Google Professional Cloud DevOps Engineer (PCDOE) — Questions 676750

987 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
Multi-Selectmedium

You are responding to an incident where a new release has caused increased error rates. Which TWO actions should you take immediately?

Select 2 answers
A.Disable the alert.
B.Notify stakeholders.
C.Push a hotfix without testing.
D.Roll back the release.
E.Create a post-mortem document.
AnswersB, D

Keeping stakeholders informed is critical during an incident.

Why this answer

Option B is correct because immediately notifying stakeholders (such as product owners, support teams, and affected users) is a critical first step in incident management. It ensures transparency, sets expectations, and allows coordinated response efforts. In the PCDOE framework, stakeholder communication is prioritized to maintain trust and align business impact with technical remediation.

Exam trap

Google Cloud often tests the distinction between immediate containment actions (rollback, notification) versus post-incident tasks (post-mortem) or harmful actions (disabling alerts, untested hotfixes) to see if candidates understand the priority of stopping user impact over preserving data or process.

677
MCQmedium

A Cloud SQL for PostgreSQL instance is experiencing high read traffic. You need to offload read queries and ensure the solution can survive a regional outage. What should you do?

A.Set up Cloud Memorystore as a cache in front of the database.
B.Increase the machine type of the primary instance to handle the load.
C.Create a read replica in the same region and use it for read queries.
D.Create a cross-region read replica and direct read traffic to it.
AnswerD

Cross-region replica offloads reads and can be promoted for regional failover.

Why this answer

Cross-region read replicas serve read traffic and provide disaster recovery if the primary fails. Creating a cross-region read replica reduces read load and can be promoted if the primary region fails. Option D is correct.

Option A (same-region replica) does not survive a regional outage. Option B (increasing tier) helps performance but not regional failover. Option C (cache) reduces latency but not a full recovery solution.

678
MCQmedium

A company runs an e-commerce platform on Cloud SQL for PostgreSQL. They need to perform point-in-time recovery (PITR) to recover from a user error that occurred 30 minutes ago. Which configuration is required to enable PITR?

A.Enable automated backups and configure a retention of 1-7 days; PITR uses WAL archiving automatically.
B.Enable binary logging and set a backup retention of 1-7 days.
C.Set up cross-region backup replicas and configure a retention of 1-7 days.
D.Enable PITR by setting the 'pitr_enabled' flag to true in the database flags.
AnswerA

In Cloud SQL for PostgreSQL, PITR is enabled by automated backups with a retention of 1-7 days; WAL archiving is handled automatically.

679
Multi-Selectmedium

A company is designing a disaster recovery strategy for a Cloud SQL for PostgreSQL instance. They require an RPO of less than 5 minutes and an RTO of less than 2 minutes in the event of a regional outage. Which three components should they include in their solution? (Choose three.)

Select 3 answers
A.Cross-region read replica
B.Global external HTTP(S) load balancer with backend health checks
C.Automated promotion script (e.g., using Cloud Functions)
D.Point-in-time recovery enabled with 7-day retention
E.Automated backup with 5-minute frequency
AnswersA, B, C

A read replica in another region provides asynchronous replication, achieving RPO of seconds to minutes.

Why this answer

To achieve RPO <5 minutes and RTO <2 minutes across regions, you need a solution that can recover quickly with minimal data loss. Cloud SQL cross-region read replicas replicate asynchronously, so RPO is the replication lag (which can be <5 minutes if the network is fast). Promoting a read replica manually takes minutes, but you can automate the promotion using Cloud Functions or scripts to reduce RTO.

Alternatively, you could use a standby instance in another region with synchronous replication (but Cloud SQL does not support that). The best approach is to use a cross-region read replica with automated promotion (e.g., via Cloud Functions triggered by a health check). Additionally, you need to update application connection strings to point to the new primary.

Using a load balancer with health checks can also help route traffic. The three correct components are: cross-region read replica, automated promotion script, and a global load balancer to redirect traffic.

680
MCQhard

Your team manages a CI/CD pipeline for a microservices application deployed on Google Kubernetes Engine (GKE). The pipeline uses Cloud Build to build container images and push them to Artifact Registry, then uses a Cloud Build step with kubectl to apply Kubernetes manifests stored in a separate 'manifests' repository. Recently, the team has experienced issues: sometimes a new image is deployed to production even though the corresponding pull request (PR) has not been merged into the main branch of the manifests repository. Also, rollbacks are slow because the previous image tag is overwritten. The team wants to ensure that only code that passes all tests and is merged to main is deployed, and that each deployment uses a unique immutable image tag. What should the team do?

A.Keep the current architecture but modify Cloud Build triggers to only run on the main branch of both repositories. Use the short SHA ($SHORT_SHA) as the image tag.
B.Consolidate application code and Kubernetes manifests into a single repository. Configure Cloud Build triggers to build and run tests on all branches, but only deploy to GKE when changes are merged to the main branch. Use the full commit SHA as the image tag.
C.Move all source code and manifests into a single repository. Use Cloud Build triggers to build and test on every push, and deploy only on pushes to the main branch. Use the commit SHA ($COMMIT_SHA) as the image tag.
D.Keep application and manifests in separate repositories. Use Cloud Build triggers to build on changes to the app repo, and use a separate trigger on the manifests repo to deploy. Use the 'latest' tag for the image.
AnswerB

This ensures that only merged code triggers deployments, and the full commit SHA provides an immutable unique tag for easy rollback.

Why this answer

Option B is correct because consolidating the application code and Kubernetes manifests into a single repository ensures that the image tag (full commit SHA) is uniquely tied to the exact code and manifest changes that passed all tests. By configuring Cloud Build triggers to deploy only on merges to the main branch, the team guarantees that only fully tested, merged code reaches production. Using the full commit SHA as the image tag provides immutability and enables fast, precise rollbacks by referencing the exact image from Artifact Registry.

Exam trap

Google Cloud often tests the misconception that separate repositories with branch-based triggers are sufficient for deployment integrity, when in reality the atomicity of code and manifest changes in a single repository is required to prevent untested code from reaching production.

How to eliminate wrong answers

Option A is wrong because keeping separate repositories with triggers on the main branch of both does not solve the root cause: a PR merged into the manifests repo could reference an image tag (short SHA) that was built from unmerged app code, leading to deployment of untested code. Option C is wrong because deploying on every push to main (rather than only on merges) could still deploy code that hasn't passed all tests if the trigger is misconfigured or if tests are run in parallel; also, using $COMMIT_SHA is correct but the trigger condition is insufficiently strict. Option D is wrong because using the 'latest' tag violates immutability and makes rollbacks impossible, and separate repositories with separate triggers do not enforce the atomicity of code and manifest changes, allowing mismatched deployments.

681
MCQhard

An organization is using Cloud Source Repositories and wants to enforce that all commits are signed with a verified GPG key. How can they enforce this?

A.Use a branch protection rule in Cloud Source Repositories.
B.Use Cloud Functions to validate commits after push.
C.Enable the Signed Commits policy in the repository settings.
D.Use a pre-receive hook in Cloud Source Repositories.
AnswerC

Native feature to require GPG-signed commits.

Why this answer

Option C is correct because Cloud Source Repositories provides a built-in 'Signed Commits' policy in the repository settings that, when enabled, rejects any push containing commits that are not signed with a verified GPG key. This policy is enforced server-side at the repository level, ensuring that only signed commits are accepted without requiring external tools or custom scripts.

Exam trap

The trap here is that candidates confuse branch protection rules (which control merge behavior) with commit signing enforcement, or assume pre-receive hooks are available in Cloud Source Repositories when they are not supported in this managed service.

How to eliminate wrong answers

Option A is wrong because branch protection rules in Cloud Source Repositories control merge requirements (e.g., required reviews, status checks) but do not enforce commit signing; they operate on pull request merges, not on individual commits pushed directly. Option B is wrong because Cloud Functions can validate commits after push, but this is an asynchronous, post-hoc approach that cannot prevent the push from being accepted; the commits would already be in the repository, violating the enforcement requirement. Option D is wrong because Cloud Source Repositories does not support pre-receive hooks; this feature is available in self-managed Git servers (e.g., GitHub Enterprise, GitLab) but not in Google Cloud's managed repository service.

682
MCQeasy

You need to monitor the replication lag between a Cloud SQL for MySQL primary instance and its read replica. Which metric should you use to set up an alert?

A.cloudsql.googleapis.com/database/replication/replica_count
B.cloudsql.googleapis.com/database/cpu/utilization
C.cloudsql.googleapis.com/database/memory/utilization
D.cloudsql.googleapis.com/database/replication/replication_lag
AnswerD

This is the correct metric for replication lag.

Why this answer

Cloud SQL exposes a metric 'replication/replication_lag' (or 'cloudsql.googleapis.com/database/replication/replication_lag') that measures the lag in seconds between the primary and replica. This is the correct metric for alerting.

683
MCQhard

A Memorystore for Redis instance is running out of memory. The application can tolerate some data loss but not crashes. The team wants to ensure the instance remains available without manual intervention. Which eviction policy should they configure?

A.volatile-lru
B.volatile-ttl
C.noeviction
D.allkeys-lru
AnswerD

Correct. This evicts the least recently used keys across all keys, ensuring availability.

Why this answer

Option D (allkeys-lru) is correct because it allows Redis to evict the least recently used keys from the entire keyspace when memory is full, which keeps the instance available without crashing. Since the application can tolerate some data loss but not crashes, this policy ensures memory pressure is relieved automatically, preventing out-of-memory errors that would cause the instance to become unavailable.

Exam trap

Cisco often tests the misconception that volatile policies (like volatile-lru or volatile-ttl) are safer because they only affect keys with TTL, but the trap is that if most keys lack expiration, these policies fail to free memory, leading to crashes—whereas allkeys-lru guarantees eviction across all keys to maintain availability.

How to eliminate wrong answers

Option A (volatile-lru) is wrong because it only evicts keys with an expiration set, leaving keys without TTL untouched; if the majority of data lacks expiration, memory may still fill up and cause instability. Option B (volatile-ttl) is wrong because it evicts keys based on shortest remaining TTL among volatile keys, which is unpredictable and may not free enough memory in time, risking crashes. Option C (noeviction) is wrong because it returns errors on write operations when memory is full, which would cause application crashes or unavailability, directly contradicting the requirement to avoid crashes.

684
MCQmedium

A company is running a Cloud SQL for PostgreSQL instance for an e-commerce application. They need to enable point-in-time recovery (PITR) with a 7-day retention period. What configuration steps must be taken?

A.Create a cross-region backup replica with a 7-day retention.
B.Enable WAL archiving and configure backup retention to 7 days using gcloud sql instances patch --backup-retention-days 7.
C.Enable binary logging and set backup retention to 7 days.
D.Enable automated backups with a 7-day retention; WAL archiving is automatic.
AnswerB

Correct. WAL archiving is needed for PITR, and backup retention is set via the flag.

