CCNA Integrating Gcp Services Questions

66 questions · Integrating Gcp Services topic · All types, answers revealed

1
Multi-Selecteasy

A company is using Cloud Storage to store sensitive customer data. They need to ensure data is encrypted at rest and access is controlled. Which TWO statements are true regarding data protection in Cloud Storage? (Choose two.)

Select 2 answers
A.By default, data in Cloud Storage is encrypted at rest using Google-managed encryption keys.
B.Using a signed URL revokes the underlying object's ACL.
C.Enabling uniform bucket-level access disables encryption at rest.
D.Customer-managed encryption keys (CMEK) can be used to control the encryption keys used to protect data.
E.Bucket-level policies can restrict access to only compute instances with specific service accounts.
AnswersA, D

Cloud Storage automatically encrypts all data at rest with Google-managed keys.

Why this answer

Option A is correct because Cloud Storage automatically encrypts all data at rest using server-side encryption with Google-managed encryption keys by default, without any additional configuration. This ensures that data is protected before it is written to disk and remains encrypted throughout its lifecycle.

Exam trap

Cisco often tests the misconception that uniform bucket-level access affects encryption or that signed URLs modify ACLs, when in fact these features operate on separate layers of the security model.

2
Multi-Selectmedium

Which three are valid ways to authenticate a service account when using the Google Cloud client libraries? (Choose three.)

Select 3 answers
A.Attaching a service account to a Compute Engine instance and letting the metadata server provide credentials.
B.Setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to point to a service account key file.
C.Using OAuth 2.0 client IDs for web applications.
D.Using the gcloud CLI default application credentials.
E.Using an API key in the client library initialization.
AnswersA, B, D

This is the automatic method on Compute Engine.

Why this answer

Options A, B, and C are correct. These are the standard methods for Application Default Credentials (ADC). Option D is wrong because API keys are not used for service account authentication.

Option E is wrong because OAuth 2.0 client IDs are for user authentication.

3
MCQeasy

A developer sets environment variables for a Cloud Function as shown. What is the security concern?

A.The variable name FOO is too short and does not follow naming conventions.
B.The variable DB_PASS should be set as a build variable instead.
C.There is no encryption applied to environment variables.
D.The password is exposed in plain text and should be stored in Secret Manager.
AnswerD

Secrets should never be in plain text environment variables.

Why this answer

Option B is correct because the password is exposed in plain text in environment variables. Option A is wrong because the variable name is acceptable. Option C is wrong because build variables are for build time, not runtime.

Option D is wrong because encryption at rest is not the issue; the problem is visibility.

4
Multi-Selectmedium

A company is deploying a containerized application on Cloud Run that needs to connect to a Cloud SQL (MySQL) database. The database must not be accessible from the public internet. Which two steps should the company take to secure the connection?

Select 2 answers
A.Enable automatic IAM database authentication for Cloud SQL.
B.Create a Cloud NAT gateway for outbound traffic from Cloud Run.
C.Use Cloud SQL Auth proxy within the Cloud Run container.
D.Set Cloud SQL to have a private IP address only.
E.Configure a VPC Serverless Access connector and attach it to the Cloud Run service.
AnswersD, E

A private IP ensures the database is not exposed to the public internet, meeting the security requirement.

Why this answer

Setting Cloud SQL to have a private IP address only (Option D) ensures the database is accessible only within the VPC network, not from the public internet. This eliminates exposure to external threats and is a fundamental security best practice for private database access.

Exam trap

The trap here is that candidates often think Cloud SQL Auth proxy alone is sufficient for security, but it does not prevent public internet access to the database; the proxy only encrypts the connection, while the database's IP address remains publicly reachable unless explicitly set to private.

5
MCQhard

You are designing a system that ingests high-velocity event streams from IoT devices using Pub/Sub. Each event must be processed exactly once to update a Firestore database. However, due to the distributed nature, at-least-once delivery is guaranteed by Pub/Sub. Which design pattern should you use to achieve exactly-once processing?

A.Use a Cloud Function with a retry policy to ensure delivery, and deduplicate using a Cloud Bigtable row key.
B.Use Cloud Dataflow with exactly-once processing mode and write to Firestore using a custom sink.
C.Use a Cloud Run service to pull messages and write to Firestore; rely on Firestore's built-in deduplication using document IDs.
D.Make the message processor idempotent by using a unique event ID as the Firestore document ID, and perform upsert operations.
AnswerD

Idempotent processing with upsert ensures exactly-once effect.

Why this answer

Option D is correct because making the processor idempotent using a unique event ID as the Firestore document ID ensures that duplicate writes are harmless. Option A is wrong because Firestore does not provide built-in deduplication. Option B is wrong because Dataflow's exactly-once mode still requires idempotent sinks.

Option C is wrong because Bigtable row keys can help but idempotency is the key.

6
MCQhard

A company uses Cloud Build to build Docker images and push to Artifact Registry. They want to trigger builds automatically when code is pushed to a Cloud Source Repository branch. They also need to ensure that only builds from the repository's main branch are allowed to push to the production Artifact Registry repository. What is the best way to implement this?

A.Use Cloud Source Repository webhooks and a Cloud Function to call Cloud Build
B.Use Cloud Build triggers and configure separate service accounts for each branch
C.Use Cloud Build triggers with branch filter and use IAM conditions on the Artifact Registry to restrict push based on the Cloud Build service account
D.Use Cloud Build triggers with substitution variables and separate build configurations
AnswerC

This approach allows you to create a trigger for the main branch with a dedicated service account that has write access to the production repository.

Why this answer

Option A is correct because creating a Cloud Build trigger with a branch filter for the main branch and using a dedicated service account for that trigger with appropriate permissions on the production repository ensures only main branch builds can push to production. Option B does not restrict access per branch, option C is unnecessarily complex, and option D uses multiple service accounts but is less straightforward.

7
MCQeasy

A company has a hybrid cloud setup with on-premises applications that need to send messages to a Pub/Sub topic. The on-premises network is connected via Cloud VPN. What is the recommended way to publish messages?

A.Use a Cloud NAT instance to route traffic
B.Expose Pub/Sub publicly and use authentication via OAuth2 tokens
C.Use VPC Service Controls and Private Google Access
D.Use Cloud Router to establish BGP sessions for direct connectivity
AnswerC

Private Google Access enables on-premises to reach Google APIs via VPN, and VPC Service Controls provides security.

Why this answer

Option A is correct because to allow on-premises access to Pub/Sub via VPN, you need to enable Private Google Access and use VPC Service Controls for security. Option B is for dynamic routing, not for accessing Pub/Sub. Option C is for dynamic routing, not for Pub/Sub access.

Option D is for outbound internet access, not for private access to Google APIs.

8
MCQmedium

A company uses Cloud SQL for PostgreSQL and wants to run periodic analytical queries on the data without impacting the transactional workload. The data is updated frequently. Which integration approach is most suitable?

A.Use Cloud Composer to schedule ETL jobs that copy data to BigQuery every minute.
B.Migrate the database to Cloud Spanner and use strong reads for analytics.
C.Export the Cloud SQL data to Cloud Storage and then load into BigQuery for analysis.
D.Create a read replica of the Cloud SQL instance and point analytical queries to the replica.
AnswerD

Read replicas handle read traffic without impacting the main database's write performance.

Why this answer

Option B is correct because Cloud SQL read replicas allow offloading read queries without affecting the primary instance's performance. Option A is wrong as export/import is batch and not real-time. Option C is wrong because Cloud Spanner is a different database.

Option D is wrong because Cloud Composer is an orchestration tool, not a direct solution.

9
MCQhard

You are a developer at a company that runs a critical pricing engine on Compute Engine instances in a managed instance group (MIG) behind an internal TCP load balancer. The pricing engine is a stateful application that stores state in memory and also writes to a Cloud Bigtable instance for persistence. The application uses a custom port 8080. You need to migrate this application to Cloud Run for better scalability and reduced operational overhead. The application must maintain session affinity so that requests from the same client are routed to the same instance (since the in-memory state is not yet fully externalized). The application currently uses a health check on /healthz that returns 200 OK. You have containerized the application. When you deploy to Cloud Run, you notice that traffic is not sticky; every request might go to a different revision. You also need to ensure that Bigtable writes are performed asynchronously to avoid slowing down the pricing calculations. What should you do?

A.Implement a custom health check on TCP port 8080 in Cloud Run to ensure only healthy instances receive traffic.
B.Increase the container concurrency setting to 1 to force each container to handle one request at a time.
C.Use Cloud Run with an HTTP(S) External Load Balancer and enable session affinity on the backend service.
D.Deploy the application on Cloud Run and configure an Internal TCP/UDP Load Balancer in front of it with session affinity.
AnswerC

External load balancer provides session affinity; Cloud Run itself does not.

