Summer Sale 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Google Cloud Certified - Associate Cloud Engineer Question and Answers

Google Cloud Certified - Associate Cloud Engineer

Last Update Jul 14, 2026
Total Questions : 363

We are offering FREE Associate-Cloud-Engineer Google exam questions. All you do is to just go and sign up. Give your details, prepare Associate-Cloud-Engineer free exam questions and then go for complete pool of Google Cloud Certified - Associate Cloud Engineer test questions that will help you more.

Associate-Cloud-Engineer pdf

Associate-Cloud-Engineer PDF

$36.75  $104.99
Associate-Cloud-Engineer Engine

Associate-Cloud-Engineer Testing Engine

$43.75  $124.99
Associate-Cloud-Engineer PDF + Engine

Associate-Cloud-Engineer PDF + Testing Engine

$57.75  $164.99
Questions 1

You have designed a solution on Google Cloud Platform (GCP) that uses multiple GCP products. Your company has asked you to estimate the costs of the solution. You need to provide estimates for the monthly total cost. What should you do?

Options:

A.  

For each GCP product in the solution, review the pricing details on the products pricing page. Use the pricing calculator to total the monthly costs for each GCP product.

B.  

For each GCP product in the solution, review the pricing details on the products pricing page. Create a Google Sheet that summarizes the expected monthly costs for each product.

C.  

Provision the solution on GCP. Leave the solution provisioned for 1 week. Navigate to the Billing Report page in the Google Cloud Platform Console. Multiply the 1 week cost to determine the monthly costs.

D.  

Provision the solution on GCP. Leave the solution provisioned for 1 week. Use Stackdriver to determine the provisioned and used resource amounts. Multiply the 1 week cost to determine the monthly costs.

Discussion 0
Questions 2

You are managing a project for the Business Intelligence (BI) department in your company. A data pipeline ingests data into BigQuery via streaming. You want the users in the BI department to be able to run the custom SQL queries against the latest data in BigQuery. What should you do?

Options:

A.  

Create a Data Studio dashboard that uses the related BigQuery tables as a source and give the BI team view access to the Data Studio dashboard.

B.  

Create a Service Account for the BI team and distribute a new private key to each member of the BI team.

C.  

Use Cloud Scheduler to schedule a batch Dataflow job to copy the data from BigQuery to the BI team ' s internal data warehouse.

D.  

Assign the IAM role of BigQuery User to a Google Group that contains the members of the BI team.

Discussion 0
Questions 3

The storage costs for your application logs have far exceeded the project budget. The logs are currently being retained indefinitely in the Cloud Storage bucket myapp-gcp-ace-logs. You have been asked to remove logs older than 90 days from your Cloud Storage bucket. You want to optimize ongoing Cloud Storage spend. What should you do?

Options:

A.  

Write a script that runs gsutil Is -| – gs://myapp-gcp-ace-logs/ to find and remove items older than 90 days. Schedule the script with cron.

B.  

Write a lifecycle management rule in JSON and push it to the bucket with gsutil lifecycle set config-json-file.

C.  

Write a lifecycle management rule in XML and push it to the bucket with gsutil lifecycle set config-xml-file.

D.  

Write a script that runs gsutil Is -Ir gs://myapp-gcp-ace-logs/ to find and remove items older than 90 days. Repeat this process every morning.

Discussion 0
Questions 4

You are creating an application that will run on Google Kubernetes Engine. You have identified MongoDB as the most suitable database system for your application and want to deploy a managed MongoDB environment that provides a support SLA. What should you do?

Options:

A.  

Create a Cloud Bigtable cluster and use the HBase API

B.  

Deploy MongoDB Alias from the Google Cloud Marketplace

C.  

Download a MongoDB installation package and run it on Compute Engine instances

D.  

Download a MongoDB installation package, and run it on a Managed Instance Group

Discussion 0
Questions 5

Your company is seeking a scalable solution to retain and explore application logs hosted on Compute Engine. You must be able to analyze your logs with SQL queries, and you want to be able to create charts to identify patterns and trends in your logs over time. You want to follow Google-recommended practices and minimize your operational costs. What should you do?

Options:

A.  

Use a custom script to push your application logs to Cloud SQL for exploration.

B.  

Ingest your application logs to Cloud Logging by using Ops Agent, and explore your logs in Logs Explorer.

C.  

Ingest your application logs to Cloud Logging by using Ops Agent, and explore your logs with Log Analytics.

D.  

Use a custom script to push your application logs to BigQuery for exploration.

Discussion 0
Questions 6

You want to find out when users were added to Cloud Spanner Identity Access Management (IAM) roles on your Google Cloud Platform (GCP) project. What should you do in the GCP Console?

Options:

A.  

Open the Cloud Spanner console to review configurations.

B.  

Open the IAM & admin console to review IAM policies for Cloud Spanner roles.

C.  

Go to the Stackdriver Monitoring console and review information for Cloud Spanner.

D.  

Go to the Stackdriver Logging console, review admin activity logs, and filter them for Cloud Spanner IAM roles.

Discussion 0
Questions 7

Your company is running a critical workload on a single Compute Engine VM instance. Your company ' s disaster recovery policies require you to backup the entire instance ' s disk data every day. The backups must be retained for 7 days. You must configure a backup solution that complies with your company ' s security policies and requires minimal setup and configuration. What should you do?

Options:

A.  

Configure the instance to use persistent disk asynchronous replication.

B.  

Configure daily scheduled persistent disk snapshots with a retention period of 7 days.

C.  

Configure Cloud Scheduler to trigger a Cloud Function each day that creates a new machine image and deletes machine images that are older than 7 days.

D.  

Configure a bash script using gsutil to run daily through a cron job. Copy the disk ' s files to a Cloud Storage bucket with archive storage class and an object lifecycle rule to delete the objects after 7 days.