Why this answer

Option B is correct because Cloud SQL for PostgreSQL uses Write-Ahead Log (WAL) archiving to enable point-in-time recovery (PITR). You must enable automated backups (which automatically enables WAL archiving) and then set the backup retention period to 7 days using the `gcloud sql instances patch --backup-retention-days 7` command. This ensures that WAL logs are retained for the specified duration, allowing PITR within that window.

Exam trap

Cisco often tests the distinction between database-specific recovery mechanisms—candidates mistakenly apply MySQL binary logging concepts to PostgreSQL, where WAL archiving is the correct mechanism, and overlook the explicit command needed to set the retention period.

How to eliminate wrong answers

Option A is wrong because cross-region backup replicas are used for disaster recovery and high availability, not for enabling PITR; they do not provide the WAL log retention required for point-in-time recovery. Option C is wrong because binary logging is a MySQL/MariaDB concept, not applicable to PostgreSQL; PostgreSQL uses WAL (Write-Ahead Log) for PITR, not binary logs. Option D is wrong because while enabling automated backups is necessary, the statement 'WAL archiving is automatic' is misleading; WAL archiving is automatically enabled only when automated backups are turned on, but the retention period must be explicitly configured via the `--backup-retention-days` flag—simply enabling automated backups with a 7-day retention without the patch command does not guarantee the correct configuration.

685
MCQmedium

An engineer needs to create a backup of a Cloud SQL for MySQL instance that is retained for 400 days to meet compliance requirements. What is the correct approach?

A.Use Cloud SQL export to Cloud Storage and store the export for 400 days using object lifecycle management.
B.Set the backup retention to 400 days in the Cloud SQL instance settings.
C.Create a cross-region read replica and use it as a backup source.
D.Use the gcloud command: gcloud sql backups create --instance=myinstance --async and rely on default retention.
AnswerA

Export to Cloud Storage creates a durable backup that can be retained indefinitely via object lifecycle rules, meeting the 400-day requirement.

Why this answer

Cloud SQL for MySQL allows automated backups with a maximum retention of 365 days. To retain a backup for longer, the engineer must create an on-demand export to Cloud Storage. The export can be stored indefinitely.

Automated backup retention cannot be extended beyond 365 days. Using Cloud SQL's backup retention setting to 400 days is not supported. Using a read replica is not a backup.

Using PITR does not create a separate backup file.

686
MCQmedium

An alerting policy triggers frequently for a spike in CPU utilization on a Compute Engine instance, but the spike lasts only a few seconds. The SRE team wants to reduce false positives. Which change should they make?

A.Increase the notification channel threshold.
B.Decrease the alerting duration to 0s.
C.Increase the evaluation period and duration.
D.Change the aggregation to mean instead of max.
AnswerC

Longer evaluation period and duration require the condition to persist, reducing false positives from short-lived spikes.

Why this answer

Option C is correct because increasing the evaluation period and duration ensures that the alerting policy only fires when the CPU utilization spike persists over a longer window, filtering out transient spikes that last only a few seconds. This directly reduces false positives by requiring sustained high utilization before triggering an alert, aligning with Google Cloud Monitoring's sliding window evaluation logic.

Exam trap

Google Cloud often tests the misconception that reducing the duration or changing aggregation will solve false positives, but the correct approach is to increase the evaluation window to require sustained anomalous behavior, not to react to every momentary deviation.

How to eliminate wrong answers

Option A is wrong because increasing the notification channel threshold does not affect the alerting condition; it only controls how many notifications are sent, not the sensitivity of the metric evaluation. Option B is wrong because decreasing the alerting duration to 0s would cause the policy to trigger on any single data point, making false positives worse by reacting to every momentary spike. Option D is wrong because changing the aggregation to mean instead of max would smooth out spikes, potentially masking real issues and still not addressing the transient nature of the spike; the mean could still be elevated if the spike is high enough, but the core problem is the short duration, not the aggregation method.

687
MCQmedium

A team uses Cloud Build with a trigger on Cloud Source Repository. The build fails intermittently with error 'Failed to pull builder image 'gcr.io/cloud-builders/gcloud'' but sometimes succeeds. What is the most likely cause?

A.The Cloud Build worker pool is in a different region.
B.The builder image is too large.
C.Network egress from Cloud Build is throttled due to high concurrency.
D.The build service account lacks permissions to access Container Registry.
AnswerC

When many builds run concurrently, Cloud Build may throttle egress, causing timeouts pulling images. Reducing concurrency or using a private pool can resolve this.

Why this answer

The intermittent failure to pull the builder image 'gcr.io/cloud-builders/gcloud' indicates a transient network issue rather than a permanent misconfiguration. Cloud Build uses a shared pool of network resources, and under high concurrency, egress traffic to Container Registry can be throttled, causing pull operations to time out or fail. This explains why the build sometimes succeeds and sometimes fails, as throttling depends on the current load.

Exam trap

Google Cloud often tests the distinction between consistent misconfiguration errors (e.g., permissions, region) and transient network throttling issues, where the 'intermittent' keyword is the critical hint to choose throttling over permanent configuration problems.

How to eliminate wrong answers

Option A is wrong because Cloud Build worker pools are regional resources, but the region does not affect the ability to pull a public image from gcr.io; the error is intermittent, not a permanent region mismatch. Option B is wrong because the size of the builder image is not the cause of intermittent failures; if the image were too large, it would consistently fail or time out, not succeed sometimes. Option D is wrong because if the build service account lacked permissions to access Container Registry, the failure would be consistent (e.g., a 403 Forbidden error), not intermittent.

688
Multi-Selectmedium

Which TWO actions are required to set up point-in-time recovery (PITR) for Cloud SQL for MySQL? (Choose 2)

Select 2 answers
A.Enable binary logging.
B.Set the 'log_bin' flag to ON in the database flags.
C.Create a read replica in a different region.
D.Configure a cross-region backup replica.
E.Enable automated backups with a retention period between 1 and 7 days.
AnswersA, E

Binary logging is required for PITR in MySQL to capture point-in-time changes.

689
MCQhard

Refer to the exhibit. A DevOps engineer is trying to create a new project using the Cloud Console. The project creation fails with a policy violation. The engineer has permissions on folders/12345678 and folders/87654321 but not on any other folders. They select folder/87654321 as the parent. What is the most likely reason for the failure?

A.The engineer is missing the resourcemanager.projects.create permission.
B.The policy is enforced at the organization level but the engineer's IAM role does not allow creating projects in that folder.
C.The policy is set at the folder level, and folder/87654321 has a different policy.
D.The policy requires the project parent to be one of the allowed folders, and folder/87654321 is not listed.
AnswerD

The allowedValues only include folder/12345678.

Why this answer

Option D is correct because the policy violation indicates that the organization has a constraint restricting which folders can be used as project parents. The engineer selected folder/87654321, but the policy explicitly lists only certain allowed folders, and folder/87654321 is not among them. This is a common organization policy (e.g., a list constraint) that enforces project creation only in approved folders, regardless of the engineer's IAM permissions on that folder.

Exam trap

Google Cloud often tests the distinction between IAM permission errors (e.g., missing resourcemanager.projects.create) and organization policy constraint violations (e.g., list constraints), where candidates mistakenly attribute the failure to missing IAM roles rather than a policy that restricts allowed parent resources.

How to eliminate wrong answers

Option A is wrong because the engineer successfully navigated to the project creation UI and the error is a 'policy violation', not a permissions error; missing resourcemanager.projects.create would produce an 'access denied' or 'permission denied' message, not a policy violation. Option B is wrong because the policy is enforced at the organization level (as a constraint), not at the folder level, and the engineer's IAM role does allow creating projects in that folder (they have permissions on it); the failure is due to a policy constraint, not an IAM role limitation. Option C is wrong because the policy is not set at the folder level on folder/87654321; if it were, the engineer would see a folder-specific policy violation, but the question states the policy is enforced at the organization level, and the engineer has permissions on the folder itself.

690
MCQmedium

A company uses Cloud SQL for MySQL and wants to run complex analytical queries on the same data without affecting OLTP performance. They need a solution with minimal data movement and low operational overhead. Which approach should they take?

A.Migrate to Cloud Spanner
B.Export data to BigQuery periodically
C.Set up a Cloud SQL read replica and run analytical queries on it
D.Use AlloyDB for PostgreSQL with its columnar engine
AnswerD

AlloyDB provides HTAP with a built-in columnar engine for analytics without impacting OLTP.

Why this answer

AlloyDB is a PostgreSQL-compatible database that includes a columnar engine for analytical queries, providing HTAP capabilities with minimal performance impact on OLTP. BigQuery requires exporting data, which adds latency and overhead. Read replicas still run on MySQL engines optimized for OLTP.

Spanner is overkill and requires migration. AlloyDB is the best fit for HTAP.

691
MCQmedium

Refer to the exhibit. The build fails with error: 'invalid tag format' for the image. What is the issue?

A.The project ID substitution is not present.
B.The substitution $SHORT_SHA is not defined and the tag becomes empty.
C.The build step must explicitly push the image.
D.The image name must include a tag.
AnswerB

If $SHORT_SHA is empty, the tag becomes 'myimage:', which is invalid. Substitutions must be defined when running the build.

Why this answer

Option A is correct because $SHORT_SHA is a substitution that may be empty if not defined, resulting in an invalid tag. Option B is incorrect because a tag is provided. Option C is incorrect because the images array triggers a push automatically.

Option D is irrelevant.

692
MCQmedium

A company is migrating a batch processing workload to Google Cloud. The workload is CPU-intensive and runs for a few hours each day. Which Compute Engine machine family should they choose to optimize performance and cost?

A.Compute-optimized (C2/C2D)
B.Burstable (T2D)
C.GPU-accelerated (A2)
D.Memory-optimized (M2)
AnswerA

C2 family offers high CPU performance per core, ideal for batch processing.

Why this answer

A is correct because the workload is CPU-intensive and runs for a few hours each day, which is a sustained, compute-bound task. Compute-optimized machines (C2/C2D) are designed specifically for high-performance computing (HPC) and batch processing, offering the highest ratio of vCPU to memory and the fastest single-threaded performance on Google Cloud. This minimizes runtime and cost per job compared to general-purpose or burstable families.

Exam trap

The trap here is that candidates often confuse 'cost optimization' with choosing the cheapest machine family (burstable), ignoring that sustained CPU-intensive workloads on burstable instances incur performance throttling and longer runtimes, ultimately increasing total cost of ownership (TCO).