Why this answer

Option B is correct because Cloud Run does not support session affinity natively; to achieve stickiness, you need to set the session affinity feature on the external HTTP(S) load balancer and place Cloud Run behind it. Option A is wrong because increasing concurrency does not affect stickiness. Option C is wrong because even with an internal load balancer, Cloud Run does not support session affinity directly; you need an external load balancer with session affinity.

Option D is wrong because Cloud Run does not support custom health checks with TCP; it only supports HTTP health checks.

10
MCQhard

A company is migrating a monolithic application to microservices on Google Cloud. They have strict requirements for service-to-service communication: requests must be authenticated, authorized, and encrypted in transit. They also need to enforce fine-grained access control based on the requesting service identity. Which Google Cloud service should they use to achieve these goals?

A.Cloud Run with ingress control
B.Cloud Armor with IAM
C.Cloud Service Mesh (Anthos Service Mesh)
D.Cloud Endpoints with API keys
AnswerC

Cloud Service Mesh provides mutual TLS and policy-based access control for microservices.

Why this answer

Option C is correct because Cloud Service Mesh (Anthos Service Mesh) provides mutual TLS, fine-grained authorization policies, and service identity. Option A is for API management, option B is for DDoS protection, and option D is for serverless ingress control.

11
MCQmedium

Refer to the exhibit. A developer runs the command and sees that the Cloud Run service is publicly accessible. The security team requires that only authenticated requests from a specific service account in the same project are allowed. What should the developer do to modify the IAM policy?

A.Add a new binding with the service account as the only member of roles/run.invoker
B.Update the IAM policy to remove the allUsers member from the roles/run.invoker binding
C.Change the service's ingress settings to "Internal and Cloud Load Balancing"
D.Remove the roles/run.viewer binding and add the service account to roles/run.invoker
AnswerB

Removing allUsers revokes public access. Then ensure the service account has invoker role.

Why this answer

Option B is correct because removing the allUsers member from the invoker role revokes public access. The service account already has the viewer role, but needs invoker to actually invoke the service. Option A changes ingress, which is not necessary.

Option C removes the viewer role, which is not needed. Option D adds a binding but does not remove allUsers.

12
MCQeasy

A developer needs to store configuration parameters for a Cloud Run service, such as database connection strings and API keys. The values must be encrypted at rest and in transit. Which service should be used?

A.Cloud SQL
B.Cloud Storage
C.Firestore
D.Secret Manager
AnswerD

Secret Manager is a secure and convenient storage system for secrets.

Why this answer

Option B is correct because Secret Manager is designed for storing secrets with encryption at rest and in transit. Option A is for object storage, option C is a database, and option D is a relational database.

13
MCQhard

A company has a Cloud Run service that ingests messages from a Cloud Pub/Sub subscription. The service uses automatic scaling based on CPU. Recently, the team noticed that when message volume spikes, the service scales up slowly, causing a backlog. What is the most effective solution to reduce the time to scale out?

A.Increase the max instances for the Cloud Run service to 100.
B.Use Cloud Tasks to buffer messages and configure a Cloud Scheduler job to pull from the queue.
C.Set a minimum number of instances on the Cloud Run service to 5.
D.Change the subscription type from pull to push and set the Cloud Run service as the push endpoint.
AnswerD

Push subscriptions invoke the service directly upon message delivery, reducing latency and improving scaling speed.

Why this answer

Option A is correct because Cloud Run can use direct Pub/Sub push subscriptions to trigger invocations, which reduces the polling interval and improves scaling responsiveness compared to pull subscriptions with CPU-based scaling. Option B is wrong because min-instances causes idle cost but does not improve scale-up speed when below min; it only ensures a base level. Option C is wrong because Cloud Tasks adds another queueing layer without solving the scaling delay.

Option D is wrong because increasing max instances helps during high load but does not speed initial scaling.

14
MCQmedium

An application running on GKE needs to access a Cloud SQL instance. The team wants to avoid using Cloud SQL Auth Proxy to reduce complexity. What is the most secure alternative?

A.Whitelist the GKE node external IPs in Cloud SQL authorized networks.
B.Use a Cloud SQL read replica with a public IP.
C.Use Private Service Connect to connect privately.
D.Configure Cloud SQL to allow all traffic from the VPC.
AnswerC

Private Service Connect offers secure private connectivity.

Why this answer

Option A is correct because Private Service Connect provides private, secure connectivity without the need for a proxy. Option B is wrong because whitelisting node IPs is insecure due to shared IPs. Option C is wrong because read replicas with public IP are less secure.

Option D is wrong because allowing all VPC traffic is too permissive.

15
Multi-Selecteasy

A company stores sensitive user data in Cloud Storage. They want to ensure that only authenticated users with the appropriate permissions can access the data, and that data is encrypted at rest. Which two steps should they take? (Choose TWO.)

Select 2 answers
A.Configure a Customer-Managed Encryption Key (CMEK) in Cloud KMS.
B.Enable default encryption on the bucket using Google-managed keys.
C.Use IAM roles to grant access to specific users and groups.
D.Set bucket-level public access prevention.
E.Enable VPC Service Controls to restrict data access.
AnswersB, C

Default server-side encryption is already enabled.

Why this answer

Option B is correct because Cloud Storage buckets are encrypted at rest by default using Google-managed keys, which satisfies the requirement for data encryption without additional configuration. Option C is correct because IAM roles provide fine-grained access control, ensuring only authenticated users with appropriate permissions can access the data.

Exam trap

Cisco often tests the misconception that enabling default encryption or using CMEK is optional or that public access prevention alone satisfies access control, when in fact IAM is the primary mechanism for user-level authorization and default encryption is already enabled.

16
MCQeasy

A developer wants to store application logs from Compute Engine instances in a centralized logging system. Which service should they use?

A.Cloud Monitoring
B.Cloud Trace
C.Cloud Debugger
D.Cloud Logging
AnswerD

Cloud Logging is designed to store, search, and analyze log data.

Why this answer

Option A is correct because Cloud Logging is the centralized logging service for Google Cloud. Option B is for monitoring metrics, option C is for tracing, and option D is for debugging.

17
MCQmedium

You are a cloud architect at a financial services company. The company is deploying a new application on Google Kubernetes Engine (GKE) that processes sensitive financial transactions. The application must be highly available across two regions (us-central1 and europe-west1) and must fail over automatically if one region becomes unavailable. The application uses Cloud Spanner as its primary database. Additionally, the application needs to send audit logs to a centralized Cloud Storage bucket for compliance. The current design uses GKE clusters in each region with a global HTTP(S) load balancer. However, during a recent test, when the us-central1 cluster was deliberately taken down, the load balancer continued to send traffic to that region, causing errors. You need to troubleshoot and fix the issue. What is the most likely cause and the best solution?

A.The load balancer is configured with only one backend service. Solution: Create a separate backend service for each region.
B.The load balancer backend lacks a health check that marks the backend as unhealthy when the cluster is down. Solution: Configure a health check on the backend service that points to a readiness endpoint on the GKE cluster.
C.The Cloud Spanner instance is not configured with multi-region replication, causing write failures. Solution: Configure Cloud Spanner as a multi-region instance.
D.The GKE clusters are not configured as network endpoint groups (NEGs). Solution: Create NEGs for each cluster and use them as backends.
AnswerB

Health checks are required for the load balancer to stop routing traffic to unhealthy backends.

Why this answer

The issue is that the global HTTP(S) load balancer continues to send traffic to the us-central1 region because its backend service lacks a health check that can detect when the GKE cluster is down. By configuring a health check on the backend service that probes a readiness endpoint (e.g., /healthz) on the GKE cluster, the load balancer will automatically stop routing traffic to the unhealthy region and fail over to the healthy region. This ensures high availability across the two regions as required.

Exam trap

The trap here is that candidates often confuse infrastructure-level health checks (e.g., instance group health) with application-level health checks, or assume that GKE's built-in ingress controller automatically configures health checks for regional failover, when in fact the load balancer backend service must have an explicit health check configured to detect a complete regional cluster outage.

How to eliminate wrong answers

Option A is wrong because creating separate backend services for each region does not solve the problem; the load balancer already uses separate backends (one per region) via the GKE ingress, but without proper health checks, it cannot detect regional failure. Option C is wrong because the issue is about traffic routing from the load balancer, not database write failures; Cloud Spanner multi-region replication is important for database availability but does not affect load balancer traffic distribution. Option D is wrong because while NEGs are a best practice for GKE with load balancers, the core issue is the absence of health checks, not the use of NEGs; NEGs alone do not enable automatic failover without health checks.