Discussion 0
Questions 8

You have an application that runs on Compute Engine VM instances in a custom Virtual Private Cloud (VPC). Your company ' s security policies only allow the use to internal IP addresses on VM instances and do not let VM instances connect to the internet. You need to ensure that the application can access a file hosted in a Cloud Storage bucket within your project. What should you do?

Options:

A.  

Enable Private Service Access on the Cloud Storage Bucket.

B.  

Add slorage.googleapis.com to the list of restricted services in a VPC Service Controls perimeter and add your project to the list to protected projects.

C.  

Enable Private Google Access on the subnet within the custom VP

C.  

D.  

Deploy a Cloud NAT instance and route the traffic to the dedicated IP address of the Cloud Storage bucket.

Discussion 0
Questions 9

You have one project called proj-sa where you manage all your service accounts. You want to be able to use a service account from this project to take snapshots of VMs running in another project called proj-vm. What should you do?

Options:

A.  

Download the private key from the service account, and add it to each VMs custom metadata.

B.  

Download the private key from the service account, and add the private key to each VM’s SSH keys.

C.  

Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

D.  

When creating the VMs, set the service account’s API scope for Compute Engine to read/write.

Discussion 0
Questions 10

You recently discovered that your developers are using many service account keys during their development process. While you work on a long term improvement, you need to quickly implement a process to enforce short-lived service account credentials in your company. You have the following requirements:

• All service accounts that require a key should be created in a centralized project called pj-sa.

• Service account keys should only be valid for one day.

You need a Google-recommended solution that minimizes cost. What should you do?

Options:

A.  

Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.

B.  

Implement a Kubernetes Cronjob to rotate all service account keys periodically. Disable attachment ofservice accounts to resources in all projects with an exception to pj-sa.

C.  

Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.

D.  

Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.

Discussion 0
Questions 11

Your company has a 3-tier solution running on Compute Engine. The configuration of the current infrastructure is shown below.

Each tier has a service account that is associated with all instances within it. You need to enable communication on TCP port 8080 between tiers as follows:

• Instances in tier #1 must communicate with tier #2.

• Instances in tier #2 must communicate with tier #3.

What should you do?

Options:

A.  

1. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow all

B.  

1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow TCP:80802. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow TCP: 8080

C.  

1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow all

D.  

1. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow TCP: 80802. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow TCP: 8080

Discussion 0
Questions 12

You installed the Google Cloud CLI on your workstation and set the proxy configuration. However, you are worried that your proxy credentials will be recorded in the gcloud CLI logs. You want to prevent your proxy credentials from being logged What should you do?

Options:

A.  

Configure username and password by using gcloud configure set proxy/username and gcloud configure set proxy/ proxy/password commands.

B.  

Encode username and password in sha256 encoding, and save it to a text file. Use filename as a value in the gcloud configure set core/custom_ca_certs_file command.

C.  

Provide values for CLOUDSDK_USERNAME and CLOUDSDK_PASSWORD in the gcloud CLI tool configure file.

D.  

Set the CLOUDSDK_PROXY_USERNAME and CLOUDSDK_PROXY PASSWORD properties by using environment variables in your command line tool.

Discussion 0
Questions 13

You have a workload running on Compute Engine that is critical to your business. You want to ensure that the data on the boot disk of this workload is backed up regularly. You need to be able to restore a backup as quickly as possible in case of disaster. You also want older backups to be cleaned automatically to save on cost. You want to follow Google-recommended practices. What should you do?

Options:

A.  

Create a Cloud Function to create an instance template.

B.  

Create a snapshot schedule for the disk using the desired interval.

C.  

Create a cron job to create a new disk from the disk using gcloud.

D.  

Create a Cloud Task to create an image and export it to Cloud Storage.

Discussion 0
Questions 14

Your application development team has created Docker images for an application that will be deployed on Google Cloud. Your team does not want to manage the infrastructure associated with this application. You need to ensure that the application can scale automatically as it gains popularity. What should you do?

Options:

A.  

Create an Instance template with the container image, and deploy a Managed Instance Group withAutoscaling.

B.  

Upload Docker images to Artifact Registry, and deploy the application on Google Kubernetes Engine usingStandard mode.

C.  

Upload Docker images to the Cloud Storage, and deploy the application on Google Kubernetes Engine usingStandard mode.

D.  

Upload Docker images to Artifact Registry, and deploy the application on Cloud Run.

Discussion 0
Questions 15

You have a website hosted on App Engine standard environment. You want 1% of your users to see a new test version of the website. You want to minimize complexity. What should you do?

Options:

A.  

Deploy the new version in the same application and use the --migrate option.

B.  

Deploy the new version in the same application and use the --splits option to give a weight of 99 to the current version and a weight of 1 to the new version.

C.  

Create a new App Engine application in the same project. Deploy the new version in that application. Use the App Engine library to proxy 1% of the requests to the new version.

D.  

Create a new App Engine application in the same project. Deploy the new version in that application. Configure your network load balancer to send 1% of the traffic to that new application.

Discussion 0
Questions 16

Your company runs a variety of applications and workloads on Google Cloud and you are responsible for managing cloud costs. You need to identify a solution that enables you to perform detailed cost analysis You also must be able to visualize the cost data in multiple ways on the same dashboard What should you do?

Options:

A.  

Use the cost breakdown report with the available filters from Cloud Billing to visualize the data

B.  

Enable the Cloud Billing export to BigQuery. and use Looker Studio to visualize the data

C.  

Run Queries in Cloud Monitoring Create dashboards to visualize the billing metrics

D.  

Enable Cloud Monitoring metrics export to BigQuery and use Looker to visualize the data

Discussion 0
Questions 17

Your Dataproc cluster runs in a single Virtual Private Cloud (VPC) network in a single subnet with range 172.16.20.128/25. There are no private IP addresses available in the VPC network. You want to add new VMs to communicate with your cluster using the minimum number of steps. What should you do?