How to eliminate wrong answers

Option B is wrong because Burstable (T2D) machines are designed for workloads with low average CPU utilization and occasional spikes, not sustained CPU-intensive batch processing; they throttle performance when credits are exhausted, leading to unpredictable job completion times. Option C is wrong because GPU-accelerated (A2) machines are optimized for parallel processing workloads like ML training and 3D rendering, not general CPU-intensive batch jobs, and would incur unnecessary cost for unused GPU resources. Option D is wrong because Memory-optimized (M2) machines are designed for memory-intensive workloads such as large in-memory databases and SAP HANA, not CPU-bound tasks, and their higher memory-to-vCPU ratio would waste resources and increase cost.

693
MCQmedium

A Cloud Bigtable cluster is currently using HDD storage. The team wants to switch to SSD for better performance. What is the correct approach?

A.Create a new cluster in the same instance with SSD, then delete the old HDD cluster.
B.Use the gcloud bigtable clusters update command with the --storage-type flag.
C.Export the table to Cloud Storage, delete the instance, create a new one with SSD, and import.
D.Delete the existing cluster and recreate it with SSD. Data is retained in the instance.
AnswerA

Correct. A Bigtable instance can have multiple clusters; add a new SSD cluster, replicate data, then remove the HDD cluster.

Why this answer

In Cloud Bigtable, storage type is a property of the cluster, not the instance. You cannot change the storage type of an existing cluster. The correct approach is to add a new cluster with SSD storage to the same instance, then delete the original HDD cluster.

This allows you to migrate without data loss or downtime, as data is replicated across clusters in the same instance.

Exam trap

Cisco often tests the misconception that you can update storage type on an existing cluster or that deleting a cluster preserves data in the instance, but in Cloud Bigtable, storage type is immutable per cluster and data is tied to the cluster's existence.

How to eliminate wrong answers

Option B is wrong because the `gcloud bigtable clusters update` command does not support a `--storage-type` flag; storage type is immutable after cluster creation and cannot be changed via any command. Option C is wrong because it unnecessarily involves exporting to Cloud Storage and recreating the instance, which is complex and risks data loss or extended downtime; Cloud Bigtable supports multiple clusters per instance, making a simple cluster swap possible. Option D is wrong because deleting the cluster also deletes all data stored in that cluster; data is not retained in the instance when the only cluster is removed, as Cloud Bigtable stores data only in clusters.

694
Multi-Selecteasy

A company is moving large amounts of data between regions. Which two actions can reduce network egress costs? (Choose two.)

Select 2 answers
A.Consolidate resources to a single region
B.Use Cloud CDN to cache static content
C.Use Cloud Interconnect to connect to on-premises
D.Use a VPN connection to on-premises
E.Use VPC Network Peering within the same VPC network
AnswersA, B

Moving all resources to one region eliminates cross-region egress costs entirely.

Why this answer

Options B and C are correct. Cloud CDN reduces egress from origin by serving cached content from edge locations. Consolidating resources to a single region eliminates cross-region egress.

Options A, D, and E do not directly reduce inter-region egress costs: VPN uses public internet, same-region VPC peering is free but does not reduce cross-region egress, and Cloud Interconnect mainly reduces egress to on-premises.

695
MCQmedium

A company runs a production web application on Google Compute Engine behind an HTTP(S) load balancer. The application is deployed across multiple managed instance groups in three regions (us-east1, europe-west1, asia-east1). Recently, users report slow page load times. Monitoring shows that CPU utilization on instances is consistently low (around 30%) but memory usage is high (over 80%). The application uses a self-managed in-memory cache per instance to store session data and frequently accessed objects. The team is considering adding more instances to the instance groups to distribute the load. However, they notice that the load balancer's latency is spiking and the cache hit ratio is low. What is the most likely issue and what should the engineer do?

A.Add more instances to the instance groups to increase total memory capacity.
B.Migrate to a managed in-memory cache like Memorystore for Redis to serve as a centralized cache shared by all instances.
C.Increase the machine type of instances to have more memory per instance (e.g., n1-highmem-4).
D.Enable autoscaling based on memory utilization.
AnswerB

A centralized cache eliminates duplication, reduces per-instance memory pressure, and improves cache hit ratio, reducing latency.

Why this answer

The low cache hit ratio and high memory usage indicate that each instance's self-managed in-memory cache is fragmented and inefficient, as session data and frequently accessed objects are not shared across instances. This forces the load balancer to repeatedly fetch data from the backend, causing latency spikes. Migrating to a centralized managed cache like Memorystore for Redis eliminates per-instance cache duplication, improves cache hit ratio, and reduces load balancer latency by serving data from a single, consistent cache.

Exam trap

Google Cloud often tests the misconception that scaling horizontally (adding more instances) or vertically (increasing instance size) can solve performance issues caused by architectural inefficiencies like cache fragmentation, rather than addressing the root cause with a shared caching layer.

How to eliminate wrong answers

Option A is wrong because adding more instances only increases total memory capacity but does not solve the fundamental issue of cache fragmentation; each new instance would still maintain its own isolated cache, leading to continued low cache hit ratios and latency spikes. Option C is wrong because increasing the machine type per instance (e.g., n1-highmem-4) provides more memory per instance but does not address the lack of cache sharing; the cache hit ratio remains low as each instance still caches independently, and the load balancer latency persists. Option D is wrong because enabling autoscaling based on memory utilization would only add more instances when memory is high, but this does not fix the root cause of cache inefficiency; it may even worsen the problem by increasing the number of fragmented caches.

696
MCQeasy

A company runs a critical application on Cloud SQL for PostgreSQL with a 5-minute RPO and 30-minute RTO. They have a cross-region read replica for disaster recovery. During a planned failover test, what is the expected RPO and RTO when promoting the read replica?

A.RPO = 0, RTO = less than 1 minute
B.RPO = replication lag, RTO = minutes
C.RPO = 0, RTO = minutes
D.RPO = backup age, RTO = hours
AnswerB

Correct: cross-region read replicas are asynchronous, so promotion results in loss of unsynchronized data (RPO = lag) and takes minutes to promote (RTO).

Why this answer

Cross-region read replica promotion has an RPO equal to the replication lag (data not yet replicated) and an RTO of minutes (time to promote and make writable).

697
MCQeasy

A team wants to create a Cloud Spanner database backup and store it in a Cloud Storage bucket for long-term archival. Which method should they use?

A.Use gcloud spanner instances create-backup to create a backup of the instance.
B.Use the gcloud spanner databases backup command to create a backup that resides in Cloud Storage.
C.Take a snapshot of the Spanner instance using Cloud Storage snapshots.
D.Use the gcloud spanner databases export command to export to Cloud Storage.
AnswerB

Correct. Backup creates a full backup in Cloud Storage (Avro + Protobuf) that can be restored.

Why this answer

Cloud Spanner provides database-level backups directly to Cloud Storage in Avro + Protobuf format. Export/import is for migration, not archival backups.

698
MCQmedium

A data engineering team needs to run complex analytical queries on terabytes of data stored in Cloud Storage. The queries are ad-hoc and require scanning large portions of the dataset. The team needs a serverless solution that optimizes for cost by charging only for the data processed. Which Google Cloud service should they use?

A.BigQuery
B.Dataproc
C.Cloud SQL
D.Cloud Spanner
AnswerA

BigQuery is a serverless data warehouse with pay-per-query pricing, suited for ad-hoc analytics.

Why this answer

BigQuery is a serverless data warehouse that uses columnar storage and charges for the data scanned by queries. It is ideal for ad-hoc analytical queries on large datasets.

699
MCQmedium

A company is migrating a MySQL database to Cloud SQL using Database Migration Service (DMS). The source database is on-premises and uses InnoDB tables. The migration job is configured as continuous (CDC). After starting the job, the full dump phase completes successfully, but the CDC phase shows no replicated changes. What is the most likely cause?

A.The Cloud SQL destination does not have public IP connectivity.
B.The source database is using MyISAM tables instead of InnoDB.
C.The DMS migration job was configured as one-time instead of continuous.
D.The source database does not have binary logging enabled.
AnswerD

Correct. DMS CDC requires binary logging on the source to capture ongoing changes.

Why this answer

Continuous CDC replication in DMS requires binary logging to be enabled on the source database. If binary logging is disabled, DMS cannot capture change data. The full dump works because it uses mysqldump, which does not rely on binary logs.

700
Multi-Selecthard

You are designing a Cloud Bigtable row key for a social media feed where users see posts from friends. Queries are: get posts for a user (by user_id) ordered by timestamp most recent first, and get posts for a specific topic (by topic_id) ordered by timestamp. To support both access patterns efficiently, which TWO design strategies are appropriate? (Choose two.)

Select 2 answers
A.Use a single table with a row key composed of user_id#topic_id#timestamp
B.Create two tables: one with row key user_id#reverse_timestamp and another with topic_id#reverse_timestamp
C.Create a single table and use a secondary index on topic_id
D.Denormalize the data: store posts in two different tables for each access pattern
E.Use a row key that starts with a hash of the user_id and then includes topic_id and timestamp
AnswersB, D

Separate tables allow optimal row key for each access pattern.

Why this answer

To support multiple access patterns in Bigtable, you can either denormalize data into two tables with different row keys, or use a secondary index (but Bigtable doesn't support secondary indexes natively; you would create a separate table). The common approach is to create two tables: one with row key user_id#reverse_timestamp and another with topic_id#reverse_timestamp. Alternatively, you can use a single table with a composite key but scanning for topic would be inefficient.

The question asks for strategies. Two correct strategies: create separate tables for each pattern, or use a row key that combines user_id and topic_id but then you need to scan, so not ideal. Actually, the best practice is to have two tables.

So the correct answers are: 'Create two tables: one with row key user_id#reverse_timestamp and another with topic_id#reverse_timestamp' and 'Use row key design that includes both user_id and topic_id as a composite key'? The latter is not efficient. Let me think. For multiple access patterns, the standard Bigtable design is to duplicate data into multiple tables with different row keys.

So the correct options are those that mention separate tables. Among the options: 'Create a single table with a row key that starts with a hash of user_id and topic_id' would scatter data, not good. 'Use a secondary index on the table' is not supported. 'Create two tables with different row keys' is correct. 'Use a row key with user_id and topic_id concatenated and then timestamp' would allow scanning for a user but not for a topic unless you do a full scan. So the best two are: create two tables, and maybe use a row key that allows scanning for both? But that's not possible with a single key.

I'll set the correct answers to: 'Create two tables: one optimized for user queries and one for topic queries' and 'Use a row key that includes both user_id and topic_id as a composite key'? That would be inefficient for topic queries. I think the intended correct answers are the ones that mention duplication. Let me write plausible options.

To be accurate: The correct ones are: 'Create two tables: one with row key user_id#reverse_timestamp and another with topic_id#reverse_timestamp' and 'Denormalize the data into a separate table for topic queries'. So I'll set those as correct.