18
MCQhard

You are designing a data pipeline that ingests streaming data from IoT devices using Cloud IoT Core, processes it with Dataflow, and stores results in BigQuery. The data volume is expected to be 10 GB per day with occasional spikes. You need to minimize processing latency and cost. Which configuration should you choose for the Dataflow pipeline?

A.Use streaming mode with autoscaling and maximum workers set to 10.
B.Use Dataflow Prime for automatic optimization.
C.Use streaming mode with streaming engine enabled and 2 workers.
D.Use batch mode with a fixed number of workers to reduce cost.
AnswerC

Streaming engine reduces latency and cost for moderate throughput.

Why this answer

Option C is correct because streaming mode with Streaming Engine is designed for low-latency, continuous data ingestion from IoT Core, and setting 2 workers minimizes cost while handling the expected 10 GB/day volume with occasional spikes through autoscaling. Streaming Engine offloads state management to the backend, reducing worker overhead and improving latency, making it ideal for this use case.

Exam trap

Google Cloud often tests the misconception that batch mode is cheaper for streaming data, but the trap here is that batch mode incurs higher latency and requires manual triggering, making it unsuitable for real-time IoT pipelines despite lower compute cost per GB.

How to eliminate wrong answers

Option A is wrong because setting maximum workers to 10 may over-provision resources for a 10 GB/day workload, increasing cost without latency benefit, and autoscaling alone doesn't guarantee the low-latency optimization that Streaming Engine provides. Option B is wrong because Dataflow Prime is a premium feature that adds cost for automatic optimization, which is unnecessary for this predictable, moderate-volume streaming workload and does not inherently minimize latency or cost compared to Streaming Engine. Option D is wrong because batch mode is designed for finite, bounded data and introduces higher latency (minutes to hours) due to windowing and triggering, which is unsuitable for real-time IoT streaming data that requires low processing latency.

19
Multi-Selectmedium

A company is deploying a containerized application on Cloud Run that requires access to a Cloud SQL PostgreSQL instance. The application needs to connect to the database using private IP to minimize latency and avoid public internet exposure. The Cloud Run service and Cloud SQL instance are in the same region and project. The database user and password are stored in Secret Manager. Which two steps should the developer take to enable the connection? (Choose TWO.)

Select 2 answers
A.Grant the Cloud Run service account the Cloud SQL Client role.
B.Set the CLOUD_SQL_CONNECTION_NAME environment variable in the Cloud Run service.
C.Enable the Cloud SQL Admin API.
D.Configure the Cloud Run service to use a VPC connector and set up a private services access connection for Cloud SQL.
E.Deploy the Cloud SQL Auth proxy as a sidecar container in Cloud Run.
AnswersA, D

The Cloud SQL Client role allows the service account to connect to Cloud SQL instances.

Why this answer

Option C is correct because Cloud Run requires a VPC connector to access resources on a VPC network, and Private Services Access must be configured to allow Cloud Run to reach the Cloud SQL private IP. Option D is correct because the Cloud Run service account needs the Cloud SQL Client role to authenticate with Cloud SQL. Option A is incorrect because enabling the Cloud SQL Admin API is a prerequisite but not a direct step for the connection itself; it is often already enabled.

Option B is incorrect because the Cloud SQL Auth proxy is not needed when using private IP. Option E is incorrect because the CLOUD_SQL_CONNECTION_NAME environment variable is used with the Cloud SQL Auth proxy, not with private IP.

20
Multi-Selectmedium

A developer is building a serverless application that processes user-uploaded images. The images are stored in Cloud Storage, and each upload should trigger a Cloud Function that performs image analysis and stores the result in Firestore. Which TWO Google Cloud services are essential for this integration? (Choose 2)

Select 2 answers
A.Cloud Pub/Sub
B.Cloud Storage
C.Cloud Tasks
D.Eventarc
E.Cloud Scheduler
AnswersA, B

Cloud Pub/Sub receives storage notifications and triggers the Cloud Function.

Why this answer

Cloud Storage is the source of events (uploaded images). Cloud Pub/Sub is used to deliver notifications from Cloud Storage to the Cloud Function. Cloud Tasks, Cloud Scheduler, and Eventarc are not required for this pattern.

21
MCQeasy

You want to deploy a containerized application on Google Cloud that requires no server management and automatically scales based on HTTP traffic. Which service should you use?

A.Cloud Run.
B.Compute Engine.
C.Google Kubernetes Engine.
D.App Engine Flexible Environment.
AnswerA

Cloud Run is serverless and autoscales based on HTTP requests.

Why this answer

Option C is correct because Cloud Run is serverless, autoscaling, and HTTP-driven. Option A is wrong because Compute Engine requires server management. Option B is wrong because GKE requires cluster management.

Option D is wrong because App Engine Flexible Environment still uses VMs.

22
MCQhard

You are designing a multi-region disaster recovery strategy for a Cloud Spanner database. The application requires read-your-writes consistency globally after failover. Which configuration should you choose?

A.Multi-region placement with two read-write regions and a witness.
B.Enterprise edition with multi-region configuration and default leader optimization.
C.Single region with multiple zones.
D.Multi-region placement with one read-write region and two read-only replicas.
AnswerD

This is the standard multi-region configuration for strong consistency and disaster recovery.

Why this answer

Option D is correct because a multi-region placement with one read-write region and two read-only replicas provides strong consistency and failover capability. Option A is wrong because single region does not provide disaster recovery. Option B is wrong because Enterprise edition with leader optimization is a feature, not a configuration.

Option C is wrong because two read-write regions would introduce write conflicts.

23
MCQmedium

A company uses Cloud SQL for MySQL. They need to export data to Cloud Storage regularly. What is the recommended method?

A.Use Dataflow to read from Cloud SQL and write to Cloud Storage.
B.Use a cron job on Cloud SQL instance to write to Cloud Storage.
C.Use mysqldump command from a Compute Engine instance.
D.Use Cloud SQL export feature to export to Cloud Storage.
AnswerD

Cloud SQL export is the recommended method.

Why this answer

Option A is correct because Cloud SQL provides a built-in export feature that writes directly to Cloud Storage. Option B is wrong because mysqldump from Compute Engine is manual and less secure. Option C is wrong because Cloud SQL does not support cron jobs.

Option D is wrong because Dataflow is overkill for simple exports.

24
Multi-Selecthard

You are designing a serverless application using Cloud Functions that processes events from Cloud Storage and Cloud Pub/Sub. The function must be idempotent and handle duplicate events. Which three best practices should you implement? (Choose THREE.)

Select 3 answers
A.Generate a unique idempotency key for each event and store processed keys in a database.
B.Invoke the function synchronously to avoid duplicates.
C.Implement a deduplication logic that checks the event's publish time against a threshold.
D.Use Cloud Firestore to record the state of each processed event.
E.Set the function timeout to maximum (540 seconds) to ensure processing completes.
AnswersA, C, D

Idempotency keys prevent duplicate processing.

Why this answer

Option A is correct because generating a unique idempotency key for each event and storing processed keys in a database (such as Cloud Firestore) ensures that if the same event is delivered multiple times (e.g., due to at-least-once delivery semantics in Cloud Pub/Sub or Cloud Storage notifications), the function can check the key before processing and skip duplicates. This pattern is essential for idempotent serverless functions, as Cloud Functions may be retried on failure or receive duplicate events from the source.

Exam trap

The trap here is that candidates often confuse timeout settings or synchronous invocation with duplicate prevention, but neither addresses the root cause of duplicate events from at-least-once delivery systems.

25
Multi-Selectmedium

A team is building a microservices architecture on Google Cloud. They want services to communicate asynchronously to avoid tight coupling. They also need to guarantee at-least-once delivery of messages. Which two services should they use together? (Choose TWO.)

Select 2 answers
A.Cloud Run (HTTP)
B.Cloud Endpoints
C.Cloud Tasks
D.Cloud Pub/Sub
E.Cloud Datastore
AnswersC, D

Cloud Tasks provides asynchronous task queues with retry and at-least-once delivery.

Why this answer

Option A (Cloud Pub/Sub) is correct for asynchronous messaging with at-least-once delivery. Option D (Cloud Tasks) is also correct for asynchronous task execution with retries. Options B and C are synchronous, so they don't fit.

Option E (Cloud Datastore) is a database, not a messaging service.

26
MCQeasy

A team wants to use Cloud Scheduler to trigger a Cloud Function that calls an external API every hour. The Cloud Function requires an API key for the external service. How should the team securely provide the API key to the function?