Options:

A.  

Modify the existing subnet range to 172.16.20.0/24.

B.  

Create a new Secondary IP Range in the VPC and configure the VMs to use that range.

C.  

Create a new VPC network for the VMs. Enable VPC Peering between the VMs’ VPC network and the Dataproc cluster VPC network.

D.  

Create a new VPC network for the VMs with a subnet of 172.32.0.0/16. Enable VPC network Peering between the Dataproc VPC network and the VMs VPC network. Configure a custom Route exchange.

Discussion 0
Questions 18

You are asked to set up application performance monitoring on Google Cloud projects A, B, and C as a single pane of glass. You want to monitor CPU, memory, and disk. What should you do?

Options:

A.  

Enable API and then share charts from project A, B, and C.

B.  

Enable API and then give the metrics.reader role to projects A, B, and C.

C.  

Enable API and then use default dashboards to view all projects in sequence.

D.  

Enable API, create a workspace under project A, and then add project B and C.

Discussion 0
Questions 19

(You are managing the security configuration of your company ' s Google Cloud organization. The Operations team needs specific permissions on both a Google Kubernetes Engine (GKE) cluster and a Cloud SQL instance. Two predefined Identity and Access Management (IAM) roles exist that contain a subset of the permissions needed by the team. You need to configure the necessary IAM permissions for this team while following Google-recommended practices. What should you do?)

Options:

A.  

Grant the team the two predefined IAM roles.

B.  

Create a custom IAM role that combines the permissions from the two relevant predefined roles.

C.  

Create a custom IAM role that includes only the required permissions from the predefined roles.

D.  

Grant the team the IAM roles of Kubernetes Engine Admin and Cloud SQL Admin.

Discussion 0
Questions 20

You are using your personal workstation to develop an application that will be hosted in Google Cloud. You are authenticated using a Google Account (USER). You need to test whether a specific set of permissions assigned to an existing service account (SERVICE_ACCOUNT) are sufficient for a task without handling sensitive secret information. What should you do?

Options:

A.  

Grant USER the IAM role roles/iam.workloadIdentityUser on SERVICE_ACCOUNT.

B.  

Grant USER the IAM role roles/iam.serviceAccountKeyAdmin on SERVICE_ACCOUNT.

C.  

Grant USER the IAM role roles/iam.serviceAccountTokenCreator on SERVICE_ACCOUNT.

D.  

Grant USER the IAM role roles/iam.serviceAccountUser on SERVICE_ACCOUNT.

Discussion 0
Questions 21

The DevOps group in your organization needs full control of Compute Engine resources in your development project. However, they should not have permission to create or update any other resources in the project. You want to follow Google ' s recommendations for setting permissions for the DevOps group. What should you do?

Options:

A.  

Grant the basic role roles/viewer and the predefined role roles/compute.admin to the DevOps group.

B.  

Create an IAM policy and grant all compute. instanceAdmln. " permissions to the policy Attach the policy to the DevOps group.

C.  

Create a custom role at the folder level and grant all compute. instanceAdmln. * permissions to the role Grant the custom role to the DevOps group.

D.  

Grant the basic role roles/editor to the DevOps group.

Discussion 0
Questions 22

Your team is running an on-premises ecommerce application. The application contains a complex set of microservices written in Python, and each microservice is running on Docker containers. Configurations are injected by using environment variables. You need to deploy your current application to a serverless Google Cloud cloud solution. What should you do?

Options:

A.  

Use your existing CI/CD pipeline Use the generated Docker images and deploy them to Cloud Run. Update the configurations and the required endpoints.

B.  

Use your existing continuous integration and delivery (CI/CD) pipeline. Use the generated Docker images and deploy them to Cloud Function. Use the same configuration as on-premises.

C.  

Use the existing codebase and deploy each service as a separate Cloud Function Update the configurations and the required endpoints.

D.  

Use your existing codebase and deploy each service as a separate Cloud Run Use the same configurations as on-premises.

Discussion 0
Questions 23

Your VMs are running in a subnet that has a subnet mask of 255.255.255.240. The current subnet has no more free IP addresses and you require an additional 10 IP addresses for new VMs. The existing and new VMs should all be able to reach each other without additional routes. What should you do?

Options:

A.  

Use gcloud to expand the IP range of the current subnet.

B.  

Delete the subnet, and recreate it using a wider range of IP addresses.

C.  

Create a new project. Use Shared VPC to share the current network with the new project.

D.  

Create a new subnet with the same starting IP but a wider range to overwrite the current subnet.

Discussion 0
Questions 24

You are analyzing Google Cloud Platform service costs from three separate projects. You want to use this information to create service cost estimates by service type, daily and monthly, for the next six months using standard query syntax. What should you do?

Options:

A.  

Export your bill to a Cloud Storage bucket, and then import into Cloud Bigtable for analysis.

B.  

Export your bill to a Cloud Storage bucket, and then import into Google Sheets for analysis.

C.  

Export your transactions to a local file, and perform analysis with a desktop tool.

D.  

Export your bill to a BigQuery dataset, and then write time window-based SQL queries for analysis.

Discussion 0
Questions 25

Your company ' s management has chosen Google Cloud as its strategic cloud provider. You need to provision Google Cloud identities for all employees in the IT and Data departments but not to other departments. This access should automatically update when employees change departments, join, or leave the company. All employees are managed centrally in an LDAP directory, with one organizational unit (OU) for each department. What should you do?

Options:

A.  

Create a CSV file with the users from the relevant OUs. Upload the CSV file to Cloud Identity. Instruct your Human Resources department to repeat this process for any employee changes.

B.  