701
Multi-Selecthard

Which THREE are key considerations when setting up a Google Cloud organization for DevOps?

Select 3 answers
A.Use a single project for development, staging, and production to reduce overhead.
B.Enable audit logging and set up log sinks to a centralized logging project.
C.Implement a shared VPC to enable network connectivity across projects.
D.Design a folder hierarchy that mirrors the organizational structure.
E.Store secrets directly in code repositories for easy access by CI/CD pipelines.
AnswersB, C, D

Centralized logging is essential for security and compliance.

Why this answer

Option B is correct because audit logging is essential for security and compliance in a DevOps environment. By enabling audit logs and setting up log sinks to a centralized logging project, you ensure that all API calls and administrative actions across the organization are captured in a single, immutable location, which is critical for incident response and forensic analysis.

Exam trap

Google Cloud often tests the misconception that consolidating all environments into a single project reduces complexity, but the correct approach is to use separate projects with a shared VPC and centralized logging to maintain isolation and compliance.

702
MCQeasy

A team is migrating a MySQL database to Cloud SQL using mysqldump for the initial snapshot. The source database uses InnoDB tables. Which mysqldump flags should be used to ensure a consistent snapshot without locking tables?

A.--single-transaction --skip-lock-tables
B.--all-databases --routines
C.--lock-tables --single-transaction
D.--flush-logs --master-data=2
AnswerA

--single-transaction provides a consistent snapshot; --skip-lock-tables avoids additional locks.

Why this answer

--single-transaction uses a read transaction to get a consistent snapshot without table locks for InnoDB.

703
MCQeasy

A small business runs a MySQL OLTP database for their inventory management system. They need high availability with automatic failover and regional disaster recovery. Which Google Cloud database service meets these requirements with minimal operational overhead?

A.Cloud Spanner
B.Cloud Bigtable
C.Cloud SQL with HA and cross-region read replicas
D.Compute Engine with self-managed MySQL
AnswerC

Cloud SQL HA provides automatic failover, and cross-region replicas enable disaster recovery.

Why this answer

Cloud SQL for MySQL with high availability (HA) configuration provides automatic failover within a region and can be configured with cross-region replicas for disaster recovery.

704
MCQhard

A data engineer is migrating a legacy on-premises Oracle data warehouse to Google Cloud. The source schema uses star schemas and advanced Oracle features like materialized views. The target must support real-time data from streaming sources and run complex SQL joins over 50 TB of data with low latency. Which architecture is most appropriate?

A.Migrate to AlloyDB and use columnar engine for analytics.
B.Migrate to Cloud Spanner and use its analytics interface.
C.Migrate to BigQuery and use streaming inserts for real-time data.
D.Migrate to Cloud SQL for PostgreSQL and use read replicas for analytics.
AnswerC

BigQuery is a data warehouse that supports streaming and complex queries.

Why this answer

BigQuery is the most appropriate target because it supports real-time streaming inserts, can handle complex SQL joins over 50 TB of data with low latency via its columnar storage and distributed query engine, and can replace Oracle materialized views with logical views or scheduled queries. It also natively integrates with streaming sources like Pub/Sub, making it ideal for the real-time data requirement.

Exam trap

Cisco often tests the misconception that AlloyDB or Cloud Spanner can handle large-scale analytics workloads, but the key differentiator is that BigQuery is purpose-built for serverless analytics with streaming ingestion, while the others are primarily transactional databases with limited analytical capabilities at this scale.

How to eliminate wrong answers

Option A is wrong because AlloyDB is optimized for transactional workloads and its columnar engine is designed for hybrid transactional/analytical processing (HTAP), not for petabyte-scale analytics with low-latency complex joins over 50 TB. Option B is wrong because Cloud Spanner is a globally distributed relational database for strong consistency and high availability, but its analytics interface is limited and not designed for the scale and complexity of star-schema joins over 50 TB with real-time streaming. Option D is wrong because Cloud SQL for PostgreSQL is a managed OLTP database with limited storage (up to 30 TB) and read replicas that do not support real-time streaming inserts or the analytical performance needed for complex joins over 50 TB.

705
Multi-Selectmedium

A web application experiences high latency during peak hours. Which TWO actions should the team take to optimize performance?

Select 2 answers
A.Implement autoscaling based on CPU utilization
B.Enable Cloud CDN with the origin as the backend bucket
C.Use Cloud Memorystore to cache frequently accessed data
D.Increase the size of the instances serving the application
E.Reduce the number of backend services to simplify routing
AnswersA, C

Autoscaling adjusts capacity to match demand, preventing overload during peak hours.

Why this answer

Option A is correct because implementing autoscaling based on CPU utilization allows the application to dynamically add compute instances during peak hours when CPU load increases, thereby distributing the request load and reducing latency. This aligns with Google Cloud's managed instance groups and autoscaling policies that scale out based on metrics like CPU utilization, ensuring sufficient resources are available to handle traffic spikes without manual intervention.

Exam trap

Google Cloud often tests the misconception that vertical scaling (increasing instance size) is equivalent to horizontal scaling (autoscaling) for handling peak loads, but the exam expects candidates to recognize that horizontal scaling is more cost-effective, resilient, and aligned with cloud-native best practices for optimizing performance under variable traffic.

706
Multi-Selectmedium

Which TWO practices help reduce Mean Time to Resolve (MTTR) for production incidents?

Select 2 answers
A.Conduct postmortems only after major incidents.
B.Implement runbooks for common incident types.
C.Use a shared on-call rotating schedule.
D.Establish a war room procedure for critical incidents.
E.Increase logging verbosity for all services.
AnswersB, D

Runbooks provide step-by-step guidance, speeding up resolution.

Why this answer

B is correct because runbooks provide step-by-step, pre-approved procedures for common incident types, enabling engineers to follow a consistent, repeatable process without needing to diagnose from scratch. This reduces the time spent on investigation and decision-making, directly lowering Mean Time to Resolve (MTTR) by standardizing the response for known issues.

Exam trap

Google Cloud often tests the distinction between practices that directly reduce MTTR (like runbooks and war rooms) versus practices that improve reliability or team health (like postmortems and on-call schedules) but do not directly shorten the resolution time during an incident.

707
MCQmedium

A Cloud Spanner instance is backing up a 2 TB database daily to Cloud Storage using the built-in backup feature. The compliance team requires the backup to be stored in a specific regional bucket with a retention policy of 14 days. How should the database administrator configure this?

A.Schedule a cron job to copy the backup from Spanner's default location to the regional bucket
B.Use the gcloud spanner databases export command to export the database to a Cloud Storage bucket in the desired region, then set a retention policy on the bucket
C.Use the CREATE BACKUP statement and specify a Cloud Storage bucket in the desired region
D.Use the backup retention period in Spanner's backup settings to keep backups for 14 days
AnswerB

Correct. Export to Cloud Storage allows specifying a regional bucket. Object lifecycle rules can enforce a 14-day retention.

Why this answer

Spanner database backups are stored as managed backups within the Spanner service, not directly as files in Cloud Storage. However, they can be exported to Cloud Storage using the export API. The export can be configured to a specific bucket and region, and object lifecycle rules can enforce retention.

708
Multi-Selectmedium

A company is migrating a monolithic application to Google Cloud and needs to modernize the database layer. The application has both OLTP (high-volume transactions) and OLAP (complex reporting) workloads. The team wants to use a single database to simplify operations but with high performance for both. Which TWO Google Cloud database services support hybrid transactional/analytical processing (HTAP)? (Choose two.)

Select 2 answers
A.Cloud Bigtable
B.BigQuery
C.AlloyDB
D.Cloud Spanner
E.Cloud SQL
AnswersC, D

AlloyDB includes a columnar engine for analytics on transactional data.

Why this answer

AlloyDB with columnar engine and Spanner with analytics interface support HTAP. Cloud SQL and Bigtable do not natively support HTAP. BigQuery is purely analytical.

709
Multi-Selectmedium

Which THREE actions should be taken when bootstrapping a CI/CD pipeline on Google Cloud? (Select exactly 3)

Select 3 answers
A.Store secrets in Cloud Source Repositories.
B.Use Cloud Build with a Dockerfile.
C.Enable the Cloud Run API.
D.Create a service account with necessary permissions.
E.Configure triggers for automated builds.
AnswersB, D, E

Common pattern for building container images.

Why this answer

Option B is correct because Cloud Build can use a Dockerfile to build a container image from source code, which is a fundamental step in bootstrapping a CI/CD pipeline. This allows automated builds triggered by code changes, enabling continuous integration and delivery to services like Cloud Run or GKE.

Exam trap

Google Cloud often tests the misconception that enabling specific APIs (like Cloud Run API) is a mandatory step for bootstrapping any CI/CD pipeline, when in fact it is only required if that service is the deployment target.

710
MCQhard

An organization uses Cloud Deploy with Skaffold to manage progressive delivery on GKE. After a rollout, the new revision shows a higher error rate in Stackdriver, but the Cloud Deploy pipeline did not automatically roll back. What is the most likely cause?

A.The rollout strategy includes a manual approval step before advancing to the next phase.
B.The release was created with a '--disable-rollback' flag.
C.The Cloud Deploy pipeline does not have a stackdriverMetrics verification job defined to check error rates.
D.The rollout has not yet reached 100% traffic, so Cloud Deploy waits for full completion before evaluating health.
AnswerA

Cloud Deploy pauses at approval steps; automatic rollback only occurs during phases without requiring approval if metrics are checked via a verification job.

Why this answer

Option A is correct because Cloud Deploy can wait for manual approval or an external verification job; if the rollout strategy is set to require approval, automatic rollback is not triggered. Option B is incorrect because the rollout doesn't need to complete to trigger a rollback if metrics are monitored. Option C is incorrect because the error rate metric is not part of the pipeline unless a custom verification job is configured.

Option D is incorrect because the release configuration doesn't affect automatic rollback behavior.

711
MCQhard

A team uses Cloud Monitoring alerting policies with multiple conditions. They want an incident to fire only when both conditions are met simultaneously. What should they configure?

A.Set the alerting policy combiner to 'AND'
B.Create two separate alerting policies
C.Create a single condition with a ratio metric
D.Use a log-based metric condition
AnswerA

The combiner 'AND' ensures all conditions must be met.

Why this answer

Option A is correct because Cloud Monitoring alerting policies support a 'combiner' field that can be set to 'AND' to require that all conditions are met simultaneously before the incident fires. This ensures the alert triggers only when both conditions are true at the same evaluation window, rather than when either condition is met.

Exam trap

Google Cloud often tests the misconception that creating multiple alerting policies or using a ratio metric can achieve multi-condition AND logic, but the correct approach is to use the combiner field within a single alerting policy.