A.Pass the API key as an environment variable in the function's runtime environment.
B.Store the API key in Secret Manager and access it via the Secret Manager API in the function code.
C.Hardcode the API key in the Cloud Function source code.
D.Store the key in Cloud Storage with customer-supplied encryption key (CSEK).
AnswerB

Secret Manager provides secure storage and access control for secrets.

Why this answer

Option D is correct because Secret Manager is designed for storing secrets like API keys and integrates easily with Cloud Functions. Option A is wrong because hardcoding in code is insecure. Option B is wrong because environment variables are visible in the function configuration.

Option C is wrong while encrypted, it's not a standard practice and harder to manage than Secret Manager.

27
MCQmedium

A developer is integrating a legacy on-premises application with Cloud Storage. The application generates files that must be uploaded to a bucket. The developer cannot install any additional software on the on-premises server. Which approach should the developer use?

A.Use the gcloud CLI to copy files to the bucket.
B.Generate a signed URL and use an HTTP PUT request from the application.
C.Mount the bucket using Cloud Storage FUSE.
D.Deploy a Cloud Function that accepts file uploads and writes to the bucket.
AnswerB

A signed URL provides time-limited access to upload objects without additional software.

Why this answer

Option C is correct because using a signed URL allows the application to upload files directly via HTTP without needing a Google Cloud SDK or library. Option A is wrong because the gcloud CLI may not be installed. Option B is wrong because Cloud Storage FUSE requires a FUSE driver installation.

Option D is wrong because Cloud Functions is an additional service, not a direct upload method.

28
MCQeasy

A company wants to send events from a custom application to Cloud Pub/Sub, then process them with a Cloud Run service. The application runs on Compute Engine. What is the simplest way for the application to authenticate to Pub/Sub?

A.Use an API key for the Pub/Sub API.
B.Embed a service account JSON key in the application code.
C.Set up Cloud Endpoints to proxy the Pub/Sub requests.
D.Attach a service account to the Compute Engine instance with necessary Pub/Sub roles.
AnswerD

Compute Engine instances can use attached service accounts to authenticate to Google Cloud APIs automatically.

Why this answer

Option B is correct because using a service account attached to the Compute Engine instance allows automatic authentication via the instance metadata server, which is the simplest and most secure approach. Option A is wrong because storing a JSON key in the application code is not best practice. Option C is wrong because an API key does not provide identity-based access control for Pub/Sub.

Option D is wrong because while Cloud Endpoints is an option, it adds unnecessary complexity.

29
Multi-Selecteasy

Which two statements are true about Cloud Load Balancing? (Choose two.)

Select 2 answers
A.All load balancers support IPv6 client traffic.
B.SSL proxy load balancer supports non-HTTP traffic.
C.Global external HTTP(S) load balancer can distribute traffic across multiple regions.
D.Internal TCP/UDP load balancer can be used for traffic within a VPC.
E.Network load balancer can only balance TCP traffic.
AnswersC, D

This is a key feature of global load balancers.

Why this answer

Options A and B are correct. A is correct because global external HTTP(S) load balancers can distribute traffic across multiple regions. B is correct because internal TCP/UDP load balancers operate within a VPC.

C is wrong because SSL proxy load balancers only support TCP with SSL. D is wrong because network load balancers support both TCP and UDP. E is wrong because not all load balancers support IPv6.

30
MCQmedium

A team uses Cloud Build to deploy a microservice to Cloud Run. They want to enforce that only builds from the main branch trigger deployments to the production Cloud Run service. What is the best approach?

A.Configure Cloud Run to only accept revisions from a specific source repository.
B.Use IAM conditions on the Cloud Run service account to allow only main branch builds.
C.Use Cloud Build triggers with a branch filter set to ^main$.
D.Create a separate Cloud Build trigger for each branch and manually disable non-main triggers.
AnswerC

Branch filters in triggers exactly match this requirement.

Why this answer

Option A is correct because Cloud Build triggers support branch filters to specify which branches trigger builds. Option B is wrong because Cloud Run cannot filter deployments by branch. Option C is wrong because IAM conditions apply to principals, not build sources.

Option D is wrong because manual management is error-prone.

31
MCQhard

A team is designing a data pipeline that uses Cloud Storage for input files, Cloud Functions to process each file, and writes results to BigQuery. The pipeline must guarantee exactly-once processing of each file, even if the function fails and retries. Which approach should the team take?

A.Use Cloud Storage triggers with event filters and configure the function to delete the file after successful processing
B.Use Cloud Pub/Sub to store file notification events and use Dataflow for processing with exactly-once guarantees
C.Use Cloud Tasks to queue file processing tasks and configure retries with deduplication
D.Use Cloud Workflows to orchestrate the pipeline and use idempotent writes to BigQuery
AnswerB

Dataflow provides exactly-once processing semantics when used with Pub/Sub.

Why this answer

Option B is correct because using Cloud Pub/Sub to store file notification events and Dataflow for processing provides exactly-once guarantees. Option A may lead to duplicates because Cloud Storage triggers are at-least-once. Option C with Cloud Tasks can deduplicate tasks but processing may still be at-least-once if not idempotent.

Option D with Cloud Workflows does not inherently provide exactly-once.

32
MCQhard

A security audit reveals that a service account has been granted excessive permissions. The exhibit shows the IAM policy for a project. Which statement best describes the security issue?

A.The policy is missing an explicit deny for public access.
B.The service account has more permissions than necessary because objectAdmin includes all objectViewer permissions.
C.The service account should have roles/storage.admin instead.
D.The service account has both admin and viewer roles, causing a conflict.
AnswerB

The viewer role is redundant and indicates excessive permissions.

Why this answer

Option C is correct because the objectAdmin role includes all permissions of objectViewer, making the viewer role redundant and indicating over-permissioning. Option A is wrong because there is no conflict. Option B is wrong because the policy is syntactically correct.

Option D is wrong because storage.admin would be even more permissive.

33
MCQmedium

Refer to the exhibit. A Cloud Run service is unable to connect to a Cloud SQL instance. The log entry shows the following. What is the most likely cause?

A.The Cloud Run service account lacks the Cloud SQL Client role.
B.The database user credentials are incorrect.
C.The Cloud SQL instance is in a different region than the Cloud Run service.
D.The Cloud SQL instance has a public IP assigned.
AnswerA

Without the cloudsql.client role, the VPC connector cannot authorize the connection, leading to a connection refused error.

Why this answer

The Cloud Run service needs the Cloud SQL Client role (roles/cloudsql.client) on its service account to authorize connections to Cloud SQL. Without this IAM permission, the connection attempt is denied, resulting in the 'unable to connect' error shown in the log. This is the most common cause of connectivity failures between Cloud Run and Cloud SQL.

Exam trap

Cisco often tests the misconception that database credentials (Option B) are the primary cause of Cloud Run-to-Cloud SQL failures, but the actual issue is almost always missing IAM permissions on the service account.

How to eliminate wrong answers

Option B is wrong because incorrect database user credentials would produce an authentication error (e.g., 'Access denied for user') rather than a connection-level failure, and the log entry does not indicate an authentication failure. Option C is wrong because Cloud Run and Cloud SQL can connect across regions using the private IP path or Cloud SQL proxy; region mismatch does not inherently block connectivity. Option D is wrong because a public IP on the Cloud SQL instance does not prevent Cloud Run from connecting — in fact, Cloud Run can connect to public IP instances via the Cloud SQL proxy or authorized networks, and the issue is about IAM permissions, not IP type.

34
Multi-Selecthard

A company has a Cloud Function that processes events from Cloud Pub/Sub. The function uses HTTP client libraries to call external APIs. The team notices that the function sometimes times out during high traffic. Which THREE actions should they take to improve reliability? (Choose THREE.)

Select 3 answers
A.Increase the allocated memory to 2GB.
B.Use Cloud Tasks to queue the API call invocations and process them asynchronously from the function.
C.Implement retry logic with exponential backoff for external API calls.
D.Increase the Cloud Function timeout to 540 seconds (max).
E.Reduce the maximum number of concurrent function instances.
AnswersB, C, D

Decouples the calling logic, allowing the function to ack messages quickly and process later.

Why this answer

Option A (increase timeout) is correct to allow more processing time. Option D (implement retry with exponential backoff) is correct to handle transient API failures. Option E (use Cloud Tasks for internal queueing) is correct to decouple API calls from the function.

Option B (increase memory) may help speed up, but not directly address timeout due to external dependencies. Option C (reduce concurrency) could reduce load but not timeout issue.