Develop a containerized application that reads user information from the relevant OUs in the LDAP directory. Use the Admin SDK to synchronize user accounts in Identity Platform with the LDAP directory. Deploy the application as a scheduled Cloud Run job.

C.  

Develop a containerized application that reads user information from the relevant OUs in the LDAP directory. Use the Directory API to create accounts in Cloud Identity for new users. Deploy the application as a scheduled Cloud Run job.

D.  

Configure Google Cloud Directory Sync to synchronize the relevant OUs between the LDAP directory and Cloud Identity. Set up a scheduled task that triggers a provisioning run.

Discussion 0
Questions 26

You are managing a new project for a web application on Google Cloud. The web application is running on a Compute Engine VM, and your team has a strict budget. You have already created a budget in Cloud Billing and set an alert rule to send an email when 90% of the budget is consumed. You must ensure that project spending automatically stops if it exceeds the budgeted amount. What should you do?

Options:

A.  

Create a new Cloud Billing account, and associate the project with it to prevent new spending from affecting your project ' s budget.

B.  

Create a Pub/Sub topic, and connect it to the budget. Create a Cloud Run function that subscribes to the Pub/Sub topic and executes code to stop the VM.

C.  

Use the Cloud Billing dashboard to identify the forecasted spend of your project, and then update the budget and alert to match the forecasted spend.

D.  

Rely on the budget ' s configuration to automatically disable billable resources when the spend reaches 100%.

Discussion 0
Questions 27

You created a cluster.YAML file containing

resources:

name: cluster

type: container.v1.cluster

properties:

zone: europe-west1-b

cluster:

description: My GCP ACE cluster

initialNodeCount: 2

You want to use Cloud Deployment Manager to create this cluster in GKE. What should you do?

Options:

A.  

gcloud deployment-manager deployments create my-gcp-ace-cluster --config cluster.yaml

B.  

gcloud deployment-manager deployments create my-gcp-ace-cluster --type container.v1.cluster --config cluster.yaml

C.  

gcloud deployment-manager deployments apply my-gcp-ace-cluster --type container.v1.cluster --config cluster.yaml

D.  

gcloud deployment-manager deployments apply my-gcp-ace-cluster --config cluster.yaml

Discussion 0
Questions 28

Your team is using Linux instances on Google Cloud. You need to ensure that your team logs in to these instances in the most secure and cost efficient way. What should you do?

Options:

A.  

Attach a public IP to the instances and allow incoming connections from the internet on port 22 for SSH.

B.  

Use a third party tool to provide remote access to the instances.

C.  

Use the gcloud compute ssh command with the --tunnel-through-iap flag. Allow ingress traffic from the IP range 35.235.240.0/20 on port 22.

D.  

Create a bastion host with public internet access. Create the SSH tunnel to the instance through the bastion host.

Discussion 0
Questions 29

Your organization uses Active Directory (AD) to manage user identities. Each user uses this identity for federated access to various on-premises systems. Your security team has adopted a policy that requires users to log into Google Cloud with their AD identity instead of their own login. You want to follow the Google-recommended practices to implement this policy. What should you do?

Options:

A.  

Sync Identities with Cloud Directory Sync, and then enable SAML for single sign-on

B.  

Sync Identities in the Google Admin console, and then enable Oauth for single sign-on

C.  

Sync identities with 3rd party LDAP sync, and then copy passwords to allow simplified login with (he same credentials

D.  

Sync identities with Cloud Directory Sync, and then copy passwords to allow simplified login with the same credentials.

Discussion 0
Questions 30

You need to host an application on a Compute Engine instance in a project shared with other teams. You want to prevent the other teams from accidentally causing downtime on that application. Which feature should you use?

Options:

A.  

Use a Shielded VM.

B.  

Use a Preemptible VM.

C.  

Use a sole-tenant node.

D.  

Enable deletion protection on the instance.

Discussion 0
Questions 31

Your organization has three existing Google Cloud projects. You need to bill the Marketing department for only their Google Cloud services for a new initiative within their group. What should you do?

Options:

A.  

1. Verify that you ace assigned the Billing Administrator IAM role tor your organization ' s Google Cloud Project for the Marketing department2. Link the new project to a Marketing Billing Account

B.  

1. Verify that you are assigned the Billing Administrator IAM role for your organization ' s Google Cloud account2. Create a new Google Cloud Project for the Marketing department3. Set the default key-value project labels to department marketing for all services in this project

C.  

1. Verify that you are assigned the Organization Administrator IAM role for your organization ' s Google Cloud account2. Create a new Google Cloud Project for the Marketing department 3. Link the new project to a Marketing Billing Account.

D.  

1. Verity that you are assigned the Organization Administrator IAM role for your organization ' s Google Cloud account2. Create a new Google Cloud Project for the Marketing department3. Set the default key value project labels to department marketing for all services in this protect

Discussion 0
Questions 32

You have 32 GB of data in a single file that you need to upload to a Nearline Storage bucket. The WAN connection you are using is rated at 1 Gbps, and you are the only one on the connection. You want to use as much of the rated 1 Gbps as possible to transfer the file rapidly. How should you upload the file?

Options:

A.  

Use the GCP Console to transfer the file instead of gsutil.

B.  

Enable parallel composite uploads using gsutil on the file transfer.

C.  

Decrease the TCP window size on the machine initiating the transfer.

D.  

Change the storage class of the bucket from Nearline to Multi-Regional.

Discussion 0
Questions 33

Youare configuring Cloud DNS. You want !to create DNS records to pointhome.mydomain.com,mydomain.com. andwww.mydomain.comto the IP address of your Google Cloud load balancer. What should you do?

Options:

A.  

Create one CNAME record to point mydomain.com to the load balancer, and create two A records to point WWW and HOME lo mydomain.com respectively.

B.  