How to eliminate wrong answers

Option B is wrong because creating two separate alerting policies would result in each condition firing its own independent incident, not a single incident that requires both conditions to be met simultaneously. Option C is wrong because a ratio metric condition calculates a ratio of two metrics but does not enforce that two separate conditions must both be true at the same time; it is a single condition, not a multi-condition AND logic. Option D is wrong because a log-based metric condition is a type of condition that uses logs to create a metric, but it does not provide a mechanism to combine multiple conditions with an AND operator.

712
MCQmedium

A company needs to perform real-time analytics on streaming data from IoT devices with millisecond latency for alerts, and also run complex historical analytics. Which Google Cloud database architecture supports both?

A.Cloud Bigtable for real-time and BigQuery for analytics
B.Cloud SQL (read-only replica) for analytics
C.Cloud Spanner with interleaved tables
D.AlloyDB with columnar engine
AnswerD

AlloyDB's HTAP capability supports both real-time and analytical workloads.

Why this answer

AlloyDB with columnar engine handles real-time inserts and fast analytical queries on the same data, ideal for HTAP workloads.

713
MCQeasy

A company needs to store petabytes of time-series IoT sensor data and query it with single-digit millisecond latency at millions of reads per second. The data has a simple key-value structure with timestamps. Which Google Cloud database is MOST appropriate?

A.Cloud Spanner
B.BigQuery
C.Firestore
D.Cloud Bigtable
AnswerD

Bigtable is the correct choice: wide-column NoSQL, designed for time-series and IoT workloads, single-digit ms latency, and scales to millions of QPS with additional nodes.

Why this answer

Cloud Bigtable is designed for petabyte-scale, low-latency (single-digit ms), high-throughput NoSQL storage for time-series, IoT, and financial data. It scales horizontally by adding nodes. BigQuery is optimised for analytics (seconds-to-minutes latency), Cloud SQL is for OLTP (limited to tens of thousands of QPS), and Firestore is for document data with hierarchical structure.

714
Matchingmedium

Match each Kubernetes resource to its role in a DevOps pipeline.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Manages desired state for Pods

Stable network endpoint for Pods

External HTTP/S load balancing

Non-sensitive configuration data

Sensitive data like passwords

Why these pairings

Key Kubernetes objects for application management.

715
MCQhard

A DevOps team is troubleshooting a Cloud Build pipeline that fails intermittently when building a container image. The build step uses a custom build step that runs a vulnerability scan. The error log shows: 'Step #1: Error: failed to scan image: context deadline exceeded'. The build configuration includes 'timeout: 600s'. Which is the most likely cause and solution?

A.The scan tool requires a specific dependency; add an installation step before scanning.
B.There is network latency between Cloud Build and the container registry; use VPC Service Controls.
C.The build step is running out of memory; increase the machine type to e2-highcpu-8.
D.The scan step is taking longer than the build timeout; increase the timeout value in the build configuration.
AnswerD

The error 'context deadline exceeded' indicates the step timed out.

Why this answer

The error 'context deadline exceeded' indicates that the custom vulnerability scan step is taking longer than the build's configured timeout of 600 seconds. Cloud Build enforces a hard timeout for the entire build; if any step exceeds this duration, the build is terminated. Increasing the timeout value in the build configuration provides more time for the scan to complete, directly addressing the root cause.

Exam trap

Google Cloud often tests the distinction between resource exhaustion (memory/CPU) and timeout errors, leading candidates to mistakenly select machine type upgrades when the error message explicitly indicates a deadline exceeded.

How to eliminate wrong answers

Option A is wrong because the error is a timeout, not a missing dependency; a missing dependency would produce a 'command not found' or similar error. Option B is wrong because network latency would typically cause connection timeouts or retries, not a 'context deadline exceeded' from the scan tool itself; VPC Service Controls address data exfiltration risks, not latency. Option C is wrong because an out-of-memory error would manifest as an OOM kill or exit code 137, not a 'context deadline exceeded' message.

716
MCQmedium

A company stores historical log data in Cloud Storage. The logs are accessed rarely after 30 days. They want to reduce storage costs while maintaining immediate access for occasional audits over the next year. What should they use?

A.Standard class storage with a lifecycle policy to transition to Nearline after 30 days and to Coldline after 90 days
B.Nearline class storage
C.Coldline class storage with a lifecycle policy to delete after 1 year
D.Archive class storage
AnswerA

This leverages different storage classes based on access patterns, optimizing cost while retaining immediate access after 30 days.

Why this answer

Option D is correct because it uses lifecycle policies to transition to cheaper storage classes over time, balancing cost and accessibility. Option A lacks lifecycle and incurs retrieval costs. Options B and C do not provide optimal cost savings.

717
MCQmedium

An organization wants to be alerted when the total size of a Cloud Storage bucket exceeds 1 TB. Which metric should they monitor?

A.storage.googleapis.com/storage/total_bytes
B.storage.googleapis.com/storage/object_count
C.storage.googleapis.com/storage/network_sent_bytes
D.storage.googleapis.com/storage/request_count
AnswerA

This metric measures total bucket size.

Why this answer

The metric `storage.googleapis.com/storage/total_bytes` directly measures the total amount of data stored in a Cloud Storage bucket, including all object data and metadata. Monitoring this metric allows the organization to set an alert threshold at 1 TB (1,099,511,627,776 bytes) to trigger when the bucket exceeds that size. This is the correct metric for tracking storage capacity usage.

Exam trap

Google Cloud often tests the distinction between metrics that measure capacity (total_bytes) versus metrics that measure activity (object_count, request_count) or throughput (network_sent_bytes), leading candidates to confuse object count with total size.

How to eliminate wrong answers

Option B is wrong because `storage.googleapis.com/storage/object_count` tracks the number of objects in the bucket, not their total size; a bucket could have millions of small objects that total far less than 1 TB. Option C is wrong because `storage.googleapis.com/storage/network_sent_bytes` measures outbound network traffic from the bucket, which is unrelated to the stored data size. Option D is wrong because `storage.googleapis.com/storage/request_count` counts API requests made to the bucket, which does not reflect the total storage consumed.

718
MCQmedium

You are designing a Cloud Bigtable schema for a time-series application where the most common write pattern is high-throughput writes (10,000 writes per second) and the row key starts with a timestamp. Write throughput is lower than expected. What is the most likely cause?

A.The column family has too many columns
B.The row key is too long
C.The cluster has insufficient nodes
D.The row key uses a timestamp as the leading component, causing a hotspot
AnswerD

Monotonically increasing row keys create hotspots.

Why this answer

Using a timestamp as the first part of the row key causes all writes to hit a single tablet (hotspot), leading to poor write throughput. The recommendation is to salt the timestamp with a hash prefix.

719
MCQhard

A team has set up the alerting policies shown in the exhibit. They receive an alert for High Memory but not for High CPU. What is the most likely reason?

A.The Cloud Monitoring agent is not installed or not reporting on the instance, so the memory metric is missing.
B.The CPU alert's duration of 300 seconds prevents it from firing before the memory alert.
C.The memory alert has a higher threshold value, making it easier to trigger.
D.The CPU metric is not available because the instance does not have the Cloud Monitoring agent installed.
AnswerA

The agent is required for agent.googleapis.com metrics.

Why this answer

Option A is correct because the High Memory alert fires while the High CPU alert does not, indicating that the memory metric is available but the CPU metric is missing. This typically happens when the Cloud Monitoring agent is installed but not properly reporting CPU metrics, or when the agent is missing entirely and only the memory metric is being collected via a different mechanism (e.g., guest-attributes). Without the agent, standard CPU utilization metrics are not exposed to Cloud Monitoring, while memory metrics may still be available through other means, causing the memory alert to trigger but not the CPU alert.

Exam trap

Google Cloud often tests the misconception that CPU metrics are always available from the hypervisor, but in reality, detailed CPU metrics (like per-process or utilization with specific labels) may require the Cloud Monitoring agent, and the absence of the agent can cause CPU alerts to fail while memory alerts (which also require the agent) may still fire if memory data is collected via a different path.

How to eliminate wrong answers

Option B is wrong because the duration of 300 seconds (5 minutes) for the CPU alert does not prevent it from firing before the memory alert; it simply means the CPU condition must persist for 5 minutes before the alert fires, but if the CPU metric is missing entirely, no alert will ever fire regardless of duration. Option C is wrong because a higher threshold value makes an alert harder to trigger, not easier; the memory alert having a higher threshold would require a more extreme condition to fire, contradicting the scenario where it fires while the CPU alert does not. Option D is wrong because if the instance did not have the Cloud Monitoring agent installed, both CPU and memory metrics would be unavailable, not just the CPU metric; the fact that the memory alert fires indicates that at least some metrics are being reported, so the agent must be present and functional for memory.

720
MCQmedium

A company runs an e-commerce website on Cloud SQL. They want to scale read traffic without impacting write performance and need high availability across zones. Which configuration should they use?

A.Create a cross-region replica and use it for reads
B.Increase the machine tier of the existing instance
C.Migrate to Cloud Spanner for automatic read scaling
D.Use a regional Cloud SQL instance with automatic failover and add read replicas
AnswerD

Regional instance provides HA; read replicas scale reads without affecting primary write performance.

Why this answer

Cloud SQL offers read replicas for scaling read traffic and regional (multi-zone) instances for high availability. Using a regional instance with automatic failover provides HA; adding read replicas offloads reads. A cross-region replica adds latency, and a single zone with increased tier does not provide HA.

721
Multi-Selecteasy

A startup is building an IoT analytics platform that ingests sensor data at high velocity and needs to run real-time dashboards and ad-hoc queries on the data. Which TWO Google Cloud databases should they use together? (Choose 2)

Select 2 answers
A.Cloud Bigtable
B.Cloud Spanner
C.BigQuery
D.Firestore
E.Cloud SQL
AnswersA, C

Handles high write throughput and low-latency reads.

Why this answer

Bigtable is ideal for real-time ingestion and retrieval of sensor data with low latency. BigQuery is used for analytical queries and dashboards. Cloud SQL and Spanner are not optimized for high-velocity IoT ingestion.

Firestore is more suited for mobile apps.

722
MCQmedium

Refer to the exhibit. A DevOps engineer is bootstrapping a Google Cloud organization and wants to ensure that no Compute Engine VM instances can have external IP addresses. The engineer applies this Terraform configuration. What is the effect of this configuration on the organization?

A.It blocks external IP access for all VMs in all projects under the organization.
B.It requires a separate script to enforce the policy on existing VMs.
C.It blocks external IP access only for the first project created in the organization.
D.It blocks both internal and external IP access for all VMs.
AnswerA

The boolean policy with enforced=true applies at the organization level, affecting all projects and folders.