35
MCQhard

A retail company processes customer orders through a pipeline. New orders are written to a Cloud Storage bucket as JSON files. A Cloud Function (currently triggered directly by Cloud Storage finalize events) parses the order and sends it to a third-party fulfillment service via an HTTP POST. As order volume grows, the team observes that the Cloud Function often times out (60s default) because the fulfillment service is slow. The team wants to decouple the processing to improve reliability. The order must be attempted at least once, and if the fulfillment service fails, retries should be exponential with a maximum of 5 attempts. Which solution should the team implement?

A.Use Cloud Tasks to create a queue that targets the Cloud Function. Configure the queue with exponential backoff and max retries of 5. Set the Cloud Function trigger to be HTTP instead of Cloud Storage.
B.Keep the Cloud Storage trigger, but increase the Cloud Function timeout to 540 seconds and add retry logic in the function code.
C.Use Pub/Sub notifications from Cloud Storage to a Pub/Sub topic, with a subscription that pushes to the Cloud Function. Enable dead letter topics for failed deliveries.
D.Replace the Cloud Function with a Cloud Run job that polls Cloud Storage for new files and sends orders to the fulfillment service. Use Cloud Scheduler to run the job every 5 minutes.
AnswerA

Cloud Tasks provides configurable retries, decouples the processing, and ensures at-least-once delivery. The HTTP-triggered function processes tasks from the queue.

Why this answer

Option B is correct because Cloud Tasks provides the exact retry semantics required (exponential backoff, max attempts) and decouples the HTTP call from the Cloud Function. Option A is flawed because increasing timeout does not provide retries and 540s is still not infinite. Option C introduces polling, which is inefficient and not real-time.

Option D uses Pub/Sub push, but Pub/Sub's retry is not as configurable and lacks max attempts without a dead letter queue; Cloud Tasks is the appropriate service for HTTP-targeted retry logic.

36
Drag & Dropmedium

Drag and drop the steps to troubleshoot a failed Cloud Build in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Troubleshooting involves reviewing logs and configuration, then fixing and re-running.

37
MCQhard

A DevOps team is designing a CI/CD pipeline for a microservices application deployed on Google Kubernetes Engine (GKE). They want to automatically build and deploy each service when a new tag is pushed to its repository. They also need to run integration tests against a staging environment before promoting to production. Which service should they use to orchestrate the pipeline?

A.Deployment Manager with a template
B.Cloud Deploy with a delivery pipeline
C.Cloud Build with a build trigger on tag push
D.Cloud Run with continuous deployment
AnswerC

Cloud Build can be triggered by a tag push, build the container, and deploy to GKE. It also supports running tests.

Why this answer

Cloud Build with a build trigger on tag push is the correct choice because it natively supports event-driven pipelines triggered by Git tags, enabling automatic build and deployment of each microservice. Combined with Cloud Build's ability to run integration tests in a staging environment and then promote to production, it provides a complete CI/CD solution for GKE without additional orchestration services.

Exam trap

Google Cloud often tests the distinction between CI/CD orchestration (Cloud Build) and delivery/rollout management (Cloud Deploy), leading candidates to choose Cloud Deploy because it sounds like a pipeline orchestrator, but it requires an external CI trigger to start the process.

How to eliminate wrong answers

Option A is wrong because Deployment Manager is an infrastructure-as-code tool for provisioning GCP resources, not a CI/CD pipeline orchestrator; it cannot trigger builds or deployments based on Git tag pushes. Option B is wrong because Cloud Deploy is a continuous delivery service that manages rollout strategies (e.g., canary, blue/green) but relies on an external CI system like Cloud Build to trigger the pipeline; it does not natively handle build triggers on tag push. Option D is wrong because Cloud Run with continuous deployment is designed for serverless container deployments, not for orchestrating multi-service CI/CD pipelines on GKE, and it lacks native support for tag-based triggers and staging-to-production promotion workflows.

38
MCQmedium

A company is migrating a legacy monolithic application to Google Cloud. They want to minimize code changes and operational overhead while improving scalability. The application currently uses a relational database and stores user-uploaded images on a local filesystem. Which combination of Google Cloud services should they use?

A.Cloud Spanner for the database and Cloud Storage for images
B.Cloud Firestore for the database and Cloud Storage with Cloud CDN for images
C.Cloud SQL for the database and Cloud Storage with Cloud CDN for images
D.Compute Engine with attached SSD persistent disks for both database and images
AnswerC

Cloud SQL provides a managed relational database with minimal changes, and Cloud Storage with CDN serves images efficiently at scale.

Why this answer

Option C is correct because Cloud SQL provides a fully managed relational database that requires minimal code changes when migrating from an existing relational database, while Cloud Storage with Cloud CDN handles user-uploaded images with scalable object storage and low-latency content delivery. This combination minimizes operational overhead by eliminating the need to manage database servers or file servers, and improves scalability through automatic replication and global edge caching.

Exam trap

Google Cloud often tests the misconception that any fully managed database (like Spanner or Firestore) is suitable for a legacy relational migration, but the trap here is that candidates overlook the requirement to minimize code changes and choose a NoSQL or globally distributed database that forces significant application rewrites.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is a globally distributed, horizontally scalable database designed for high-availability and strong consistency across regions, which introduces unnecessary complexity and cost for a legacy application that likely does not require global scale; it also requires significant code changes to adapt to Spanner's specific SQL dialect and consistency model. Option B is wrong because Cloud Firestore is a NoSQL document database that does not support relational queries, joins, or ACID transactions in the same way as a traditional relational database, forcing major application rewrites. Option D is wrong because Compute Engine with attached SSD persistent disks requires manual management of database software, backups, and failover, and does not provide the scalability or operational simplicity of managed services; it also lacks a CDN for image delivery, leading to higher latency and operational overhead.

39
MCQhard

Refer to the exhibit. A team is deploying a Cloud Function that needs to connect to a Cloud SQL instance in a VPC. They have set up a VPC connector. After deployment, the function fails to connect to the database. What is the most likely cause?

A.The VPC connector is in a different region than the function
B.The function's service account does not have permissions to use the VPC connector
C.The environment variable DB_HOST is misspelled
D.The database firewall rules do not allow traffic from the VPC connector's subnet
AnswerA

The VPC connector and Cloud Function must be in the same region.

Why this answer

Option A is correct because the VPC connector must be in the same region as the Cloud Function. If they are in different regions, the function cannot use the connector. Option B is less likely because Cloud SQL private IP uses VPC peering, not firewall rules.

Option C is possible but usually the default service account has the necessary permissions. Option D is a possible typo but less likely given the exhibit shows 'DB_HOST'.

40
MCQeasy

A developer is deploying a 2nd gen Cloud Function that needs to connect to a Cloud SQL MySQL instance. The Cloud SQL instance is configured with a private IP only. The Cloud Function is deployed with a VPC connector that is connected to the same VPC network as the Cloud SQL instance. The developer has granted the Cloud Function's service account the Cloud SQL Client role. However, when the function is invoked, connection attempts to the Cloud SQL instance time out. The Cloud Function code uses the MySQL connector with the private IP address of the Cloud SQL instance. The developer has verified that the VPC connector is healthy and that the Cloud SQL instance is running. Which additional configuration is most likely required?

A.Modify the connection string to require SSL/TLS.
B.Deploy the Cloud SQL Auth proxy as an additional container in the Cloud Function.
C.Configure Private Services Access to establish a VPC peering between the VPC network and the Cloud SQL service network.
D.Assign a public IP to the Cloud SQL instance and configure the function to use it.
AnswerC

Private Services Access creates the necessary route for the VPC connector to reach the Cloud SQL private IP range.

Why this answer

Option A is correct. Even though the VPC connector is on the same VPC network as Cloud SQL, the Cloud SQL private IP address is allocated from a private services access range that is not automatically routed. You must set up Private Services Access to create a route from the VPC to the Cloud SQL private IP range.

Without this, traffic from the VPC connector cannot reach the Cloud SQL instance. Option B is incorrect because the Cloud Function is using a VPC connector, so it does not need or use a public IP. Option C is incorrect because the Cloud SQL Auth proxy is not needed for private IP connections.

Option D is incorrect because SSL/TLS configuration would cause a TLS handshake error, not a timeout.

41
MCQhard

A developer is integrating an App Engine standard environment app with Cloud Storage. The app needs to read objects from a bucket that is in a different project. The developer has granted the App Engine service account the Storage Object Viewer role on the bucket. However, the app still gets a 403 error when trying to read objects. What is the most likely cause?