Create one CNAME record to point mydomain.com to the load balancer, and create two AAAA records to point WWW and HOME to mydomain.com respectively.

C.  

Create one A record to point mydomain.com to the load balancer, and create two CNAME records to point WWW and HOME to mydomain.com respectively.

D.  

Create one A record to point mydomain.com lo the load balancer, and create two NS records to point WWW and HOME to mydomain.com respectively.

Discussion 0
Questions 34

You want to configure 10 Compute Engine instances for availability when maintenance occurs. Your requirements state that these instances should attempt to automatically restart if they crash. Also, the instances should be highly available including during system maintenance. What should you do?

Options:

A.  

Create an instance template for the instances. Set the ‘Automatic Restart’ to on. Set the ‘On-host maintenance’ to Migrate VM instance. Add the instance template to an instance group.

B.  

Create an instance template for the instances. Set ‘Automatic Restart’ to off. Set ‘On-host maintenance’ to Terminate VM instances. Add the instance template to an instance group.

C.  

Create an instance group for the instances. Set the ‘Autohealing’ health check to healthy (HTTP).

D.  

Create an instance group for the instance. Verify that the ‘Advanced creation options’ setting for ‘do not retry machine creation’ is set to off.

Discussion 0
Questions 35

A company wants to build an application that stores images in a Cloud Storage bucket and wants to generate thumbnails as well as resize the images. They want to use a google managed service that can scale up and scale down to zero automatically with minimal effort. You have been asked to recommend a service. Which GCP service would you suggest?

Options:

A.  

Google Compute Engine

B.  

Google App Engine

C.  

Cloud Functions

D.  

Google Kubernetes Engine

Discussion 0
Questions 36

You are given a project with a single virtual private cloud (VPC) and a single subnetwork in the us-central1 region. There is a Compute Engine instance hosting an application in thissubnetwork. You need to deploy a new instance in the same project in the europe-west1 region. This new instance needs access to the application. You want to follow Google-recommended practices. What should you do?

Options:

A.  

1. Create a subnetwork in the same VPC, in europe-west1.2. Create the new instance in the new subnetwork and use the first instance ' s private address as the endpoint.

B.  

1. Create a VPC and a subnetwork in europe-west1.2. Expose the application with an internal load balancer.3. Create the new instance in the new subnetwork and use the load balancer ' s address as the endpoint.

C.  

1. Create a subnetwork in the same VPC, in europe-west1.2. Use Cloud VPN to connect the two subnetworks.3. Create the new instance in the new subnetwork and use the first instance ' s private address as the endpoint.

D.  

1. Create a VPC and a subnetwork in europe-west1.2. Peer the 2 VPCs.3. Create the new instance in the new subnetwork and use the first instance ' s private address as the endpoint.

Discussion 0
Questions 37

You have deployed multiple Linux instances on Compute Engine. You plan on adding more instances in the coming weeks. You want to be able to access all of these instances through your SSH client over me Internet without having to configure specific access on the existing and new instances. You do not want the Compute Engine instances to have a public IP. What should you do?

Options:

A.  

Configure Cloud Identity-Aware Proxy (or HTTPS resources

B.  

Configure Cloud Identity-Aware Proxy for SSH and TCP resources.

C.  

Create an SSH keypair and store the public key as a project-wide SSH Key

D.  

Create an SSH keypair and store the private key as a project-wide SSH Key

Discussion 0
Questions 38

You are the team lead of a group of 10 developers. You provided each developer with an individual Google Cloud Project that they can use as their personal sandbox to experiment with different Google Cloud solutions. You want to be notified if any of the developers are spending above $500 per month on their sandbox environment. What should you do?

Options:

A.  

Create a single budget for all projects and configure budget alerts on this budget.

B.  

Create a separate billing account per sandbox project and enable BigQuery billing exports. Create a Data Studio dashboard to plot the spending per billing account.

C.  

Create a budget per project and configure budget alerts on all of these budgets.

D.  

Create a single billing account for all sandbox projects and enable BigQuery billing exports. Create a Data Studio dashboard to plot the spending per project.

Discussion 0
Questions 39

You created an instance of SQL Server 2017 on Compute Engine to test features in the new version. You want to connect to this instance using the fewest number of steps. What should you do?

Options:

A.  

Install a RDP client on your desktop. Verify that a firewall rule for port 3389 exists.

B.  

Install a RDP client in your desktop. Set a Windows username and password in the GCP Console. Use the credentials to log in to the instance.

C.  

Set a Windows password in the GCP Console. Verify that a firewall rule for port 22 exists. Click the RDP button in the GCP Console and supply the credentials to log in.

D.  

Set a Windows username and password in the GCP Console. Verify that a firewall rule for port 3389 exists. Click the RDP button in the GCP Console, and supply the credentials to log in.

Discussion 0
Questions 40

You are using Container Registry to centrally store your company’s container images in a separate project. In another project, you want to create a Google Kubernetes Engine (GKE) cluster. You want to ensure that Kubernetes can download images from Container Registry. What should you do?

Options:

A.  

In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.

B.  

When you create the GKE cluster, choose the Allow full access to all Cloud APIs option under ‘Access scopes’.

C.  

Create a service account, and give it access to Cloud Storage. Create a P12 key for this service account and use it as an imagePullSecrets in Kubernetes.

D.  

Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account.

Discussion 0
Questions 41

You want to verify the IAM users and roles assigned within a GCP project named my-project. What should you do?

Options:

A.  

Run gcloud iam roles list. Review the output section.

B.  

Run gcloud iam service-accounts list. Review the output section.

C.  

Navigate to the project and then to the IAM section in the GCP Console. Review the members and roles.

D.  

Navigate to the project and then to the Roles section in the GCP Console. Review the roles and status.

