-Select · medium

Which TWO are best practices for testing containerized applications on Google Cloud?

Select 2 answers
A. Use Kubernetes for testing only.
B. Use Distroless images for testing.
C. Use Cloud Build to build and test containers.
D. Use a different base image for testing than production.
E. Run tests inside the container as a separate layer using Docker multi-stage builds.
Answers: C, E

Cloud Build integrates seamlessly with container workflows.

Why this answer

Cloud Build is a managed CI/CD platform that can build container images from source code and execute tests as part of the build pipeline. It integrates natively with Google Cloud services like Container Registry and Artifact Registry, and supports custom build steps, making it an ideal tool for building and testing containerized applications in a consistent, automated environment.

Exam trap

Cisco often tests the misconception that testing should use a different base image to avoid production bloat, but the correct practice is to use the same base image for testing and production to ensure consistency, while leveraging multi-stage builds to separate build and test dependencies from the final runtime image.

8
Multi-Select · hard

Which THREE of the following are valid reasons to use Cloud Deploy instead of manually applying kubectl commands in a CI/CD pipeline?

Select 3 answers
A. Cloud Deploy automatically containerizes applications.
B. Cloud Deploy maintains a deployment history for auditing.
C. Cloud Deploy enforces IAM roles on Kubernetes clusters.
D. Cloud Deploy provides automatic rollbacks on deployment failure.
E. Cloud Deploy supports canary and blue-green deployments out of the box.
Answers: B, D, E

Audit trail is built-in.

Why this answer

Option B is correct because Cloud Deploy automatically maintains a detailed deployment history, including the state of each rollout, approvals, and metadata. This history is stored in the Cloud Deploy API and can be queried for auditing, compliance, and troubleshooting purposes, which is not natively provided by manual kubectl commands in a CI/CD pipeline.

Exam trap

The trap here is that candidates may confuse Cloud Deploy's role in the CI/CD pipeline with containerization or cluster-level security, assuming it handles build or IAM enforcement, when in fact it is a continuous delivery service focused on rollout strategies and auditability.

9
Multi-Select · medium

A team is implementing a CI/CD pipeline for a Cloud Function using Cloud Build. Which three steps should they include in their cloudbuild.yaml? (Choose 3)

Select 3 answers
A. Static code analysis
B. Deploy the function
C. Run unit tests
D. Build a container image
E. Manual approval step
Answers: A, B, C

Static analysis (linting, security scanning) is a good practice to include in the pipeline.

Why this answer

Static code analysis (A) is correct because it helps identify code quality issues, security vulnerabilities, and adherence to coding standards early in the pipeline, which is a best practice for Cloud Functions. Running unit tests (C) is essential to validate function logic before deployment. Deploying the function (B) is the final step that pushes the validated code to Cloud Functions, making it a required step in the CI/CD pipeline.

Exam trap

Cisco often tests the misconception that Cloud Functions require building a container image for all runtimes, but in reality, only custom container runtimes (e.g., using Dockerfile) need that step, while the default runtimes use source-based deployment.

10
MCQ · easy

A developer wants to containerize a Node.js application and deploy it to Cloud Run. They need to ensure the container is as small as possible. What should they do?

A. Use a full Ubuntu base image with all dependencies.
B. Use a multi-stage Dockerfile with a distroless base image.
C. Use a node:latest image and remove unnecessary files.
D. Use a simple FROM scratch image.
Answer: B

Multi-stage builds copy only runtime dependencies, and distroless images are minimal.

Why this answer

Option B is correct because a multi-stage Dockerfile allows you to separate the build environment from the runtime environment. By using a distroless base image (e.g., gcr.io/distroless/nodejs), you include only the application and its runtime dependencies, omitting package managers, shells, and other OS utilities. This results in a significantly smaller container image, which reduces attack surface and improves deployment speed on Cloud Run.

Exam trap

Cisco often tests the misconception that 'FROM scratch' is the smallest possible image for any application, but candidates must recognize that scratch images lack the runtime libraries required by interpreted languages like Node.js, making distroless the correct minimal choice.

How to eliminate wrong answers

Option A is wrong because using a full Ubuntu base image with all dependencies results in a large image (hundreds of MB) that includes unnecessary OS utilities, increasing attack surface and deployment time. Option C is wrong because using node:latest and removing unnecessary files is inefficient; the image still contains the full OS layer and package manager, and manual removal is error-prone and does not achieve the minimal size of a distroless image. Option D is wrong because a FROM scratch image provides no base filesystem or runtime libraries, and Node.js applications require the Node.js runtime and system libraries (e.g., libc, libstdc++) that are not present in a scratch image, causing the container to fail to start.

11
MCQ · easy

A developer wants to quickly test changes to a containerized web application that will run on Cloud Run, without building and deploying a new container. Which approach should they use?

A. Deploy to a staging Cloud Run service
B. Run locally with Docker
C. Use traffic splitting to test a new revision
D. Use Cloud Run for Anthos
Answer: B

Running the container locally with Docker provides the fastest feedback loop as it avoids deployment steps.

Why this answer

Running locally with Docker allows rapid iteration without the overhead of building and pushing to a registry and redeploying. Staging deployment is slower. Traffic splitting is for production traffic management. Cloud Run for Anthos is for hybrid deployments.

12
MCQ · hard

Refer to the exhibit. A developer creates this cloudbuild.yaml for a Cloud Build pipeline. When they run the build, they get an error that the image push failed. What is the most likely cause?

A. The project ID 'my-project' does not exist.
B. The Artifact Registry repository 'my-repo' has not been created.
C. The Dockerfile is missing in the repository.
D. Cloud Run service 'my-service' already exists and needs to be deleted.
E. The gcloud command requires the '--platform managed' flag.
Answer: B

The push step requires the repository to exist; otherwise, the push fails.

Why this answer

The error occurs because the cloudbuild.yaml references an Artifact Registry repository 'my-repo' that does not exist in the project. Cloud Build attempts to push the Docker image to the specified repository, and if the repository has not been created, the push fails with a permission or not-found error. The repository must be created before the build runs, as Cloud Build does not automatically create repositories.

Exam trap

Cisco often tests the distinction between build-time errors (e.g., missing Dockerfile) and push-time errors (e.g., missing repository), and candidates may confuse a missing repository with a missing project or a deployment flag issue.

How to eliminate wrong answers

Option A is wrong because if the project ID 'my-project' did not exist, the build would fail earlier with a project-level authentication or resource-not-found error, not specifically an image push failure. Option C is wrong because a missing Dockerfile would cause a build failure during the image build step, not during the push step. Option D is wrong because the Cloud Run service already existing is not an error; Cloud Run deployments can update existing services, and the error is about image push, not deployment. Option E is wrong because the '--platform managed' flag is required for Cloud Run deployments, not for image pushes to Artifact Registry; the push failure is unrelated to this flag.

13
Multi-Select · easy

A company wants to deploy a containerized application to Cloud Run. Which two approaches are supported? (Choose two.)

Select 2 answers
A. Use gcloud beta run deploy with --source flag to build and deploy from source
B. Use Cloud Functions to package the container as a function
C. Upload a Dockerfile to Cloud Run console and let it build
D. Use Kubernetes Engine to deploy the container and then migrate to Cloud Run
E. Build the container locally and push to Artifact Registry, then deploy with gcloud
Answers: A, E

This allows building and deploying directly from source code.

Why this answer

Cloud Run supports two of the listed approaches: source-based deployment with the `--source` flag, and building an image, pushing it to Artifact Registry, then deploying it. The other options are not valid deployment methods.

14
MCQ · hard

A developer created a Cloud Function that makes an HTTP request to an external API. The above error occurs intermittently. The external API is working correctly. What is the most likely cause?

A. The request to the external API has incorrect headers or payload
B. The function is not handling network retries properly
C. The Cloud Function is not deployed in the same region as the API
D. The function is timing out due to long response time
Answer: A

An invalid argument error strongly suggests the request parameters are incorrect.

Why this answer

The 'INVALID_ARGUMENT' error indicates the request payload or headers are malformed. Intermittent occurrence suggests a data-dependent issue rather than a permanent config problem.

15
MCQ · hard

A company deploys a Java application on Compute Engine with a preemptible VM instance group managed by an instance template. The application writes critical state to local SSD. After a preemption event, the new instance starts fresh and loses state. What is the best practice to ensure state persistence?

A. Modify the startup script to recover state from a snapshot
B. Refactor the application to write state to a persistent service like Cloud Storage
C. Configure the managed instance group as stateful to preserve local SSD data
D. Use a regular (non-preemptible) VM instead of preemptible
Answer: B

This decouples state from the instance, ensuring durability across preemptions.

Why this answer

Option B is correct because local SSD data is ephemeral and lost on VM preemption or termination. Refactoring the application to write critical state to a persistent service like Cloud Storage ensures data durability independent of the VM lifecycle. This aligns with the best practice of designing preemptible workloads to be stateless, where state is stored externally.

Exam trap

Cisco often tests the misconception that local SSD can be made persistent through MIG stateful configuration, but stateful MIGs do not protect against preemption—they only preserve instance name and metadata, not local SSD data on termination.

How to eliminate wrong answers

Option A is wrong because snapshots capture disk state at a point in time, but they are not designed for real-time state recovery; the startup script would need to restore from a snapshot, which adds latency and complexity, and the snapshot itself may be stale if not taken frequently. Option C is wrong because managed instance groups (MIGs) with stateful configuration preserve local SSD data only for specific instances, not for preemptible VMs which are terminated and recreated; stateful MIGs are intended for regular VMs where instance identity is preserved. Option D is wrong because using a non-preemptible VM avoids preemption but increases cost and defeats the purpose of using preemptible VMs for cost savings; the question asks for best practice to ensure state persistence, not to avoid preemption.

16
MCQ · hard

A team uses Cloud Build to deploy applications that need to access a Cloud SQL database in a VPC. They want to avoid exposing the database to the public internet. Which configuration is required?

A. Configure Cloud Build to use a private pool in the same VPC as the database
B. Enable VPC Network Peering between Cloud Build and the database VPC
C. Use Cloud SQL Proxy in a Cloud Build step
D. Use a public IP on Cloud SQL and restrict by IP whitelist
Answer: A

Private pools run inside a VPC, enabling internal access to Cloud SQL.

Why this answer

Cloud Build private pools run in a customer-managed VPC, allowing workers to directly access resources like Cloud SQL instances via private IP without traversing the public internet. This configuration ensures the database is never exposed to the public internet, meeting the security requirement.

Exam trap

Cisco often tests the misconception that VPC peering or Cloud SQL Proxy can replace the need for placing Cloud Build workers inside the same VPC, but private pools are the only native way to run Cloud Build in your own VPC without public internet exposure.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering is used to connect two VPC networks, but Cloud Build does not have its own VPC to peer; private pools are the correct mechanism to place Cloud Build workers inside the customer's VPC. Option C is wrong because Cloud SQL Proxy still requires a public IP or a private IP connection; while it can connect via private IP, it does not eliminate the need for the database to be accessible from the Cloud Build environment, and using a proxy in a Cloud Build step does not inherently avoid public exposure if the database has a public IP. Option D is wrong because using a public IP on Cloud SQL and restricting by IP whitelist still exposes the database to the public internet, albeit with access controls, which violates the requirement to avoid public exposure entirely.

17
MCQ · easy

Refer to the exhibit. You run the above command to build and push a Docker image to Container Registry. The build fails with an error: 'denied: Unauthenticated access'. What should you do to resolve this?

A. Grant the Cloud Build service account the Storage Object Admin role on the project
B. Grant the Cloud Build service account the Project Editor role
C. Grant the Compute Engine default service account the Storage Object Creator role
D. Run gcloud auth login as the project owner before submitting the build
Answer: A

This allows push to Container Registry, which is backed by Cloud Storage.

Why this answer

The error 'denied: Unauthenticated access' indicates that the Cloud Build service account does not have permission to push images to Container Registry. By default, Cloud Build uses the Cloud Build service account (service-[PROJECT_NUMBER]@cloudbuild.gserviceaccount.com) to execute builds. Granting the Storage Object Admin role (roles/storage.admin) to this service account provides the necessary permissions to write objects (Docker image layers) to the Container Registry bucket in Cloud Storage, resolving the authentication failure.

Exam trap

Cisco often tests the distinction between the Cloud Build service account and the Compute Engine default service account, leading candidates to incorrectly choose Option C because they confuse the service account used by Cloud Build with the one used by Compute Engine instances.

How to eliminate wrong answers

Option B is wrong because granting the Project Editor role (roles/editor) is overly permissive and violates the principle of least privilege; it includes many unnecessary permissions beyond what is required for pushing images. Option C is wrong because the Compute Engine default service account is not used by Cloud Build; Cloud Build uses its own dedicated service account, and granting roles to the Compute Engine default service account would not resolve the build's authentication error. Option D is wrong because 'gcloud auth login' authenticates the user running the command, not the Cloud Build service account; the build runs in a non-interactive environment and relies on the service account's credentials, not the user's OAuth tokens.

18
MCQ · hard

A developer is writing unit tests for a Python Cloud Run service that uses Cloud Firestore. They want to avoid hitting the real Firestore during tests. What should they use?

A. Use a real Firestore database but with a test project.
B. Mock the Firestore client using a library like unittest.mock.
C. Disable network access during tests.
D. Use the Firestore emulator for unit tests.
Answer: B

Mocking isolates the unit of code from external services.

Why this answer

Option B is correct because unit tests should isolate the code under test from external dependencies. Using `unittest.mock` to mock the Firestore client allows the developer to simulate Firestore calls and return controlled responses without any network I/O, ensuring tests are fast, deterministic, and independent of the real Firestore service.

Exam trap

The trap here is that candidates often confuse the Firestore emulator (a local integration testing tool) with a proper unit testing mock, leading them to choose option D even though the emulator is not suitable for isolated unit tests.

How to eliminate wrong answers

Option A is wrong because using a real Firestore database, even in a test project, still incurs network latency, potential costs, and dependency on the Firestore service being available, which violates the principle of unit test isolation. Option C is wrong because disabling network access during tests does not automatically prevent the Firestore client from attempting to connect; it would likely cause connection errors rather than gracefully simulating Firestore behavior. Option D is wrong because the Firestore emulator is intended for integration tests or end-to-end testing, not for pure unit tests; it still requires running a local emulator process and introduces external state management that unit tests should avoid.

19
MCQ · hard

During a Cloud Build run, a developer sees the error: "Step #0: error: failed to fetch metadata: connection refused". The build is trying to access a private Docker registry in a different project. What is the most likely cause?

A. The registry does not exist
B. The build environment cannot reach the registry due to network restrictions
C. The build service account lacks IAM permissions to the registry
D. The build is using a public pool with no access to internal networks
Answer: B

Connection refused typically means the target is actively refusing the connection, often due to firewalls or VPC Service Controls preventing access.

Why this answer

The error message indicates a network connectivity issue, not authentication. The most common cause is that the build environment cannot reach the registry due to VPC Service Controls, firewall rules, or the registry being in a different network. Authentication errors typically show "denied" or "unauthorized".

20
MCQ · medium

Refer to the exhibit. You have the above cloudbuild.yaml file. The build succeeds but the call to the function fails with a permission error. What is the most likely cause?

A. The function is using the wrong trigger type
B. The runtime 'nodejs16' is not supported
C. The '--allow-unauthenticated' flag is not allowed in Cloud Build
D. The function call is occurring before the deployment is fully complete, and the function is not yet ready to serve requests
Answer: D

The function may still be provisioning; add a sleep or check status.

Why this answer

The most likely cause is that the Cloud Build step deploys the function, but the subsequent test call occurs before the function's HTTP endpoint is fully provisioned and serving requests. Cloud Functions deployment is asynchronous; after the `gcloud functions deploy` command returns, the function may still be in a 'DEPLOYING' or 'ACTIVE' state but not yet ready to handle traffic. A permission error in this context typically arises because the function's IAM policy (e.g., `--allow-unauthenticated`) is applied only after the deployment completes, and the function's runtime endpoint may return a 403 until fully ready.

Exam trap

Cisco often tests the misconception that a successful `gcloud functions deploy` output means the function is immediately ready to serve requests, when in reality the deployment is asynchronous and the function may not be fully operational for several seconds.

How to eliminate wrong answers

Option A is wrong because the trigger type (HTTP trigger via `--trigger-http`) is correctly specified for a function that is called via HTTP; a permission error is unrelated to trigger type. Option B is wrong because `nodejs16` is a supported runtime in Cloud Functions (deprecated but still functional during the transition period), and a runtime error would manifest as a build failure, not a permission error. Option C is wrong because `--allow-unauthenticated` is a valid flag in `gcloud functions deploy` and is allowed in Cloud Build; it grants allUsers the `roles/cloudfunctions.invoker` role, and its absence would cause a permission error, but the flag itself is not disallowed.

21
MCQ · easy

A team uses Cloud Build to deploy a containerized application to Cloud Run. The build step fails intermittently with the error 'Failed to trigger build: Build timed out'. What is the most likely cause?

A. The build exceeds the default Cloud Build timeout.
B. The build machine has insufficient memory.
C. The Dockerfile contains invalid syntax.
D. The Cloud Build service account lacks permissions to deploy to Cloud Run.
Answer: A

Default timeout is 10 minutes; exceeding it causes build timeout.

Why this answer

The error 'Failed to trigger build: Build timed out' indicates that the Cloud Build execution exceeded the maximum allowed duration. By default, Cloud Build has a timeout of 10 minutes for build steps. If the build process (e.g., pulling dependencies, building the container image) takes longer than this default timeout, the build is automatically terminated, resulting in this intermittent failure.

Increasing the timeout in the build configuration or using a larger machine type can resolve this.

Exam trap

Cisco often tests the distinction between timeout errors and resource or permission errors, so candidates mistakenly attribute a timeout to insufficient memory or permissions when the error message explicitly points to duration limits.

How to eliminate wrong answers

Option B is wrong because insufficient memory on the build machine would typically cause an out-of-memory (OOM) error or a build failure with a different message, not a timeout error. Option C is wrong because invalid Dockerfile syntax would cause a build failure during the Docker build step with a syntax error message, not a timeout. Option D is wrong because a lack of permissions for the Cloud Build service account to deploy to Cloud Run would result in a permission denied or authorization error, not a build timeout.

22
MCQmedium

A company is developing a microservices application on Google Cloud. Each service is deployed as a Docker container on Cloud Run. The development team wants to ensure that inter-service communication is encrypted and authenticated. What is the best approach?

A.Use Cloud Run's built-in IAM-based authentication and automatic TLS for internal requests.
B.Configure mutual TLS (mTLS) between services using Cloud Endpoints.
C.Deploy a sidecar proxy on each Cloud Run service to handle TLS termination.
D.Assign a service account to each service and use its private key to sign requests.
AnswerA

Cloud Run uses IAM to authenticate requests between services and automatically provisions TLS certificates.

Why this answer

Cloud Run automatically provisions TLS certificates for all incoming requests and supports IAM-based authentication for internal requests between services in the same Google Cloud project. This means inter-service communication is encrypted by default via HTTPS and can be authenticated by configuring the receiving service to require a valid IAM token from the caller, without any additional infrastructure or sidecar proxies.

Exam trap

Cisco often tests the misconception that you need to manually configure mTLS or deploy sidecar proxies for encryption and authentication in Cloud Run, when in fact Cloud Run's built-in IAM and automatic TLS handle both requirements natively.

How to eliminate wrong answers

Option B is wrong because Cloud Endpoints is an API management service for external-facing APIs, not designed for internal service-to-service mTLS on Cloud Run; Cloud Run already handles TLS termination natively. Option C is wrong because deploying a sidecar proxy on Cloud Run is unnecessary and adds complexity — Cloud Run automatically terminates TLS at the ingress and supports IAM-based authentication without requiring a separate proxy. Option D is wrong because using a service account's private key to sign requests is not a built-in Cloud Run feature; Cloud Run uses IAM tokens (e.g., OIDC tokens) for authentication, not raw private key signing.
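The IAM-authenticated call described above, as an added example that is not part of the original question bank: the calling service asks the metadata server for an OIDC identity token whose audience is the receiving service's URL and sends it as a bearer token over HTTPS. The receiver hostname, the function names and the fake metadata server are assumptions made for illustration; the receiving service is assumed to require authentication, with the caller's service account granted `roles/run.invoker`.

```python
import urllib.parse
import urllib.request

# Metadata server endpoint that issues Google-signed OIDC identity tokens
# for the service account the calling Cloud Run service runs as.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)


def fetch_identity_token(audience, opener=urllib.request.urlopen):
    """Ask the metadata server for an ID token scoped to `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    req = urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}",
        headers={"Metadata-Flavor": "Google"},  # required by the metadata server
    )
    with opener(req, timeout=3) as resp:
        token = resp.read().decode("ascii").strip()
    if token.count(".") != 2:  # a JWT has three dot-separated parts
        raise ValueError("metadata server did not return a JWT")
    return token


def build_service_request(receiver_url, path, opener=urllib.request.urlopen):
    """Build (not send) an authenticated HTTPS request to another service."""
    parsed = urllib.parse.urlsplit(receiver_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("receiver must be an https:// service URL")
    # The audience is the receiving service's base URL; Cloud Run checks the
    # token's audience claim, so a token minted for one service is not
    # accepted by another.
    audience = f"https://{parsed.netloc}"
    token = fetch_identity_token(audience, opener)
    return urllib.request.Request(
        audience + "/" + path.lstrip("/"),
        headers={"Authorization": f"Bearer {token}"},
    )


class FakeMetadataServer:
    """Constructed stand-in for the metadata server so the example runs offline."""

    def __init__(self, token):
        self.token = token
        self.requests = []

    def __call__(self, req, timeout=None):
        self.requests.append(req)
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self.token.encode("ascii")


def demo():
    """Return (request sent to metadata server, request built for the receiver)."""
    fake = FakeMetadataServer("aaa.bbb.ccc")  # constructed token, not a real JWT
    receiver = "https://receiver-example-uc.a.run.app"  # hypothetical service URL
    svc_req = build_service_request(receiver, "/orders/42", opener=fake)
    return fake.requests[0], svc_req


if __name__ == "__main__":
    meta_req, svc_req = demo()
    print("token request:", meta_req.full_url)
    print("service request:", svc_req.full_url, svc_req.get_header("Authorization"))
```
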

23
Matchingmedium

Match each command-line tool to its primary use.


Manage Google Cloud resources

Interact with Cloud Storage

Run BigQuery queries and manage datasets

Manage Kubernetes clusters

Continuous development for Kubernetes applications

Why these pairings

These CLI tools are essential for developers working on Google Cloud.

24
MCQhard

Your team is using Cloud Build to build and test a Java application. The build includes unit tests, integration tests, and static code analysis. The build is failing intermittently due to flaky tests. You want to automatically retry the failed steps without rebuilding everything. Which Cloud Build feature should you use?

A.Configure a Cloud Build trigger to rerun the build on failure
B.Set the 'allowFailure: false' and 'retry: 2' options on the test steps in the cloudbuild.yaml
C.Use build substitutions to pass different test parameters on failure
D.Increase the timeout for the build to allow retries
AnswerB

Cloud Build supports step-level retry with 'retry' field.

Why this answer

Option B is correct because Cloud Build supports the `retry` option on individual build steps, which allows a step to be automatically retried a specified number of times upon failure without re-executing previous steps. This is ideal for handling flaky tests, as it only reruns the failed step, preserving build artifacts and avoiding a full rebuild.

Exam trap

Cisco often tests the misconception that retrying a build must involve the entire pipeline (trigger or timeout), when in fact Cloud Build provides a step-level retry option that preserves previous step outputs and avoids full rebuilds.

How to eliminate wrong answers

Option A is wrong because configuring a Cloud Build trigger to rerun the entire build on failure would rebuild everything from scratch, including steps that succeeded, which is inefficient and does not target only the flaky test step. Option C is wrong because build substitutions are used to parameterize build configurations at submission time, not to trigger retries on failure; they cannot automatically rerun a failed step. Option D is wrong because increasing the build timeout only extends the maximum duration allowed for the build; it does not provide any retry mechanism for failed steps.

25
MCQmedium

A development team wants to implement a CI/CD pipeline for a containerized application on Google Cloud. They are using Cloud Build and Cloud Deploy. The application requires canary deployments with automatic rollback if the error rate increases by more than 10% within 5 minutes after deployment. Which Cloud Deploy feature should they configure?

A.Define a Cloud Deploy deployment policy with a rollout policy that uses a canary strategy and a verification phase with automated rollback
B.Configure a Pub/Sub notification on the rollout to trigger a rollback via a Cloud Function
C.Use Cloud Monitoring to create an alert policy that triggers a Cloud Function to rollback the deployment
D.Set up a Cloud Build trigger to rebuild the previous image on error
AnswerA

Cloud Deploy deployment policies can automate rollback based on criteria like error rate thresholds.

Why this answer

Option A is correct because Cloud Deploy's deployment policies allow you to define a canary rollout strategy with an automated verification phase. When the verification phase detects that the error rate exceeds the defined threshold (e.g., 10% increase within 5 minutes), Cloud Deploy automatically initiates a rollback to the previous stable revision, meeting the team's requirement without additional custom code.

Exam trap

The trap here is that candidates often assume external monitoring and custom functions (Options B and C) are required for automated rollbacks, overlooking Cloud Deploy's native deployment policy feature that directly supports canary rollouts with automated rollback based on verification phase conditions.

How to eliminate wrong answers

Option B is wrong because while Pub/Sub notifications can be used to trigger external actions, this approach requires a custom Cloud Function to interpret the notification and perform the rollback, which is not a native Cloud Deploy feature and adds unnecessary complexity and latency. Option C is wrong because Cloud Monitoring alert policies can trigger Cloud Functions, but this is an external workaround that does not leverage Cloud Deploy's built-in automated rollback capabilities; it also introduces a dependency on external monitoring and custom rollback logic. Option D is wrong because Cloud Build triggers are designed for building and testing, not for managing deployment rollbacks; rebuilding a previous image does not automatically revert the running deployment and ignores Cloud Deploy's rollout management.

26
MCQmedium

A company uses Cloud Deploy for continuous delivery with multiple targets (dev, staging, prod). After a successful promotion to staging, the team discovers a critical bug and needs to roll back the production target to the previous release. The production target has already been promoted to the current release, but the staging target should remain on the current release. How should the team roll back the production target?

A.Create a new release with the same image tag as the previous release and promote it to production.
B.Use the 'gcloud deploy rollback' command targeting the production target.
C.Redeploy the previous release by running the previous Cloud Deploy command.
D.Manually delete the current release and then promote the previous release again.
AnswerB

Rollback creates a new release with the previous rollout's configuration and deploys it to the target.

Why this answer

Option B is correct because the 'gcloud deploy rollback' command is specifically designed to roll back a Cloud Deploy target to its previous successful release without affecting other targets. This command reverts the production target to the prior release while leaving the staging target on the current release, as required. It operates by redeploying the last known good release to the specified target, ensuring minimal disruption and preserving the promotion history.

Exam trap

Cisco often tests the misconception that rolling back a target requires creating a new release or manually manipulating releases, when in fact Cloud Deploy provides a dedicated rollback command that handles the process cleanly without affecting other targets or the release history.

How to eliminate wrong answers

Option A is wrong because creating a new release with the same image tag as the previous release would create a duplicate release in the pipeline, not a true rollback; it would also require a new promotion, which could trigger unintended side effects like re-running tests or approvals. Option C is wrong because rerunning the previous Cloud Deploy command would attempt to create a new release or promotion from scratch, not revert the production target to a prior state, and it could overwrite the current release history. Option D is wrong because manually deleting the current release is not supported in Cloud Deploy—releases are immutable once created—and promoting the previous release again would require it to still exist in the pipeline, which it does, but the manual deletion step is invalid and could break the deployment pipeline.

27
Multi-Selectmedium

A team uses GitHub for source control. They want to automatically trigger Cloud Build builds on pull request creation. Which two actions are required? (Choose two.)

Select 2 answers
A.Install the Cloud Build GitHub app in the repository
B.Create a Cloud Build trigger that listens to 'pull_request' event
C.Configure a webhook in GitHub to send push events to Cloud Build
D.Use Cloud Source Repositories as a mirror of GitHub
E.In the Cloud Build trigger, set the event to 'push' and branch filter to 'pull-request/*'
AnswersA, B

The app is required to allow Cloud Build to receive webhook events from GitHub.

Why this answer

Installing the Cloud Build GitHub app and creating a trigger with the 'pull_request' event are the two necessary steps. Other options are either not needed or incorrect.

28
MCQeasy

A developer runs the above command and receives a successful deployment. However, the service is not accessible from the internet. The service is intended to be public. What should the developer check next?

A.The region us-central1 is not available
B.The Cloud Run service has a custom domain mapped
C.The container image is healthy
D.The service IAM policy to ensure allUsers has Cloud Run Invoker role
AnswerD

This is the most common reason for a publicly inaccessible Cloud Run service after successful deployment.

Why this answer

Option D is correct because Cloud Run services are private by default; even after a successful deployment, the service will not be accessible from the internet unless the IAM policy explicitly grants the `roles/run.invoker` role to `allUsers`. Without this permission, any HTTP request from outside the project will be denied with a 403 Forbidden error, regardless of the service's health or region.

Exam trap

Cisco often tests the misconception that a successful deployment or a healthy container automatically makes a service publicly accessible, when in fact Cloud Run requires an explicit IAM binding to allow unauthenticated invocations.

How to eliminate wrong answers

Option A is wrong because `us-central1` is a standard, fully available Google Cloud region; region unavailability would cause a deployment failure, not a post-deployment accessibility issue. Option B is wrong because a custom domain is optional for public access — Cloud Run automatically provides a `*.run.app` URL that is publicly resolvable; the issue is IAM, not DNS. Option C is wrong because a healthy container image is required for a successful deployment, but it does not control network-level access; the container could be perfectly healthy yet still unreachable if IAM denies unauthenticated invocations.

29
MCQmedium

A team is using Cloud Source Repositories and wants to enforce code reviews before merging. What tool should they use?

A.Cloud Source Repositories pull requests without restrictions.
B.Cloud Deploy with manual approval.
C.Cloud Source Repositories with branch protection rules that require pull request reviews and passing status checks.
D.Cloud Build triggers with approval gates.
AnswerC

Enforces mandatory code reviews and CI checks.

Why this answer

Cloud Source Repositories (CSR) integrates with Cloud Build and Git. To enforce mandatory code reviews before merging, you configure branch protection rules on the CSR repository. These rules require pull request reviews and passing status checks (e.g., from Cloud Build), preventing direct pushes to protected branches.

This is the native Git-based mechanism for enforcing review workflows.

Exam trap

The trap here is confusing deployment approval gates (Cloud Deploy or Cloud Build) with repository-level merge controls, leading candidates to pick a CI/CD tool instead of the correct branch protection feature within Cloud Source Repositories.

How to eliminate wrong answers

Option A is wrong because CSR pull requests without restrictions do not enforce code reviews; they allow merging without any approval, defeating the requirement. Option B is wrong because Cloud Deploy is a continuous delivery service for deploying to GKE, Cloud Run, etc., not a code review or repository management tool; its manual approval gates apply to deployment pipelines, not to merging code. Option D is wrong because Cloud Build triggers with approval gates control whether a build runs after a commit, not whether a pull request can be merged; they do not enforce code review requirements on the repository itself.

30
Matchingmedium

Match each Cloud Storage class to its typical use case.


Frequently accessed data

Data accessed less than once a month

Data accessed less than once a quarter

Long-term archival data accessed less than once a year

Automatic transition between classes based on access patterns

Why these pairings

Cloud Storage offers different storage classes for cost optimization.

31
MCQhard

A team is deploying a microservices application on Cloud Run and needs to implement canary deployments with traffic splitting. They are using Cloud Deploy. What is the correct configuration to gradually shift traffic from the old revision to the new revision?

A.Use Cloud Build to deploy with a script that gradually increases traffic using the Cloud Run API.
B.Use a Cloud Deploy pipeline with a blue-green strategy that swaps all traffic at once.
C.Use a Cloud Deploy delivery pipeline with a canary strategy that specifies percentages like [5, 10, 50, 100] and includes a verification step.
D.Use Cloud Run's built-in traffic splitting with `gcloud run deploy --traffic` and manage manually.
AnswerC

This leverages Cloud Deploy's built-in canary deployment capability with progressive traffic shifting.

Why this answer

Option C is correct because Cloud Deploy natively supports canary deployments with traffic splitting for Cloud Run. By defining a canary strategy with incremental percentages (e.g., [5, 10, 50, 100]) and including a verification step, the pipeline automatically shifts traffic in stages, pausing for verification at each phase to ensure the new revision is healthy before progressing. This approach integrates directly with Cloud Deploy's delivery pipeline, eliminating the need for manual scripts or external API calls.

Exam trap

The trap here is that candidates often confuse Cloud Run's manual traffic splitting (`gcloud run deploy --traffic`) with Cloud Deploy's automated canary pipeline, assuming manual commands are sufficient for gradual shifts, but the exam requires understanding that Cloud Deploy provides the orchestration, verification, and rollback needed for production canary deployments.

How to eliminate wrong answers

Option A is wrong because using Cloud Build with a script to gradually increase traffic via the Cloud Run API bypasses Cloud Deploy's native canary support, adding unnecessary complexity and losing pipeline observability and rollback capabilities. Option B is wrong because a blue-green strategy swaps all traffic at once, which contradicts the requirement for gradual traffic shifting; it does not support incremental percentages. Option D is wrong because using `gcloud run deploy --traffic` manually requires ongoing manual intervention and does not leverage Cloud Deploy's automated pipeline, verification steps, or rollback mechanisms.

32
MCQeasy

During a code review, a developer notices that the application's Cloud Storage client library is using the default credentials of the Compute Engine instance. What is a more secure alternative for a production environment?

A.Create a dedicated service account with minimal permissions and attach it to the instance
B.Store user credentials in a configuration file
C.Use an API key for Cloud Storage
D.Generate an access token and embed it in the code
AnswerA

This follows the principle of least privilege and avoids using default credentials.

Why this answer

Option A is correct because creating a dedicated service account with minimal permissions and attaching it to the Compute Engine instance follows the principle of least privilege. This avoids using the overly permissive default Compute Engine service account, which often has broad access to many Google Cloud services. By scoping the service account to only the required Cloud Storage permissions (e.g., roles/storage.objectViewer), you reduce the attack surface and adhere to production security best practices.

Exam trap

Cisco often tests the misconception that the default Compute Engine service account is acceptable for production, when in fact it is overly permissive and should be replaced with a custom service account scoped to the minimum required roles.

How to eliminate wrong answers

Option B is wrong because storing user credentials in a configuration file on the instance is insecure; credentials can be exposed via file read vulnerabilities or accidental commits, and user credentials are not designed for server-to-server service calls. Option C is wrong because API keys are a simplistic authentication mechanism: they do not support fine-grained access control, are tied to the project rather than a specific identity, and are vulnerable to leakage in URLs or logs. Option D is wrong because embedding an access token directly in code is a severe security anti-pattern; tokens expire and require rotation, and hardcoding them makes them impossible to revoke or rotate without redeploying the application.

33
MCQmedium

Refer to the exhibit. A Cloud Build config deploys a new image to GKE. After the build succeeds, the pods restart with the new image but the application configuration is unchanged. What is the most likely cause?

A.The ConfigMap is not updated with the new configuration values.
B.The deployment rollout strategy is set to Recreate, causing downtime.
C.The new image is not being pulled because of imagePullPolicy: IfNotPresent.
D.The GKE cluster does not have sufficient permissions to pull from Container Registry.
AnswerA

Correct; the application config is stored in a ConfigMap that is not refreshed during deployment.

Why this answer

A is correct because a Cloud Build config that deploys a new image to GKE does not automatically update the ConfigMap. The pods restart with the new image, but the application configuration remains unchanged because the ConfigMap still holds the old values. To apply new configuration, the ConfigMap must be updated separately, and the pods must be restarted or redeployed to pick up the changes.

Exam trap

Cisco often tests the misconception that deploying a new image automatically updates the application configuration, when in fact ConfigMaps and Secrets must be updated independently.

How to eliminate wrong answers

Option B is wrong because the Recreate rollout strategy would cause downtime, but it would still apply the new image and any updated configuration; the question states the application configuration is unchanged, not that there is downtime. Option C is wrong because imagePullPolicy: IfNotPresent only affects whether the image is pulled if it already exists locally; it does not prevent the new image from being pulled if the tag is different (e.g., a new digest or tag). Option D is wrong because if the GKE cluster lacked permissions to pull from Container Registry, the build would fail or the pods would fail to start with an ImagePullBackOff error, not simply restart with unchanged configuration.

34
MCQeasy

A developer is building a CI/CD pipeline for a microservices application. The pipeline should build a container image, run unit tests, and deploy to Google Kubernetes Engine (GKE) only if all tests pass. Which Google Cloud service is best suited for orchestrating this pipeline?

A.Cloud Build
B.Compute Engine
C.Cloud Run
D.Cloud Functions
AnswerA

Cloud Build is the native CI/CD service for building, testing, and deploying on Google Cloud.

Why this answer

Cloud Build is the correct choice because it is a fully managed CI/CD platform that natively supports building container images, running unit tests, and deploying to GKE. It can be configured with a cloudbuild.yaml file to define steps for building, testing, and deploying, and it only proceeds to the deploy step if all prior steps (including tests) succeed. This makes it the best fit for orchestrating the entire pipeline in a single, integrated service.

Exam trap

The trap here is that candidates may confuse Cloud Run (a deployment target) with a CI/CD orchestrator, or assume Compute Engine is needed for custom CI/CD tools, but Cloud Build is the native, fully managed service for this exact pipeline workflow.

How to eliminate wrong answers

Option B (Compute Engine) is wrong because it provides raw virtual machines, not a CI/CD orchestration service; you would need to manually install and manage CI/CD tools like Jenkins or GitLab Runner, which adds overhead and lacks native integration with GKE. Option C (Cloud Run) is wrong because it is a serverless compute platform for running stateless containers, not a CI/CD pipeline orchestrator; it cannot build images or run tests as part of a pipeline. Option D (Cloud Functions) is wrong because it is an event-driven compute service for single-purpose functions, not designed for multi-step CI/CD workflows; it lacks built-in support for building container images or deploying to GKE.

35
MCQmedium

A team is setting up a CI/CD pipeline for a Node.js App Engine application using Cloud Build. The source code is in Cloud Source Repositories. What must be configured to automatically run unit tests before deployment?

A.Enable Cloud Build triggers on the repository
B.Use the App Engine deployment wizard
C.Add a cloudbuild.yaml file with a test step
D.Use a Dockerfile to run tests
AnswerC

The build config defines the steps, including running tests; a trigger can then invoke it on push.

Why this answer

Option C is correct because Cloud Build uses a cloudbuild.yaml file to define build steps, and adding a test step ensures unit tests run automatically before deployment. Without this configuration, Cloud Build will not execute tests; it only runs the steps explicitly defined in the build configuration file.

Exam trap

Cisco often tests the misconception that enabling a trigger alone is sufficient to run tests, when in fact the trigger only initiates the build; the actual test execution must be explicitly defined in the build configuration file.

How to eliminate wrong answers

Option A is wrong because enabling Cloud Build triggers on the repository only starts the build process on code changes, but does not define what steps (like tests) to run; triggers alone do not execute tests. Option B is wrong because the App Engine deployment wizard is a manual GUI tool in the Google Cloud Console, not an automated CI/CD pipeline component, and it does not integrate with Cloud Build to run tests. Option D is wrong because a Dockerfile is used to build a container image, not to define CI/CD pipeline steps; Cloud Build ignores Dockerfiles for pipeline logic and requires a cloudbuild.yaml for test execution.

36
Multi-Selectmedium

Which THREE of the following are best practices for building secure applications on Google Cloud?

Select 3 answers
A.Use Secret Manager to manage sensitive configuration values.
B.Disable authentication on a test Cloud Run service for end-user testing.
C.Use a single service account for all Cloud Functions to simplify permissions.
D.Enable VPC Service Controls to prevent data exfiltration.
E.Store source code in Cloud Source Repositories with IAM restrictions.
AnswersA, D, E

Secret Manager securely stores and accesses secrets.

Why this answer

Option A is correct because Secret Manager provides a centralized and secure way to store and manage sensitive configuration values such as API keys, database passwords, and certificates. By using Secret Manager, you avoid hardcoding secrets in source code or configuration files, reducing the risk of exposure. It integrates with IAM for fine-grained access control and supports automatic rotation, ensuring that secrets are protected at rest and in transit.

Exam trap

Cisco often tests the principle of least privilege and the misconception that simplifying permissions by using a single service account is acceptable, when in fact it creates a single point of failure and broad attack surface.

37
Multi-Selectmedium

A developer is deploying a new version of a microservice to Cloud Run. The developer wants to ensure that the new revision is tested with a small percentage of traffic before rolling out to all users. Which TWO approaches can the developer use?

Select 2 answers
A.Use the 'gcloud run deploy' command with '--no-traffic' and then use 'gcloud run services update-traffic --to-revisions=REVISION=5' to send 5% of traffic.
B.Use the 'gcloud run deploy' command with '--no-traffic' to deploy without serving traffic, then use 'gcloud run services update-traffic' to gradually increase traffic.
C.Set the 'max-instances' parameter to limit the number of instances handling requests.
D.Use the 'gcloud run deploy' command with '--tag' to assign a tag to the new revision, then direct test traffic to that tag.
E.Deploy the new revision with the same revision name as the old one to overwrite it, then roll back if issues occur.
AnswersA, B

This directly sets a specific percentage of traffic to the new revision.

Why this answer

Option A is correct because the '--no-traffic' flag deploys the new revision without serving any traffic, and then 'gcloud run services update-traffic --to-revisions=REVISION=5' allows you to send exactly 5% of traffic to that revision for canary testing. Option B is also correct because it describes the same two-step process: deploy with '--no-traffic' to avoid immediate traffic, then use 'update-traffic' to gradually increase the percentage, which is the standard canary deployment pattern on Cloud Run.

Exam trap

Google Cloud often tests the distinction between traffic splitting (percentage-based routing) and direct access via tags; candidates mistakenly think tagging alone can serve a percentage of production traffic, but tags only provide a separate URL for testing without affecting the main service's traffic distribution.

38
MCQmedium

A company needs to build a CI/CD pipeline for a microservices architecture. They want to run unit tests quickly by only testing code that has changed. Which approach should they use?

A.Use Cloud Build with a step that caches test results based on file hashes.
B.Use Cloud Build with a step that runs all tests in parallel.
C.Use Cloud Build with a step that uses `git log` to find changed files and run tests.
D.Use Cloud Build with a step that checks `git diff` against the previous commit and runs tests only on affected modules using a test runner that supports file-based filtering.
AnswerD

This approach directly targets changed files, minimizing test execution time.

Why this answer

Option D is correct because checking the diff and running only the relevant tests, using a custom builder, is a best practice for fast CI. Running all tests in parallel (Option B) is suboptimal because it is not selective. Caching test results based on file hashes (Option A) is not a built-in feature and can be unreliable. Using `git log` to find changed files (Option C) is not as efficient as a custom diff-based approach.

39
Drag & Dropmedium

Drag and drop the steps to set up a Cloud Build trigger for continuous deployment in the correct order.


Why this order

A Cloud Build trigger is set up by connecting a repository and configuring the conditions for automatic builds.

40
MCQmedium

A team uses Cloud Source Repositories for version control and Cloud Build for CI. The build configuration file (cloudbuild.yaml) includes a step that runs unit tests. The team wants to ensure that the build fails if any test fails. What should the developer do?

A.Use Cloud Build's built-in test runner that automatically fails the build on test failure.
B.Ensure the test command in the build step returns a non-zero exit code when tests fail.
C.Create a custom builder that runs tests and emits a non-zero exit code on failure.
D.Add a pre-build step that checks test results and triggers a build failure if needed.
AnswerB

Cloud Build treats any non-zero exit code as a failure, causing the build to fail.

Why this answer

Option B is correct because Cloud Build executes each step as a container, and the build step's success or failure is determined by the exit code of the command run inside that container. If the test command (e.g., `npm test` or `pytest`) returns a non-zero exit code when tests fail, Cloud Build will automatically mark that step as failed and stop the build. No special configuration or custom builder is required beyond ensuring the test command itself propagates the failure exit code.

Exam trap

Cisco often tests the misconception that Cloud Build has a built-in test runner or that you need a custom builder to handle test failures, when in fact the standard exit code mechanism is all that is required.

How to eliminate wrong answers

Option A is wrong because Cloud Build does not have a built-in test runner; it relies on the exit code of the command you specify in the step. Option C is wrong because creating a custom builder is unnecessary; the standard language images (e.g., node, python) already include test runners that return non-zero exit codes on failure. Option D is wrong because a pre-build step cannot check test results that haven't been generated yet; the test step itself must fail the build by returning a non-zero exit code.

41
MCQ · easy

A developer is writing unit tests for a Python application that will run on Cloud Functions. The function makes HTTP requests to an external API. The developer wants to avoid making actual network calls during tests. What should the developer use?

A. Use a test double to replace the entire function.
B. Use dependency injection to pass a fallback URL.
C. Deploy the function to Cloud Functions and run integration tests.
D. Mock the HTTP requests using a library like unittest.mock.
Answer: D

Mocking prevents actual HTTP calls.

Why this answer

Option D is correct because `unittest.mock` allows the developer to replace the actual HTTP request calls (e.g., `requests.get`) with mock objects that return controlled responses, preventing any real network traffic. This is essential for unit testing Cloud Functions where external API calls must be isolated to ensure tests are fast, deterministic, and do not depend on external services.

Exam trap

The trap here is that candidates may confuse integration testing (Option C) with unit testing, or think that dependency injection (Option B) inherently avoids network calls, when in fact it only changes the endpoint without eliminating the call itself.

How to eliminate wrong answers

Option A is wrong because replacing the entire function with a test double would defeat the purpose of unit testing the function's logic; it would test the double, not the actual code. Option B is wrong because dependency injection with a fallback URL still requires making an HTTP request to that URL, which does not avoid actual network calls. Option C is wrong because deploying to Cloud Functions and running integration tests involves real network calls and is the opposite of what the developer wants—unit tests should avoid external dependencies.

42
Multi-Select · medium

Which TWO practices should be followed when integrating Cloud Endpoints with a Cloud Run service to enforce API authentication and rate limiting?

Select 2 answers
A. Use API keys to authenticate end users
B. Set the audience field in the Endpoints service configuration to the Cloud Run service URL
C. Configure rate limiting in the OpenAPI specification using extension properties
D. Deploy Cloud Endpoints as a sidecar container in the same Cloud Run instance
E. Configure Cloud Armor rules to enforce rate limiting before requests reach Endpoints
Answers: B, C

This ensures the JWT token is validated for the correct audience.

Why this answer

Option B is correct because the `audience` field in the Endpoints service configuration must match the Cloud Run service URL (e.g., `https://myservice-xxxxx-uc.a.run.app`). This ensures that the JWT tokens issued by Google's authentication system are validated against the intended recipient, preventing token reuse across different services. Without this match, authentication will fail because the token's `aud` claim will not match the expected audience.

Exam trap

Cisco often tests the distinction between authentication mechanisms (API keys vs. JWT/OAuth2) and deployment models (sidecar vs. managed proxy), expecting candidates to know that API keys do not authenticate users and that Cloud Run uses a managed proxy, not a sidecar.

43
MCQ · hard

A team is building a mobile backend on Google Cloud using Cloud Endpoints with Firebase Authentication. They want to protect their API from abuse by implementing rate limiting per user. What approach should they take?

A. Implement rate limiting in the backend code and enforce it via Cloud Endpoints.
B. Use Apigee API Management as a proxy to enforce rate limiting per developer app.
C. Configure Cloud Armor with a rule to block requests from users exceeding a threshold.
D. Use Cloud CDN with a cache key based on the user ID.
Answer: B

Apigee can rate limit based on API keys or tokens associated with users.

Why this answer

Apigee API Management is the correct choice because it provides built-in rate limiting policies that can be enforced per developer app, which maps directly to per-user rate limiting when Firebase Authentication is used. Cloud Endpoints does not natively support per-user rate limiting; it relies on the backend to implement such logic, which is not a managed solution. Apigee acts as a proxy that can inspect the Firebase-issued JWT token to identify the user and apply rate limits accordingly, offloading this concern from the backend code.

Exam trap

Google Cloud often tests the misconception that Cloud Endpoints can handle rate limiting natively, but in reality, it only provides authentication and logging, while Apigee is the dedicated API management solution for rate limiting and monetization.

How to eliminate wrong answers

Option A is wrong because Cloud Endpoints does not provide built-in rate limiting capabilities; it only handles API management, authentication, and logging, leaving rate limiting to be implemented in the backend code, which is not a managed or scalable approach. Option C is wrong because Cloud Armor is a network security service that operates at the edge (layer 3-7) and cannot inspect per-user tokens or enforce rate limits based on user identity; it is designed for DDoS protection and IP-based rules, not per-user quotas. Option D is wrong because Cloud CDN is a content delivery network that caches responses based on cache keys, but it does not enforce rate limiting; it can only improve latency and reduce backend load, not block abusive users.

44
MCQ · medium

Refer to the exhibit. The developer receives an error when creating the delivery pipeline. What is the most likely cause?

A. The prod target is missing a verification step.
B. The dev target has four percentages, but only two are allowed.
C. The canary percentages for the prod target do not sum to 100.
D. The pipeline name is too long.
Answer: C

The increments should sum to 100; here they sum to 90, causing validation error.

Why this answer

Option C is correct because the sum of the percentages in the prod stage is 10+20+60=90, and the last value 100 is not an increment but the final full rollout. The increments must sum to 100. Option A is incorrect because four percentages are allowed. Option B is not a requirement for pipeline creation. Option D is unlikely.

45
MCQ · hard

Your organization uses Cloud Functions (1st gen) to process events from Cloud Storage. Recently, you migrated to Cloud Functions (2nd gen) to take advantage of longer timeouts and concurrency. After the migration, some invocations fail with 'DeadlineExceeded' errors even though the total execution time is below the 60-minute limit. What is the most likely cause?

A. The function does not have enough memory allocated for the new workload
B. The function is processing multiple concurrent requests per instance, causing a single request to exceed the HTTP timeout due to contention
C. The function is being cold-started more frequently due to reduced min instances
D. The function timeout is still set to the 1st gen default of 9 minutes
Answer: B

2nd gen enables concurrency; if function code is not thread-safe or uses blocking operations, concurrent requests can cause delays.

Why this answer

Option B is correct because Cloud Functions (2nd gen) supports concurrent request processing per instance. When multiple requests are handled simultaneously by the same instance, they share the instance's resources, including the HTTP timeout. If one request consumes excessive time due to contention (e.g., waiting for CPU or I/O), other concurrent requests may hit the HTTP request timeout (default 60 minutes for 2nd gen) even if their individual execution time is shorter. This is a common issue when migrating from 1st gen (which processes one request at a time) to 2nd gen with concurrency enabled.

Exam trap

Cisco often tests the misconception that 'DeadlineExceeded' errors are always due to the function timeout setting, but here the trap is that the error arises from concurrent request contention within a single instance, not from an insufficient timeout value.

How to eliminate wrong answers

Option A is wrong because insufficient memory typically causes out-of-memory errors or performance degradation, not 'DeadlineExceeded' errors, which are timeout-related. Option C is wrong because cold starts affect initial latency but do not cause 'DeadlineExceeded' errors for requests that are already running; cold starts may increase latency but not exceed the 60-minute timeout. Option D is wrong because Cloud Functions (2nd gen) has a maximum timeout of 60 minutes by default, and the question states the total execution time is below that limit, so the timeout setting is not the issue; the error is due to concurrent request contention, not a misconfigured timeout.

46
MCQ · medium

A company is using Cloud Build for CI and wants to store build artifacts in Artifact Registry. They want to ensure that only successful builds are promoted to production. What should they do?

A. Use Cloud Build to deploy to a staging environment, then manually promote to production.
B. Use Cloud Build steps that push to Artifact Registry only if all previous steps succeed by using `waitFor` and checking exit codes.
C. Use Cloud Build triggers with a condition that only builds on the main branch are deployed.
D. Use Cloud Build with a custom script that pushes regardless of build status.
Answer: B

Cloud Build inherently stops on failure, ensuring only successful builds push artifacts.

Why this answer

Option B is correct because, by default, Cloud Build steps run sequentially and each step runs only if the previous steps succeeded, so the push to Artifact Registry happens only if the tests pass. Option A is not sufficient because builds on main can still fail. Option C involves manual intervention. Option D is incorrect as it ignores build status.

47
Drag & Drop · medium

Drag and drop the steps to configure a Cloud CDN with a Cloud Load Balancer in the correct order.

Why this order

Cloud CDN is enabled on a backend bucket of a load balancer, then DNS is configured.

48
MCQ · medium

A Cloud Run service experiences high latency under load. The service is a Node.js Express app that processes requests sequentially due to a global mutex. What is the most effective solution?

A. Remove the mutex and ensure request handling is asynchronous
B. Use Cloud Run for Anthos to handle load
C. Increase the number of CPUs per container
D. Increase the 'max-instances' setting
Answer: A

This directly addresses the bottleneck by allowing parallel processing.

Why this answer

The root cause is that the global mutex forces sequential processing, negating Node.js's asynchronous event loop. Removing the mutex and ensuring asynchronous request handling (e.g., using async/await or Promises) allows the single-threaded event loop to interleave I/O-bound tasks, dramatically reducing latency under concurrent load. This directly addresses the bottleneck without changing the underlying infrastructure.

Exam trap

Cisco often tests the misconception that scaling infrastructure (more CPUs, more instances) can fix application-level concurrency bugs, when the real solution is to fix the code to be non-blocking.

How to eliminate wrong answers

Option B is wrong because Cloud Run for Anthos adds Kubernetes orchestration but does not fix the application-level sequential processing caused by the mutex; it would still suffer from the same bottleneck. Option C is wrong because increasing CPUs per container does not help a single-threaded Node.js process that is blocked by a mutex; Node.js uses one event loop per container, and extra CPUs are underutilized. Option D is wrong because increasing 'max-instances' creates more containers, but each container still has the mutex, so each instance processes requests sequentially; the overall throughput may improve linearly but latency per request remains high due to queuing within each instance.

49
MCQ · hard

A team is migrating a monolithic .NET application to Cloud Run. The application uses .NET Framework 4.8 and depends on Windows-specific libraries. What is the recommended approach to containerize and deploy this application?

A. Deploy the application on Compute Engine with Windows Server
B. Use Cloud Run for Anthos on a Windows node pool
C. Port the application to .NET Core/.NET 6+ and run on Linux
D. Use a Windows base image and deploy to Cloud Run
Answer: C

This is the recommended approach to make the application compatible with Cloud Run.

Why this answer

Cloud Run only supports Linux containers, so a .NET Framework 4.8 application that depends on Windows-specific libraries cannot be directly deployed. The recommended approach is to port the application to .NET Core/.NET 6+ (now .NET 8/9), which is cross-platform and can run on Linux containers, enabling deployment to Cloud Run. This aligns with Google's guidance for modernizing legacy .NET applications to leverage serverless platforms.

Exam trap

Cisco often tests the misconception that Cloud Run can run any container image, including Windows-based ones, but the platform strictly supports only Linux containers, making option D a common trap for candidates unfamiliar with Cloud Run's runtime constraints.

How to eliminate wrong answers

Option A is wrong because deploying on Compute Engine with Windows Server is a lift-and-shift approach that does not leverage Cloud Run's serverless benefits and incurs higher operational overhead and cost. Option B is wrong because Cloud Run for Anthos does not support Windows node pools; it only supports Linux containers on GKE clusters. Option D is wrong because Cloud Run does not support Windows base images; it only runs Linux containers, and using a Windows base image would cause the deployment to fail.

50
Multi-Select · medium

Which THREE steps are required to set up end-to-end testing for a Cloud Run service that uses Firestore and Pub/Sub?

Select 3 answers
A. Automate the teardown of test resources after test completion
B. Use the Cloud Run emulator to run the service locally
C. Provision dedicated Pub/Sub topics and subscriptions for the test environment
D. Use the Firestore emulator to simulate Firestore operations
E. Create a separate Google Cloud project for testing
Answers: A, C, E

Prevents lingering resources and cost.

Why this answer

Option A is correct because end-to-end testing of a Cloud Run service that interacts with Firestore and Pub/Sub must include automated teardown of test resources (e.g., Pub/Sub topics, subscriptions, Firestore documents) to prevent resource leaks and avoid incurring ongoing costs. Without teardown, leftover resources can cause quota exhaustion and interfere with subsequent test runs, making automation essential for reliable CI/CD pipelines.

Exam trap

Cisco often tests the distinction between emulators (suitable for unit/integration tests) and real services (required for end-to-end testing), leading candidates to incorrectly select the Firestore emulator as a valid step for end-to-end testing.

51
MCQeasy

A team is developing a microservice that needs to store user profile images in Cloud Storage. The service is deployed on Cloud Run and will be invoked by other services via HTTP. The images are uploaded by users and the service must validate that the file is an image (e.g., JPEG, PNG) before storing it. The team wants to minimize costs and operational overhead while ensuring that only valid images are stored. The current implementation uploads the file directly to Cloud Storage from the client, but the team wants to add validation in the service. Which approach should the team take?

A. Create a separate Cloud Function that receives the file, validates it, and uploads it to Cloud Storage. Invoke the Cloud Function from the client.
B. Have the client send the file to the Cloud Run service, validate the file on the server side, and then upload it to Cloud Storage using the Google Cloud Storage client library.
C. Validate the file on the client side before uploading directly to Cloud Storage, and rely on client-side validation.
D. Upload the file to Cloud Storage, then trigger a Cloud Function using Cloud Storage events to validate the file and delete it if invalid.
Answer: B

Correct; validates before upload, keeps architecture simple.

Why this answer

Option B is correct because it keeps the validation logic within the Cloud Run service, which is already deployed and handling HTTP requests. The service can receive the file via HTTP, validate its MIME type and magic bytes on the server side, and then upload it to Cloud Storage using the Google Cloud Storage client library. This minimizes costs (no additional compute services) and operational overhead (single service to manage), while ensuring only valid images are stored.

Exam trap

Cisco often tests the misconception that client-side validation is sufficient for security, or that adding extra serverless functions is always the best way to add validation, when in fact the simplest and most cost-effective approach is to validate within the existing service.

How to eliminate wrong answers

Option A is wrong because it introduces an unnecessary separate Cloud Function, increasing operational overhead and cost, and the client would need to invoke a different endpoint, complicating the architecture. Option C is wrong because client-side validation alone is insufficient for security; a malicious client can bypass it and upload non-image files directly to Cloud Storage. Option D is wrong because it allows invalid files to be stored temporarily in Cloud Storage before validation, which wastes storage costs and creates a window where invalid data exists; it also adds complexity with a Cloud Function triggered by events.

52
MCQ · hard

Refer to the exhibit. A developer runs the above command to deploy a Cloud Function triggered by Pub/Sub. The function fails to execute when a message is published. The logs show: "Function execution took 60001 ms, finished with status: 'timeout'". What should the developer do?

A. Change the trigger to HTTP
B. Reduce the number of function instances
C. Check the function code for long-running operations
D. Increase the function timeout to 9 minutes
Answer: C

The timeout indicates the function is taking too long; the proper fix is to optimize the code to complete within the allowed time.

Why this answer

The timeout error indicates the Cloud Function is exceeding its maximum execution duration. The default timeout for Cloud Functions is 60 seconds, and the logs confirm the function ran for 60001 ms before being forcibly terminated. The most likely cause is that the function code contains long-running operations (e.g., synchronous HTTP calls, database queries, or heavy computation) that do not complete within the allotted time. Therefore, the developer should inspect and optimize the function code to reduce execution time, such as by using asynchronous processing or breaking the work into smaller chunks.

Exam trap

Cisco often tests the misconception that increasing the timeout is the correct fix for any timeout error, but the trap here is that the default timeout is 60 seconds and the logs show exactly 60001 ms, indicating the function is hitting the default limit — the correct first step is to optimize the code, not blindly extend the timeout.

How to eliminate wrong answers

Option A is wrong because changing the trigger to HTTP does not change the timeout behavior; Cloud Functions have the same maximum timeout (up to 9 minutes) regardless of trigger type, and the issue is execution duration, not the trigger mechanism. Option B is wrong because reducing the number of function instances does not affect the timeout of a single invocation; instances handle concurrency, not execution time per request, and fewer instances could even increase latency under load. Option D is wrong because while increasing the timeout to 9 minutes is possible (the maximum is 540 seconds), it is not the recommended first step; the logs show the function is timing out at the default 60 seconds, and simply extending the timeout without addressing the underlying long-running code would mask the problem and could lead to higher costs and resource consumption.

53
MCQ · medium

Refer to the exhibit. A developer uses the above cloudbuild.yaml for a Cloud Run service. The trigger is set to run on pushes to the main branch. After a push, the build succeeds but the deployment fails with a permission error. What is the most likely issue?

A. The Cloud Build service account lacks permission to deploy to Cloud Run
B. The region 'us-central1' is incorrect
C. The container image tag ${SHORT_SHA} is invalid
D. The Cloud Run service name 'my-service' is misspelled
Answer: A

Deploying to Cloud Run requires specific IAM roles (e.g., Cloud Run Admin, Service Account User) that might not be granted to the default Cloud Build service account.

Why this answer

The Cloud Build service account (typically the default compute engine service account or a user-specified service account) does not have the required IAM roles (e.g., roles/run.admin or roles/run.invoker) to deploy to Cloud Run. Even though the build step succeeds, the deployment step fails because the service account lacks the `run.services.create` or `run.services.update` permission for the target Cloud Run service.

Exam trap

Cisco often tests the misconception that a build success implies all subsequent steps will succeed, but the trap here is that the deployment step uses a different set of permissions (Cloud Run IAM) than the build step (Cloud Build IAM), and candidates may overlook the need to grant the Cloud Build service account the `roles/run.admin` role.

How to eliminate wrong answers

Option B is wrong because if the region 'us-central1' were incorrect, the deployment would fail with a region-not-found or resource-location error, not a permission error. Option C is wrong because the container image tag ${SHORT_SHA} is a valid Cloud Build substitution variable that resolves to the short commit SHA; an invalid tag would cause an image-not-found error, not a permission error. Option D is wrong because if the service name 'my-service' were misspelled, the deployment would fail with a resource-not-found error, not a permission error.

54
MCQ · easy

A team wants to implement automated testing for a Python application deployed on Cloud Run. They want the tests to run as part of the CI/CD pipeline after the image is built but before it is deployed. Which approach should they use?

A. Use Cloud Function to run tests triggered by a Pub/Sub message after the image is published
B. Run unit tests before building the image using Cloud Build, but skip integration tests
C. Add a test step in Cloud Build that uses the built image to run integration tests before deploying
D. Deploy the image to a staging environment, run tests, and then promote to production
Answer: C

Cloud Build allows running containers from the built image as part of the pipeline.

Why this answer

Option C is correct because Cloud Build allows you to add a test step that runs the built container image before deploying it to Cloud Run. This ensures integration tests validate the application in an environment identical to production, catching issues early in the CI/CD pipeline. Running tests after the image is built but before deployment is a standard practice for shift-left testing.

Exam trap

Cisco often tests the misconception that integration tests must be run in a separate staging environment or after deployment, when in fact Cloud Build can run them directly from the built image before deployment.

How to eliminate wrong answers

Option A is wrong because using a Cloud Function triggered by a Pub/Sub message after the image is published introduces unnecessary latency and complexity, and tests would run after the image is already available, not before deployment. Option B is wrong because it suggests skipping integration tests entirely, which would miss critical runtime and dependency issues that only surface in the containerized environment. Option D is wrong because deploying to a staging environment before testing violates the requirement to run tests before deployment; it also adds extra infrastructure cost and delay without leveraging Cloud Build's built-in test capabilities.

55
Multi-Select · easy

A developer is building a containerized application on Cloud Run. They want to test the application locally before deploying. Which two tools should they use? (Choose 2)

Select 2 answers
A. Functions Framework
B. Docker Desktop
C. Cloud Build
D. Cloud Code for VS Code
E. Cloud Run for Anthos
Answers: B, D

Docker Desktop allows you to run the container locally exactly as it will run on Cloud Run.

Why this answer

Docker Desktop allows running the container locally. Cloud Code (for VS Code or IntelliJ) provides integrated debugging, local emulation, and one-click deployment to Cloud Run. Cloud Build is for CI/CD, not local testing. Functions Framework is for Cloud Functions, not Cloud Run. Cloud Run for Anthos is for hybrid environments.

56
MCQ · easy

A team is developing a REST API on Cloud Run. They need to ensure that only authenticated requests from their corporate domain (example.com) are allowed. Which configuration should they use?

A. Set the Cloud Run service to require authentication and allow only the domain 'example.com' in the IAM policy
B. Implement custom authentication using Firestore to validate user tokens
C. Use Cloud Endpoints with an API key that is shared only with corporate users
D. Use Cloud Armor to deny traffic except from the corporate IP range
Answer: A

IAM policy with 'domain:example.com' on the service's roles/run.invoker restricts access.

Why this answer

Option A is correct because Cloud Run's IAM integration allows you to require authentication (via the `--no-allow-unauthenticated` flag) and then use IAM conditions to restrict access to principals from a specific domain (e.g., `request.auth.claims.email` ends with `@example.com`). This ensures only authenticated requests from the corporate domain are permitted, leveraging Google Cloud's identity-aware proxy (IAP) capabilities without additional infrastructure.

Exam trap

Cisco often tests the distinction between authentication (verifying identity) and authorization (controlling access), and the trap here is that candidates confuse IP-based controls (Cloud Armor) with identity-based controls (IAM conditions), leading them to choose option D despite its inability to handle authenticated domain restrictions.

How to eliminate wrong answers

Option B is wrong because implementing custom authentication with Firestore to validate user tokens is unnecessary and adds complexity; Cloud Run natively supports token validation via IAM and does not require a separate database for token verification. Option C is wrong because Cloud Endpoints with an API key does not authenticate the user's identity or domain; API keys are for project identification, not user authentication, and sharing a key with corporate users would not restrict access to a specific domain. Option D is wrong because Cloud Armor filters traffic based on IP addresses, not user identity or domain; corporate IP ranges can change, and this approach would not handle mobile or remote users outside the corporate network.

57
Multi-Select · easy

Which TWO of the following are valid strategies for testing Cloud Functions locally before deployment?

Select 2 answers
A. Write unit tests that mock the HTTP request and response objects.
B. Use the Cloud Console to invoke the function with test events.
C. Use the Cloud Functions emulator provided by gcloud beta emulators.
D. Use the Functions Framework to start a local server that serves the function.
E. Deploy the function to a staging Cloud Functions project and test via HTTP invocations.
Answers: C, D

The emulator runs locally and simulates the Cloud Functions environment.

Why this answer

Option C is correct because the `gcloud beta emulators` command includes a Cloud Functions emulator that allows you to run your functions locally in a simulated environment, enabling testing without deploying to the cloud. Option D is correct because the Functions Framework is an open-source library that starts a local HTTP server (typically on port 8080) and serves your function, matching the Cloud Functions runtime environment exactly.

Exam trap

Cisco often tests the distinction between 'local testing' and 'cloud-based testing' — the trap here is that candidates may think deploying to a staging project (Option E) qualifies as local testing, when in fact it is a remote deployment strategy that does not provide the speed or isolation of a local emulator.

58
MCQ · medium

Your team has developed a containerized application that processes streaming data from Pub/Sub. The application is deployed on Cloud Run. Under normal load, it processes messages within seconds. However, during spikes, processing time increases and some messages are not acknowledged before the Cloud Run request timeout of 60 minutes. You need to ensure that all messages are processed reliably without losing data. You have the following options: A) Increase the Cloud Run request timeout to 120 minutes. B) Use Cloud Run jobs instead of services to handle the processing asynchronously. C) Set up a second subscription to Pub/Sub with a different push endpoint to parallelize processing. D) Use a Cloud Tasks queue to decouple the Pub/Sub push and process messages with retries. Which option should you choose?

A. Use a Cloud Tasks queue to decouple the Pub/Sub push and process messages with retries.
B. Increase the Cloud Run request timeout to 120 minutes.
C. Use Cloud Run jobs instead of services to handle the processing asynchronously.
D. Set up a second subscription to Pub/Sub with a different push endpoint to parallelize processing.
Answer: C

Cloud Run jobs can run for up to 24 hours, suitable for long processing, and they don't have a request timeout.

Why this answer

Option C is correct because Cloud Run jobs are designed for asynchronous, batch-style processing that can run longer than the 60-minute request timeout of Cloud Run services. By using a job, you can pull messages from Pub/Sub, process them without a hard timeout, and acknowledge them only after successful processing, ensuring reliable message handling during spikes.

Exam trap

The trap here is that candidates confuse Cloud Run services (which have a 60-minute timeout and are request-driven) with Cloud Run jobs (which are asynchronous and have no such timeout), leading them to incorrectly choose increasing the timeout or adding subscriptions instead of switching to the job execution model.

How to eliminate wrong answers

Option A is wrong because increasing the Cloud Run request timeout to 120 minutes only delays the failure; it does not solve the underlying issue of messages not being acknowledged within the timeout, and Cloud Run services have a maximum timeout of 60 minutes (cannot be set to 120). Option B is wrong because Cloud Run jobs are the correct asynchronous solution, not services; the option incorrectly suggests using services for async processing. Option D is wrong because adding a second subscription with a different push endpoint does not address the acknowledgment timeout issue; it merely parallelizes the same push model, which still requires messages to be acknowledged within the Cloud Run service timeout.

59
MCQ · hard

A developer runs the above command and cloudbuild.yaml. The build fails at the deploy step with a permission error. The developer has the Cloud Build Editor role on the project. What is the likely cause?

A. The Cloud Build service account lacks the Cloud Run Admin role.
B. The Cloud Build Editor role does not have permission to submit builds.
C. The Docker image is not in a format compatible with Cloud Run.
D. The build step uses the 'gcloud' command without authentication.
Answer: A

The Cloud Build service account needs Cloud Run Admin (or roles/run.admin) to deploy services.

Why this answer

The Cloud Build Editor role grants permissions to submit builds and execute build steps, but the actual execution of those steps (including the deploy step) runs under the Cloud Build service account. By default, this service account does not have the Cloud Run Admin role, which is required to deploy to Cloud Run. Without this role, the `gcloud run deploy` command fails with a permission error.

Exam trap

Cisco often tests the distinction between the permissions of the user who triggers a build (e.g., Cloud Build Editor) and the permissions of the service account that executes the build steps, leading candidates to incorrectly assume the user's role applies to all build actions.

How to eliminate wrong answers

Option B is wrong because the Cloud Build Editor role explicitly includes the `cloudbuild.builds.create` permission, which allows submitting builds; the error occurs during the deploy step, not during build submission. Option C is wrong because Cloud Run accepts standard OCI-compliant Docker images, and an incompatible image format would cause a different error (e.g., 'Image format not recognized'), not a permission error. Option D is wrong because the `gcloud` command in a Cloud Build step automatically uses the Cloud Build service account's credentials via the metadata server; no explicit authentication is needed, and a missing authentication would result in an 'unauthenticated' error, not a permission error.

60
MCQ · easy

A developer needs to test a Cloud Function locally before deploying. Which tool should they use?

A. Docker container with a custom entrypoint.
B. gcloud functions call command.
C. Cloud Code for VS Code or IntelliJ.
D. Functions Framework for your language.
Answer: D

Functions Framework provides a local server for testing Cloud Functions.

Why this answer

The Functions Framework is the correct tool because it is an open-source library that allows you to run Cloud Functions locally on your machine, emulating the Cloud Functions runtime environment. This enables you to test your function's behavior, including HTTP triggers and event handling, without deploying to Google Cloud. Option D is correct because the Functions Framework is specifically designed for local development and testing of Cloud Functions.

Exam trap

The trap here is that candidates often confuse the 'gcloud functions call' command (which is for remote invocation) with a local testing tool, or they assume that Cloud Code is the standalone tool rather than recognizing that it depends on the Functions Framework for local execution.

How to eliminate wrong answers

Option A is wrong because using a Docker container with a custom entrypoint is an overly complex and non-standard approach; while you could theoretically run a function in a container, the Functions Framework provides a simpler, purpose-built solution that directly emulates the Cloud Functions environment. Option B is wrong because the 'gcloud functions call' command is used to invoke a deployed Cloud Function remotely, not to test locally; it requires the function to already be deployed in the cloud. Option C is wrong because Cloud Code for VS Code or IntelliJ is an IDE extension that provides tools for developing and deploying Cloud Functions, but it relies on the Functions Framework under the hood for local testing; the question asks for the specific tool to use, and the Functions Framework is the core component.

61
Multi-Select · hard

Which THREE are best practices for building applications on GKE? (Choose three.)

Select 3 answers
A. Set resource requests and limits for CPU and memory
B. Use nodeSelector to pin pods to specific node instances for performance consistency
C. Define readiness and liveness probes for your containers
D. Use StatefulSets for all applications to preserve state across restarts
E. Use Google-managed SSL certificates for HTTPS ingress
Answers: A, C, E

Prevents resource starvation and ensures fair scheduling.

Why this answer

Setting resource requests and limits for CPU and memory is a best practice because it allows Kubernetes to make informed scheduling decisions and ensures that pods do not exceed their allocated resources, preventing resource starvation for other workloads. Requests guarantee a minimum amount of resources for the pod, while limits cap the maximum, enabling the cluster autoscaler and scheduler to optimize node utilization and maintain stability.

Exam trap

Cisco often tests the misconception that nodeSelector is a best practice for performance consistency, when in fact it reduces scheduling flexibility and is discouraged in favor of node affinity or taints/tolerations for more granular control.

62
MCQ · medium

A company is building a microservice that processes incoming HTTP requests, performs some business logic, and writes results to Firestore. The service has variable traffic with occasional spikes. The development team wants to minimize cold start latency and prefers to use a containerized application with a custom runtime. Which compute option should they choose?

A. Compute Engine
B. Cloud Run
C. App Engine Standard
D. Cloud Functions (1st gen)
Answer: B

Cloud Run supports containers, autoscaling, and can minimize cold starts via min instances.

Why this answer

Cloud Run is the correct choice because it runs containerized applications in a fully managed, serverless environment that automatically scales to zero and can handle variable traffic with occasional spikes. It minimizes cold start latency by keeping instances warm when traffic is expected, and it supports custom runtimes via Docker containers, meeting the team's requirement for a containerized application with a custom runtime.

Exam trap

Cisco often tests the distinction between serverless container services (Cloud Run) and serverless functions (Cloud Functions), where candidates mistakenly choose Cloud Functions for any serverless need, overlooking the requirement for a custom runtime and containerized application.

How to eliminate wrong answers

Option A is wrong because Compute Engine requires manual management of virtual machines, does not automatically scale to zero, and would incur cold start latency from provisioning and booting VMs, making it unsuitable for minimizing cold start latency with variable traffic. Option C is wrong because App Engine Standard uses pre-defined runtimes (e.g., Python, Java, Go) and does not support custom runtimes via containers, which violates the team's preference for a containerized application with a custom runtime. Option D is wrong because Cloud Functions (1st gen) is not containerized; it uses a function-as-a-service model with limited runtime support and does not allow custom runtime configurations via Docker containers, failing the containerized application requirement.

63
Multi-Select · medium

A development team is building a containerized application on Google Cloud. They want to implement a CI/CD pipeline that automatically builds and tests their application on every push to the main branch. Which TWO actions should they take to achieve this?

Select 2 answers
A. Configure a Cloud Build trigger to run on push events to the main branch.
B. Add a cloudbuild.yaml file to the repository that defines build steps and tests.
C. Enable Cloud Run for Anthos to automatically deploy after build.
D. Use Cloud Scheduler to trigger a Cloud Build trigger every 5 minutes.
E. Create a Cloud Source Repository and use Cloud Functions to build on push.
Answers: A, B

Cloud Build triggers on push events enable automatic builds and tests.

Why this answer

Option A is correct because Cloud Build triggers can be configured to automatically start a build whenever a push event occurs on a specific branch, such as main. This is the standard way to initiate a CI/CD pipeline in response to code changes in Google Cloud.

Exam trap

The trap here is that candidates may confuse deployment targets (like Cloud Run) or time-based schedulers (like Cloud Scheduler) with event-driven CI/CD triggers, missing that only a push-based trigger combined with a build configuration file directly achieves the requirement.

64
MCQ · medium

A company is migrating a monolithic Java application to microservices on Google Kubernetes Engine (GKE). The application uses a shared MySQL database. The team wants to adopt a testing strategy that validates service interactions without deploying to a full cluster. Which testing approach is most appropriate?

A. Load testing to simulate production traffic.
B. Unit testing with mocked dependencies.
C. Consumer-driven contract testing with tools like Spring Cloud Contract.
D. End-to-end testing in a staging environment.
Answer: C

Contract testing validates that services adhere to agreed-upon contracts without full deployment.

Why this answer

Consumer-driven contract testing (CDC) with tools like Spring Cloud Contract validates the interactions between microservices by defining and verifying API contracts (e.g., request/response formats, headers, status codes) without requiring a full GKE cluster. This approach is ideal for a migration from a monolithic Java application because it ensures that each service adheres to its expected behavior when communicating over HTTP or messaging, catching integration issues early in the development cycle. It does not require deploying to a cluster, making it faster and more lightweight than end-to-end testing.

Exam trap

Cisco often tests the distinction between testing levels in a microservices context; the trap here is that candidates confuse 'validating service interactions without a full cluster' with end-to-end testing, but the key constraint is avoiding full deployment, which CDC satisfies by using contract stubs and provider verification in isolated environments.

How to eliminate wrong answers

Option A is wrong because load testing simulates production traffic to measure performance and scalability, not to validate service interactions or contract adherence; it requires a deployed environment and does not verify individual API contracts. Option B is wrong because unit testing with mocked dependencies isolates a single class or method, but it cannot validate real service-to-service interactions, HTTP semantics, or message formats across microservices boundaries. Option D is wrong because end-to-end testing in a staging environment validates the entire system flow but requires a full cluster deployment, which contradicts the requirement to test without deploying to a full cluster.

65
MCQ · medium

A team is developing a microservice that processes messages from Pub/Sub. The service is deployed on Cloud Run and uses Cloud Firestore to store processed data. During load testing, the service frequently fails with 'DeadlineExceeded' errors from Firestore. What is the most likely cause and best practice to fix it?

A. Increase the Cloud Run container instance request timeout
B. Increase the Pub/Sub subscription acknowledgment deadline
C. Enable CPU always allocation for the Cloud Run service
D. Add retry logic with exponential backoff for Firestore operations
Answer: A

This extends the time a request can run, preventing premature termination.

Why this answer

The 'DeadlineExceeded' error from Firestore indicates that the Firestore client-side timeout has been exceeded, not the Cloud Run request timeout. However, the most likely cause is that the Cloud Run container instance request timeout (default 5 minutes) is too short for the processing time required, causing the instance to be terminated before the Firestore operation completes. Increasing the Cloud Run request timeout allows the container to wait longer for Firestore responses, preventing premature termination.

Exam trap

Google Cloud often tests the distinction between client-side timeouts (e.g., Firestore SDK timeout) and infrastructure-level timeouts (e.g., Cloud Run request timeout), and candidates mistakenly assume that increasing the Firestore client timeout or adding retries will solve a problem caused by the container being terminated.

How to eliminate wrong answers

Option B is wrong because increasing the Pub/Sub subscription acknowledgment deadline only affects how long Pub/Sub waits for an ack, not the Firestore client timeout or Cloud Run instance lifecycle; it does not address the root cause of Firestore deadline exceeded errors. Option C is wrong because enabling CPU always allocation keeps the CPU active even during idle periods, which helps with cold starts but does not extend the request timeout or fix Firestore-specific timeouts. Option D is wrong because adding retry logic with exponential backoff is a best practice for transient failures, but the 'DeadlineExceeded' error here is likely due to the Cloud Run request timeout being hit before the Firestore operation can complete, not due to transient Firestore unavailability; retries would not help if the container is terminated.

66
MCQ · easy

A developer needs to build a CI/CD pipeline that automatically tests and deploys a Node.js application to Cloud Run whenever a pull request is merged to the main branch. Which Google Cloud service should be used to trigger the pipeline?

A. Cloud Functions
B. Cloud Deploy
C. Cloud Build
D. App Engine
Answer: C

Cloud Build triggers integrate with source repositories to start builds on events.

Why this answer

Cloud Build is the correct service because it is Google Cloud's fully managed CI/CD platform that can automatically trigger pipeline executions in response to repository events, such as a pull request merge to the main branch. By configuring a Cloud Build trigger with a source repository (e.g., Cloud Source Repositories, GitHub, or Bitbucket), the developer can define build steps to test the Node.js application and deploy it to Cloud Run using the `gcloud run deploy` command or a dedicated builder. This makes Cloud Build the native and most direct choice for building, testing, and deploying to Cloud Run in a single automated pipeline.

Exam trap

The trap here is that candidates may confuse Cloud Deploy (a delivery-only service) with a full CI/CD pipeline, overlooking that Cloud Build is the service that actually performs the build, test, and deployment steps triggered by repository events.

How to eliminate wrong answers

Option A is wrong because Cloud Functions is a serverless compute service for running event-driven code, not a CI/CD pipeline orchestrator; it lacks native support for multi-step build, test, and deploy workflows triggered by repository merge events. Option B is wrong because Cloud Deploy is a continuous delivery service focused on managing rollout strategies (e.g., canary, blue/green) to targets like GKE or Cloud Run, but it does not perform the build or test phases and requires a separate CI system (like Cloud Build) to produce artifacts. Option D is wrong because App Engine is a fully managed platform for hosting applications, not a CI/CD pipeline service; it cannot trigger builds or tests based on repository events.

67
Multi-Select · easy

Which TWO are benefits of using Cloud Build for your CI/CD pipeline?

Select 2 answers
A. Built-in integration with Cloud Source Repositories, GitHub, and Bitbucket.
B. Provides unlimited free build minutes per day.
C. Supports only Java and Python.
D. Fully managed build service.
E. Requires manual setup for all test runners.
Answers: A, D

Seamless source code connectivity.

Why this answer

Option A is correct because Cloud Build natively integrates with Cloud Source Repositories, GitHub, and Bitbucket, allowing you to automatically trigger builds on code commits without additional configuration. This tight integration streamlines the CI/CD pipeline by eliminating the need for external webhook management or custom connectors.

Exam trap

Cisco often tests the misconception that Cloud Build is limited to specific languages or requires manual setup, when in fact it is a fully managed, polyglot service with automated triggers and no manual test runner configuration needed.

68
MCQ · hard

A company serves static content (images, CSS) through a Cloud Load Balancer with Cloud CDN enabled. They release a new version of the website with updated image assets. After deployment, users still see old images, even though the new image files are served from the backend. The team has already invalidated the cache for the directory containing the images using the Cloud CDN invalidation feature with a specific path. However, the old images persist. What is the most effective additional step to ensure users see the new images?

A. Set the cache TTL for the image directory to 0 seconds.
B. Use a wildcard in the Cloud CDN invalidation path (e.g., /images/*).
C. Change the load balancer cache mode to 'FORCE_CACHE_ALL'.
D. Configure cache key parameters to ignore query strings.
Answer: B

A wildcard ensures all objects under /images/ are invalidated, even if URLs have query parameters or other variations.

Why this answer

Option B is correct because Cloud CDN cache invalidation requires exact path matching unless a wildcard is used. The team invalidated a specific path but likely missed the exact paths of the cached image files. Using a wildcard like `/images/*` ensures all objects under the `/images/` directory are invalidated, forcing the CDN to fetch the updated images from the backend.

Exam trap

Cisco often tests the nuance that Cloud CDN invalidation requires exact paths or wildcards, and candidates mistakenly think that invalidating a directory path (without a wildcard) will clear all files within it.

How to eliminate wrong answers

Option A is wrong because setting the cache TTL to 0 seconds would require reconfiguring the backend and waiting for the TTL to expire, which is not immediate and does not address the existing cached content; it only affects future caching behavior. Option C is wrong because 'FORCE_CACHE_ALL' mode forces all responses to be cached regardless of Cache-Control headers, which would worsen the problem by caching the old images even more aggressively. Option D is wrong because ignoring query strings in cache keys would not help clear existing cached entries; it only changes how new cache keys are generated and could actually cause the old cached images to persist if query strings were previously used to differentiate versions.

69
Multi-Select · medium

A team is setting up a CI/CD pipeline using Cloud Build for a Node.js application. They want to ensure that only code from the main branch is deployed to production. Which TWO practices should they implement?

Select 2 answers
A. Store secrets in Cloud Build and use them in build steps.
B. Use Cloud Build substitutions to inject environment variables.
C. Use branch triggers to run tests only on push to main.
D. Use Cloud Build's inverted match with branch pattern to exclude non-main branches.
E. Use a manual approval step in Cloud Deploy before promoting to production.
Answers: C, E

This ensures the pipeline only executes when changes are made to the main branch.

Why this answer

Using a branch trigger that runs only on push to main ensures that only main branch code triggers the pipeline. Adding a manual approval step in Cloud Deploy before promoting to production adds a gate to prevent automatic deployment of untested code. Storing secrets or using substitutions are good practices but do not specifically restrict deployment to the main branch.

70
MCQ · medium

A team uses Cloud Build to build a Go application and deploy it to Cloud Run. The build triggers from a GitHub repository. The team wants to ensure that only commits to the 'main' branch trigger a production deployment, while other branches trigger a build but not a deployment. How should they configure this?

A. Configure the GitHub repository to only send push events from the main branch to Cloud Build.
B. Use a conditional step in cloudbuild.yaml that checks the $_BRANCH variable and skips deployment if not main.
C. Use a single Cloud Build trigger with a substitution variable for the branch name, and include a conditional step that runs deployment only when the variable equals 'main'.
D. Create two separate Cloud Build triggers: one for main branch with deployment step, and one for all branches without deployment step.
Answer: C

Use $BRANCH_NAME and condition in build config.

Why this answer

Option C is correct because Cloud Build supports substitution variables like $_BRANCH, which automatically receive the branch name from the trigger event. By using a conditional step in cloudbuild.yaml that checks if $_BRANCH equals 'main', you can run the deployment step only for main branch commits, while still building on all branches. This approach keeps a single trigger and avoids unnecessary duplication or external filtering.

Exam trap

Cisco often tests the distinction between using a single trigger with conditional logic versus multiple triggers, where candidates may incorrectly assume that multiple triggers are required or that GitHub can filter events at the source, when in fact Cloud Build handles branch filtering through substitution variables and conditional steps.

How to eliminate wrong answers

Option A is wrong because GitHub cannot be configured to send only main branch push events to Cloud Build; Cloud Build triggers receive all push events from the repository, and filtering must be done within Cloud Build or the build config. Option B is wrong because $_BRANCH is a substitution variable, not an environment variable; it is available in Cloud Build but must be used with proper syntax (e.g., if [ "$_BRANCH" = "main" ]), and the option incorrectly refers to it as a variable without specifying the correct conditional logic. Option D is wrong because while two triggers could work, it is not the most efficient or recommended approach; it duplicates configuration and requires manual synchronization, whereas a single trigger with a conditional step is simpler and directly addresses the requirement.

71
MCQ · easy

A developer is writing integration tests for a Cloud Function that uses Cloud Firestore. The tests must run in a local environment without incurring costs or affecting production data. What should the developer use?

A. Create a separate GCP project for testing and use its Firestore.
B. Mock the Firestore client library calls.
C. Use the Firestore emulator running locally.
D. Run tests against the production Firestore instance with a test prefix.
Answer: C

Emulator provides local, free, and isolated testing.

Why this answer

Option C is correct because the Firestore emulator, part of the Firebase Local Emulator Suite, allows integration tests to run entirely on the local machine without network calls to GCP. This avoids incurring costs and prevents any impact on production data, as all operations are performed against an in-memory Firestore instance that mimics the real service's behavior.

Exam trap

Cisco often tests the distinction between unit testing (mocking) and integration testing (using emulators), and the trap here is that candidates may choose mocking (Option B) thinking it is sufficient for integration tests, but mocking cannot validate the actual Firestore behavior like query ordering, transaction atomicity, or security rule enforcement.

How to eliminate wrong answers

Option A is wrong because creating a separate GCP project for testing still incurs costs for Firestore usage (reads, writes, storage) and requires network connectivity, which contradicts the requirement of a local environment without costs. Option B is wrong because mocking the Firestore client library calls would test only the mock's behavior, not the actual integration with Firestore's query, transaction, or security rule logic, thus failing to validate real integration scenarios. Option D is wrong because running tests against the production Firestore instance with a test prefix still incurs costs for every operation and risks data contamination or accidental deletion, even with a prefix, as production data is still accessed over the network.

72
MCQ · hard

A development team uses Cloud Build for CI/CD with a monorepo containing multiple microservices. They want to implement a strategy where only the services affected by a commit are built and deployed. Which approach best achieves this?

A. Use a single Cloud Build trigger with a condition to check changed files
B. Use Cloud Functions to detect changes and trigger builds
C. Use a single Cloud Build trigger with a bash script to detect changes
D. Use multiple Cloud Build triggers, one per service, each with a path filter for its directory
Answer: D

This is the recommended pattern: each trigger only activates when files under its path change.

Why this answer

Option D is correct because Cloud Build triggers support path filters that allow you to specify which directories or files should initiate a build. By creating one trigger per microservice directory, only the service whose code has changed will be built and deployed, which is the most efficient and native approach for a monorepo with multiple services.

Exam trap

The trap here is that candidates often think a single trigger with conditional logic (Option A or C) is simpler, but they overlook that Cloud Build triggers natively support path-based filtering, which is the most efficient and correct way to achieve per-service selective builds in a monorepo.

How to eliminate wrong answers

Option A is wrong because a single Cloud Build trigger with a condition to check changed files would still require the trigger to fire on every commit, and the condition logic would need to be implemented externally or via a build step, which is less efficient and not the native way to filter per service. Option B is wrong because using Cloud Functions to detect changes and trigger builds adds unnecessary complexity and latency; Cloud Build triggers already have built-in path filtering that achieves the same goal without an extra serverless function. Option C is wrong because a single Cloud Build trigger with a bash script to detect changes would still fire on every commit, and the script would need to parse the commit diff and conditionally skip builds, which is error-prone and wastes trigger invocations and build minutes.

73
MCQ · easy

A developer wants to store secrets (e.g., API keys) for use in Cloud Functions without exposing them in the source code. Which Google Cloud service should they use?

A. Store secrets in a Cloud Storage bucket with encrypted objects and load them at runtime
B. Use Secret Manager to store secrets and reference them via secret environment variables
C. Use Firestore to store secrets in a secure document and access it via the Firestore SDK
D. Use Cloud Key Management Service (Cloud KMS) to create and manage secrets
Answer: B

Secret Manager is designed for secrets and integrates with Cloud Functions.

Why this answer

Secret Manager is the dedicated Google Cloud service for storing sensitive data like API keys, passwords, and certificates. It provides built-in versioning, access control via IAM, and native integration with Cloud Functions through secret environment variables, ensuring secrets are never exposed in source code or configuration files.

Exam trap

Cisco often tests the distinction between a service that stores secrets (Secret Manager) and a service that manages encryption keys (Cloud KMS), leading candidates to confuse key management with secret storage.

How to eliminate wrong answers

Option A is wrong because storing secrets in Cloud Storage, even with encryption, requires managing access policies and encryption keys separately, and loading them at runtime adds latency and complexity without the native secret rotation and audit logging that Secret Manager offers. Option C is wrong because Firestore is a NoSQL document database designed for application data, not for managing secrets; it lacks built-in secret versioning, automatic encryption at rest with customer-managed keys, and IAM roles specific to secret access. Option D is wrong because Cloud KMS is a key management service for creating and managing cryptographic keys, not for storing secrets; it can be used to encrypt secrets stored elsewhere, but it does not provide a native secret storage or retrieval API like Secret Manager.

74
Multi-Select · hard

Which THREE are valid approaches for automating testing in a Cloud Build CI pipeline?

Select 3 answers
A. Use Cloud Build to ship test results to Cloud Monitoring.
B. Use Cloud Build triggers to run tests on every push to a branch.
C. Use Cloud Build to run tests only after manual approval.
D. Use Cloud Build to run tests in parallel across multiple steps.
E. Run tests in a build step using a custom builder.
Answers: B, D, E

Automatically triggers tests on code changes.

Why this answer

Option B is correct because Cloud Build triggers can be configured to automatically start a build (including test steps) on specific events, such as a push to a branch. This enables continuous integration by validating every code change as soon as it is committed, without manual intervention.

Exam trap

Cisco often tests the distinction between automating test execution (triggers, parallel steps, custom builders) and related but non-automation features like monitoring or manual gates, leading candidates to select options that describe observability or approval workflows instead of actual test automation.

75
MCQ · easy

A developer is setting up a Cloud Build configuration file for a Node.js application. They want to ensure that build steps are executed only when changes are pushed to the 'main' branch. What is the correct approach?

A. Use a script in the build step to check the branch name
B. Use Cloud Scheduler to trigger builds based on time intervals
C. Use a condition in the build config file
D. Use a build trigger with a branch filter
Answer: D

Cloud Build triggers allow filtering by branch, making this the intended solution.

Why this answer

Option D is correct because Cloud Build triggers can be configured with a branch filter (e.g., `^main$`) that ensures builds are only initiated when changes are pushed to the specified branch. This is the native, declarative way to control build execution based on Git branch events, without requiring custom scripting or external scheduling.

Exam trap

Cisco often tests the distinction between trigger-level configuration (branch filters) and build-step-level logic, leading candidates to incorrectly think they can use conditional statements in the build config file itself.

How to eliminate wrong answers

Option A is wrong because using a script to check the branch name inside a build step is an anti-pattern; the build would still be triggered for all branches, wasting resources and time, and it does not prevent the trigger from firing. Option B is wrong because Cloud Scheduler triggers builds based on time intervals, not Git push events, so it cannot conditionally execute builds only when changes are pushed to the 'main' branch. Option C is wrong because Cloud Build's build config file (cloudbuild.yaml) does not support conditional execution based on branch names; branch filtering must be configured at the trigger level, not within the build steps.