A.The service account needs to be downloaded as a JSON key and added to the app configuration.
B.The bucket has uniform bucket-level access disabled, so ACLs may override IAM permissions.
C.The bucket is in a VPC Service Controls perimeter that blocks access from the App Engine service account.
D.The service account is from the app's project, not the bucket's project, and the bucket's IAM policy may not include the service account.
AnswerD

Cross-project IAM requires adding the service account from the source project to the bucket's IAM policy in the destination project.

Why this answer

Option A is correct because cross-project access requires the service account to be granted access at the bucket level in the source project, but the App Engine service account is in the same project as the app; the bucket is in another project, so the role must be assigned in the bucket's project. The error might persist if the bucket's IAM policy doesn't include the service account. Option B is wrong as no need for service account key.

Option C is wrong because VPC-SC could block, but that would be a different error. Option D is wrong because public access disabled is fine for explicit IAM.

42
MCQeasy

You need to monitor the CPU usage of a Compute Engine instance and trigger an alert when it exceeds 80% for 5 minutes. Which Google Cloud service should you use?

A.Cloud Debugger
B.Cloud Monitoring
C.Cloud Logging
D.Error Reporting
AnswerB

Cloud Monitoring provides metrics and alerting.

Why this answer

Cloud Monitoring (formerly Stackdriver Monitoring) is the correct service because it provides metrics, dashboards, and alerting policies for Compute Engine instances. You can create a metric-based alert condition that triggers when the CPU utilization metric exceeds 80% for a duration of 5 minutes, using the MQL or policy builder.

Exam trap

The trap here is that candidates confuse Cloud Logging with Cloud Monitoring because both are part of the Google Cloud operations suite, but Logging handles logs while Monitoring handles metrics and alerts.

How to eliminate wrong answers

Option A is wrong because Cloud Debugger is used to inspect the state of a running application in production without stopping it, not for monitoring CPU usage or triggering alerts. Option C is wrong because Cloud Logging collects and stores log data (e.g., application logs, system logs), but it does not natively support metric-based alerting on CPU utilization thresholds over time. Option D is wrong because Error Reporting aggregates and analyzes application errors (e.g., stack traces), not system-level metrics like CPU usage.

43
MCQmedium

Your organization runs a multi-region application on Cloud Run that serves an API. The API is consumed by clients worldwide. You want to reduce latency by routing users to the nearest regional Cloud Run service. Currently, all traffic goes to a single Cloud Run service in us-central1. You have set up additional Cloud Run services in europe-west1 and asia-east1. Each service is fronted by an external HTTPS load balancer with a regional backend. You want to use a single global anycast IP address that automatically directs users to the closest healthy backend. You also need to support HTTPS with a custom domain and a Google-managed certificate. What should you do?

A.Create a global external HTTPS load balancer with serverless NEGs pointing to each regional Cloud Run service, and attach a Google-managed certificate.
B.Enable anycast on the Cloud Run service by selecting the 'global' setting in the Cloud Run region selection.
C.Use Cloud DNS with geo-routing policy to point users to the appropriate regional load balancer IP based on their location.
D.Configure Cloud CDN in front of the Cloud Run services to cache responses at edge locations.
AnswerA

The global load balancer uses anycast IP and routes to the closest healthy backend, and serverless NEGs integrate with Cloud Run.

Why this answer

Option D is correct because an External HTTPS Load Balancer with a global backend service can route traffic to the closest backend via the Google Front Ends (GFE). The regional Cloud Run services can be added as backends with the appropriate network endpoint groups (NEGs). Option A is wrong because Cloud CDN caches content but does not route based on locality.

Option B is wrong because Cloud DNS with geo-routing can direct to different IPs, but that is not a single anycast IP. Option C is wrong because Cloud Run does not support anycast itself.

44
MCQeasy

A developer is building a microservices application on Cloud Run. One service needs to make authenticated HTTP requests to another Cloud Run service in the same project. What is the best practice for authentication?

A.Use API keys
B.Use Cloud Run's built-in service-to-service authentication with the default compute service account
C.Use OAuth2 client credentials
D.Use IAM roles on the target service and call it with the appropriate identity token from the metadata server
AnswerD

This is the recommended approach: use a service account with the roles/run.invoker role on the target service and obtain an identity token from the metadata server.

Why this answer

Option D is correct because Cloud Run service-to-service authentication is best done using an identity token from the metadata server and setting IAM on the target service. Option A is not recommended as API keys are for external clients. Option B uses OAuth2 client credentials which are for external applications.

Option C uses the default compute service account which may have broader permissions than needed.

45
Multi-Selectmedium

A company is integrating a legacy application with Google Cloud using Cloud VPN. The application must be accessed from multiple remote offices over the internet. Which TWO technologies should the company use to ensure secure and reliable connectivity? (Choose TWO.)

Select 2 answers
A.Cloud Interconnect
B.Private Google Access
C.Cloud NAT
D.Direct Peering
E.Cloud VPN
AnswersA, E

Provides dedicated, low-latency connections, ideal for reliable access.

Why this answer

Option A (Cloud VPN) is correct for site-to-site VPN connectivity. Option C (Cloud Interconnect) is correct for dedicated, reliable connectivity. Option B (Direct Peering) is not recommended for multi-office since it's for on-prem to Google, not hub-spoke.

Option D (Cloud NAT) is for outbound internet. Option E (Private Google Access) is for on-prem to Google APIs.

46
MCQeasy

A developer wants to allow a Compute Engine instance to send messages to a Pub/Sub topic. What is the recommended way to grant permissions?

A.Generate an API key for the instance and include it in HTTP requests.
B.Create a service account and assign the Pub/Sub Publisher role; attach the service account to the instance.
C.Use the instance's default Compute Engine service account and assign the Pub/Sub Publisher role to it.
D.Store the service account key file directly on the instance.
AnswerC

The default service account is convenient and secure.

Why this answer

Option B is correct because using the default Compute Engine service account and assigning the Pub/Sub Publisher role is the simplest and recommended approach. Option A works but is less efficient. Option C is wrong because API keys are not for service-to-service auth.

Option D is insecure.

47
MCQmedium

A company is running a critical application on Google Kubernetes Engine (GKE) that stores state in a Cloud SQL PostgreSQL instance. The application's latency-sensitive frontend needs to read data from Cloud SQL with minimal latency. The team wants to reduce read latency and offload read traffic from the primary database. What should they do?

A.Migrate the database to Cloud Spanner for better read scalability.
B.Use Memorystore for Redis as a cache layer between the application and Cloud SQL.
C.Create a read replica of the Cloud SQL instance and direct read traffic to the replica.
D.Use Cloud CDN to cache database responses.
AnswerC

Read replicas handle read-only queries, reducing load on the primary and improving read latency.

Why this answer

Option C is correct because creating a read replica of the Cloud SQL PostgreSQL instance allows read-heavy, latency-sensitive traffic to be offloaded from the primary database. The replica handles SELECT queries independently, reducing load on the primary and lowering read latency for the frontend, as replicas are typically in the same region and can serve data with minimal additional delay.

Exam trap

Cisco often tests the misconception that caching (Memorystore or CDN) is the only way to reduce read latency, but the question specifically asks to offload read traffic from the primary database, which a read replica achieves directly without introducing cache coherence complexity.

How to eliminate wrong answers

Option A is wrong because migrating to Cloud Spanner would introduce unnecessary complexity and cost for a workload that only needs read offloading; Spanner is designed for global, strongly consistent transactions, not simply reducing read latency from a single-region PostgreSQL instance. Option B is wrong because Memorystore for Redis adds a caching layer that requires application code changes to manage cache invalidation and consistency, and it does not directly offload read traffic from Cloud SQL—it caches data, but stale reads can occur if not carefully managed. Option D is wrong because Cloud CDN caches static content at edge locations and is not designed to cache dynamic database query responses; it would not reduce read latency for application-level database reads and would introduce staleness issues.

48
MCQeasy

A company wants to trigger a Cloud Run job every time a new file is uploaded to a Cloud Storage bucket. Which integration should be used?

A.Use Cloud Pub/Sub notifications from the bucket and create a push subscription to the Cloud Run job.
B.Use Cloud Scheduler to poll the bucket and invoke the Cloud Run job every minute.
C.Use Eventarc to create a trigger that routes Cloud Storage events to the Cloud Run job.
D.Use Cloud Functions to listen for storage events and then call the Cloud Run job via HTTP.
AnswerC

Eventarc listens to events and delivers them to Cloud Run jobs.

Why this answer

Option C is correct because Eventarc can route Cloud Storage events (like object finalize) to Cloud Run jobs via CloudEvents. Option A is wrong because Cloud Scheduler is time-based, not event-based. Option B is wrong because Cloud Functions can be triggered by storage events, but the question asks for Cloud Run job.