Discussion 0
Questions 42

You have an object in a Cloud Storage bucket that you want to share with an external company. The object contains sensitive data. You want access to the content to be removed after four hours. The external company does not have a Google account to which you can grant specific user-based access privileges. You want to use the most secure method that requires the fewest steps. What should you do?

Options:

A.  

Create a signed URL with a four-hour expiration and share the URL with the company.

B.  

Set object access to ‘public’ and use object lifecycle management to remove the object after four hours.

C.  

Configure the storage bucket as a static website and furnish the object’s URL to the company. Delete the object from the storage bucket after four hours.

D.  

Create a new Cloud Storage bucket specifically for the external company to access. Copy the object to that bucket. Delete the bucket after four hours have passed.

Discussion 0
Questions 43

You are writing a shell script that includes a few gcloud CLI commands to access some Google Cloud resources. You want to test the script in your local development environment with a service account in the most secure way. What should you do?

Options:

A.  

Download the service account key file and save it in a secure location. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the key file.

B.  

Enable service account impersonation, and use the gcloud config set auth/impersonate_service_account command to use it by default.

C.  

Generate an ID token for the service account. Use the token with the gcloud CLI commands.

D.  

Download the service account key file, and use it to generate an access token. Use the token with the gcloud CLI commands.

Discussion 0
Questions 44

You are running a data warehouse on BigQuery. A partner company is offering a recommendation engine based on the data in your data warehouse. The partner company is also running their application on Google Cloud. They manage the resources in their own project, but they need access to the BigQuery dataset in your project. You want to provide the partner company with access to the dataset What should you do?

Options:

A.  

Create a Service Account in your own project, and grant this Service Account access to BigGuery in your project

B.  

Create a Service Account in your own project, and ask the partner to grant this Service Account access to BigQuery in their project

C.  

Ask the partner to create a Service Account in their project, and have them give the Service Account access to BigQuery in their project

D.  

Ask the partner to create a Service Account in their project, and grant their Service Account access to the BigQuery dataset in your project

Discussion 0
Questions 45

You are deploying an application on Google Cloud that requires a relational database for storage. To satisfy your company ' s security policies, your application must connect to your database through an encrypted and authenticated connection that requires minimal management and integrates with Identity and Access Management (IAM). What should you do?

Options:

A.  

Deploy a Cloud SQL database with the SSL mode set to encrypted only, configure SSL/TLS client certificates, and configure a database user and password.

B.  

Deploy a Cloud SOL database and configure IAM database authentication. Access the database through the Cloud SQL Auth Proxy.

C.  

Deploy a Cloud SQL database with the SSL mode set to encrypted only, configure SSL/TLS client certificates, and configure IAM database authentication.

D.  

Deploy a Cloud SQL database and configure a database user and password. Access the database through the Cloud SQL Auth Proxy.

Discussion 0
Questions 46

Your company uses Pub/Sub for event-driven workloads. You have a subscription named email-updates attached to the new-orders topic. You need to fetch and acknowledge waiting messages from this subscription. What should you do?

Options:

A.  

Use the gcloud pubsub subscriptions seek email-updates command.

B.  

Use the gcloud pubsub topics describe new-orders command.

C.  

Use the gcloud pubsub subscriptions pull email-updates —auto-ack command.

D.  

Use the gcloud pubsub topics list-subscriptions new-orders —1ilter= " email-updates " command.

Discussion 0
Questions 47

You manage a business-critical backend application running on a Compute Engine managed instance group (MIG). The operations team requires a near-real time notification if the average CPU utilization across all instances in the MIG exceeds 75% for a continuous five-minute period. You need to implement a scalable Google Cloud solution to meet this monitoring requirement. What should you do?

Options:

A.  

Create a logs-based metric in Cloud Logging that filters for high CPU usage entries, and then create a Cloud Monitoring alert policy based on that custom metric.

B.  

Deploy the Ops Agent to all Compute Engine VM instances to collect the CPU metric. Use a custom script running on a separate Compute Engine instance to poll this metric every five minutes, and send an email notification if the threshold is breached.

C.  

Create a Cloud Monitoring alerting policy that targets the compute.googleapis.com/instance/cpu/utilization metric. Set the threshold to 75% and the duration to five minutes.

D.  

Configure an autoscaling policy for the MIG to use a CPU utilization target of 75% for five minutes, and then enable a notification channel in the autoscaler settings.

Discussion 0
Questions 48

You are deploying a new application on a Compute Engine VM instance. This application needs to store operational logs in a Cloud Storage bucket named project-logs-us-central1 and have the ability to create new objects (logs) in this bucket. The application must be restricted from modifying or deleting existing objects or accessing any other buckets in the Google Cloud project. You must configure access following the principle of least privilege. What should you do?

Options:

A.  

Create a dedicated service account for the application. Grant this service account the predefined roles/storage.objectCreator IAM role on the project-logs-us-central1 Cloud Storage bucket. Attach the service account to the Compute Engine VM instance.

B.  

Grant the Compute Engine default service account the predefined roles/storage.objectAdmin IAM role on the Google Cloud project.

C.  

Create a dedicated service account for the application. Generate a service account key, and grant the service account the predefined roles/storage.admin IAM role on the project-logs-us-central1 Cloud Storage bucket. Store the key file on the Compute Engine VM.

D.  

Grant the Compute Engine default service account the predefined roles/storage.objectCreator IAM role on the Google Cloud project. Attach the service account to the Compute Engine VM instance.

Discussion 0
Questions 49

(You are managing an application deployed on Cloud Run. The development team has released a new version of the application. You want to deploy and redirect traffic to this new version of the application. To ensure traffic to the new version of the application is served with no startup time, you want to ensure that there are two idle instances available for incoming traffic before adjusting the traffic flow. You also want to minimize administrative overhead. What should you do?)

Options:

A.  

