Google Professional Cloud DevOps Engineer (PCDOE) — Questions 901–975

987 questions total · 14 pages · All types, answers revealed

Page 13 of 14

901 · Multi-Select · hard

Which TWO are best practices for implementing CI/CD on Google Cloud?

Select 2 answers
A. Use Cloud Run for all services.
B. Use Artifact Registry for storing container images.
C. Use Cloud Build for all deployments, including infrastructure changes.
D. Use Cloud Deploy for Kubernetes deployments.
E. Use GitHub Actions instead of Cloud Build.
Answers: B, D

Artifact Registry is the recommended registry for Google Cloud.

Why this answer

Option B is correct because Artifact Registry is the recommended service for storing, managing, and securing container images and other artifacts in Google Cloud. It integrates natively with Cloud Build, Cloud Run, and Kubernetes, providing vulnerability scanning and IAM-based access control, which are essential for a secure CI/CD pipeline.

Exam trap

Google Cloud often tests the distinction between CI/CD tools and compute services: candidates mistakenly select Cloud Run as a CI/CD best practice because it is a popular Google Cloud service, but it is a runtime environment, not a pipeline component.

902 · Multi-Select · easy

What security checks can be integrated into a Cloud Build CI/CD pipeline? (Select TWO)

Select 2 answers
A. Manual code review
B. Container scanning with Artifact Analysis
C. Network penetration testing
D. Dynamic application security testing (DAST)
E. Static application security testing (SAST) with Cloud Build custom steps
Answers: B, E

Artifact Analysis can scan container images for vulnerabilities as part of the pipeline.

Why this answer

Options B and E are correct. Container scanning with Artifact Analysis (B) is native to the pipeline. SAST can be added via custom build steps (E).

Option C (network penetration testing) is performed outside the pipeline. Option A (manual code review) is a process, not a tool. Option D (DAST) targets a running application, not the build.

903 · MCQ · medium

Your company runs a multi-region application on Google Kubernetes Engine. You have implemented Cloud Monitoring dashboards to track cluster resource utilization and application SLIs. After a recent upgrade, you notice that the dashboard shows a sudden drop in CPU utilization for all nodes in one zone, but the application is still serving traffic normally. You suspect a monitoring issue. What should you investigate first?

A. Check if the nodes in that zone have been cordoned.
B. Check if the application's resource requests and limits have changed.
C. Check if the Kubernetes Metrics Server is running correctly in that zone.
D. Check if the Cloud Monitoring agent has been updated incorrectly.
Answer: C

Metrics Server is responsible for collecting resource usage; if it's down, CPU data would drop.

Why this answer

The Kubernetes Metrics Server is responsible for collecting resource metrics from Kubelets and exposing them via the Metrics API, which Cloud Monitoring uses to display CPU utilization. A sudden drop in CPU utilization across all nodes in a single zone, while the application continues to serve traffic normally, strongly indicates that the Metrics Server in that zone has failed or is not reporting metrics, rather than an actual change in workload. Investigating the Metrics Server's health and logs is the correct first step to confirm whether the monitoring pipeline is broken.

Exam trap

Google Cloud often tests the misconception that Cloud Monitoring relies on an external agent for all metrics, when in fact GKE integrates natively with the Metrics Server for node and pod resource utilization, making agent-related options a red herring.

How to eliminate wrong answers

Option A is wrong because cordoning a node prevents new pods from being scheduled but does not affect the reporting of CPU utilization for existing pods; the Metrics Server would still report metrics from running pods on cordoned nodes. Option B is wrong because changes to resource requests and limits affect pod scheduling and resource guarantees, not the actual CPU utilization reported by the Metrics Server; a sudden drop in reported utilization across all nodes in a zone is not caused by request/limit changes. Option D is wrong because Cloud Monitoring agents are not required for GKE node metrics; the Metrics Server collects and exposes node and pod metrics natively via the Kubernetes API, and Cloud Monitoring integrates directly with the Metrics API, not through a separate agent.

904 · Multi-Select · hard

A company wants to migrate a 5 TB MySQL database to Cloud Spanner with zero downtime. They need to validate schema and data consistency before switching traffic. Which THREE steps should they include in the migration plan?

Select 3 answers
A. Set up a Dataflow pipeline to replicate changes from MySQL to Spanner
B. Use pgloader to migrate the data
C. Create a Cloud SQL read replica for fallback
D. Use HarbourBridge to convert MySQL schema to Spanner DDL
E. Validate data consistency between MySQL and Spanner using checksums
Answers: A, D, E

Dataflow can stream changes for near real-time replication.

Why this answer

Zero-downtime migration to Spanner typically follows the Strangler Fig pattern: replicate writes from MySQL to Spanner, validate the data, then cut over. Key steps: 1. Export the schema and convert it to Spanner DDL (using HarbourBridge). 2. Set up live migration using Dataflow for continuous replication. 3. Validate data consistency (e.g., using checksums). Taking an export snapshot is fine but does not give zero downtime; pgloader is for PostgreSQL; creating a Cloud SQL read replica is not directly relevant.

905 · MCQ · medium

A company wants to monitor Cloud SQL database latency for read replicas and set up an alert if the replica lag exceeds 30 seconds. Which metric should be used?

A. cloudsql.googleapis.com/database/postgresql/num_backends
B. cloudsql.googleapis.com/database/replication/replication_lag
C. cloudsql.googleapis.com/database/cpu/utilization
D. cloudsql.googleapis.com/database/disk/bytes_used
Answer: B

This metric directly reports the lag in seconds.

Why this answer

The 'replication_lag' metric in Cloud SQL measures the lag between primary and read replica. It is the correct metric to set alerts for replica lag.

906 · MCQ · easy

During a Cloud Build pipeline, a build step fails because the Docker image tag already exists in Container Registry. The team wants to avoid overwriting tags. What is the best practice to resolve this?

A. Use the commit SHA as the image tag in the build step.
B. Specify the :latest tag and always push to that tag.
C. Add a step to pull the image before building to ensure it's present.
D. Configure the build to retry on failure with a backoff.
Answer: A

Commit SHA is unique per change, avoiding collisions.

Why this answer

Using the commit SHA as the image tag guarantees uniqueness because each commit produces a distinct SHA. This prevents tag collisions in Container Registry without overwriting, as the SHA is immutable for that commit. It also provides traceability back to the exact source code version that produced the image.

Exam trap

Google Cloud often tests the misconception that retries or pulling images can resolve tag conflicts, when in fact only a unique tag strategy (like commit SHA) prevents the collision at the source.

How to eliminate wrong answers

Option B is wrong because using the :latest tag encourages overwriting, which directly violates the team's requirement to avoid overwriting tags. Option C is wrong because pulling an image before building does not prevent tag conflicts; it only ensures the image is cached locally, and the build step will still fail if the tag already exists in the registry. Option D is wrong because retrying with backoff does not resolve the underlying tag collision; it will simply fail again on each retry since the tag still exists.

907 · MCQ · hard

A multinational corporation is bootstrapping a Google Cloud organization with multiple subsidiaries. Each subsidiary needs its own folder with IAM policies that are managed locally, but the parent company wants to enforce a global policy that restricts the use of certain machine types (e.g., N2D) for cost control. However, one subsidiary has a legitimate need for those machine types in a specific project. What is the best way to handle this exception while maintaining the global policy?

A. Create a custom organization policy with a condition that excludes the exception project from the restriction.
B. Set an organization policy that denies N2D machine types, then create a separate policy at the project level to allow them for the exception project.
C. Use an audit-only policy and rely on a team to review and approve machine type usage.
D. Place each subsidiary in its own folder and set the machine type restriction only on folders that require it.
Answer: A

Custom policies with conditions allow fine-grained exceptions.

Why this answer

Option A is correct because Google Cloud Organization Policies support hierarchical inheritance with conditional overrides. By creating a custom organization policy with a condition that excludes the specific project (e.g., using `resource.name` or a custom attribute), the global restriction on N2D machine types is enforced for all subsidiaries except the exempted project, maintaining centralized cost control while allowing the legitimate exception.

Exam trap

The trap here is that candidates often assume a project-level allow policy can override an organization-level deny policy (Option B), but GCP's hierarchical policy evaluation always applies the most restrictive policy, so a deny at the org level cannot be overridden by a project-level allow.

How to eliminate wrong answers

Option B is wrong because organization policies are hierarchical and cannot be overridden by a conflicting project-level policy; the deny policy at the org level would still block N2D machine types in the project, as the more restrictive policy wins. Option C is wrong because an audit-only policy does not enforce the restriction; it only logs violations, which fails the requirement to 'enforce' the global policy for cost control. Option D is wrong because placing the restriction only on certain folders does not create a global policy; the parent company wants a global policy enforced across all subsidiaries, and this approach leaves other folders (or the org root) without the restriction, violating the requirement.

908 · MCQ · medium

An engineer is migrating a workload from a relational database to Bigtable. The current schema has a Customers table (1M rows) and an Orders table (100M rows) with a foreign key. Queries often fetch all orders for a customer. What is the best row key design for the Bigtable orders table?

A. Use customer ID + order ID as the row key (e.g., cust123#ord456).
B. Use the order ID as the row key and store customer ID as a column.
C. Use a hash of the customer ID as the row key.
D. Use a random UUID as the row key.
Answer: A

This enables efficient scans by customer ID prefix.

Why this answer

Option A is correct because using customer ID + order ID as the row key ensures that all orders for a single customer are stored in contiguous rows, enabling efficient range scans. Bigtable orders rows lexicographically by row key, so a prefix scan on the customer ID retrieves all related orders in a single read operation, avoiding expensive joins or scatter-gather patterns.

Exam trap

Google Cloud often tests the misconception that a unique row key (like a UUID or hash) is always best for distribution, ignoring that Bigtable's access pattern requires locality for range queries, which is the core trade-off in NoSQL row key design.

How to eliminate wrong answers

Option B is wrong because using only the order ID as the row key scatters each customer's orders across the entire keyspace, forcing multiple point lookups or a full table scan to fetch all orders for a customer, which defeats Bigtable's strength in wide-row access patterns. Option C is wrong because hashing the customer ID destroys the natural ordering, so a prefix scan is impossible; you would need to know all possible hash values for a customer (which is one) and still cannot retrieve multiple orders in a single range request. Option D is wrong because random UUIDs distribute rows uniformly but eliminate any locality of reference, making it impossible to efficiently retrieve all orders for a customer without scanning the entire table.

909 · MCQ · hard

A company uses Cloud Run for a stateless API service with concurrency set to 80. During a traffic spike, some requests return HTTP 500 errors and latency spikes. Cloud Monitoring shows container CPU utilization at 100% and memory usage at 70%. What is the most likely cause and the best first step?

A. Concurrency per container is too high; reduce concurrency to 10
B. Maximum instances limit is too low; increase from 10 to 100
C. Min idle instances is too low; set min idle to 5 to reduce cold starts
D. Memory limit is too low; increase memory from 256 MiB to 512 MiB
Answer: A

Lowering concurrency reduces CPU contention, preventing timeouts and 500s.

Why this answer

The correct answer is A because with CPU at 100% and memory at only 70%, the bottleneck is CPU, not memory. Cloud Run containers handle requests concurrently; setting concurrency to 80 means each container processes up to 80 requests simultaneously. When CPU is saturated, requests queue up, causing latency spikes and eventual HTTP 500 errors as the container becomes unresponsive.

Reducing concurrency to 10 lowers the per-container request load, allowing each request to complete before CPU saturation occurs.

Exam trap

Google Cloud often tests the misconception that HTTP 500 errors during spikes are always due to insufficient instances or memory, but the key diagnostic clue here is CPU at 100% with memory well below limit, pointing to concurrency overload as the root cause.

How to eliminate wrong answers

Option B is wrong because increasing the maximum instances limit would add more containers, but each new container would also be configured with concurrency 80 and would immediately hit the same CPU bottleneck, spreading the problem without solving it. Option C is wrong because min idle instances addresses cold start latency for new containers, but the issue here is CPU saturation during a traffic spike, not cold starts; idle instances would still be overwhelmed by the high concurrency setting. Option D is wrong because memory usage is at 70%, not 100%, so memory is not the bottleneck; increasing memory would not resolve CPU saturation and could even increase per-container cost without benefit.

910 · MCQ · hard

You are building a global application that requires strong consistency across regions. The application needs to support SQL queries and horizontal scaling. Which database service should you choose?

A. Cloud Spanner
B. Cloud SQL with cross-region replicas
C. Cloud Bigtable
D. Firestore
Answer: A

Spanner provides global strong consistency, SQL support, and automatic horizontal scaling across regions.

911 · MCQ · easy

A developer needs to connect to a Memorystore for Redis instance from a Compute Engine VM in the same VPC network. The Redis instance has AUTH enabled. What must the developer provide in the connection string?

A. The Redis AUTH password.
B. The IAM role 'Memorystore User'.
C. The client certificate and private key.
D. The service account key file.
Answer: A

AUTH requires a password to access the instance.

Why this answer

When AUTH is enabled on a Memorystore for Redis instance, the client must provide the AUTH password in the connection string (e.g., `redis://:password@host:6379`) or via the `AUTH` command after connecting. This password is set during instance creation and is required for authentication before any data commands can be executed. Without it, the Redis server will reject the connection with a `NOAUTH Authentication required` error.

Exam trap

Google Cloud often tests the distinction between control-plane IAM permissions and data-plane authentication mechanisms, leading candidates to incorrectly select IAM roles for Redis AUTH.

How to eliminate wrong answers

Option B is wrong because Memorystore for Redis does not use IAM roles for authentication; IAM is used for control-plane access (e.g., creating instances), not for data-plane Redis connections. Option C is wrong because Memorystore for Redis does not support TLS client certificate authentication by default; it uses AUTH password or, if in-transit encryption is enabled, server-side TLS with optional client certificates, but the question specifies AUTH enabled, not TLS. Option D is wrong because service account key files are used for authenticating Google Cloud API calls (e.g., via gcloud or client libraries), not for Redis protocol-level authentication.

912 · MCQ · medium

A company wants to run complex analytical queries on terabytes of data with sub-second response times. The data is structured and stored in Cloud Storage as Parquet files. They need a serverless solution that can query the data directly without loading it into a database. Which service should they use?

A. Cloud Dataproc
B. BigQuery
C. Cloud Bigtable
D. Cloud SQL
Answer: B

BigQuery can query external data sources like Cloud Storage Parquet files using external tables, with sub-second performance.

Why this answer

BigQuery is the correct choice because it is a serverless, fully managed data warehouse that supports querying structured data directly from Cloud Storage using external tables, without requiring data loading. It can handle terabytes of data with sub-second response times via its columnar storage, automatic scaling, and BI Engine for acceleration.

Exam trap

The trap here is that candidates often confuse BigQuery with Cloud Dataproc, thinking that Hadoop/Spark is required for large-scale analytics, but BigQuery's serverless architecture and direct Cloud Storage querying eliminate the need for cluster management and provide faster interactive response times.

How to eliminate wrong answers

Option A is wrong because Cloud Dataproc is a managed Hadoop/Spark service that requires provisioning and managing clusters, not a serverless solution, and it is designed for batch processing rather than sub-second interactive queries. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database optimized for low-latency read/write access to large volumes of time-series or IoT data, not for complex analytical SQL queries on structured Parquet files. Option D is wrong because Cloud SQL is a fully managed relational database (MySQL, PostgreSQL, SQL Server) that requires loading data into tables and is not designed for petabyte-scale analytics or direct querying of Cloud Storage files.

913 · Multi-Select · hard

Which TWO metrics should be monitored to detect a potential memory leak in a Compute Engine VM?

Select 2 answers
A. CPU utilization
B. Process count
C. Memory usage (percentage)
D. Disk read IOPS
E. Network bytes sent
Answers: B, C

A memory leak may cause the application to spawn more processes.

Why this answer

Option B is correct because a memory leak causes processes to consume increasing amounts of memory without releasing it, leading to a growing process count as new instances of the leaking process are spawned or existing processes remain active. Monitoring the process count helps detect abnormal growth that correlates with memory exhaustion. Option C is correct because memory usage percentage directly reflects how much of the VM's available RAM is consumed; a steady upward trend without a corresponding increase in workload indicates a leak.

Exam trap

Google Cloud often tests the misconception that CPU utilization is a primary indicator of memory leaks, but in reality, a leak can silently consume memory without spiking CPU until the system is critically low on memory.

914 · MCQ · medium

You are running Cloud Bigtable for time-series analytics. Each row represents a metric and uses a row key of format 'metricID#timestamp' (e.g., 'cpu_usage#2023-08-01T00:00:00Z'). You notice that writes are concentrated on a small number of nodes. What is the most effective way to distribute writes more evenly?

A. Use a different column family for each metric
B. Increase the number of nodes
C. Add a hash prefix of the metricID to the row key
D. Reverse the timestamp in the row key
Answer: C

Salting with a hash prefix distributes writes across all nodes.

Why this answer

The row key design is poor because metricID is a limited set (e.g., cpu_usage) and timestamp is increasing, so all writes for a metric go to a single tablet. Salting by prepending a hash of the metricID (or using a field promotion with a hash prefix) distributes writes across tablets. Reversing timestamp helps with reads but not write distribution.

Using a different column family does not affect row key distribution. Increasing nodes only helps if data is distributed, but the hotspot will remain.

915 · MCQ · easy

A DevOps team is setting up a CI/CD pipeline using Cloud Build. They want the Cloud Build service account to have permission to deploy to Cloud Run within a specific project. Which IAM role should be granted to the Cloud Build service account?

A. roles/run.admin
B. roles/run.invoker
C. roles/cloudbuild.builds.editor
D. roles/iam.serviceAccountUser
Answer: A

This allows deploying and managing Cloud Run services.

Why this answer

The Cloud Build service account needs the `roles/run.admin` role to deploy services to Cloud Run. This role grants full control over Cloud Run resources, including creating, updating, and deleting services, which is required for a CI/CD pipeline to perform deployments. Without this role, the service account would lack the necessary permissions to modify Cloud Run configurations.

Exam trap

Google Cloud often tests the distinction between roles that grant management permissions (like `roles/run.admin`) versus roles that only grant invocation or build management, leading candidates to mistakenly choose `roles/run.invoker` or `roles/cloudbuild.builds.editor` when deployment is required.

How to eliminate wrong answers

Option B is wrong because `roles/run.invoker` only allows invoking (calling) Cloud Run services, not deploying or managing them. Option C is wrong because `roles/cloudbuild.builds.editor` grants permissions to manage Cloud Build triggers and builds, but does not include any Cloud Run deployment permissions. Option D is wrong because `roles/iam.serviceAccountUser` allows a principal to impersonate a service account (e.g., to use its identity), but does not grant direct Cloud Run deployment permissions; it is often used in conjunction with other roles, not as a standalone deployment role.

916 · MCQ · easy

A company is migrating an on-premises Oracle database to Cloud SQL for PostgreSQL. They have used Ora2Pg to convert the schema. Which of the following data type conversions is correct?

A. Oracle NUMBER(10) → PostgreSQL NUMERIC(10)
B. Oracle CLOB → PostgreSQL TEXT
C. Oracle NUMBER(10,2) → PostgreSQL INTEGER
D. Oracle DATE → PostgreSQL DATE
Answer: B

CLOB is large character object, maps to TEXT.

Why this answer

CLOB is Oracle's large character object type and maps to PostgreSQL TEXT, so B is correct. The other options are wrong: Oracle's DATE includes both date and time, so the correct mapping is PostgreSQL TIMESTAMP; NUMBER(10) maps to INTEGER, and NUMBER(10,2) maps to NUMERIC(10,2).

917 · MCQ · hard

Refer to the exhibit. A rollout to dev succeeds, but when promoting to prod, it fails with 'Target 'prod' not found'. What is the issue?

A. The prod target does not have a required approval rule.
B. The prod target has not been created in the same region.
C. The prod target exists but is in a different project.
D. The delivery pipeline must be redeployed to include the prod target.
Answer: B

Cloud Deploy targets must exist before they can be used in a pipeline. The error indicates the target does not exist.

Why this answer

Option B is correct because the prod target must be created before it can be referenced in the pipeline; the error indicates that it does not exist. Option D is incorrect because redeploying the pipeline won't create the target. Option C is incorrect because the error indicates the target does not exist, not that it is in a different project.

Option A is incorrect because approval rules are not related to this error.

918 · MCQ · medium

A company uses Memorystore for Redis and wants to ensure data is preserved in case of a node failure. They cannot afford any data loss. What should they do?

A. Increase the maxmemory setting to avoid eviction
B. Enable AOF persistence on the Redis instance
C. Use active cross-region replication to a replica instance
D. Schedule periodic backups to Cloud Storage using export
Answer: D

Memorystore allows exporting data to Cloud Storage, which can be used for recovery in case of failure.

Why this answer

This question bank's reference material treats Memorystore for Redis as having no native persistence (RDB/AOF), so durability must come from periodic exports to Cloud Storage or from a cross-region replica for high availability. Memorystore does in fact offer RDB/AOF persistence options in some tiers, but the answer follows the assumption stated in the domain content ('no persistence in Memorystore: use Cloud Storage snapshots or a cross-region replica for HA').

A cross-region replica may still lag behind the primary, so it cannot on its own guarantee that no data is lost. Under the stated assumption, Cloud Storage exports are the best answer.

Option B (enable AOF persistence) is incorrect under that assumption. Option A (increase maxmemory) only affects eviction, not durability. Option C (cross-region replication) improves availability but can still lose recent writes because of replication lag. So D is correct.

919 · Multi-Select · easy

You are designing a monitoring strategy for a cloud-native application. Which THREE components are essential for observability?

Select 3 answers
A. Metrics
B. Alerts
C. Dashboards
D. Traces
E. Logs
Answers: A, D, E

Metrics provide quantitative data about system performance.

Why this answer

Metrics (A) are essential because they provide quantitative, time-series data about system health and performance, such as CPU utilization, request latency, and error rates. In cloud-native observability, metrics are typically collected via Prometheus or similar systems, enabling trend analysis and threshold-based alerting. Without metrics, you cannot measure the overall state of your application or infrastructure over time.

Exam trap

Google Cloud often tests the distinction between the core observability data types (metrics, logs, traces) and the operational tools built on them (alerts, dashboards), trapping candidates who confuse 'observability components' with 'monitoring tools'.

920 · MCQ · medium

A company is using BigQuery for analytics and wants to control costs. They have many queries that scan large amounts of data. Which approach is most effective in reducing query costs?

A. Switch to flat-rate pricing to cap costs.
B. Partition tables by date and use partition pruning in queries.
C. Reserve BigQuery slots for dedicated capacity.
D. Use clustering to organize data within partitions.
Answer: B

Partitioning limits the data scanned, reducing query costs.

Why this answer

Partitioning tables by date and using partition pruning in queries directly reduces the amount of data scanned by BigQuery, which is the primary driver of on-demand query costs. By filtering on the partition column, BigQuery can skip entire partitions that do not match the query criteria, minimizing the bytes processed. This is the most effective cost-control measure because it addresses the root cause of high costs—excessive data scanning—without requiring a pricing model change or additional resource commitments.

Exam trap

Google Cloud often tests the misconception that clustering alone is sufficient for cost reduction, but clustering only optimizes data within a partition and cannot skip entire partitions, making partitioning the primary mechanism for cost control.

How to eliminate wrong answers

Option A is wrong because switching to flat-rate pricing caps the maximum cost but does not reduce the amount of data scanned; it simply changes the billing model from per-byte to a fixed monthly fee, which could be more expensive if usage is low or variable. Option C is wrong because reserving BigQuery slots for dedicated capacity provides predictable performance and cost but does not inherently reduce the amount of data scanned; it is a capacity-based pricing model that still charges for the slots regardless of query efficiency. Option D is wrong because clustering organizes data within partitions to improve query performance and reduce costs by limiting the data scanned within a partition, but it is secondary to partitioning; without partition pruning, clustering alone cannot skip entire partitions and is less effective at reducing overall data scanned.

921 · MCQ · easy

A startup needs to run complex analytical queries on large datasets (10+ TB) with sub-second to a few seconds latency. The data is structured and updated daily in batch. Which Google Cloud service is best suited for this use case?

A. BigQuery
B. Cloud Bigtable
C. AlloyDB
D. Cloud SQL
Answer: A

BigQuery is the ideal service for analytical queries on large datasets with fast performance.

Why this answer

BigQuery is a serverless, highly scalable data warehouse designed for petabyte-scale analytics with fast SQL queries using columnar storage and a distributed query engine. It supports sub-second to few-second latency on structured data via features like clustering, partitioning, and BI Engine acceleration, and it handles daily batch updates efficiently through batch loading or scheduled queries.

Exam trap

Google Cloud often tests the distinction between OLTP databases (Cloud SQL, AlloyDB) and OLAP data warehouses (BigQuery), where candidates mistakenly choose a transactional database for analytical workloads due to familiarity with SQL or relational models.

How to eliminate wrong answers

Option B (Cloud Bigtable) is wrong because it is a NoSQL wide-column database optimized for real-time, high-throughput read/write operations on semi-structured or time-series data, not for complex analytical SQL queries on structured data with sub-second latency. Option C (AlloyDB) is wrong because it is a PostgreSQL-compatible transactional database designed for high-performance OLTP workloads, not for analytical queries on 10+ TB datasets with sub-second latency. Option D (Cloud SQL) is wrong because it is a managed relational database for OLTP workloads with limited scalability (max ~30 TB) and cannot deliver sub-second analytical query performance on 10+ TB datasets.

922 · MCQ · easy

Based on the exhibit, which Cloud Logging query filter will return all logs of this type?

A. severity>=ERROR
B. severity:"ERROR"
C. severity=ERROR
D. jsonPayload.severity:ERROR
Answer: C

This is the correct syntax to match logs with severity exactly 'ERROR'.

Why this answer

Option C is correct because Cloud Logging uses the `severity=ERROR` syntax to filter logs by exact severity level. The `=` operator performs an exact match on the severity field, which is a standard LogEntry field with predefined values (DEFAULT, DEBUG, INFO, NOTICE, WARNING, ERROR, CRITICAL, ALERT, EMERGENCY). This filter returns all logs where the severity is exactly ERROR, matching the requirement.

Exam trap

Google Cloud often tests the distinction between exact match (`=`) and text search (`:`) operators in Cloud Logging, and candidates mistakenly apply SQL-like range operators (`>=`) or confuse the severity field with a JSON payload field.

How to eliminate wrong answers

Option A is wrong because `severity>=ERROR` uses a comparison operator that is not supported in Cloud Logging filtering; severity filtering requires exact match operators (`=` or `!=`), not range comparisons. Option B is wrong because `severity:"ERROR"` uses the colon operator, which performs a text (substring) match, or field matching in some logging systems, whereas Cloud Logging requires the `=` operator for an exact match on the severity field. Option D is wrong because `jsonPayload.severity:ERROR` references a nested field under `jsonPayload`, but severity is a top-level LogEntry field, not part of the JSON payload; this filter would look for a custom field and miss the standard severity logs.

923
MCQmedium

During a one-time (non-continuous) migration from MySQL to Cloud SQL using mysqldump, the engineer wants to ensure the dump does not lock InnoDB tables. Which flag should be included in the mysqldump command?

A.--skip-lock-tables
B.--flush-logs
C.--single-transaction
D.--lock-all-tables
AnswerC

This flag ensures a consistent read without locking InnoDB tables.

Why this answer

--single-transaction issues START TRANSACTION WITH CONSISTENT SNAPSHOT before dumping, so InnoDB tables are read at a single consistent point in time without LOCK TABLES (it also implies --lock-tables=false). Two caveats: it gives no consistency for non-transactional engines such as MyISAM, and a DDL statement (ALTER, DROP, TRUNCATE, RENAME) executed while the dump runs can still break the snapshot, so freeze schema changes for the duration. --skip-lock-tables (option A) only turns locking off and provides no snapshot; --lock-all-tables (option D) does the opposite of what is asked; --flush-logs (option B) rotates the binary log and has nothing to do with locking.

924
MCQmedium

A company wants to migrate their on-premises PostgreSQL database to Cloud SQL. The database currently runs mixed workloads: OLTP with heavy writes and occasional complex analytical queries. They want to avoid performance impact on the transactional workload. Which approach should they take?

A.Migrate to Cloud Spanner to handle both workloads using its analytics interface.
B.Use Cloud SQL with the 'analytics' tier enabled.
C.Create a read replica of the Cloud SQL instance and run analytical queries against the replica.
D.Use the same Cloud SQL instance but schedule analytical queries during off-peak hours.
AnswerC

Read replicas handle both read-only queries and analytics without impacting the primary instance.

Why this answer

Creating a read replica of the Cloud SQL instance allows analytical queries to be offloaded to the replica, preventing resource contention (CPU, I/O, memory) with the primary OLTP workload. Cloud SQL read replicas are asynchronous and maintain a near-real-time copy of the data, ensuring the transactional workload experiences no performance degradation from heavy analytical queries.

Exam trap

Google Cloud often tests the misconception that scheduling queries during off-peak hours is a sufficient solution for workload isolation, ignoring that resource contention still occurs while the query runs and that read replicas provide a dedicated, scalable environment for analytical workloads.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner, even with its PostgreSQL interface (which supports a subset of PostgreSQL syntax and types), is not a drop-in migration target: schemas, keys and application access patterns have to be redesigned for a horizontally scaled, strongly consistent system, and the question asks for a Cloud SQL migration, not a re-platforming. Option B is wrong because Cloud SQL has no 'analytics' tier; instances are sized by edition and machine configuration (for example db-custom shapes), and there is no analytics-optimized mode. Option D is wrong because off-peak scheduling only shifts contention in time: a complex analytical query still competes with the OLTP workload for CPU, memory and I/O while it runs, and it leaves no analytical capacity during business hours.

925
Matchingmedium

Match each Google Cloud DevOps capability to its benefit.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Managed continuous delivery to GKE

Centralized container and package storage

Private Git repositories integrated with Cloud Build

IDE plugins for Kubernetes and Cloud Run

CLI for continuous development on Kubernetes

Why these pairings

Each description names a Google Cloud DevOps tool: managed continuous delivery to GKE is Cloud Deploy; centralized container and package storage is Artifact Registry; private Git repositories integrated with Cloud Build is Cloud Source Repositories; IDE plugins for Kubernetes and Cloud Run is Cloud Code; and the CLI for continuous development on Kubernetes is Skaffold (the render/deploy engine Cloud Deploy itself uses). The matching column was not captured on this page.

926
Multi-Selectmedium

Which TWO actions can reduce tail latency in a microservices architecture deployed on GKE? (Choose 2)

Select 2 answers
A.Run multiple replicas of each service and use a load balancer with least-request algorithm.
B.Use a single large machine type for all services.
C.Enable session affinity to keep users on the same pod.
D.Increase the batch size for processing requests.
E.Implement request hedging by sending duplicate requests to multiple replicas.
AnswersA, E

Distributes load and reduces queuing delay.

Why this answer

Option A is correct because running multiple replicas and using a load balancer with a least-request algorithm sends each new request to the replica with the fewest outstanding requests, which reduces queuing delay and prevents any single replica from becoming a hotspot; the load balancer's choice also narrows the variance in response times across replicas, which is what tail latency measures. Option E is correct because request hedging sends the same request to a second replica once the first has not answered within a budget (for example the observed 95th-percentile latency) and uses whichever response arrives first, so one slow pod no longer defines the tail; it is only safe for idempotent requests and must be capped, because every hedge adds load. Option B concentrates failure and contention on one machine, Option C is discussed below, and Option D (larger batches) raises per-request latency rather than lowering it.

Exam trap

Google Cloud often tests the misconception that session affinity (sticky sessions) improves performance, but in reality it harms tail latency by preventing even load distribution and causing pod overload under variable traffic.

927
MCQhard

A Cloud Deploy pipeline fails during a rollout with: 'FAILED_PRECONDITION: The release is not in a state that can be promoted.' The Cloud Build service account has the IAM roles shown in the exhibit. What is the missing role or permission?

A.The service account is missing the 'roles/clouddeploy.jobRunner' role.
B.The service account is missing the 'roles/cloudbuild.builds.builder' role.
C.The service account is missing the 'roles/clouddeploy.operator' role.
D.The service account is missing the 'roles/clouddeploy.approver' role, which includes the 'clouddeploy.releases.promote' permission.
AnswerD

Promotion is a rollout into the next target; check the release's state before changing IAM.

Why this answer

Promoting a release in Cloud Deploy means creating a rollout of that release into the next target in the pipeline. When that target is configured with requireApproval, the rollout additionally waits for an approval, and approving needs the `clouddeploy.rollouts.approve` permission carried by `roles/clouddeploy.approver`; the answer key treats the approver role as the missing grant. Two caveats a practitioner should apply before accepting that diagnosis: a missing IAM permission is reported as PERMISSION_DENIED, not FAILED_PRECONDITION, and 'The release is not in a state that can be promoted' is a state check (the release's render has not succeeded, the release was abandoned, or a rollout to that target is already pending or in progress). Run `gcloud deploy releases describe` and `gcloud deploy rollouts list` for the release first; only if the release itself is healthy is IAM the next thing to check.

Exam trap

Google Cloud often tests the distinction between the `clouddeploy.operator` role (which manages releases and rollouts) and the `clouddeploy.approver` role (which specifically allows promotion), leading candidates to mistakenly choose the operator role for promotion actions.

How to eliminate wrong answers

Option A is wrong because `roles/clouddeploy.jobRunner` is the role granted to the execution service account that runs the render and deploy jobs (Skaffold render/apply); it has nothing to do with advancing a release through the pipeline. Option B is wrong because `roles/cloudbuild.builds.builder` governs Cloud Build execution, not Cloud Deploy. Option C is wrong, per the key, because `roles/clouddeploy.operator` is the management role (pipelines, targets, releases, rollouts) and the exam distinguishes it from the approval step; whether operator also carries `clouddeploy.rollouts.approve` should be checked against the current IAM role reference rather than assumed, and note that the `clouddeploy.releases.promote` permission named in option D is not how promotion is documented: promotion is a rollout creation.

928
Multi-Selecthard

A company uses Cloud Spanner and needs to capture real-time changes from a table for downstream processing. They want to avoid writing custom application code to track changes. Which THREE components should they use? (Choose three.)

Select 3 answers
A.Cloud Bigtable
B.Pub/Sub
C.Change Streams
D.Cloud Spanner API
E.Dataflow
AnswersB, C, E

Change streams are consumed by Dataflow, which can publish each change record to Pub/Sub.

Why this answer

A Spanner change stream records inserts, updates and deletes on the watched tables, but it is not a push mechanism: something has to read it. The no-custom-code way to read it is Dataflow with the SpannerIO change-stream connector, for which Google provides templates such as 'Spanner change streams to Pub/Sub'; the Dataflow job writes each change record to a Pub/Sub topic and downstream consumers subscribe to that topic (the same connector can also write to BigQuery or Cloud Storage). That is why Change Streams, Dataflow and Pub/Sub are all required.

Reading the change stream directly through the Spanner API (the partition-query loop) is possible but is exactly the custom application code the team wants to avoid, so option D is not part of the answer. Bigtable is unrelated.

929
MCQeasy

Which data type mapping is correct when converting an Oracle NUMBER(10,2) column to PostgreSQL?

A.NUMERIC(10,2)
B.INTEGER
C.DECIMAL(10)
D.REAL
AnswerA

NUMERIC maps directly to NUMBER with same precision and scale.

Why this answer

NUMBER(p,s) maps to NUMERIC(p,s) in PostgreSQL. NUMBER(10,2) becomes NUMERIC(10,2).

930
MCQhard

An organization has a service that must meet a 99.99% SLO. The service runs on GKE and uses Cloud SQL. The team notices that during a major incident, the error budget is consumed rapidly. They want to implement a mechanism to automatically rollback deployments that cause sustained error budget consumption above a threshold. What is the best approach?

A.Use Cloud Scheduler to run a script that checks error budget and rolls back if needed.
B.Set up a deployment pipeline with Cloud Deploy that includes a predeployment validation step that checks the current error budget burn rate and blocks the release if the burn rate exceeds 10% per hour.
C.Implement a canary deployment strategy with manual approval steps.
D.Configure Cloud Build to automatically revert the last commit if error budget is consumed.
AnswerB

An automated gate in the delivery pipeline stops a release while the budget is burning; rolling back what is already deployed needs a companion mechanism.

Why this answer

Option B is correct because it puts the check where releases are controlled: a Cloud Deploy pipeline can run a predeploy hook or verification step that queries the SLO's burn rate from Cloud Monitoring and fails when it is above the threshold, which halts the rollout and is recorded in the release history; Cloud Deploy automation rules can then repair (retry or roll back) a rollout whose verification fails. Strictly, a predeployment gate blocks new releases rather than rolling back the one that caused the burn, so the complete design pairs the gate with a burn-rate alert on the SLO and a rollback automation; among the options given, B is the closest fit. Option A is wrong because a Cloud Scheduler-driven script is polling glue outside the pipeline, with no release history or approval trail. Option C is wrong because manual approval steps slow a canary down but do not react to error-budget consumption automatically.

Option D is wrong because Cloud Build is the CI system: reverting a commit produces a new build, it does not roll back the workload that is currently serving traffic, and there is no native Cloud Build feature that watches error budgets.
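The threshold in option B is stated as a share of error budget per hour, while monitoring systems report a burn rate, so the gate has to convert between the two. The following is an added example, not part of the exam page or of Cloud Deploy itself: it implements the predeploy check's decision logic for the question's 99.99% SLO, assuming a 30-day rolling window and a request-based SLI (good requests over total requests); the request counts are constructed sample data.

```python
"""Error-budget burn-rate gate for a 99.99% availability SLO.

Added example. Assumes a 30-day rolling SLO window, a request-based SLI
(good / total requests over the lookback period) and the policy from
option B: block the release when more than 10% of the error budget would
be consumed per hour at the current burn rate.
"""
from dataclasses import dataclass

SLO_TARGET = 0.9999            # 99.99% availability objective from the question
WINDOW_HOURS = 30 * 24         # assumed 30-day rolling window (720 h)
MAX_BUDGET_PER_HOUR = 0.10     # policy: at most 10% of the budget per hour


@dataclass(frozen=True)
class GateDecision:
    blocked: bool
    burn_rate: float
    threshold: float


def error_budget(slo: float = SLO_TARGET) -> float:
    """Allowed failure ratio: 1 - SLO (1e-4 for four nines)."""
    return 1.0 - slo


def burn_rate(good: int, total: int, slo: float = SLO_TARGET) -> float:
    """Observed failure ratio divided by the allowed ratio.

    1.0 means the budget runs out exactly at the end of the window;
    N means it runs out N times faster than that.
    """
    if total <= 0:
        return 0.0
    observed_failure_ratio = (total - good) / total
    return observed_failure_ratio / error_budget(slo)


def burn_rate_threshold(budget_fraction: float, over_hours: float,
                        window_hours: int = WINDOW_HOURS) -> float:
    """Burn rate that consumes `budget_fraction` of the budget in `over_hours`.

    fraction_consumed = burn_rate * over_hours / window_hours, solved for
    burn_rate. For 10% per hour on a 720 h window this is 72.
    """
    return budget_fraction * window_hours / over_hours


def gate_release(good: int, total: int,
                 budget_fraction: float = MAX_BUDGET_PER_HOUR,
                 over_hours: float = 1.0) -> GateDecision:
    """Predeploy check: block when the measured burn rate reaches the policy threshold."""
    rate = burn_rate(good, total)
    threshold = burn_rate_threshold(budget_fraction, over_hours)
    return GateDecision(blocked=rate >= threshold, burn_rate=rate, threshold=threshold)


if __name__ == "__main__":
    # Constructed request counts for the last hour, not real measurements.
    calm = gate_release(good=999_500, total=1_000_000)      # 0.05% errors -> burn rate 5
    incident = gate_release(good=991_000, total=1_000_000)  # 0.9% errors  -> burn rate 90
    print(calm)       # blocked=False
    print(incident)   # blocked=True: 90x is above the 72x threshold
```

The conversion is the part worth remembering: "10% of the budget per hour" on a 30-day window is a burn rate of 72, which is far above the 14.4x and 6x thresholds normally used for paging, so a gate tuned this way only trips during a severe incident; choose the fraction deliberately rather than copying the number from the question.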

931
MCQmedium

An e-commerce application uses Firestore in Native mode. The team needs to run a query that filters on two fields and orders by a third field. What is the correct approach to ensure this query runs efficiently?

A.Create a composite index on the three fields
B.Rely on automatic single-field indexes
C.Use an index exemption on the fields
D.Use Firestore in Datastore mode instead
AnswerA

Composite indexes must be created manually for queries that filter on multiple fields and order by another.

Why this answer

Firestore requires a composite index for queries that filter on multiple fields and order by a different field, because single-field indexes cannot satisfy the combined filtering and ordering constraints. Creating a composite index on the three fields (the two filter fields and the order field) allows Firestore to efficiently execute the query without scanning all documents.

Exam trap

Google Cloud often tests the misconception that single-field indexes are sufficient for multi-field queries, or that index exemptions can be used to optimize queries, when in fact composite indexes are mandatory for such queries in Firestore (the failed query's error message includes a link that creates the exact index needed).

How to eliminate wrong answers

Option B is wrong because automatic single-field indexes only support simple equality filters on one field or range filters on one field with an order on the same field; they cannot handle filtering on two fields and ordering by a third. Option C is wrong because an index exemption is used to exclude fields from automatic indexing, not to enable complex queries; it would prevent the query from running efficiently. Option D is wrong because switching to Datastore mode does not solve the indexing requirement—Datastore mode also requires composite indexes for similar multi-field queries, and the question specifies Firestore in Native mode, so changing modes is unnecessary and introduces other differences.

932
MCQeasy

An organization needs to run a disaster recovery drill for its Cloud SQL for MySQL instance by promoting a read replica to a standalone instance. The replica is in the same region as the primary. After the drill, they want the original primary to resume serving writes. What should they do?

A.Promote the replica, then delete and recreate the replica from the original primary after the drill.
B.Stop replication, then restart the primary instance to make it the new replica.
C.Use the gcloud command to switch roles between the primary and replica.
D.Promote the replica, then perform a failover on the original primary to make it the new primary.
AnswerA

Promotion is irreversible; to restore replication, you must recreate the replica.

Why this answer

Promoting a read replica in Cloud SQL for MySQL breaks the replication link and turns the replica into a standalone primary; the promoted instance cannot be re-attached as a replica of the original primary. After the drill, therefore, delete the promoted instance (or keep it as a standalone copy for forensics) and create a fresh read replica from the original primary to re-establish replication. The original primary has been serving writes throughout the drill, so nothing needs to be done to it; what you must not do is write to the promoted replica during the drill if those writes are expected to reach the primary, because they never will.

Exam trap

The trap here is that candidates assume you can simply re-attach the promoted replica or use a failover command to reverse the roles, but Cloud SQL's architecture treats promotion as an irreversible operation that requires deleting and recreating the replica.

How to eliminate wrong answers

Option B is wrong because stopping replication does not make the original primary a replica; Cloud SQL does not support converting an existing primary into a replica of another instance. Option C is wrong for the ordinary read replica in this question: promotion is one-way. (Cloud SQL Enterprise Plus edition has since added a switchover operation, `gcloud sql instances switchover`, that swaps the roles of a primary and a replica configured for disaster recovery without data loss; it requires an instance set up for that purpose, not a plain read replica.) Option D is wrong because failover belongs to the high-availability configuration of a single instance (primary and standby in one region) and does nothing to a promoted replica; the original primary is already the primary.

933
Multi-Selecthard

A company is designing a data warehouse for analytics. They need to store structured and semi-structured data, support SQL queries with sub-second performance on petabytes, and integrate with Data Studio. Which service should they consider?

Select 1 answer
A.Cloud Bigtable
B.Cloud Spanner
C.BigQuery
D.Dataproc
E.Cloud SQL
AnswersC

BigQuery is purpose-built for analytics at scale.

Why this answer

BigQuery is the only option that is a serverless SQL data warehouse with petabyte-scale columnar storage, native support for semi-structured data (STRUCT, ARRAY and JSON columns), and first-class integration with Data Studio (now Looker Studio), including BI Engine for sub-second dashboard queries. Cloud SQL is a single-instance OLTP database and stops well short of petabytes. Bigtable is a wide-column NoSQL store for high-throughput key-based access, not a warehouse for ad hoc analytical SQL.

Spanner is a transactional database, not a warehouse. Dataproc can run Spark SQL or Hive over Cloud Storage, but it is a managed cluster rather than a warehouse with interactive latency. The key lists BigQuery alone because none of the other options meets the requirements as written.

934
MCQhard

An organization has a strict compliance requirement that all CI/CD pipelines must use customer-managed encryption keys (CMEK) for any artifacts stored in Cloud Storage. How can this be enforced at the organization level?

A.Use IAM conditions on storage buckets to require CMEK.
B.Create an Organization Policy with constraint `constraints/gcp.storageRequireCmeK`.
C.Use Cloud Asset Inventory to scan for non-compliant buckets.
D.Configure Cloud Audit Logs to monitor and alert on non-CMEK usage.
AnswerB

An organization policy rejects creation of Cloud Storage resources that are not protected by CMEK across every project under the organization.

Why this answer

Option B is correct in approach: an Organization Policy constraint is evaluated at resource-creation time and can be set at the organization, folder or project level, so it enforces the requirement rather than merely detecting violations. The published constraint for this requirement is `constraints/gcp.restrictNonCmekServices`, a list constraint whose denied values name the services (here `storage.googleapis.com`) that must use customer-managed keys; it rejects creation of Cloud Storage resources without CMEK and is commonly paired with `constraints/gcp.restrictCmekCryptoKeyProjects` to limit which projects' keys may be used. The constraint ID printed in the option does not match that published name, so treat the option as shorthand for the CMEK organization policy. Note that the constraint governs new resources only: buckets created before it was set have to be found and fixed separately, which is where option C's inventory scan belongs.

Exam trap

The trap here is that candidates confuse IAM conditions (which control access) with Organization Policy constraints (which enforce creation-time requirements), leading them to choose Option A instead of the correct policy-based enforcement.

How to eliminate wrong answers

Option A is wrong because IAM conditions on storage buckets can restrict access based on encryption key type, but they cannot enforce the requirement that buckets must be created with CMEK; IAM conditions control access, not creation policies. Option C is wrong because Cloud Asset Inventory can identify non-compliant buckets after they are created, but it does not prevent their creation or enforce the policy proactively. Option D is wrong because Cloud Audit Logs can monitor and alert on non-CMEK usage, but they are reactive and do not enforce the requirement at the time of bucket creation.

935
MCQhard

A large enterprise uses Cloud Build across multiple projects for different microservices. They want to create a centralized CI/CD governance where a single trigger can initiate builds across multiple projects, but each project's artifacts must be stored in a shared Artifact Registry. What is the best way to achieve this?

A.Use a shared VPC and a single Cloud Build private pool accessible to all projects, and configure triggers in each project.
B.Create a Cloud Build trigger in the governance project that uses a service account with permissions to send build requests to other projects.
C.Use a single Cloud Build trigger in the governance project and configure triggers in each project to listen to Pub/Sub notifications from the governance trigger.
D.Deploy a Cloud Function that listens to Cloud Source Repo events and creates Cloud Build builds in each project.
AnswerB

A trigger in one project can start builds in other projects through the Cloud Build API (`projects.builds.create`) when its service account holds the right roles there.

Why this answer

Option B is correct because a single trigger in the governance project, running as a user-specified service account, can call the Cloud Build API (or `gcloud builds submit --project=<target>`) once per microservice project; that service account needs `roles/cloudbuild.builds.editor` in each target project, and the build service accounts of those projects need `roles/artifactregistry.writer` on the shared repository so every build pushes to the one registry. Option A is wrong because a private worker pool and a Shared VPC change where builds execute, not how they are started; each project's triggers still fire independently. Option C is wrong because it inverts the design: the governance trigger would only publish a Pub/Sub message, every project would still need its own Pub/Sub-driven trigger, and there would be no single point of control.

Option D is wrong because a Cloud Function re-implements what triggers already provide and adds code to maintain and secure.

936
MCQeasy

A company uses Cloud Build and wants to trigger builds only from the master branch. Which configuration is required?

A.Create separate triggers for each branch.
B.Set the branch filter to 'master' in the trigger.
C.Use a custom Cloud Build step to check the branch name.
D.Use a Cloud Function to call Cloud Build for master only.
AnswerB

Directly filters on branch name.

Why this answer

Option B is correct because Cloud Build triggers allow you to specify a branch filter as a regular expression. The filter is anchored by you, not by Cloud Build: write it as `^master$` rather than `master`, because the bare pattern also matches branches such as `master-hotfix` or `feature/master-rename`. With the anchored pattern only pushes to (or pull requests targeting) the master branch start the build, which is the native, supported method for branch-based triggering without additional overhead.

Exam trap

Google Cloud often tests the misconception that you need external services or custom logic to filter branches, when in fact Cloud Build's built-in trigger branch filter is the simplest and most efficient solution.

How to eliminate wrong answers

Option A is wrong because creating separate triggers for each branch would cause builds for all branches, not just master, and adds unnecessary complexity. Option C is wrong because using a custom Cloud Build step to check the branch name would still trigger the build for every branch, wasting resources and time; the branch check should happen before the build starts, not during it. Option D is wrong because using a Cloud Function to call Cloud Build for master only introduces an unnecessary intermediary, adding latency and complexity when the native branch filter in the trigger already achieves the goal directly.

937
MCQmedium

A company uses Bigtable for real-time analytics. They notice that writes to a specific row range are significantly slower. The Key Visualizer shows a hotspot. What is the most likely cause and recommended action?

A.Create a new cluster and replicate data to that cluster.
B.Change the storage type from HDD to SSD.
C.Redesign the row key to avoid sequential writes to the same region.
D.Increase the number of nodes to handle the load.
AnswerC

A well-distributed row key spreads writes across tablet servers, eliminating hotspots.

Why this answer

Hotspots occur when a single tablet server is overloaded due to high write traffic to a contiguous key range. The solution is to redesign the row key to distribute writes.

938
Multi-Selectmedium

Which TWO practices should be implemented to optimize query performance in Cloud Spanner?

Select 2 answers
A.Split large tables into multiple smaller tables to distribute load.
B.Create as many indexes as possible on all columns.
C.Use interleaved tables to co-locate related rows.
D.Use globally distributed interleaving across regions.
E.Define secondary indexes on columns used in WHERE clauses.
AnswersC, E

Interleaving ensures parent and child rows are stored together, reducing cross-node reads.

Why this answer

Option C is correct because interleaved tables in Cloud Spanner physically co-locate parent and child rows on the same split, reducing cross-node round trips and improving join performance for queries that access related data together. Option E is correct because a secondary index on the columns a WHERE clause filters on lets Spanner seek directly to the matching rows instead of scanning the table; add STORING columns to the index when a query reads a few extra columns, so it can be served from the index without a back-join. Option A is wrong because Spanner already splits tables by key range, so slicing a table into several smaller ones does not spread load and only complicates the schema. Option B is wrong because every index is maintained on every write, so indexing everything taxes write latency and storage. Option D is wrong because interleaving is a schema relationship between a parent and a child table, not a geographic distribution setting.

Exam trap

Google Cloud often tests the misconception that more indexes always improve query performance, but in Spanner, excessive indexes degrade write performance and storage efficiency, while interleaving and selective secondary indexes are the correct optimization strategies.

939
MCQmedium

You need to design a Bigtable row key for a time-series application that records temperature readings from thousands of sensors. The most common query is 'get all readings for a specific sensor in the last hour'. Which row key design is optimal?

A.timestamp#sensorID
B.sensorID#timestamp
C.sensorID#reverse_timestamp
D.hash(sensorID)#timestamp
AnswerC

Groups by sensor and puts recent data first.

Why this answer

Option C is optimal because the sensorID prefix keeps every reading for one sensor in a contiguous run of rows (each reading is its own row), and the reverse timestamp (for example MAX_LONG minus the timestamp, zero-padded so that byte order equals numeric order) makes the newest reading sort first within that run. 'Latest N readings' becomes a prefix read with a row limit, and 'last hour' becomes a small row range from key(sensorID, now) to key(sensorID, now minus one hour), so Bigtable touches only the rows inside the window. Option B would also serve the last-hour range (the range is simply [now minus one hour, now] under the same prefix); the tie-breaker in the exam's view is that reverse timestamps additionally make 'most recent' a bounded read rather than a scan to the end of the sensor's history.

Exam trap

The trap here is that candidates often choose sensorID#timestamp (Option B) thinking it groups data correctly, and it does, but they overlook that Bigtable's lexicographic ordering places the oldest rows first, so any 'most recent' query has to read to the end of the sensor's rows or rely on a reverse scan, which is less efficient than storing the newest rows first.

How to eliminate wrong answers

Option A is wrong because timestamp#sensorID interleaves every sensor's readings by time, so the rows for one sensor are scattered across the whole table and a per-sensor query degenerates into a scan of the entire time range; it also creates a write hotspot, since all sensors write to the same (latest) key range at once. Option B is wrong because sensorID#timestamp places the most recent row last under the prefix, making 'latest' queries read the whole sensor's history or use a reverse scan. Option D is wrong for a different reason than the key suggests: a deterministic hash keeps a sensor's readings contiguous, so the query would still work, but hashing the sensor ID buys nothing when thousands of distinct IDs already spread writes across tablets, it makes keys unreadable for operators, and it still puts the newest reading last.
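The ordering argument above is easy to get backwards when building keys by hand, so here is an added example, not from the exam page and not Bigtable client code: it builds keys in the sensorID#reverse_timestamp layout with millisecond timestamps, stands Bigtable in with a byte-ordered dictionary so it runs offline, and runs the 'last hour' and 'latest reading' queries against constructed readings. The LONG_MAX subtrahend and the fixed-width sensor IDs are assumptions of the example.

```python
"""Bigtable row-key layout for 'latest readings per sensor'.

Added example. Bigtable is emulated by an in-memory dict read in byte
order; keys use the question's sensorID#reverse_timestamp layout with
millisecond timestamps, and the readings are constructed sample data.
"""
from typing import Dict, List, Tuple

LONG_MAX = (1 << 63) - 1            # conventional subtrahend (Java Long.MAX_VALUE)
TS_WIDTH = len(str(LONG_MAX))       # 19 digits: zero-padding makes byte order == numeric order
HOUR_MS = 3_600_000

Table = Dict[bytes, float]          # row key -> temperature (one cell per row, for brevity)


def reverse_timestamp(ts_ms: int) -> str:
    """Newer timestamps produce smaller strings, so they sort first."""
    return str(LONG_MAX - ts_ms).zfill(TS_WIDTH)


def row_key(sensor_id: str, ts_ms: int) -> bytes:
    """Option C's layout: sensorID#reverse_timestamp."""
    return f"{sensor_id}#{reverse_timestamp(ts_ms)}".encode()


def forward_key(sensor_id: str, ts_ms: int) -> bytes:
    """Option B's layout, for comparison: the oldest reading sorts first."""
    return f"{sensor_id}#{str(ts_ms).zfill(TS_WIDTH)}".encode()


def scan_range(table: Table, start: bytes, end: bytes) -> List[Tuple[bytes, float]]:
    """Emulate a Bigtable row-range read: start inclusive, end exclusive, byte order."""
    return [(k, table[k]) for k in sorted(table) if start <= k < end]


def scan_prefix(table: Table, prefix: bytes, limit: int) -> List[Tuple[bytes, float]]:
    """Emulate a prefix read with a row limit."""
    return [(k, table[k]) for k in sorted(table) if k.startswith(prefix)][:limit]


def readings_last_hour(table: Table, sensor_id: str, now_ms: int) -> List[float]:
    """The common query: one sensor's readings from the last hour, newest first.

    With reverse timestamps the newest reading has the smallest key, so the
    range starts at key(now) and ends just past key(now - 1h).
    """
    start = row_key(sensor_id, now_ms)
    end = row_key(sensor_id, now_ms - HOUR_MS - 1)   # exclusive end, one ms older than the window
    return [value for _, value in scan_range(table, start, end)]


def latest_reading(table: Table, sensor_id: str) -> float:
    """Most recent reading: the first row under the sensor's prefix, no history scan."""
    rows = scan_prefix(table, f"{sensor_id}#".encode(), limit=1)
    return rows[0][1]


def build_sample_table(now_ms: int) -> Table:
    """Constructed readings: three for sensor-0042 and one for a neighbour."""
    samples = [
        ("sensor-0042", now_ms - 5 * 60_000, 21.5),    # 5 min ago
        ("sensor-0042", now_ms - 30 * 60_000, 21.0),   # 30 min ago
        ("sensor-0042", now_ms - 90 * 60_000, 20.0),   # 90 min ago, outside the window
        ("sensor-0043", now_ms - 10 * 60_000, 19.0),   # different sensor, same prefix family
    ]
    return {row_key(sensor, ts, ) if False else row_key(sensor, ts): value
            for sensor, ts, value in samples}


if __name__ == "__main__":
    NOW_MS = 1_700_000_000_000
    table = build_sample_table(NOW_MS)
    print(readings_last_hour(table, "sensor-0042", NOW_MS))   # [21.5, 21.0]
    print(latest_reading(table, "sensor-0042"))               # 21.5
```

The zero-padding matters as much as the subtraction: without a fixed width, a reverse timestamp with fewer digits would sort before one with more digits regardless of value, and the 'newest first' property would silently break once the timestamp crossed a power of ten.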

940
MCQhard

A company wants to enforce that all service accounts are created with a specific naming convention (e.g., prefix 'sa-'). What is the most efficient way to enforce this?

A.Use a custom role that restricts service account creation to users who follow the naming convention.
B.Use a Cloud Function that monitors and remediates non-compliant service accounts.
C.Use an organization policy constraint with a condition on the service account name.
D.Use a folder-level attribute with a policy on service account names.
AnswerB

A function reacting to the IAM audit log can disable or delete a non-compliant account within seconds of its creation.

Why this answer

Option B is correct because every `CreateServiceAccount` call is recorded in Cloud Audit Logs (Admin Activity logs, which are always on), and a function can be started from that record without polling: either an Eventarc trigger on the audit-log event (type `google.cloud.audit.log.v1.written`, serviceName `iam.googleapis.com`, methodName `google.iam.admin.v1.CreateServiceAccount`) or a log sink with the filter `protoPayload.methodName="google.iam.admin.v1.CreateServiceAccount"` routed to a Pub/Sub topic the function subscribes to. The function reads the new account's ID from the entry, checks it against the 'sa-' rule, and disables or deletes it. Two practitioner caveats: this is a detective control, so there is a window (log delivery plus function latency) in which the account exists and may already have a key or a role binding, and the function's own service account needs `roles/iam.serviceAccountAdmin` on everything it polices, which makes it a high-value target that should be scoped as narrowly as possible.

Exam trap

The trap here is that candidates assume a predefined organization policy constraint can enforce naming conventions because they are familiar with resource-location or domain restrictions, but the predefined constraints do not match on resource names. Custom organization policy constraints (CEL conditions over a resource's attributes) have been extended to more services since this question was written, so check the current list of supported resources: a creation-time deny is stronger than after-the-fact remediation wherever it is available.

How to eliminate wrong answers

Option A is wrong because a custom role only decides which API methods a principal may call; IAM never inspects the account ID argument of the call, so a role cannot validate a naming pattern. Option C is wrong in the exam's framing because the predefined constraints that touch IAM (for example `constraints/iam.allowedPolicyMemberDomains`, which restricts which identities can be granted roles, and the constraints that restrict service account key creation) take lists of domains or simple booleans, not naming patterns. Option D is wrong because folders carry IAM bindings and organization policies, not 'attributes' with naming policies; there is no such mechanism.
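The decision half of option B is small enough to show in full. The following is an added example, not from the exam page and not Google sample code: it takes the Cloud Audit Logs entry that an Eventarc trigger or a log-sink-to-Pub/Sub subscription would hand to the function and decides whether the newly created service account violates the 'sa-' prefix rule. It assumes the entry's field names are those of the IAM Admin Activity record (`protoPayload.methodName`, `protoPayload.request.account_id`, `protoPayload.response.email`; verify against a real entry in your project), the sample entries are constructed with placeholder project and e-mail values, and the remediation (disable or delete) is returned as an action rather than executed.

```python
"""Decision logic for an audit-log-driven service-account naming check.

Added example. Models the function from option B: parse a constructed IAM
Admin Activity log entry and decide whether the created service account
breaks the 'sa-' naming rule. Field names are assumed from the IAM audit
log format; remediation is returned as an action, not performed.
"""
import json
import re
from typing import Any, Dict, Optional

CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccount"
# 'sa-' prefix plus 3-27 more lowercase letters, digits or hyphens, so the
# whole ID stays inside IAM's 6-30 character limit (assumed policy wording).
NAME_RULE = re.compile(r"^sa-[a-z0-9-]{3,27}$")


def created_account_id(entry: Dict[str, Any]) -> Optional[str]:
    """Return the account ID from a CreateServiceAccount entry, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "iam.googleapis.com":
        return None
    if payload.get("methodName") != CREATE_METHOD:
        return None
    account_id = payload.get("request", {}).get("account_id")
    if not account_id:
        # Fall back to the response e-mail: everything before '@' is the ID.
        email = payload.get("response", {}).get("email", "")
        account_id = email.split("@", 1)[0] if "@" in email else None
    return account_id or None


def evaluate(entry: Dict[str, Any]) -> Dict[str, str]:
    """Map one log entry to an action: ignore, allow or disable."""
    account_id = created_account_id(entry)
    if account_id is None:
        return {"action": "ignore", "reason": "not a service-account creation"}
    if NAME_RULE.match(account_id):
        return {"action": "allow", "account_id": account_id}
    return {
        "action": "disable",
        "account_id": account_id,
        "reason": "account ID does not match ^sa-",
        # Resource the remediation call would target (placeholder project below).
        "resource": entry.get("protoPayload", {}).get("resourceName", ""),
    }


def handle_pubsub_message(data: bytes) -> Dict[str, str]:
    """Entry-point shape for a Pub/Sub-triggered function: data is the raw LogEntry JSON."""
    return evaluate(json.loads(data))


def _audit_entry(method: str, account_id: Optional[str], email: str) -> Dict[str, Any]:
    """Build a constructed Admin Activity entry carrying only the fields the check uses."""
    payload: Dict[str, Any] = {
        "serviceName": "iam.googleapis.com",
        "methodName": method,
        "resourceName": f"projects/example-project/serviceAccounts/{email}",
        "response": {"email": email},
    }
    if account_id is not None:
        payload["request"] = {"account_id": account_id}
    return {"protoPayload": payload, "severity": "NOTICE"}


# Constructed sample entries (placeholder project "example-project").
COMPLIANT_ENTRY = _audit_entry(CREATE_METHOD, "sa-payments-ci",
                               "sa-payments-ci@example-project.iam.gserviceaccount.com")
VIOLATING_ENTRY = _audit_entry(CREATE_METHOD, "build-runner",
                               "build-runner@example-project.iam.gserviceaccount.com")
UNRELATED_ENTRY = _audit_entry("google.iam.admin.v1.SetIAMPolicy", None,
                               "sa-payments-ci@example-project.iam.gserviceaccount.com")
NO_REQUEST_ENTRY = _audit_entry(CREATE_METHOD, None,
                                "legacy-svc@example-project.iam.gserviceaccount.com")

if __name__ == "__main__":
    for sample in (COMPLIANT_ENTRY, VIOLATING_ENTRY, UNRELATED_ENTRY, NO_REQUEST_ENTRY):
        print(handle_pubsub_message(json.dumps(sample).encode()))
```

Matching on both `serviceName` and `methodName` is deliberate: a sink filter already narrows delivery, but the function should not trust that the only messages on the topic are the ones it expects, and the fallback to `response.email` covers entries where the request body was not logged.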

941
Multi-Selectmedium

A company needs to migrate a 5 TB Oracle database to Cloud SQL for PostgreSQL. They need to convert schemas and data, and also set up ongoing replication with minimal downtime. Which TWO services/tools should they use? (Choose TWO.)

Select 2 answers
A.Database Migration Service
B.Cloud SQL for MySQL
C.BigQuery Data Transfer Service
D.gcloud bigquery load
E.Ora2Pg
AnswersA, E

DMS supports Oracle to Cloud SQL for PostgreSQL migration with continuous CDC.

Why this answer

Ora2Pg (or the DMS conversion workspace, which is built on it) converts the Oracle schema and PL/SQL objects to PostgreSQL. Database Migration Service then performs the initial load and continuous change data capture from Oracle's redo logs (via LogMiner or its binary log reader) into Cloud SQL for PostgreSQL, so downtime is limited to the final cutover. Cloud SQL for MySQL is the wrong target engine, and the BigQuery options address a data warehouse load, not an OLTP migration.

942
MCQmedium

A DevOps team wants to automate the deployment of a microservice application to Google Kubernetes Engine (GKE) using Cloud Build. They have a Cloud Build configuration file that builds a container image and deploys it to GKE. However, the deployment step fails with an authorization error. What is the most likely cause?

A.The Cloud Build service account does not have the Kubernetes Engine Developer IAM role.
B.The user triggering the build does not have IAM permissions to deploy to GKE.
C.Cloud Build does not have permission to access the source code repository.
D.The Docker image build step failed due to missing dependencies.
AnswerA

To deploy to GKE, the service account needs roles/container.developer or roles/container.clusterAdmin.

Why this answer

Cloud Build executes build steps as the build's service account, not as the person who pushed the trigger: historically the legacy Cloud Build service account (`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`), in newer projects the Compute Engine default service account, or whatever service account the trigger specifies. That identity needs the Kubernetes Engine Developer role (`roles/container.developer`), which carries `container.clusters.get` to fetch cluster credentials and the permissions to create and update workloads inside the cluster. Without it, the `kubectl` or `gke-deploy` step is rejected by the cluster's Kubernetes API as unauthorized.

Exam trap

Google Cloud often tests the distinction between the identity that triggers a build (user) and the identity that executes build steps (Cloud Build service account), leading candidates to incorrectly blame user permissions when the service account lacks the necessary Kubernetes Engine IAM role.

How to eliminate wrong answers

Option B is wrong because the user triggering the build only needs permission to start the Cloud Build execution; the actual deployment to GKE is performed by the Cloud Build service account, not the user's identity. Option C is wrong because an authorization error during the deployment step is distinct from source code repository access; if Cloud Build lacked repository permissions, the error would occur earlier during the source fetch step, not during deployment. Option D is wrong because a Docker build failure due to missing dependencies would cause a build step failure, not an authorization error; the error message specifically indicates an authorization issue, not a build failure.

943
MCQmedium

A company is bootstrapping a Google Cloud organization. They have created a Shared VPC host project. They want to allow a service project's default compute service account to launch instances that use the Shared VPC's subnets. Which IAM role should be granted to that service account at the host project level?

A.roles/compute.xpnAdmin
B.roles/compute.securityAdmin
C.roles/compute.networkUser
D.roles/compute.networkAdmin
AnswerC

This role allows using subnets in the host project.

Why this answer

The correct answer is C because the `roles/compute.networkUser` role grants a service account the necessary permissions to use the subnets of a Shared VPC host project. Specifically, this role includes the `compute.subnetworks.use` permission, which allows the service account to launch instances in the host project's subnets without granting broader network management rights. For least privilege, grant it on the specific subnets the service project may use rather than on the whole host project.

Exam trap

The trap here is that candidates often confuse the `networkUser` role with the `networkAdmin` role, mistakenly thinking that launching instances requires full network administration privileges, when in fact only the `compute.subnetworks.use` permission is needed.

How to eliminate wrong answers

Option A is wrong because `roles/compute.xpnAdmin` is used for administering the Shared VPC (XPN) configuration itself, such as attaching or detaching service projects, not for granting a service account the ability to use subnets. Option B is wrong because `roles/compute.securityAdmin` provides permissions to manage firewall rules and SSL certificates, but does not include the `compute.subnetworks.use` permission required to launch instances in Shared VPC subnets. Option D is wrong because `roles/compute.networkAdmin` grants full control over network resources, including creating and deleting subnets, which is overly permissive and not the least-privilege role needed for simply using existing subnets.

944
MCQhard

When bootstrapping a new Google Cloud organization for DevOps, which set of initial IAM roles should be assigned to the DevOps team to enable them to create and manage projects, folders, and billing accounts?

A.Folder Admin, Billing Admin, Security Reviewer
B.Org Admin, Project Creator, Billing Admin
C.Project Creator, Billing Account User, Organization Policy Administrator
D.Project Creator, Billing Admin, Folder Admin
AnswerC

These roles provide the minimum required to create projects, link billing, and set policies.

Why this answer

Option C is correct because the DevOps team needs the Project Creator role to create new projects, the Billing Account User role to link billing accounts to those projects, and the Organization Policy Administrator role to set organization-wide policies that control resource constraints. These three roles together provide the minimum necessary permissions for bootstrapping a Google Cloud organization without granting excessive administrative privileges.

Exam trap

The trap here is that candidates often confuse Billing Admin (roles/billing.admin) with Billing Account User (roles/billing.user), mistakenly thinking full billing management is needed when only the ability to link projects to a billing account is required.

How to eliminate wrong answers

Option A is wrong because Folder Admin allows management of folder hierarchy but not project creation or billing account linking, and Security Reviewer only provides read-only access to IAM policies, lacking the permissions needed to create projects or manage billing. Option B is wrong because Org Admin grants broad organization-level management permissions that are too permissive for a DevOps team, and Project Creator alone cannot link billing accounts without the Billing Account User role. Option D is wrong because Billing Admin provides full billing account management (including modifying billing account settings), which is excessive; the correct role for linking billing is Billing Account User. Note that the stem also mentions managing folders, which the key's minimum set does not cover: a team that really must create or manage folders additionally needs `roles/resourcemanager.folderCreator` or `roles/resourcemanager.folderAdmin` on the organization or parent folder.

945
MCQeasy

A startup runs a batch data processing job every night. The job processes large datasets and takes about 6 hours to complete. The job is designed to handle interruptions gracefully by saving checkpoint files to Cloud Storage every few minutes. The startup wants to minimize compute costs. The current setup uses a managed instance group with 10 n1-standard-4 VMs running for the entire 6-hour window. They are considering using preemptible VMs. However, they are concerned about cost stability and potential preemption. What should they do?

A.Use sole-tenant nodes to improve performance.
B.Use a mix of preemptible and regular VMs to ensure at least some progress if preempted.
C.Use preemptible VMs for all instances, as the job can resume from checkpoints.
D.Use regular VMs with committed use discounts for a 1-year term.
AnswerC

Preemptible VMs offer cost savings of 60-80% and are ideal for fault-tolerant batch jobs that can checkpoint progress.

Why this answer

Option C is correct because the job is fault-tolerant and can resume from checkpoints, making preemptible VMs suitable and significantly cheaper. Option B adds unnecessary complexity. Option D requires a long-term commitment and is more expensive.

Option A increases cost without benefit.

946
Multi-Selecteasy

Which TWO are best practices for implementing service monitoring strategies in Google Cloud?

Select 2 answers
A.Monitor the four golden signals (latency, traffic, errors, saturation) for every service.
B.Rely solely on synthetic monitoring to measure user experience.
C.Define Service Level Objectives (SLOs) and use them to drive alerting.
D.Use multiple monitoring tools to cover all aspects of the system.
E.Manually analyze logs and metrics to identify issues.
AnswersA, C

The four golden signals provide a high-level overview of service health.

Why this answer

A is correct because the four golden signals (latency, traffic, errors, saturation) are the foundational metrics recommended by Google SRE practices for monitoring any service. Monitoring these signals provides a comprehensive view of service health and user experience, enabling rapid detection of issues like high latency or resource exhaustion.

Exam trap

Google Cloud often tests the misconception that synthetic monitoring is sufficient for user experience measurement, but the correct approach combines synthetic and real user monitoring to capture the full picture.

947
MCQhard

During a DMS continuous migration from MySQL to Cloud SQL, the full dump phase completed successfully, but the CDC phase is failing with 'Error: binary log not found' after a few minutes. The source MySQL has binary logs enabled. What is the most likely cause?

A.The binary logs were purged due to a short binlog_expire_logs_seconds setting.
B.The DMS connection profile has incorrect SSL settings.
C.The source database was restarted and binary logs were reset.
D.The source MySQL server has run out of disk space.
AnswerA

If logs expire before DMS consumes them, DMS cannot continue CDC.

Why this answer

DMS requires that binary logs are retained until the CDC phase has consumed them. If logs expire due to a short binlog retention period (e.g., default 1 day), the migration fails. The source should have binlog retention set to 7 days or more.

948
MCQeasy

An engineer is planning a migration from on-premises MySQL to Cloud SQL. They want to use Database Migration Service with continuous replication. What must be enabled on the source MySQL database before starting the migration job?

A.Error log
B.Slow query log
C.General query log
D.Binary logging
AnswerD

Binary logging is required for CDC to capture changes as they occur.

Why this answer

Database Migration Service with continuous replication requires binary logging (binlog) on the source MySQL instance to capture and stream ongoing changes. Binary logs record all data modifications (INSERT, UPDATE, DELETE) in a format that Cloud SQL can replay, enabling near-real-time replication without downtime. Without binary logging enabled, only a one-time snapshot migration is possible, not continuous replication.

Exam trap

The trap here is that candidates confuse logging types used for auditing or troubleshooting (error log, slow query log, general query log) with the specific binary log required for change data capture and replication in Database Migration Service.

How to eliminate wrong answers

Option A is wrong because the error log records startup/shutdown events and critical errors, which are irrelevant to capturing data changes for replication. Option B is wrong because the slow query log logs queries that exceed a defined execution time threshold, used for performance tuning, not for change data capture. Option C is wrong because the general query log records all client connections and queries, which creates excessive overhead and is not used by Database Migration Service to replicate data changes.

949
Multi-Selecthard

A company runs a Memorystore for Redis cluster with standard tier (for replication). They need to ensure high durability of session data and be able to recover from a complete zone failure. Which three actions should they take? (Choose THREE.)

Select 3 answers
A.Schedule regular exports of the instance data to Cloud Storage using gcloud
B.Configure cross-region replication to have a replica in another region
C.Use a Redis Cluster with multiple shards for horizontal scaling
D.Enable RDB persistence on the primary instance
E.Set up a second instance in a different zone and use client-side replication
AnswersA, B, E

Exports can be done via the gcloud redis instances export command (or using the console) to create backups in Cloud Storage.

Why this answer

For durability, cross-region replication provides HA across zones. Enabling persistence (RDB/AOF) is not supported in Memorystore. Regular exports to Cloud Storage can be used for backup.

Scaling horizontally with Redis Cluster can improve performance but not durability. AUTH is for security, not durability.

950
Multi-Selectmedium

A company wants to use Cloud SQL for MySQL to serve a read-heavy application. They need to ensure high availability and offload read traffic. Which TWO steps should they take? (Choose two.)

Select 2 answers
A.Schedule on-demand backups daily
B.Create a cross-region read replica
C.Create a same-region read replica
D.Enable auto-storage increase
E.Enable high availability (HA) configuration on the primary instance
AnswersC, E

Same-region read replicas offload read traffic and are low-latency.

Why this answer

To ensure high availability, create a Cloud SQL HA configuration (regional instance with standby). To offload read traffic, create read replicas. Cross-region replicas are for disaster recovery but add latency.

On-demand backups are for data protection, not availability. Auto-storage increase is for storage management.

951
MCQhard

A company uses Cloud CDN to deliver content globally. They notice increasing egress costs. Which change will most effectively reduce egress costs?

A.Switch to a premium tier network for lower egress rates.
B.Enable gzip compression for all responses.
C.Use Cloud Armor to block malicious traffic.
D.Configure Cloud CDN to cache more content and increase cache hit ratio.
AnswerD

Higher cache hit ratio reduces the amount of data fetched from the origin, lowering egress costs.

Why this answer

Increasing the cache hit ratio reduces the number of requests that reach the origin server, which directly lowers the volume of data transferred from the origin to the CDN edge. Since egress costs are primarily driven by data served from the CDN edges to users, caching more content at the edge minimizes the need to fetch and serve data from the origin, thereby reducing overall egress traffic and associated costs.

Exam trap

The trap here is that candidates often confuse reducing data size (compression) with reducing data volume (caching), or assume that blocking traffic (Cloud Armor) is the primary cost-control mechanism, when in fact increasing cache efficiency is the most direct and effective method to lower egress costs in a CDN architecture.

How to eliminate wrong answers

Option A is wrong because switching to a premium tier network typically increases egress rates (higher performance, higher cost) and does not reduce egress costs; it may even increase them. Option B is wrong because enabling gzip compression reduces the size of responses, which can lower bandwidth usage, but it does not address the root cause of egress costs—the volume of data served from the CDN—and compression is often already applied by default or has limited impact on already-compressed content like images and video. Option C is wrong because Cloud Armor blocks malicious traffic at the edge, which can reduce some egress from attacks, but legitimate user traffic still generates egress costs; blocking malicious traffic does not significantly reduce overall egress costs for a globally distributed content delivery service.

952
MCQhard

A company is bootstrapping their Google Cloud organization for DevOps. They want to implement a least-privilege model for service accounts used by CI/CD pipelines. The pipelines need to deploy resources in multiple projects. What is the best practice for managing service account keys?

A.Use a user account for the CI/CD pipeline and assign it the necessary roles.
B.Store service account keys in Secret Manager and have the pipeline retrieve them at runtime.
C.Generate a single service account key and securely distribute it to the CI/CD system.
D.Use workload identity federation to allow the CI/CD system to impersonate a service account without keys.
AnswerD

Eliminates the need for keys and follows least privilege.

Why this answer

Option D is correct because workload identity federation allows an external CI/CD system (e.g., Jenkins, GitHub Actions) to impersonate a Google Cloud service account without managing or storing any long-lived keys. This eliminates the security risk of key leakage and aligns with the least-privilege principle by enabling short-lived, scoped credentials via the Security Token Service (STS) and OAuth 2.0 token exchange.

Exam trap

Google Cloud often tests the misconception that storing keys in a secure vault like Secret Manager is the best practice, but the trap here is that any long-lived key — even if encrypted at rest — introduces a persistent secret that can be exfiltrated, whereas workload identity federation eliminates the key entirely.

How to eliminate wrong answers

Option A is wrong because using a user account violates the least-privilege model — user accounts have persistent, broad permissions and are not designed for automated pipelines, creating a security risk and auditability gap. Option B is wrong because storing service account keys in Secret Manager still requires managing a long-lived, static secret that can be compromised; the key itself is a high-value target and must be rotated, which adds operational overhead. Option C is wrong because generating a single service account key and distributing it securely still introduces a long-lived credential that can be leaked, rotated only with manual effort, and violates the principle of using short-lived, just-in-time credentials.

953
MCQhard

Refer to the exhibit. What is the effect of the metricRelabelings section in this ServiceMonitor?

A.It adds a label called 'container_' to all metrics.
B.It only keeps metrics whose name starts with 'container_'.
C.It renames all metrics with the prefix 'container_' to remove the prefix.
D.It drops all metrics whose name starts with 'container_'.
AnswerD

The drop action with regex 'container_.*' removes matching metrics.

Why this answer

The `metricRelabelings` section in a ServiceMonitor uses Prometheus relabeling rules to modify or filter metrics before ingestion. The `action: drop` directive, combined with a `regex: 'container_.*'` pattern matching the metric name, causes all metrics whose names start with 'container_' to be dropped (i.e., not scraped). This is a common pattern to exclude unwanted metrics and reduce cardinality.

Exam trap

Google Cloud often tests the distinction between `drop` and `keep` actions in relabeling configs, and the trap here is that candidates confuse 'drop' with 'keep' or mistakenly think `metricRelabelings` adds or renames labels instead of filtering metrics.

How to eliminate wrong answers

Option A is wrong because `metricRelabelings` does not add labels; it modifies or filters existing metric names or labels, and the `action: drop` specifically removes metrics, not adds. Option B is wrong because the `action: drop` with a regex that matches metrics starting with 'container_' drops those metrics, not keeps them; keeping would require `action: keep`. Option C is wrong because renaming metrics (e.g., removing a prefix) would use `action: replace` with a `replacement` field, not `action: drop`.
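The exhibit is not reproduced on this page. The following is an added Python example (not the ServiceMonitor from the question) that models Prometheus `keep`/`drop` relabeling over constructed metric names, using a rule of the shape the explanation describes (source label `__name__`, regex `container_.*`). Prometheus fully anchors relabel regexes, which the helper reproduces with `re.fullmatch`; the rule dictionaries and metric names are constructed for the example.

```python
import re

# Constructed metric names as a scrape target might expose them (sample data).
SAMPLE_METRICS = [
    "container_cpu_usage_seconds_total",
    "container_memory_working_set_bytes",
    "kube_pod_status_phase",
    "http_requests_total",
    "process_cpu_seconds_total",
]

# Constructed rules in the shape of metricRelabelings entries. Only the
# 'keep' and 'drop' actions are modelled here.
DROP_RULE = {"sourceLabels": ["__name__"], "regex": "container_.*", "action": "drop"}
KEEP_RULE = {"sourceLabels": ["__name__"], "regex": "container_.*", "action": "keep"}


def _rule_matches(rule, labels):
    """Join the source label values with ';' and match the anchored regex."""
    value = ";".join(labels.get(name, "") for name in rule.get("sourceLabels", []))
    return re.fullmatch(rule.get("regex", "(.*)"), value) is not None


def apply_relabelings(metric_names, rules):
    """Return the metric names that survive the keep/drop rules, in order."""
    survivors = []
    for name in metric_names:
        labels = {"__name__": name}
        keep_metric = True
        for rule in rules:
            action = rule.get("action", "replace")
            if action not in ("keep", "drop"):
                raise ValueError(f"action {action!r} is not modelled in this example")
            hit = _rule_matches(rule, labels)
            # 'drop' removes a match; 'keep' removes everything that is NOT a match.
            if (action == "drop" and hit) or (action == "keep" and not hit):
                keep_metric = False
                break
        if keep_metric:
            survivors.append(name)
    return survivors


if __name__ == "__main__":
    print("after drop:", apply_relabelings(SAMPLE_METRICS, [DROP_RULE]))
    print("after keep:", apply_relabelings(SAMPLE_METRICS, [KEEP_RULE]))
```

Running it shows the two outcomes side by side: the `drop` rule leaves only the non-`container_` series, while the same regex under `keep` leaves only the `container_` series, which is exactly the distinction the trap tests.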

954
MCQhard

A company wants to enforce that all projects in the organization have a specific VPC Service Controls perimeter. What is the most efficient way to achieve this?

A.Use folder-level VPC Service Controls perimeters.
B.Use project-level VPC Service Controls perimeters.
C.Use organization policies to set the perimeter.
D.Use a custom script to monitor and alert on non-compliant projects.
AnswerA

Folder-level perimeters apply to all projects in the folder, ensuring consistent enforcement.

Why this answer

Folder-level VPC Service Controls perimeters allow you to apply a single perimeter configuration to all projects within a folder, ensuring consistent enforcement across the organization without needing to configure each project individually. This is the most efficient method because it leverages the resource hierarchy to inherit the policy, reducing administrative overhead and preventing misconfigurations.

Exam trap

The trap here is that candidates often confuse organization policies with VPC Service Controls, assuming that an organization policy can directly set a perimeter, but in reality, organization policies are for different constraints and cannot define perimeters.

How to eliminate wrong answers

Option B is wrong because project-level perimeters require manual attachment to each project, which is inefficient and error-prone for enforcing a policy across many projects. Option C is wrong because organization policies (e.g., constraints/compute.restrictVpcPeering) cannot directly define VPC Service Controls perimeters; they are used for different types of restrictions like resource location or service usage. Option D is wrong because a custom script only monitors and alerts on non-compliance but does not enforce the perimeter, leaving a window of non-compliance and requiring additional remediation steps.

955
MCQeasy

A company runs Cloud SQL for PostgreSQL and wants to automatically increase storage when usage reaches a threshold. What should they enable?

A.Create a cron job to resize via gcloud
B.Configure automated backups
C.Use Active Assist recommendations to resize
D.Enable storage auto-increase in instance settings
AnswerD

This feature automatically increases disk size when usage is high.

Why this answer

Cloud SQL has a built-in 'auto-storage increase' feature that automatically adds storage when necessary, avoiding manual intervention.

956
Multi-Selectmedium

A company is using Bigtable for a high-throughput write workload. They need to monitor replication lag between clusters in a replicated setup and ensure that reads are eventually consistent. Which two configurations should they check? (Choose TWO.)

Select 2 answers
A.Create a replication dashboard in Data Studio
B.Set the replication consistency level to 'strong'
C.Ensure replication is set to asynchronous (default)
D.Monitor the 'bigtable.googleapis.com/cluster/replication_lag' metric
E.Enable synchronous replication for zero lag
AnswersC, D

Async replication is the default and provides eventual consistency.

Why this answer

Bigtable replication is asynchronous and eventually consistent by default. Replication lag can be monitored using the 'replication lag' metric in Cloud Monitoring. Consistency levels are not configurable; async is the default.

957
Multi-Selecthard

An engineer is manually migrating a MySQL database to Cloud SQL using mysqldump and import. They need to capture the binary log position to enable CDC with Database Migration Service later. Which TWO mysqldump flags should they include to ensure a consistent snapshot and capture the log position? (Choose 2 correct answers.)

Select 2 answers
A.--no-data
B.--single-transaction
C.--master-data=2
D.--skip-lock-tables
E.--triggers
AnswersB, C

--single-transaction ensures a consistent snapshot without locking tables.

Why this answer

--single-transaction ensures a consistent snapshot by starting a transaction and avoiding table locks (for InnoDB). --master-data=2 writes the binary log position as a comment in the dump file (value 2). --skip-lock-tables is not needed because --single-transaction handles consistency. --triggers exports triggers but not binary log position. --no-data excludes data.

958
Multi-Selectmedium

A site reliability engineer is defining SLOs for a microservice application running on Google Kubernetes Engine. The application serves user-facing API requests. Which TWO approaches should the engineer take to effectively monitor the service's performance?

Select 2 answers
A.Monitor average latency because it is most representative of typical user experience.
B.Monitor container CPU utilization as a proxy for application latency.
C.Monitor the 99th percentile of request latency directly using Cloud Monitoring custom metrics.
D.Use logs-based metrics to count error rates (e.g., HTTP 5xx responses).
E.Use the number of running pods as the primary SLO indicator.
AnswersC, D

Direct latency measurement at the 99th percentile accurately reflects the experience of slow requests and is a standard SLO indicator.

Why this answer

Option C is correct because monitoring the 99th percentile (p99) of request latency directly captures the experience of the slowest 1% of users, which is critical for user-facing APIs where tail latency directly impacts user satisfaction. Cloud Monitoring custom metrics allow the engineer to instrument the application to emit precise latency distributions, enabling accurate SLO tracking rather than relying on averages that mask outliers.

Exam trap

Google Cloud often tests the misconception that average latency or infrastructure metrics like CPU/pod count are sufficient for SLOs, when in fact user-facing SLOs must directly measure the user experience via tail latency and error rates.
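To make the difference between an average and a tail percentile concrete, here is an added Python example (not from the question bank) that computes the two SLIs the correct options name, p99 request latency and the HTTP 5xx error ratio, from constructed request log lines and checks them against an SLO. The log format, the SLO targets and the nearest-rank percentile method are assumptions of the example.

```python
import math

# Constructed (status, latency_ms) samples: mostly fast requests, one slow one.
_SAMPLE_REQUESTS = [
    (200, 42), (200, 55), (200, 38), (200, 61), (200, 47),
    (503, 950), (200, 52), (200, 44), (200, 39), (200, 58),
    (200, 49), (200, 63), (200, 41), (200, 46), (200, 37),
    (200, 54), (500, 60), (200, 45), (200, 48), (200, 51),
]

# Constructed key=value log lines in an assumed format.
SAMPLE_LOG_LINES = [
    f"ts=2024-01-01T00:00:{i:02d}Z method=GET path=/api/v1/items status={s} latency_ms={l}"
    for i, (s, l) in enumerate(_SAMPLE_REQUESTS)
]


def parse_log_line(line):
    """Return (status, latency_ms) from one key=value log line."""
    fields = dict(token.split("=", 1) for token in line.split())
    return int(fields["status"]), float(fields["latency_ms"])


def percentile(values, p):
    """Nearest-rank percentile (0 < p <= 100) over a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def compute_slis(lines):
    """Compute request count, 5xx error ratio, p99 and average latency."""
    statuses, latencies = zip(*(parse_log_line(line) for line in lines))
    total = len(statuses)
    errors = sum(1 for status in statuses if 500 <= status <= 599)
    return {
        "requests": total,
        "error_ratio": errors / total,
        "p99_latency_ms": percentile(latencies, 99),
        "avg_latency_ms": sum(latencies) / total,
    }


def slo_compliant(slis, p99_target_ms=500.0, max_error_ratio=0.01):
    """True when both the latency SLO and the availability SLO are met."""
    return slis["p99_latency_ms"] <= p99_target_ms and slis["error_ratio"] <= max_error_ratio


if __name__ == "__main__":
    result = compute_slis(SAMPLE_LOG_LINES)
    print(result)
    print("SLO met:", slo_compliant(result))
```

On the sample data the average latency is well under 100 ms while the p99 is 950 ms, so an average-based check would report a healthy service that is in fact violating its tail-latency SLO; the 5xx count from the same lines gives the error-rate SLI directly.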

959
Multi-Selecthard

Which TWO of the following are essential elements of a comprehensive incident post-mortem document according to Google's Site Reliability Engineering (SRE) best practices?

Select 2 answers
A.Exact code line numbers and commits that caused the incident.
B.A timeline of events leading to and during the incident.
C.A detailed analysis of the root cause only.
D.An attribution of blame to the individual or team responsible.
E.A list of action items with owners and deadlines to prevent recurrence.
AnswersB, E

A timeline helps reconstruct the sequence of events.

Why this answer

Option B is correct because a timeline of events is a core element of an incident post-mortem in Google SRE practice, as it provides a chronological reconstruction of the incident's progression, enabling teams to understand the sequence of failures and responses. This timeline is essential for identifying contributing factors and evaluating the effectiveness of mitigation actions, not just the root cause.

Exam trap

Google Cloud often tests the misconception that a post-mortem is solely about finding the root cause or assigning blame, but SRE best practices emphasize a blameless culture and a comprehensive review that includes a timeline and actionable follow-ups.

960
MCQhard

You are designing a Spanner schema for a social media application. The table Posts has primary key (UserId, PostId) where PostId is a UUID. The application frequently queries all posts for a given user, ordered by timestamp descending. The current schema uses PostId as the second part of the key, which is random. How can you improve read performance for this query pattern?

A.Use a hash prefix on UserId
B.Create a secondary index on (UserId, Timestamp DESC) with STORING clause
C.Use a materialized view
D.Change the primary key to (UserId, Timestamp, PostId)
AnswerB

This index supports the query pattern efficiently without changing the primary key.

Why this answer

To serve "all posts for a user, newest first" efficiently, the timestamp must follow UserId in whichever key the query is served from. With PostId (a random UUID) as the second key part, the primary key provides no useful ordering. Adding a timestamp column and creating a secondary index with descending order supports the query, at the cost of some write overhead.

Another approach is to change the primary key to (UserId, Timestamp, PostId) and use a separate mechanism to avoid hotspots (e.g., a hash prefix on Timestamp). The simplest improvement, however, is a secondary index on (UserId, Timestamp DESC). The question asks how to improve read performance, and a secondary index with a STORING clause provides good performance for this pattern.

The best answer is to create a secondary index on UserId and Timestamp with STORING to include the other columns the query needs.

961
MCQhard

A company runs a critical application on Compute Engine instances behind a TCP/UDP Network Load Balancer. They notice intermittent high latency for a subset of users. The application logs show no errors, and instance CPU is below 50%. Which next step is most effective to diagnose the latency?

A.Increase the number of instances behind the load balancer.
B.Enable VPC Flow Logs and analyze for dropped packets.
C.Switch to an HTTP(S) Load Balancer for better visibility.
D.Analyze Cloud Monitoring metrics for the load balancer, including backend latency and request counts.
AnswerD

These metrics pinpoint where latency occurs.

Why this answer

Option D is correct because Cloud Monitoring provides detailed metrics for TCP/UDP Network Load Balancers, including backend latency and request counts, which directly help identify whether the latency originates from the load balancer itself or the backend instances. Since instance CPU is below 50% and application logs show no errors, the issue is likely at the network or load balancer level, and these metrics offer the most targeted diagnostic data without changing the architecture.

Exam trap

The trap here is that candidates assume VPC Flow Logs (Option B) are the go-to tool for diagnosing latency, but they only show flow-level metadata and not latency metrics, whereas Cloud Monitoring provides the specific performance data needed for this scenario.

How to eliminate wrong answers

Option A is wrong because increasing the number of instances does not diagnose the root cause of latency; it only masks the symptom and may not help if the issue is due to network congestion, load balancer configuration, or regional user distribution. Option B is wrong because VPC Flow Logs capture metadata about network flows (e.g., source/destination IP, ports, packet count) but do not provide latency or dropped packet analysis for a Network Load Balancer; they are more suited for security auditing or connection tracking, not performance diagnostics. Option C is wrong because switching to an HTTP(S) Load Balancer would change the architecture and introduce Layer 7 processing overhead, which is unnecessary for a TCP/UDP application and does not directly diagnose the existing latency issue; the current load balancer type is appropriate for the protocol, and the problem should be investigated with existing monitoring tools.

962
MCQhard

A media streaming service uses Cloud Storage to store video files and serves them via Cloud CDN. Users in Asia report buffering issues. The team notices that the cache hit ratio is low in that region. The origin is a single Cloud Storage bucket in us-central1. Which set of actions would best improve performance for Asian users?

A.Use Cloud Load Balancing with Cloud Armor to protect the origin.
B.Enable HTTP/2 on Cloud CDN and increase the TTL for video content.
C.Configure a custom domain on Cloud CDN with SSL and enable request collapsing.
D.Create a new Cloud Storage bucket in an Asian region and use dual-region bucket with Cloud CDN.
AnswerD

A closer origin reduces latency for cache misses, improving performance.

Why this answer

Option D is correct because creating a new Cloud Storage bucket in an Asian region and using a dual-region bucket with Cloud CDN reduces latency by serving content from a geographically closer origin, improving cache hit ratios for Asian users. Cloud CDN caches content at edge locations, but if the origin is far away (us-central1), the first miss still incurs high latency. A dual-region bucket provides a local origin for cache misses, significantly reducing round-trip time.

Exam trap

Google Cloud often tests the misconception that Cloud CDN alone solves all latency issues, but the trap here is that cache hit ratio depends on both edge caching and origin proximity; without a local origin, cache misses still cause high latency for distant users.

How to eliminate wrong answers

Option A is wrong because Cloud Load Balancing with Cloud Armor provides DDoS protection and traffic distribution, but does not address the low cache hit ratio or reduce latency for Asian users; it does not change the origin location or caching behavior. Option B is wrong because enabling HTTP/2 and increasing TTL for video content can improve performance generally, but HTTP/2 does not fix the fundamental issue of a distant origin, and longer TTLs only help if content is already cached; they do not improve cache hit ratio for a region with a faraway origin. Option C is wrong because configuring a custom domain with SSL and enabling request collapsing improves security and reduces origin load by collapsing concurrent requests, but does not address the geographic distance between Asian users and the us-central1 origin, so cache misses still suffer high latency.

963
MCQeasy

Which Google Cloud service provides a fully managed, private Git repository that integrates with Cloud Build for continuous integration?

A.Cloud Deployment Manager
B.Cloud Source Repositories
C.Cloud Storage
D.Container Registry
AnswerB

Designed for hosted Git repositories; native integration with Cloud Build.

Why this answer

Cloud Source Repositories is the correct answer because it provides fully managed, private Git repositories hosted on Google Cloud. It integrates natively with Cloud Build, enabling automatic triggers for continuous integration (CI) pipelines whenever code is pushed to a repository branch or tag, without requiring external Git hosting.

Exam trap

The trap here is confusing Cloud Source Repositories with Container Registry, as both integrate with Cloud Build, but only Cloud Source Repositories provides Git repository hosting, while Container Registry stores built container images.

How to eliminate wrong answers

Option A is wrong because Cloud Deployment Manager is an infrastructure-as-code service for managing Google Cloud resources using declarative templates (YAML/Python), not a Git repository service. Option C is wrong because Cloud Storage is an object storage service for storing unstructured data (blobs) via HTTP/S, not a Git repository with version control or CI integration. Option D is wrong because Container Registry is a private container image registry for storing and managing Docker images, not a Git repository; it integrates with Cloud Build for building images from source, but it does not host Git repositories.

964
MCQmedium

A mid-size company has multiple Google Cloud projects for different departments. The finance team wants to set up budget alerts to track spending across all projects. They have enabled billing export to BigQuery. The budget should trigger alerts when total cumulative spending exceeds 80% and 100% of the monthly budget of $10,000. The budget must be applied across all projects in the organization. They created a budget at the billing account level with amount $10,000, set alert thresholds at 80% and 100%, and added email recipients. However, after two weeks, spending in one project alone has exceeded $8,000 but no alert was triggered. What is the most likely cause?

A.The budget was set at the organization level, not billing account.
B.The budget was scoped to a single project instead of the billing account.
C.The budget thresholds were set as percentage of current spending not cumulative.
D.The budget amount includes credits or discounts.
AnswerB

A budget scoped to a single project only monitors that project's spending, missing spending from other projects.

Why this answer

Option B is correct. If the budget was scoped to a single project, it would not consider spending from other projects. Option D is incorrect because credits do not affect whether alerts are triggered.

Option C is incorrect; thresholds are based on cumulative spending. Option A is incorrect because budgets must be at the billing account level, not the organization level.

965
Multi-Selectmedium

An engineer is designing a Cloud Spanner schema for a social media application. The database will have a User table and a Post table. Users have many posts, and the application frequently queries all posts for a user, ordered by timestamp. Which two schema design choices will improve performance? (Choose two.)

Select 2 answers
A.Interleave the Post table within the User table.
B.Create a secondary index on PostId.
C.Use a monotonically increasing integer for PostId.
D.Use a UUID for PostId.
E.Use (UserId, PostTimestamp) as the primary key of the Post table.
AnswersA, E

Interleaving optimizes parent-child queries.

Why this answer

Option A is correct because interleaving the Post table within the User table physically co-locates rows for a user and their posts on the same split, enabling fast, low-latency queries for all posts by a user. This design avoids cross-node lookups and leverages Cloud Spanner's hierarchical storage to reduce read overhead.

Exam trap

Google Cloud often tests the misconception that any index or unique key design is beneficial, but in Cloud Spanner, the physical storage order and interleaving are critical for query performance, not just uniqueness or distribution.

966
MCQhard

A team uses Cloud SQL for MySQL. They have read-heavy traffic and want to reduce costs. Which strategy is most effective?

A.Use read replicas to offload read queries.
B.Use committed use discounts.
C.Use High Availability with a standby instance.
D.Use vertical scaling to increase instance size.
AnswerA

Read replicas distribute reads, reducing primary load and enabling potential downsizing.

Why this answer

Using read replicas offloads read queries from the primary instance, allowing the primary to be downsized or use a lower-tier instance, reducing cost.

967
MCQhard

A financial services company is migrating from an on-premises Oracle RAC database to Cloud Spanner. The current application uses sequences to generate globally unique IDs for transactions. To avoid creating hotspots in Spanner, the database architect recommends using a different primary key strategy. Which primary key design is most appropriate for Spanner to avoid hotspots?

A.Use a bit-reversed sequential key generated by the application.
B.Use a UUID string as the primary key.
C.Continue using sequential IDs from Oracle sequences to maintain consistency.
D.Use a composite key with a hash prefix derived from the transaction timestamp.
AnswerA

Bit-reversed keys distribute writes evenly while preserving some locality, avoiding hotspots.

Why this answer

Option A is correct because bit-reversed sequential keys distribute writes evenly across Cloud Spanner's split boundaries, preventing hotspots. Spanner uses key-range-based sharding, so monotonically increasing keys (like Oracle sequences) cause all new writes to hit a single split, leading to contention. Bit-reversal spreads sequential values across the key space, ensuring balanced write distribution.

Exam trap

Google Cloud often tests the misconception that UUIDs are always the best choice for distributed databases, but in Spanner, they cause storage bloat and poor performance; the trap here is that candidates may overlook the specific hotspot issue with sequential keys and choose UUIDs for their uniqueness without considering Spanner's key-range sharding behavior.

How to eliminate wrong answers

Option B is wrong because UUIDs, while random, are 128-bit strings that cause excessive storage overhead and poor read locality in Spanner; they also lead to random splits and inefficient range scans. Option C is wrong because continuing to use sequential IDs from Oracle sequences creates monotonically increasing keys, which cause all new writes to target the same Spanner split, creating a hotspot. Option D is wrong because a composite key with a hash prefix derived from the transaction timestamp can still lead to hotspots if the timestamp is monotonically increasing; additionally, hash prefixes add complexity and may not guarantee uniform distribution if the hash function is not carefully chosen.

968
MCQmedium

A GKE cluster node fails, causing pods to be rescheduled. However, some pods remain in 'CrashLoopBackOff' state. After examining logs, you find the application has a dependency on local SSD that was ephemeral. What is the best long-term solution?

A.Use PersistentVolumes with ReadWriteOnce access mode.
B.Configure pod anti-affinity.
C.Increase the node pool size.
D.Use a DaemonSet to run the application.
AnswerA

PersistentVolumes retain data across pod rescheduling and node failures.

Why this answer

The correct answer is A because the application's dependency on local SSD (ephemeral storage) means that when the node fails, the data is lost, causing the pods to crash. PersistentVolumes (PVs) with ReadWriteOnce (RWO) access mode provide durable, node-independent storage that survives node failures, ensuring pods can be rescheduled on any node and access their data. This is the best long-term solution because it decouples storage from the node lifecycle, preventing CrashLoopBackOff due to missing local data.

Exam trap

Google Cloud often tests the misconception that scaling resources (e.g., node pool size) or controlling pod placement (e.g., anti-affinity) can fix data persistence issues, but the trap here is that ephemeral storage is tied to the node's lifecycle, so only persistent storage solutions like PersistentVolumes address the root cause.

How to eliminate wrong answers

Option B is wrong because pod anti-affinity controls pod placement (e.g., spreading pods across nodes) but does not address the root cause of data loss from ephemeral local SSD; it would not prevent CrashLoopBackOff if the data is missing. Option C is wrong because increasing the node pool size adds more nodes but does not solve the problem of ephemeral storage being tied to a failed node; pods would still fail on new nodes if they rely on local SSD that is not replicated. Option D is wrong because a DaemonSet runs one pod per node, but it does not provide persistent storage; if the node fails, the pod is rescheduled on another node without the local SSD data, leading to the same CrashLoopBackOff issue.

969
MCQmedium

An organization is migrating an Oracle database to Cloud SQL for PostgreSQL. They have numerous stored procedures written in PL/SQL. Which tool should they use to automatically convert these procedures to PL/pgSQL?

A.Ora2Pg
B.BigQuery Data Transfer Service
C.Database Migration Service (DMS)
D.gcloud sql import
AnswerA

Ora2Pg is designed for Oracle-to-PostgreSQL schema conversion, including stored procedures.

Why this answer

Ora2Pg is a schema conversion tool that translates Oracle PL/SQL code to PostgreSQL PL/pgSQL, handling data type mappings and object conversions.

970
MCQmedium

A team uses Spanner for a global database. They notice increased read latency and high CPU utilization on some nodes. The workload is read-heavy with occasional writes. Which action is most likely to improve performance?

A.Create read-only replicas in each region.
B.Split the most frequently read tables into smaller tables.
C.Increase the number of nodes in the instance.
D.Add more nodes to the instance and ensure read requests are distributed evenly.
AnswerD

More nodes spread read load and reduce CPU per node.

Why this answer

In a read-heavy Spanner workload with high CPU utilization on some nodes, adding more nodes and ensuring read requests are distributed evenly (Option D) directly addresses the bottleneck by increasing the instance's compute capacity and spreading the load across all nodes. Spanner's architecture uses a shared-nothing design where each node handles a portion of the data and traffic; uneven distribution can cause hot spots. Adding nodes scales out processing power, and ensuring even distribution (e.g., via proper key design or using Spanner's built-in load balancing) reduces latency and CPU spikes on individual nodes.

Exam trap

Google Cloud often tests the misconception that adding nodes alone (Option C) solves performance issues, but the trap is that without even distribution of read requests, hot spots persist, making Option D the only complete solution.

How to eliminate wrong answers

Option A is wrong because read-only replicas in Spanner are used for improving read latency for stale reads (non-strong reads) and do not reduce CPU utilization on the primary nodes; they also cannot serve strong reads, which are common in read-heavy workloads. Option B is wrong because splitting frequently read tables into smaller tables does not inherently reduce CPU utilization or read latency; it may increase complexity and cross-table joins, and Spanner already partitions data into splits automatically. Option C is wrong because simply increasing the number of nodes without ensuring even distribution of read requests can leave hot spots unresolved; the key issue is uneven load, not just insufficient capacity.

971
MCQmedium

Your Firestore database in Native mode is used by a mobile app. You need to query a collection where documents are filtered by two fields: 'status' (string) and 'createdAt' (timestamp). The query is not performing as expected. What action is required?

A.Create an index exemption for the collection to allow multi-field queries.
B.Add a third field to the query to make it more specific.
C.Create a composite index on the 'status' and 'createdAt' fields.
D.Ensure that single-field indexes exist for both 'status' and 'createdAt'.
AnswerC

Composite indexes are required for multi-field queries. Firestore does not automatically create them.

Why this answer

Firestore in Native mode requires a composite index to efficiently query documents filtered by multiple fields, such as 'status' and 'createdAt'. Without this index, the query may fail or perform poorly, as Firestore cannot combine separate single-field indexes for equality and range filters. Option C is correct because creating a composite index on both fields enables the query to run as expected.

Exam trap

This exam often tests the misconception that single-field indexes are sufficient for multi-field queries, but Firestore requires composite indexes for any query combining equality and range filters on different fields.

How to eliminate wrong answers

Option A is wrong because index exemptions are not a Firestore feature; they are used in other databases like Cloud Datastore to skip automatic index creation, but Firestore requires explicit composite indexes for multi-field queries. Option B is wrong because adding a third field does not resolve the missing composite index requirement; it would only introduce another filter that still needs indexing. Option D is wrong because single-field indexes exist by default in Firestore for all fields, but they cannot be combined to support queries with both an equality filter on 'status' and a range filter on 'createdAt'; a composite index is mandatory.

972
Multi-Selectmedium

A team is planning a migration from Oracle to PostgreSQL on Cloud SQL. They use Ora2Pg to convert the schema. Which THREE Oracle data types require special attention for correct mapping to avoid data loss or precision issues? (Choose 3 correct answers.)

Select 3 answers
A.DATE
B.NUMBER(10,2)
C.FLOAT
D.CLOB
E.VARCHAR2
AnswersA, B, D

Oracle DATE includes time; maps to TIMESTAMP, not DATE.

Why this answer

NUMBER(10,2) maps to NUMERIC(10,2) (exact). DATE in Oracle includes time, so it maps to TIMESTAMP. CLOB maps to TEXT.

VARCHAR2 maps to VARCHAR. FLOAT maps to double precision, but NUMBER(10) without decimal maps to INTEGER. The tricky ones are DATE (includes time), NUMBER with precision (exact numeric), and CLOB (large text).

973
Multi-Selectmedium

A team is optimizing a Cloud Run service. Which two actions can reduce request latency? (Select TWO.)

Select 2 answers
A.Increase max-instances
B.Enable HTTP/2
C.Reduce container image size
D.Use a regional endpoint
E.Enable min-instances
AnswersC, E

A smaller image reduces startup time, lowering latency for new instances.

Why this answer

Reducing the container image size decreases the time required to pull the image from the registry to the compute instance, which directly reduces cold-start latency. Enabling min-instances keeps a specified number of instances always warm, eliminating cold-start delays for baseline traffic. Both actions address the most common sources of latency in serverless Cloud Run deployments.

Exam trap

This exam often tests the misconception that increasing max-instances or enabling HTTP/2 directly reduces per-request latency, when in fact those options address scalability and concurrency, not the cold-start or image-pull delays that dominate latency in serverless environments.

974
MCQmedium

An e-commerce platform uses Cloud Spanner with a table Orders and a child table OrderItems. The primary key of Orders is (CustomerId, OrderId) where OrderId is a UUID. The primary key of OrderItems is (CustomerId, OrderId, ItemId). However, writes to OrderItems are creating hotspots. What is the most likely cause?

A.Using UUID for OrderId causes random writes
B.The primary key is too long
C.The parent-child interleaving is not defined correctly
D.The leading key (CustomerId) is monotonically increasing
AnswerD

Monotonically increasing leading keys cause writes to concentrate on one tablet, creating hotspots.

Why this answer

Hotspots occur when writes are concentrated on a small range of keys. OrderId is a UUID, so it is already random, but it is not the leading key part: both tables lead with CustomerId, and because Spanner shards by key range, the leading column decides which split new rows land on. Using CustomerId first can concentrate writes if certain customers place many orders, and because OrderItems shares the CustomerId and OrderId prefix, all items for one order are interleaved and written adjacently.

The decisive factor, though, is how CustomerId values are generated. If customers are assigned IDs sequentially (for example, auto-increment), every new customer's orders and items fall at the end of the key space and concentrate on one split; the random UUID in the second key part cannot spread them out. In Spanner the first key part must be well distributed, so the cause is a monotonically increasing leading key, which is what Option D describes.

975
MCQmedium

You are using Memorystore for Redis with persistence disabled. Your application requires that no data is lost in the event of a node failure. What should you do to achieve this requirement?

A.Configure a cross-region replica to provide failover and data durability.
B.Enable AOF persistence in Memorystore.
C.Take regular on-demand backups using gcloud redis instances export.
D.Increase the maxmemory setting to store more data.
AnswerA

A cross-region replica provides redundancy and can be promoted on failure, protecting against data loss.

Why this answer

Option A is correct because a cross-region replica provides a fully independent copy of the data in a different geographic region. In the event of a node failure (or even a full zonal outage), the replica can be promoted to primary, ensuring no data loss since the data is asynchronously replicated. This meets the requirement of zero data loss during node failure without relying on persistence, which is disabled.

Exam trap

This exam often tests the misconception that enabling persistence (AOF/RDB) is sufficient for node failure protection, but persistence only protects against data loss on restart, not against the complete loss of a node; candidates must recognize that replication (cross-region replica) is required for high availability and data durability during node failures.

How to eliminate wrong answers

Option B is wrong because enabling AOF (Append-Only File) persistence in Memorystore would write every write operation to disk, but with persistence disabled, this option is not available and would not prevent data loss during a node failure—it only protects against data loss on restart, not against node failure where the node is lost entirely. Option C is wrong because taking regular on-demand backups using gcloud redis instances export creates point-in-time snapshots, but these backups are not real-time; any data written between the last backup and the node failure would be lost, failing the 'no data lost' requirement. Option D is wrong because increasing the maxmemory setting only controls the maximum amount of memory Redis can use; it does nothing to protect against data loss during a node failure, as it does not create redundancy or durability.