Option D is wrong because Pub/Sub alone cannot directly trigger a Cloud Run job without a subscription or push endpoint.

49
MCQhard

Refer to the exhibit. A developer configured a Pub/Sub push subscription to a Cloud Run service. Messages are not being delivered to the Cloud Run service. The developer verified that the service is running and the IAM permissions are correct. What is the most likely issue?

A.The service account does not have the pubsub.publisher role
B.The OIDC token audience does not match the Cloud Run service's URL
C.The push endpoint URL is not a valid HTTPS endpoint
D.The ackDeadlineSeconds is too short for the Cloud Run service to process messages
AnswerB

The audience must match the exact URL of the service for authentication to succeed.

Why this answer

Option B is correct because the OIDC token audience must exactly match the URL of the Cloud Run service. In the exhibit, the audience is 'https://my-service.run.app/' which should be the same as the push endpoint, but if the Cloud Run service has a different URL (e.g., with a generated hash), the authentication will fail. Option A is possible but less likely because messages would still be delivered and then acknowledged if processing time is less than 10 seconds.

Option C is incorrect because the endpoint is HTTPS. Option D is incorrect because the service account needs the token creator role, not publisher.

50
MCQhard

A company runs a microservices application on Cloud Run. One service, `order-processor`, is invoked asynchronously via a Cloud Tasks queue. The Cloud Tasks queue is configured with an HTTP target pointing to the `order-processor` service URL. The service requires authentication (no unauthenticated invocations). The service account used by Cloud Tasks to invoke the service is `cloud-tasks-system@project.iam.gserviceaccount.com`. After deploying a new revision of `order-processor` using Cloud Build and Cloud Deploy, the team notices that tasks are failing with a 403 status. The Cloud Run service logs show the requests are reaching the service but returning 403. The previous revision worked fine. What is the most likely cause?

A.The IAM policy binding granting the Cloud Tasks service account the Cloud Run Invoker role was removed during the deployment.
B.The new revision has a bug causing a permission denied error when processing tasks.
C.The Cloud Tasks queue needs to be configured with an OIDC token and audience for the new revision.
D.The Cloud Tasks queue's HTTP target URL needs to be updated to point to the new revision's specific URL.
AnswerA

If the deployment pipeline modifies IAM policies, the binding for the Cloud Tasks service account may have been removed, causing 403 errors.

Why this answer

Option B is correct. When Cloud Run requires authentication, the invoker's service account must be granted the roles/run.invoker role on the Cloud Run service. Although the IAM policy is set on the service, deploying a new revision with Cloud Build and Cloud Deploy may use a different service account or the IAM bindings might be overwritten if the deployment pipeline includes IAM policy updates.

In this scenario, the IAM binding for the Cloud Tasks service account was likely removed or not applied to the new revision, causing the 403 error. Option A is incorrect because the Cloud Tasks queue configuration does not change with revisions; the URL remains the same. Option C is incorrect because the OIDC token is configured on the queue and is independent of the revision.

Option D is incorrect because a permission denied error inside the service would result in a 500 or 503, not 403, and the logs show requests are reaching the service.

51
Matchingmedium

Match each Firebase feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

NoSQL document database with real-time sync

Backend service for user sign-in

Send push notifications across platforms

Change app behavior without publishing updates

Measure app performance from the user's perspective

Why these pairings

Firebase provides backend services for mobile and web apps.

52
MCQeasy

A company is using Cloud Functions (2nd gen) to process files uploaded to Cloud Storage. The function needs to access a Cloud SQL (PostgreSQL) database. What is the most secure way to store and provide the database password to the function?

A.Use Cloud KMS to encrypt the password and store it in environment variables.
B.Hardcode the password in the function code.
C.Use Secret Manager and access it via the Secret Manager API within the function.
D.Store the password in a Cloud Storage bucket and read it at startup.
AnswerC

Secret Manager is the secure way to store and access secrets with fine-grained IAM.

Why this answer

Option C is correct because Secret Manager is the recommended service for storing secrets with IAM controls. Option A is wrong because Cloud Storage buckets may have broader access and are not designed for secrets. Option B is wrong because hardcoding is insecure.

Option D is wrong because KMS encrypts data but Secret Manager provides a simpler and more integrated secret storage solution.

53
Multi-Selecthard

A company is deploying a microservices application on Google Cloud. They want to securely store and access secrets (e.g., API keys, database passwords) across multiple services. They need to minimize operational overhead and ensure secrets are automatically rotated. Which TWO approaches should they use?

Select 2 answers
A.Use Secret Manager with a Cloud Function that automatically rotates secrets on a schedule.
B.Store secrets in Cloud Storage buckets encrypted with Cloud KMS (CMEK).
C.Use Secret Manager to store secrets and enable automatic rotation.
D.Store secrets in a Cloud SQL database and use Cloud Scheduler to rotate them.
E.Store secrets in Cloud Firestore and use Firestore triggers to rotate them.
AnswersA, C

Secret Manager's built-in rotation can be used with Cloud Functions to implement custom rotation logic.

Why this answer

Secret Manager is Google Cloud's native service for storing and managing secrets with built-in support for automatic rotation. By enabling automatic rotation on a secret, you eliminate the need for custom infrastructure like Cloud Functions to handle the rotation logic, thereby minimizing operational overhead. Option A is correct because it uses Secret Manager with a Cloud Function for rotation, which is a valid approach, but Option C is more aligned with the requirement to minimize overhead since automatic rotation is a native feature.

Exam trap

The trap here is that candidates may think a custom rotation mechanism (like a Cloud Function) is always required, overlooking Secret Manager's native automatic rotation feature, which directly reduces operational overhead.

54
Multi-Selectmedium

Your company uses Cloud SQL for MySQL to store transactional data. You need to perform a point-in-time recovery (PITR) to recover from a logical error that occurred 30 minutes ago. Which two prerequisites must be met? (Choose TWO.)

Select 2 answers
A.High availability (HA) is configured.
B.Binary logging is enabled.
C.Automated backups are enabled.
D.The backup window is set to a time before the incident.
E.A read replica is configured.
AnswersB, C

Binary logs enable PITR.

Why this answer

Point-in-time recovery (PITR) for Cloud SQL for MySQL relies on binary logs to replay transactions up to a specific timestamp. Binary logging must be enabled because it records all changes to the database, allowing you to restore to any point within the retention period. Automated backups are also required because PITR uses the most recent full backup as a base, then applies binary logs from that backup to the target time.

Without automated backups, there is no base image to start the recovery process.

Exam trap

Google Cloud often tests the misconception that high availability or read replicas are required for point-in-time recovery, when in fact only binary logging and automated backups are necessary.

55
MCQhard

You are deploying a stateful application on GKE that requires persistent storage with high IOPS. You need to ensure that each pod can failover to a different node and still access the same data. Which volume type should you use?

A.ConfigMap.
B.PersistentVolumeClaim with ReadWriteMany.
C.EmptyDir.
D.PersistentVolumeClaim with ReadWriteOnce.
AnswerB

ReadWriteMany allows access from multiple nodes, enabling failover.

Why this answer

Option D is correct because ReadWriteMany allows multiple nodes to access the same volume simultaneously. Option A is wrong because EmptyDir is ephemeral. Option B is wrong because ConfigMap is for configuration.

Option C is wrong because ReadWriteOnce only allows one node at a time.

56
MCQmedium

Your application runs on Compute Engine and uses Cloud Pub/Sub to receive messages from a third-party service. Recently, the message delivery latency has increased significantly. The third-party reports no issues on their end. You notice that the Pub/Sub subscription's 'ackDeadlineSeconds' is set to 10. What is the most likely cause of the latency?

A.The ackDeadlineSeconds is too short, causing frequent message redelivery.
B.The topic's message retention duration is too long.
C.The push endpoint is not responding, causing Pub/Sub to retry.
D.The subscription has an exponential backoff policy that is too aggressive.
AnswerA

Short ack deadline leads to redelivery before processing completes.

Why this answer

A is correct because a 10-second ackDeadlineSeconds is very short. If your subscriber cannot process and acknowledge messages within 10 seconds, Pub/Sub will consider them unacknowledged and redeliver them. This redelivery causes duplicate processing and increases overall latency as messages are repeatedly sent back to the subscriber, delaying their final consumption.

Exam trap

Google Cloud often tests the distinction between push and pull subscriptions; the trap here is that candidates may incorrectly assume a push endpoint issue (Option C) without recognizing that the question implies a pull subscription by stating 'receives messages' rather than 'receives pushed messages'.