Ensure the checkbox " Serve this revision immediately " is unchecked when deploying the new revision. Before changing the traffic rules, use a traffic simulation tool to send load to the new revision.

B.  

Configure service autoscaling and set the minimum number of instances to 2.

C.  

Configure revision autoscaling for the new revision and set the minimum number of instances to 2.

D.  

Configure revision autoscaling for the existing revision and set the minimum number of instances to 2.

Discussion 0
Questions 50

You have an application running in Google Kubernetes Engine (GKE) with cluster autoscaling enabled. The application exposes a TCP endpoint. There are several replicas of this application. You have a Compute Engine instance in the same region, but in another Virtual Private Cloud (VPC), called gce-network, that has no overlapping IP ranges with the first VPC. This instance needs to connect to the application on GKE. You want to minimize effort. What should you do?

Options:

A.  

1. In GKE, create a Service of type LoadBalancer that uses the application ' s Pods as backend.2. Set the service ' s externalTrafficPolicy to Cluster.3. Configure the Compute Engine instance to use the address of the load balancer that has been created.

B.  

1. In GKE, create a Service of type NodePort that uses the application ' s Pods as backend.2. Create a Compute Engine instance called proxy with 2 network interfaces, one in each VPC.3. Use iptables on this instance to forward traffic from gce-network to the GKE nodes.4. Configure the Compute Engine instance to use the address of proxy in gce-network as endpoint.

C.  

1. In GKE, create a Service of type LoadBalancer that uses the application ' s Pods as backend.2. Add an annotation to this service: cloud.google.com/load-balancer-type: Internal3. Peer the two VPCs together.4. Configure the Compute Engine instance to use the address of the load balancer that has been created.

D.  

1. In GKE, create a Service of type LoadBalancer that uses the application ' s Pods as backend.2. Add a Cloud Armor Security Policy to the load balancer that whitelists the internal IPs of the MIG ' s instances.3. Configure the Compute Engine instance to use the address of the load balancer that has been created.

Discussion 0
Questions 51

You need to manage a third-party application that will run on a Compute Engine instance. Other Compute Engine instances are already running with default configuration. Application installation files are hosted on Cloud Storage. You need to access these files from the new instance without allowing other virtual machines (VMs) to access these files. What should you do?

Options:

A.  

Create the instance with the default Compute Engine service account Grant the service account permissions on Cloud Storage.

B.  

Create the instance with the default Compute Engine service account Add metadata to the objects on Cloud Storage that matches the metadata on the new instance.

C.  

Create a new service account and assig n this service account to the new instance Grant the service account permissions on Cloud Storage.

D.  

Create a new service account and assign this service account to the new instance Add metadata to the objects on Cloud Storage that matches the metadata on the new instance.

Discussion 0
Questions 52

Your managed instance group raised an alert stating that new instance creation has failed to create new instances. You need to maintain the number of running instances specified by the template to be able to process expected application traffic. What should you do?

Options:

A.  

Create an instance template that contains valid syntax which will be used by the instance group. Delete any persistent disks with the same name as instance names.

B.  

Create an instance template that contains valid syntax that will be used by the instance group. Verify that the instance name and persistent disk name values are not the same in the template.

C.  

Verify that the instance template being used by the instance group contains valid syntax. Delete any persistent disks with the same name as instance names. Set the disks.autoDelete property to true in the instance template.

D.  

Delete the current instance template and replace it with a new instance template. Verify that the instance name and persistent disk name values are not the same in the template. Set the disks.autoDelete property to true in the instance template.

Discussion 0
Questions 53

Users of your application are complaining of slowness when loading the application. You realize the slowness is because the App Engine deployment serving the application is deployed in us-central whereas all users of this application are closest to europe-west3. You want to change the region of the App Engine application to europe-west3 to minimize latency. What’s the best way to change the App Engine region?

Options:

A.  

Create a new project and create an App Engine instance in europe-west3

B.  

Use the gcloud app region set command and supply the name of the new region.

C.  

From the console, under the App Engine page, click edit, and change the region drop-down.

D.  

Contact Google Cloud Support and request the change.

Discussion 0
Questions 54

You are a Google Cloud organization policy administrator for your company that operates in a regulated industry. You need to enforce a policy that restricts all new location-based Google Cloud resources to the australia-southeast1 and australia-southeast2 regions only. You want to ensure that this policy requires minimal configuration. What should you do?

Options:

A.  

Create a custom organization policy that uses the resource.location == ' australia-southeast1 ' || resource.location == ' australia-southeast2 ' Common Expression Language (CEL) condition.

B.  

Modify the gcp.resourceLocations list constraint by adding in:australia-locations to the allowed_values list.

C.  

Modify the gcp.resourceLocations list constraint by adding in:australia-locations to the denied_values list.

D.  

Create a custom organization policy that uses the resource.location.startsWith( ' australia ' ) Common Expression Language (CEL) condition.

Discussion 0
Questions 55

Your development team has packaged and pushed a new container image to Artifact Registry. Due to design requirements, the application must be able to scale to zero. You need to take this image to production as quickly as possible while following the design requirements. What should you do?

Options:

A.  

Create an instance template for the container, and use it to create a managed instance group behind an external Application Load Balancer.

B.  

Create an app.yaml file that specifies the container images, and deploy it to the App Engine Flexible environment.

C.  

Write a Kubernetes Deployment and a Service manifest (YAML), and apply them to a Google Kubernetes Engine cluster.

D.  

Deploy the application directly to Cloud Run.

Discussion 0
Questions 56

You have been asked to set up Object Lifecycle Management for objects stored in storage buckets. The objects are written once and accessed frequently for 30 days. After 30 days, the objects are not read again unless there is a special need. The object should be kept for three years, and you need to minimize cost. What should you do?

Options:

A.  

Set up a policy that uses Nearline storage for 30 days and then moves to Archive storage for three years.