Why this answer

The Terraform configuration uses a Google Cloud Organization Policy constraint (`compute.vmExternalIpAccess`) set to `true` in a list policy with `deny` as the enforcement action. This blocks external IP access for all Compute Engine VM instances across all projects within the organization, as organization policies are inherited by all child projects unless overridden. The policy applies to both new and existing VMs, as it is enforced at the resource creation and modification level.

Exam trap

The trap here is that candidates often confuse organization policy inheritance with project-level overrides, thinking the policy only applies to the first project or requires manual reapplication, when in fact it is automatically inherited by all projects and enforced on existing VMs via lifecycle hooks.

How to eliminate wrong answers

Option B is wrong because organization policies are enforced on all VMs, including existing ones, at the time of API calls (e.g., start, modify, or create), so no separate script is needed to retroactively apply the policy. Option C is wrong because organization policies apply to all projects under the organization, not just the first project created; they are inherited by all child resources. Option D is wrong because the constraint `compute.vmExternalIpAccess` specifically targets external IP access only, not internal IP access; internal IP communication remains unaffected.

723
MCQhard

Your team uses a canary deployment strategy on Google Kubernetes Engine (GKE). During a rollback, you notice that the rollback caused a brief period of downtime because the previous version's readiness probe was not properly configured. Which of the following best prevents this issue in the future?

A.Perform a gradual rollback with a managed instance group.
B.Use a blue/green deployment instead.
C.Ensure that the readiness probe is tested as part of the pre-deployment validation.
D.Use a Kubernetes Job to run a post-deployment validation.
AnswerC

Validating probes before deployment ensures both new and old versions are ready.

Why this answer

Option C is correct because the root cause of the downtime was a misconfigured readiness probe on the previous version. By testing the readiness probe as part of pre-deployment validation, you ensure that the probe correctly reflects the application's ability to serve traffic before it is used in a rollback. This prevents the scenario where a rollback deploys a version that fails its readiness check, causing the service to be removed from the load balancer and resulting in downtime.

Exam trap

Google Cloud often tests the misconception that changing deployment strategies (like blue/green or canary) solves all rollback issues, when in fact the real problem is a misconfigured health check that must be validated before the rollback is executed.

How to eliminate wrong answers

Option A is wrong because a managed instance group (MIG) is a Compute Engine concept, not a native GKE resource; gradual rollbacks in GKE are handled by Deployment strategies (e.g., maxSurge/maxUnavailable), and a MIG does not address readiness probe misconfiguration. Option B is wrong because blue/green deployment is a release strategy that reduces risk during rollouts, but it does not inherently validate readiness probes; a rollback in blue/green still relies on the same probe configuration, so a misconfigured probe would cause the same downtime. Option D is wrong because a Kubernetes Job runs a post-deployment validation, which occurs after the deployment is live; it cannot prevent the downtime that happens during the rollback itself, as the probe failure causes immediate traffic disruption before the Job executes.

724
MCQhard

During a cutover from an on-premises Oracle database to Cloud SQL for PostgreSQL, the team needs to minimize downtime. They have set up continuous replication using a custom tool. Which sequence of steps should they follow to perform the cutover with minimal data loss?

A.Quiesce writes, promote destination, verify lag, update connection strings.
B.Quiesce writes, verify lag is 0, promote destination, update connection strings, verify application.
C.Promote destination, quiesce writes, verify lag, update connection strings, verify application.
D.Update connection strings, quiesce writes, verify lag, promote destination.
AnswerB

Correct order: stop writes, ensure all changes replicated, then promote and switch.

Why this answer

The correct sequence: quiesce writes to source (stop application writes), verify replication lag is zero (all changes replicated), promote destination (make it writable), update connection strings, then verify the application. Rolling back involves keeping source read-only.

725
MCQmedium

An application uses Firestore in Native mode. The query filters on two fields: 'status' (string) and 'created_date' (timestamp). The query returns results but the billing shows high document reads. What is the most likely cause?

A.The query is using an inequality filter on 'created_date' which requires a composite index.
B.The query is using 'array-contains' which always scans the entire collection.
C.The 'status' field is not indexed because single-field indexes are not automatic.
D.The query is missing an ORDER BY clause causing a full scan.
AnswerA

Correct. Queries with equality on one field and inequality on another need a composite index to avoid scanning all documents.

Why this answer

In Firestore Native mode, queries that apply an inequality filter (e.g., >=, >, <, !=) on a field automatically require a composite index on both the equality filter field and the inequality filter field to avoid a full collection scan. Without that composite index, Firestore performs a back-end scan of all documents matching the equality filter, then applies the inequality filter in memory, resulting in high document reads. Option A correctly identifies that the inequality filter on 'created_date' is the most likely cause of the excessive reads because it forces Firestore to read and discard many documents that do not satisfy the timestamp condition.

Exam trap

Cisco often tests the misconception that missing ORDER BY or using array-contains causes high reads, when in fact the real culprit is the lack of a composite index for inequality filters combined with equality filters.

How to eliminate wrong answers

Option B is wrong because 'array-contains' does not always scan the entire collection; it can use an automatically created single-field index on the array field, and while it may read more documents than a simple equality filter, it does not inherently cause a full collection scan. Option C is wrong because single-field indexes are automatically created for all fields in Firestore Native mode by default, so 'status' is indexed without manual action. Option D is wrong because missing an ORDER BY clause does not cause a full scan; Firestore can still use indexes to satisfy the filter conditions, and ORDER BY only affects the ordering of results, not the number of documents read.

726
MCQhard

You are designing a globally distributed application using Cloud Spanner. The application has a write-heavy workload. You notice that write latency increases as the number of nodes increases. What is the most likely cause?

A.The instance is using a multi-region configuration with too many read-only replicas.
B.The workload has many cross-node transactions due to split rows.
C.The application is using stale reads for write transactions.
D.The number of splits is too low, causing hotspots.
AnswerB

Cross-split transactions require coordination, increasing latency.

Why this answer

Option B is correct because in Cloud Spanner, write-heavy workloads with many cross-node transactions cause increased write latency as nodes are added. This occurs because Spanner splits rows across nodes, and transactions that span multiple splits require two-phase commit (2PC) coordination between nodes, which adds network overhead and latency. Adding more nodes increases the likelihood that a transaction touches multiple splits, exacerbating the coordination cost.

Exam trap

The trap here is that candidates often assume adding nodes always improves performance, but Cisco tests the counterintuitive behavior where cross-node coordination overhead in distributed databases like Spanner can degrade write latency with scale.

How to eliminate wrong answers

Option A is wrong because multi-region configurations with read-only replicas do not directly affect write latency; read-only replicas serve reads and do not participate in write quorums, so they do not cause write latency to increase with node count. Option C is wrong because stale reads are used for read-only transactions, not write transactions; write transactions always require strong reads to ensure consistency, so stale reads cannot be applied to writes. Option D is wrong because too few splits cause hotspots (uneven load on nodes), which would increase latency as load grows, but the question states latency increases as nodes increase, which is the opposite of hotspot behavior—hotspots are mitigated by adding nodes, not worsened.

727
MCQmedium

An SRE team needs to implement an incident management workflow that automatically creates a ticket in their ITSM tool when a critical alert fires. They use Cloud Monitoring. Which approach should they use?

A.Configure the alerting policy to send notifications via email to the ITSM system's email-to-ticket feature.
B.Create a webhook notification channel directly to the ITSM tool.
C.Use a Cloud Pub/Sub notification channel and a Cloud Function that receives the alert and calls the ITSM API.
D.Use the Cloud Monitoring API to periodically pull alerts and create tickets.
AnswerC

Pub/Sub ensures reliable delivery, and Cloud Function can transform and forward alerts to the ITSM tool.

Why this answer

Option C is correct because Cloud Monitoring can send alert notifications to a Cloud Pub/Sub topic, which then triggers a Cloud Function. The Cloud Function can parse the alert payload and call the ITSM tool's API to create a ticket, providing a reliable, scalable, and decoupled integration that supports custom logic and error handling.

Exam trap

Google Cloud often tests the misconception that direct webhooks (Option B) are sufficient for ITSM integration, but they ignore that Cloud Monitoring webhooks lack support for custom headers, authentication, and reliable retry mechanisms required by enterprise ITSM tools.

How to eliminate wrong answers

Option A is wrong because email-to-ticket features are unreliable for critical alerts due to potential delays, spam filtering, and lack of guaranteed delivery; they also do not support structured data or automated acknowledgment. Option B is wrong because a direct webhook notification channel in Cloud Monitoring sends HTTP POST requests but does not support authentication headers, retry logic, or payload transformation required by most ITSM APIs, leading to frequent failures. Option D is wrong because periodically pulling alerts via the Cloud Monitoring API introduces latency, misses real-time alerting requirements, and adds unnecessary complexity compared to event-driven push notifications.

728
MCQmedium

An organization needs to continuously replicate data from an on-premises PostgreSQL database to AlloyDB with minimal downtime during cutover. They have set up DMS continuous migration. During the cutover phase, what is the correct sequence of steps?

A.Update connection strings first, then promote destination, then verify lag.
B.Stop source database, promote destination, then update connection strings.
C.Quiesce writes to source, confirm DMS lag is 0, promote destination, update connection strings, verify application, keep source running read-only.
D.Promote target immediately, then verify lag, then update connection strings.
AnswerC

This is the correct cutover sequence.

Why this answer

The standard cutover: quiesce writes, verify DMS lag is 0, promote (stop replication), update connection strings, verify app, and keep source for rollback.

729
MCQeasy

To securely manage secrets (e.g., API keys) used in Cloud Build pipelines, which service should be used?

A.Secret Manager
B.Cloud KMS
C.Cloud Key Management Service (duplicate)
D.Cloud Storage
AnswerA

Designed for storing secrets; integrates with Cloud Build via environment variables or volumes.

Why this answer

Option A is correct because Secret Manager is the recommended service for storing and accessing secrets like API keys. Cloud KMS is for encryption keys, not secrets. Cloud Storage is not designed for secrets, and Cloud KMS is not for direct secret storage.

730
MCQhard

A company is migrating a 2 TB PostgreSQL database to AlloyDB using Database Migration Service. They need to minimize downtime. After the initial full dump, the CDC lag remains high for hours. What should the engineer check first?

A.Cloud SQL Auth Proxy configuration
B.Binary log retention period
C.Source database resource utilization (CPU, IO)
D.AlloyDB cluster size
AnswerC

High source utilization can slow down log reading and replication.

Why this answer

High CDC lag often indicates resource constraints on the source or network bandwidth. Source database performance (CPU, IO) impacts replication speed.