How to eliminate wrong answers

Option B is wrong because the topic's message retention duration affects how long unacknowledged messages are stored, not delivery latency; a longer retention does not cause delays. Option C is wrong because the question states the application runs on Compute Engine and uses Pub/Sub to receive messages, implying a pull subscription, not a push subscription; a non-responsive push endpoint would cause retries, but the scenario describes a pull-based setup. Option D is wrong because Pub/Sub does not have a configurable exponential backoff policy on subscriptions; the backoff behavior is built into the client libraries and is not a subscription-level setting that would cause latency.

57
Drag & Dropmedium

Drag and drop the steps to set up a Cloud SQL instance with a private IP in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Setting up private IP Cloud SQL requires a VPC, private services access, and creating the instance with private IP.

58
Matchingmedium

Match each Kubernetes resource to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Declares desired state for pods and ReplicaSets

Stable network endpoint to access pods

HTTP(S) load balancer for external access

Store non-sensitive configuration data

Store sensitive data like passwords or keys

Why these pairings

These are fundamental Kubernetes objects for running containerized applications.

59
Multi-Selecthard

You are designing a CI/CD pipeline using Cloud Build. Which three features can be used to secure the pipeline and enforce compliance? (Choose three.)

Select 3 answers
A.Using Cloud Build's inline substitution variables to inject secrets.
B.Configuring Cloud Build to only run builds from approved source repositories via VPC-SC.
C.Adding approval gates via Cloud Build's built-in approval mechanism.
D.Integrating with Cloud Build's vulnerability scanning for container images.
E.Using Cloud Build worker pools with private IP and service perimeter.
AnswersB, C, E

VPC Service Controls help enforce source restrictions.

Why this answer

Options A, B, and C are correct. A is correct because Cloud Build supports manual approval gates. B is correct because private pools and service perimeters enhance security.

C is correct because VPC Service Controls can restrict builds to approved repositories. D is wrong because substitution variables are not secure for secrets. E is wrong because vulnerability scanning is a separate Artifact Analysis feature.

60
Multi-Selectmedium

A company is using Cloud Build for CI/CD. They want to automatically trigger builds when code is pushed to a Cloud Source Repository and store the resulting Docker images in a secure, immutable artifact store. Which TWO services should they use? (Choose 2)

Select 2 answers
A.Cloud Source Repository
B.Cloud Storage
C.Artifact Registry
D.Cloud Functions
E.Container Registry
AnswersA, C

Cloud Source Repository is a Git repository that can trigger Cloud Build.

Why this answer

Cloud Source Repository hosts the code and can trigger Cloud Build. Artifact Registry is the recommended immutable artifact store for Docker images. Container Registry is deprecated.

Cloud Storage and Cloud Functions are not directly involved.

61
MCQmedium

A developer ran the following command: `gcloud compute instances list --filter='labels.env=prod'`. The command returned no instances even though there are instances with label env=prod. What is the most likely reason?

A.Instances are in a different project.
B.The user lacks compute.instances.list permission.
C.The filter syntax is incorrect; should use `labels.env:prod`.
D.The instances are stopped.
AnswerC

The equals sign is not the correct delimiter for label filters in gcloud.

Why this answer

Option B is correct because the correct filter syntax for labels uses a colon (:) instead of an equals sign. The proper filter is `labels.env:prod`. Option A is wrong because if the project were different, a different error would appear.

Option C is wrong because permission errors produce a different message. Option D is wrong because stopped instances are still listed.

62
MCQmedium

You are building a data pipeline that ingests streaming data from thousands of IoT devices. The devices send JSON payloads to a Cloud Pub/Sub topic. You want to process the data in near real-time and store the results in BigQuery for analytics. You also need to handle occasional schema changes in the incoming data (new fields added) without manual intervention. You have set up a Dataflow streaming pipeline using Apache Beam to read from Pub/Sub and write to BigQuery. The pipeline uses the `WriteToBigQuery` transform with `createDisposition=CREATE_NEVER` and `writeDisposition=WRITE_APPEND`. Recently, a batch of devices started sending a new field `temperature_celsius` that does not exist in the BigQuery schema. The pipeline logs errors and the data is not written. You need to modify the pipeline to automatically handle such schema evolution. What should you do?

A.Change `createDisposition` to `CREATE_IF_NEEDED` and ensure the BigQuery table schema has `autodetect=true` or is updated to allow new fields.
B.Manually update the BigQuery table schema to include the new field and then restart the pipeline.
C.Write the raw JSON payloads to Cloud Storage and use a Cloud Function to load them into BigQuery every 10 minutes with schema autodetect.
D.Use a `ParDo` transform to flatten all JSON fields into a fixed schema by ignoring unknown fields.
AnswerA

`CREATE_IF_NEEDED` will add new columns automatically if the schema is flexible.

Why this answer

Option A is correct because with `createDisposition=CREATE_IF_NEEDED`, BigQuery will automatically add new fields if the schema allows updates. This is the simplest approach. Option B is wrong because storing raw data in Cloud Storage and then loading later loses real-time capability.

Option C is wrong because Dataflow does not have a transform that automatically flattens schemas without modification. Option D is wrong because updating the table schema manually defeats the purpose of automation.

63
MCQmedium

You are designing a CI/CD pipeline using Cloud Build. You want to automatically trigger a build when code is pushed to a specific branch in Cloud Source Repositories. What is the correct configuration?

A.Create a Cloud Function that invokes Cloud Build via API when a push event occurs.
B.Add a build step in cloudbuild.yaml that polls the repository.
C.Configure a Cloud Pub/Sub topic to notify Cloud Build on push events.
D.Create a build trigger in Cloud Build with a regex pattern for the branch name.
AnswerD

Build triggers with branch patterns are the correct approach.

Why this answer

Option D is correct because Cloud Build natively supports build triggers that can be configured to automatically start a build when code is pushed to a specific branch in Cloud Source Repositories. The trigger uses a regex pattern to match the branch name, and Cloud Build listens for repository push events directly without requiring additional services.

Exam trap

Cisco often tests the misconception that Cloud Pub/Sub is always required for event-driven triggers, but Cloud Build has a native trigger integration with Cloud Source Repositories that bypasses Pub/Sub entirely.

How to eliminate wrong answers

Option A is wrong because creating a Cloud Function to invoke Cloud Build via API is an unnecessary workaround; Cloud Build already has built-in trigger functionality for Cloud Source Repositories. Option B is wrong because adding a build step that polls the repository is inefficient and violates the event-driven design of CI/CD; Cloud Build triggers are event-driven, not polling-based. Option C is wrong because while Cloud Pub/Sub can be used with Cloud Build, it is not required for Cloud Source Repositories; Cloud Build directly integrates with Cloud Source Repositories via its own trigger system without needing a Pub/Sub topic.

64
Multi-Selectmedium

A company is building a data processing pipeline that needs to ingest events from multiple sources, process them in order, and handle failures with retry. They also need to schedule periodic tasks. Which THREE services should they use? (Choose 3)

Select 3 answers
A.Cloud Scheduler
B.Cloud Tasks
C.Cloud Workflows
D.Cloud Pub/Sub
E.Cloud Logging
AnswersA, B, D

Cloud Scheduler can trigger periodic tasks.

Why this answer

Cloud Pub/Sub for ingesting events with ordering, Cloud Tasks for retry handling, and Cloud Scheduler for scheduling periodic tasks. Cloud Workflows is for orchestration, Cloud Logging is for logs.

65
MCQeasy

An application running on Compute Engine needs to publish messages to a Pub/Sub topic. The VPC does not have external internet access. What must be configured to allow the instance to publish?

A.Cloud NAT
B.VPC Peering with Pub/Sub
C.Cloud Router with BGP
D.Private Google Access
AnswerD

Private Google Access allows VM instances to use Google APIs via internal IPs.

Why this answer

Option D is correct because Private Google Access enables instances without external IP addresses to call Google APIs and services (including Pub/Sub) using internal IPs. Option A is for NAT to internet, option B is for peering, and option C is for dynamic routing.

66
MCQmedium

An organization uses Cloud SQL for MySQL and wants to set up a read replica in a different region to improve read latency for global users. What is the recommended way to configure network connectivity between the primary and replica?

A.Use a Cloud Interconnect
B.Use Cloud VPN with dynamic routing
C.Use VPC peering between the regions
D.Use Private Services Access
AnswerD

Private Services Access allows the Cloud SQL service producer VPC to be peered with the customer VPC.

Why this answer

Option A is correct because cross-region Cloud SQL read replicas require Private Services Access to establish connectivity between the peered VPC and the Cloud SQL service. Option B is for VPN, option C is for dynamic routing, and option D is for high-bandwidth connectivity.

Ready to test yourself?

Try a timed practice session using only Integrating Gcp Services questions.