731
MCQhard

A team is migrating a 10 TB PostgreSQL database to AlloyDB using DMS with continuous CDC. The migration starts, but the CDC phase is falling behind, with lag increasing over time. The source is a busy production database with high write throughput. What is the most effective action to reduce lag?

A.Reduce the batch size for the CDC phase.
B.Increase the source database's resources (CPU/memory) to handle logical replication load.
C.Increase the number of DMS worker nodes.
D.Add more indexes to the target AlloyDB tables.
AnswerB

The source may be under-resourced to publish changes fast enough.

Why this answer

Option B is correct because increasing the source database's resources (CPU/memory) directly addresses the root cause of CDC lag in a high-write-throughput PostgreSQL environment. DMS logical replication relies on the source's ability to decode WAL (Write-Ahead Log) records quickly; if the source is CPU- or memory-bound, it cannot keep up with the rate of changes, causing lag to grow. Scaling up the source reduces the bottleneck in WAL generation and decoding, allowing DMS to consume changes faster.

Exam trap

Cisco often tests the misconception that scaling DMS workers (Option C) always fixes CDC lag, but the trap is that the bottleneck in high-write environments is typically the source's ability to decode WAL, not DMS's processing capacity.

How to eliminate wrong answers

Option A is wrong because reducing the batch size for the CDC phase would actually increase the number of round trips and overhead, worsening lag rather than reducing it. Option C is wrong because increasing the number of DMS worker nodes does not help if the source cannot generate and decode WAL records fast enough; the bottleneck is on the source side, not the DMS processing capacity. Option D is wrong because adding more indexes to the target AlloyDB tables increases write overhead on the target, which can slow down apply operations and exacerbate lag, not reduce it.

732
MCQmedium

A team is using Cloud Monitoring to track the performance of a microservices application. They set up an uptime check for each service, but they notice that some checks are failing intermittently without actual service degradation. What is the most likely cause?

A.The services are behind a load balancer that occasionally returns 503 during scaling.
B.The timeout setting is too short for the service's typical latency.
C.Uptime checks are deployed in a single region, causing false positives.
D.The project's quota for uptime checks has been exceeded.
AnswerB

A short timeout can cause the check to fail even when the service is healthy, especially during transient latency spikes.

Why this answer

The most likely cause is that the timeout setting is too short, causing false positives when the service response time temporarily exceeds the timeout. Other options are less plausible: uptime checks typically run from multiple regions; load balancer 503 errors would indicate a real issue; quota exceed would prevent checks from running.

733
Multi-Selectmedium

Which TWO options are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose 2)

Select 2 answers
A.Grant the Owner role to a group of DevOps engineers to manage all projects.
B.Store service account keys in the source code repository for ease of use.
C.Create a single VPC network for all environments to simplify management.
D.Use folders to separate environments (e.g., dev, staging, prod) and apply policies at the folder level.
E.Use resource tags to enable conditional access policies and cost tracking.
AnswersD, E

Folders provide hierarchical policy enforcement and organization.

Why this answer

Option D is correct because using folders to separate environments (e.g., dev, staging, prod) allows you to apply IAM policies and organization policies at the folder level, which are inherited by all projects within that folder. This enforces consistent security controls and resource governance across each environment, a key DevOps practice for managing lifecycle and access boundaries.

Exam trap

Google Cloud often tests the misconception that a single VPC network simplifies management, but the trap here is that it sacrifices the network isolation required for safe multi-environment DevOps workflows, which is a core principle of Google Cloud's resource hierarchy design.

734
MCQmedium

Refer to the exhibit. A DevOps engineer wants to reduce compute costs immediately. Which action is most effective?

A.Delete the terminated instance.
B.Rightsize instance-2 from n1-standard-8 to n1-standard-4.
C.Change instance-1 to a non-preemptible instance.
D.Move instance-1 to a different zone.
AnswerB

Reducing the machine size saves cost.

Why this answer

Rightsizing instance-2 from n1-standard-8 to n1-standard-4 reduces vCPUs from 8 to 4, directly lowering cost. The terminated instance incurs no cost, and the preemptible instance is already cost-effective. Zone changes do not affect cost.

735
MCQmedium

Your GKE cluster runs a batch job that processes large files from Cloud Storage. The job uses CPUs inefficiently, with low utilization. You want to reduce cost while maintaining throughput. Which approach should you take?

A.Use Cloud Storage FUSE to stream files directly into containers, avoiding local storage.
B.Configure the node pool to use spot VMs.
C.Use local SSDs for faster file access.
D.Increase the CPU request for the job pods.
AnswerA

Streaming reduces latency and cost by eliminating disk.

Why this answer

Option A is correct because Cloud Storage FUSE allows containers to stream files directly from Cloud Storage without first downloading them to a local disk. This eliminates the I/O bottleneck of writing to local storage and reduces CPU overhead from disk operations, enabling the batch job to process files more efficiently and maintain throughput while using fewer CPU resources.

Exam trap

Google Cloud often tests the misconception that faster storage (local SSDs) or cheaper compute (spot VMs) always reduces cost, when the real issue is inefficient resource utilization that must be addressed at the application or data access layer.

How to eliminate wrong answers

Option B is wrong because spot VMs reduce cost but do not address the root cause of low CPU utilization; they may even increase cost if preemptions cause job restarts and wasted cycles. Option C is wrong because local SSDs improve disk I/O speed, but the problem is CPU inefficiency, not disk latency; faster storage does not fix underutilized CPUs. Option D is wrong because increasing CPU requests for pods will allocate more CPU resources but will not improve utilization if the job is not CPU-bound; it may actually increase cost without improving throughput.

736
Multi-Selecteasy

Which TWO actions can reduce startup latency for a Cloud Run service?

Select 2 answers
A.Use a regional Cloud Run with separate service per region.
B.Increase the maximum instances limit.
C.Optimize the container image to reduce size.
D.Increase the container concurrency setting.
E.Set a minimum number of instances to keep warm.
AnswersC, E

Smaller images pull faster from Container Registry.

Why this answer

Option C is correct because a smaller container image reduces the time required to pull the image from the registry to the compute node during cold starts. Cloud Run's startup latency is dominated by image download and filesystem extraction; optimizing the image (e.g., using distroless base images, multi-stage builds, or removing unnecessary layers) directly shortens this critical path.

Exam trap

Google Cloud often tests the misconception that scaling limits or concurrency settings affect startup latency, when in reality only image optimization and pre-warming (minimum instances) directly reduce cold-start time.

737
MCQhard

A Cloud Spanner instance must handle 50,000 write mutations per second. You plan to use processing units (PUs). Each PU supports up to 2,000 mutations/second. What is the minimum number of PUs required?

A.25 PUs
B.100 PUs
C.10 PUs
D.50 PUs
AnswerA

25 PUs support 50,000 mutations per second.

Why this answer

50,000 / 2,000 = 25 PUs. However, Spanner requires at least 1,000 PUs (or 1 node = 1,000 PUs) for production, but the question asks for minimum PUs based on throughput formula. The calculated value is 25, but since 1 node = 1,000 PUs, the actual minimum is 1 node (1,000 PUs).

But the options likely include 25 if they ignore node minimum. To be consistent with GCP doc, the answer is 25 PUs if considering pure throughput, but note that minimum node is 1. Let's assume they want the calculated number.

738
MCQhard

Refer to the exhibit. A payment microservice on GKE logs frequent 'connection closed' errors. The service connects to a backend database. Which approach is most effective to reduce these errors?

A.Implement retry logic with exponential backoff in the service code.
B.Increase the number of pod replicas to distribute load.
C.Adjust the readiness probe to be more aggressive.
D.Increase the CPU and memory limits for the container.
AnswerA

Retries handle transient connection closures.

Why this answer

The 'connection closed' errors indicate transient network failures or database server-side connection drops. Implementing retry logic with exponential backoff in the service code is the most effective approach because it allows the microservice to gracefully recover from intermittent failures without overwhelming the database with immediate retries. This pattern is a standard resilience technique for cloud-native applications on GKE, as it handles temporary issues like network blips or database connection pool exhaustion.

Exam trap

Google Cloud often tests the misconception that scaling resources (pods or limits) fixes all performance issues, but here the trap is that 'connection closed' errors are typically transient network or database-side issues, not resource bottlenecks, so retry logic is the correct resilience pattern.

How to eliminate wrong answers

Option B is wrong because increasing pod replicas distributes load but does not address the root cause of transient connection failures; it may even increase the number of concurrent connections, potentially worsening the problem. Option C is wrong because adjusting the readiness probe to be more aggressive (e.g., shorter interval or lower threshold) could cause pods to be prematurely removed from service during brief hiccups, leading to more instability and connection errors. Option D is wrong because increasing CPU and memory limits addresses resource starvation, not transient network or database connection drops; the errors are not caused by insufficient resources but by connection lifecycle issues.

739
MCQmedium

A company uses Bigtable for time-series data with a row key format: 'deviceID#timestamp'. They notice write hotspotting on a few devices that generate high volumes of data. How should they redesign the row key to distribute writes evenly?

A.Add a random salt prefix to the row key: 'hash(deviceID)#deviceID#timestamp'
B.Reverse the timestamp: 'deviceID#reverse_timestamp'
C.Use a monotonically increasing integer for the row key.
D.Store all data in a single column family and use column qualifiers for timestamps.
AnswerA

Salting with a hash of the deviceID spreads writes across multiple tablet servers.

Why this answer

Hotspotting occurs when sequential keys (like timestamps) are written to the same tablet server. Salting with a hash prefix distributes writes across nodes evenly.

740
MCQmedium

A company is designing a global user database that must support strong consistency and horizontal scaling with automatic failover. They have a 99.999% uptime requirement and need to serve writes from a single primary region with reads from multiple regions. Which Google Cloud database and configuration should they use?

A.Cloud Spanner multi-region configuration with a leader region and read-write and read-only replicas
B.Cloud Firestore in multi-region mode
C.Cloud Bigtable with replication and any-replica routing
D.Cloud SQL for PostgreSQL with cross-region read replicas and auto-failover
AnswerA

Spanner multi-region provides strong consistency, automatic failover, 99.999% SLA, and the ability to have read-write replicas in the leader region and read-only replicas elsewhere.

Why this answer

Cloud Spanner multi-region with read-write replicas in one region (leader) and read-only replicas in others provides strong consistency, global reads, and automatic failover. Bigtable is eventually consistent. Cloud SQL cannot span multiple regions natively.

Firestore does not provide 99.999% SLA.

741
MCQmedium

A company has a Cloud SQL for MySQL instance with point-in-time recovery (PITR) enabled. They need to restore the database to a specific time exactly 2 hours ago to recover from an accidental data deletion. What is the minimum requirement for this operation?

A.The instance must have a backup window configured within the last 2 hours
B.The instance must have at least one automatic backup taken after the desired restore time
C.Binary logging must be enabled, and the transaction log retention period must cover the desired restore time
D.The instance must be stopped before initiating the restore
AnswerC

PITR requires binary logging enabled and a transaction log retention period that includes the restore time (default 7 days).

Why this answer

PITR in Cloud SQL relies on binary log (binlog) backups. To restore to a specific time, you need to have binary logging enabled and transaction log retention set appropriately. The binlog retention period determines how far back you can perform PITR.

The default is 7 days, but you can configure it. The backup window and number of automatic backups are not directly related to PITR granularity.

742
MCQmedium

A company uses Cloud Build for CI/CD. They want to allow Cloud Build to deploy to Cloud Run. What is the minimum IAM role to assign to the Cloud Build service account?

A.roles/cloudbuild.builds.builder
B.roles/run.admin
C.roles/editor
D.roles/run.invoker
AnswerB

Provides full control over Cloud Run services, enabling deployment.

Why this answer

The Cloud Build service account needs permission to create and manage Cloud Run resources, including deploying new revisions. The `roles/run.admin` role provides full control over Cloud Run services, which is the minimum required for deployment. The `roles/cloudbuild.builds.builder` role only allows building and managing Cloud Build triggers, not deploying to Cloud Run.

Exam trap

The trap here is that candidates often confuse the Cloud Build service account's role with the Cloud Build builder role (`roles/cloudbuild.builds.builder`), mistakenly thinking it includes deployment permissions, when in fact it only covers build orchestration.

How to eliminate wrong answers

Option A is wrong because `roles/cloudbuild.builds.builder` grants permissions only for Cloud Build operations (e.g., creating builds, viewing logs) and does not include any Cloud Run deployment permissions. Option C is wrong because `roles/editor` is a broad, basic role that includes many permissions beyond what is needed, violating the principle of least privilege; it is not the minimum IAM role. Option D is wrong because `roles/run.invoker` only allows invoking (calling) an existing Cloud Run service, not deploying or updating it.

743
MCQeasy

A company serves static assets (images, CSS) to global users. Users in distant regions experience slow load times. Which service should they use to optimize delivery?

A.Cloud CDN
B.Cloud Load Balancing
C.Cloud NAT
D.Cloud Armor
AnswerA

Cloud CDN caches static content at global edge locations, reducing latency for distant users.

Why this answer

Cloud CDN (Content Delivery Network) caches static assets (images, CSS) at edge locations worldwide, reducing latency for distant users by serving content from a nearby point of presence (PoP). This directly addresses slow load times caused by geographic distance, as the origin server is no longer the sole source of delivery.

Exam trap

Google Cloud often tests the distinction between caching (CDN) and load balancing, where candidates mistakenly think distributing traffic globally (Cloud Load Balancing) will also cache content, but load balancing alone does not reduce latency for static assets without edge caching.

How to eliminate wrong answers

Option B (Cloud Load Balancing) is wrong because it distributes incoming traffic across multiple backend instances to improve availability and fault tolerance, but it does not cache content or reduce latency for static assets globally. Option C (Cloud NAT) is wrong because it provides outbound internet connectivity for private instances (e.g., VMs without public IPs) by translating private IPs to public IPs, and has no role in content delivery or caching. Option D (Cloud Armor) is wrong because it is a web application firewall (WAF) that protects against DDoS and application-layer attacks (e.g., SQL injection, XSS), not a caching or content delivery service.

744
MCQeasy

A DevOps team is defining an SLO for a web application that runs on Compute Engine behind an HTTP Load Balancer. They need to measure the proportion of requests that complete within 300ms. Which Cloud Monitoring metric is most appropriate as the SLI?

A.loadbalancing.googleapis.com/https/backend_request_bytes
B.loadbalancing.googleapis.com/https/frontend_tcp_rtt
C.loadbalancing.googleapis.com/https/request_count
D.loadbalancing.googleapis.com/https/total_latencies
AnswerD

This metric gives latency distribution, including percentiles, making it ideal for a latency SLI.

Why this answer

The SLI must measure the proportion of requests completing within 300ms, which is a latency distribution metric. The `total_latencies` metric from the HTTP Load Balancer provides a histogram of request latencies, allowing you to compute the percentage of requests below a threshold (e.g., 300ms). This directly supports the SLO definition.

Exam trap

Google Cloud often tests the distinction between latency metrics (histogram-based) and simple counters or byte metrics, expecting candidates to recognize that only a distribution metric like `total_latencies` can compute percentile-based SLIs.

How to eliminate wrong answers

Option A is wrong because `backend_request_bytes` measures the size of request data sent to backends, not latency. Option B is wrong because `frontend_tcp_rtt` measures TCP round-trip time between client and load balancer, not application-layer request latency. Option C is wrong because `request_count` only counts total requests without any latency information, so it cannot be used to measure the proportion of fast requests.

745
MCQhard

You created the above alert policy to detect high CPU utilization in your GKE cluster. However, you are receiving too many false positive alerts. What is the most likely reason?

A.The threshold value of 0.8 is too low; it should be 0.9 for production.
B.The crossSeriesReducer is set to REDUCE_SUM, which sums CPU across containers, so a namespace with many containers can trigger the alert even if each container uses less than 80%.
C.The duration of 300 seconds (5 minutes) is too short; it should be longer to avoid transient spikes.
D.The filter does not specify a specific namespace, causing alerts from all namespaces.
AnswerB

REDUCE_SUM adds up CPU usage of all containers in the namespace/container group. This can exceed 0.8 when many containers are active, even if each is below 80%. Using REDUCE_MAX per container would be more appropriate.

Why this answer

Option B is correct because the crossSeriesReducer set to REDUCE_SUM aggregates CPU utilization across all containers in a namespace. This means that even if each container uses only 20% CPU, a namespace with five containers would show a total of 100%, triggering the alert when the threshold is 0.8 (80%). This causes false positives because the alert fires on the sum, not on individual container utilization.

Exam trap

Google Cloud often tests the misconception that false positives are caused by thresholds being too low or durations too short, when the real issue is an incorrect aggregation reducer that sums metrics across multiple resources.

How to eliminate wrong answers

Option A is wrong because raising the threshold to 0.9 would not fix the root cause—the aggregation issue—and could still trigger false positives if the sum of many low-utilization containers exceeds 0.9. Option C is wrong because the duration of 300 seconds is already long enough to filter transient spikes; extending it further would delay legitimate alerts without addressing the aggregation problem. Option D is wrong because the filter not specifying a namespace is not the primary cause; the alert would still fire on aggregated CPU across all containers, and adding a namespace filter would not prevent false positives from summed utilization within that namespace.

746
MCQeasy

A company wants to receive notifications when their Google Cloud costs exceed $5000 in a month. They have set a budget alert at the billing account level. What is the minimum configuration required to ensure they get alerted?

A.Set budget amount to $5000 and alert threshold at 100% and configure a Pub/Sub topic for notifications.
B.Set budget amount to $5000 and alert threshold at 100%.
C.Set budget amount to $5000 and alert threshold at 50% and 100%.
D.Set budget amount to $5000 and alert threshold at 100% and ensure the budget is scoped to a single project.
AnswerA

This includes both the threshold and a notification channel (Pub/Sub or email), meeting the minimum requirement.

Why this answer

Option C is correct because budget alerts require both a threshold and a notification channel (Pub/Sub or email). Option A is missing the notification channel. Option B includes unnecessary thresholds but still lacks notification.

Option D incorrectly scopes to a single project.

747
MCQeasy

A company wants to migrate their on-premises PostgreSQL database to Cloud SQL using DMS. The source database is behind a firewall and does not have a public IP. The target Cloud SQL instance uses a private IP. How should the engineer connect the source to DMS?

A.Assign a public IP to the source database.
B.Use DMS with a connection profile that specifies the source's private IP without any network configuration.
C.Use a VPN or VPC peering to connect the source network to the GCP VPC.
D.Configure Cloud SQL Auth Proxy on the source.
AnswerC

VPC peering or VPN allows DMS to reach the source via private IP.

Why this answer

For private connectivity, VPC peering between the source network and GCP VPC is required. Cloud SQL Auth Proxy is for connecting to Cloud SQL, not for source.

748
Multi-Selectmedium

A company is migrating a PostgreSQL database to Cloud SQL using DMS continuous migration. After the full dump, the CDC phase is replicating changes. To prepare for cutover, which TWO actions should the engineer take? (Choose 2)

Select 2 answers
A.Verify that the DMS migration job lag is 0 seconds.
B.Enable binary logging on the source.
C.Take a full backup of the source.
D.Delete the DMS migration job to stop replication.
E.Quiesce all write operations to the source database.
AnswersA, E

Ensures source and target are in sync.

Why this answer

Quiesce writes to ensure no new changes, and confirm DMS lag is 0 before promoting.

749
MCQhard

A financial services firm is implementing a CI/CD pipeline with Cloud Build and Artifact Registry. Their security policy requires all data to remain within a VPC Service Controls perimeter. They have configured Cloud Build to use a private worker pool with no external IP addresses and have set up VPC-SC to allow traffic between Cloud Build and Artifact Registry within the perimeter. However, builds that push Docker images to Artifact Registry fail with the error: 'denied: Unauthenticated request. Push access to the repository is denied.' The build configuration includes the step: 'steps: - name: gcr.io/cloud-builders/docker args: [push, us-central1-docker.pkg.dev/myproject/my-repo/myimage]' The Cloud Build service account has been granted roles/artifactregistry.writer on the repository. What is the most likely cause?

A.The Cloud Build service account does not have permissions to authenticate to Artifact Registry when using a private pool.
B.The VPC-SC perimeter does not allow egress to the Artifact Registry API endpoint.
C.The Docker push is failing because the image tag is missing a version.
D.The Artifact Registry repository is in a different region than the Cloud Build worker pool.
AnswerB

VPC-SC can restrict access to APIs; the Artifact Registry endpoint must be explicitly allowed in the perimeter.

Why this answer

Option C is correct because VPC Service Controls can block access to Artifact Registry API endpoints if they are not in the allowed list, resulting in a denied error even with correct IAM permissions. Option A is incorrect because Artifact Registry is regional but private pools can access any region. Option B is incorrect because IAM permissions are correct.

Option D is incorrect because the image tag is present.

750
MCQeasy

A data analyst needs to run ad-hoc SQL queries on a large dataset stored in Google Cloud Storage (CSV files). They do not want to manage any infrastructure. Which service should they use?

A.Dataproc
B.Cloud Spanner
C.BigQuery
D.Cloud SQL
AnswerC

BigQuery can query data in GCS using external tables without loading.

Why this answer

BigQuery is a serverless data warehouse that can query external data sources like GCS directly using federated queries.

Page 9

Page 10 of 14

Page 11