B.  

Set up a policy that uses Standard storage for 30 days and then moves to Archive storage for three years.

C.  

Set up a policy that uses Nearline storage for 30 days, then moves the Coldline for one year, and then moves to Archive storage for two years.

D.  

Set up a policy that uses Standard storage for 30 days, then moves to Coldline for one year, and then moves to Archive storage for two years.

Discussion 0
Questions 57

You deployed a new application inside your Google Kubernetes Engine cluster using the YAML file specified below.

You check the status of the deployed pods and notice that one of them is still in PENDING status:

You want to find out why the pod is stuck in pending status. What should you do?

Options:

A.  

Review details of the myapp-service Service object and check for error messages.

B.  

Review details of the myapp-deployment Deployment object and check for error messages.

C.  

Review details of myapp-deployment-58ddbbb995-lp86m Pod and check for warning messages.

D.  

View logs of the container in myapp-deployment-58ddbbb995-lp86m pod and check for warning messages.

Discussion 0
Questions 58

You need to verify that a Google Cloud Platform service account was created at a particular time. What should you do?

Options:

A.  

Filter the Activity log to view the Configuration category. Filter the Resource type to Service Account.

B.  

Filter the Activity log to view the Configuration category. Filter the Resource type to Google Project.

C.  

Filter the Activity log to view the Data Access category. Filter the Resource type to Service Account.

D.  

Filter the Activity log to view the Data Access category. Filter the Resource type to Google Project.

Discussion 0
Questions 59

(You are developing an internet of things (IoT) application that captures sensor data from multiple devices that have already been set up. You need to identify the global data storage product your company should use to store this data. You must ensure that the storage solution you choose meets your requirements of sub-millisecond latency. What should you do?)

Options:

A.  

Store the IoT data in Spanner. Use caches to speed up the process and avoid latencies.

B.  

Store the IoT data in Bigtable.

C.  

Capture IoT data in BigQuery datasets.

D.  

Store the IoT data in Cloud Storage. Implement caching by using Cloud CDN.

Discussion 0
Questions 60

You want to host your video encoding software on Compute Engine. Your user base is growing rapidly, and users need to be able 3 to encode their videos at any time without interruption or CPU limitations. You must ensure that your encoding solution is highly available, and you want to follow Google-recommended practices to automate operations. What should you do?

Options:

A.  

Deploy your solution on multiple standalone Compute Engine instances, and increase the number of existing instances wnen CPU utilization on Cloud Monitoring reaches a certain threshold.

B.  

Deploy your solution on multiple standalone Compute Engine instances, and replace existing instances with high-CPUinstances when CPU utilization on Cloud Monitoring reaches a certain threshold.

C.  

Deploy your solution to an instance group, and increase the number of available instances whenever you see high CPU utilization in Cloud Monitoring.

D.  

Deploy your solution to an instance group, and set the autoscaling based on CPU utilization.

Discussion 0
Questions 61

A team of data scientists infrequently needs to use a Google Kubernetes Engine (GKE) cluster that you manage. They require GPUs for some long-running, non-restartable jobs. You want to minimize cost. What should you do?

Options:

A.  

Enable node auto-provisioning on the GKE cluster.

B.  

Create a VerticalPodAutscaler for those workloads.

C.  

Create a node pool with preemptible VMs and GPUs attached to those VMs.

D.  

Create a node pool of instances with GPUs, and enable autoscaling on this node pool with a minimum size of 1.

Discussion 0
Questions 62

You need to set a budget alert for use of Compute Engineer services on one of the three Google Cloud Platform projects that you manage. All three projects are linked to a single billing account. What should you do?

Options:

A.  

Verify that you are the project billing administrator. Select the associated billing account and create a budget and alert for the appropriate project.

B.  

Verify that you are the project billing administrator. Select the associated billing account and create a budget and a custom alert.

C.  

Verify that you are the project administrator. Select the associated billing account and create a budget for the appropriate project.

D.  

Verify that you are project administrator. Select the associated billing account and create a budget and a custom alert.

Discussion 0
Questions 63

You built an application on your development laptop that uses Google Cloud services. Your application uses Application Default Credentials for authentication and works fine on your development laptop. You want to migrate this application to a Compute Engine virtual machine (VM) and set up authentication using Google- recommended practices and minimal changes. What should you do?

Options:

A.  

Assign appropriate access for Google services to the service account used by the Compute Engine VM.

B.  

Create a service account with appropriate access for Google services, and configure the application to use this account.

C.  

Store credentials for service accounts with appropriate access for Google services in a config file, and deploy this config file with your application.

D.  

Store credentials for your user account with appropriate access for Google services in a config file, and deploy this config file with your application.

Discussion 0
Questions 64

You recently received a new Google Cloud project with an attached billing account where you will work. You need to create instances, set firewalls, and store data in Cloud Storage. You want to follow Google-recommended practices. What should you do?

Options:

A.  

Use the gcloud CLI services enablecloudresourcemanager.googleapis.comcommand to enable all resources.

B.  

Use the gcloud services enablecompute.googleapis.comcommand to enable Compute Engineand thegcloud services enablestorage-api.googleapis.comcommand to enable the Cloud Storage APIs.

C.  

Open the Google Cloud console and enable all Google Cloud APIs from the API dashboard.

D.  

Open the Google Cloud console and run gcloud init --project < project-id > in a Cloud Shell.

Discussion 0
Questions 65

You are deploying an application to Cloud Run. Your application requires the use of an API that runs on Google Kubernetes Engine (GKE). You need to ensure that your Cloud Run service can privately reach the API on GKE, and you want to follow Google-recommended practices. What should you do?

Options:

A.  

Deploy an ingress resource on the GKE cluster to expose the API to the internet. Use Cloud Armor to filter for IP addresses that can connect to the API. On the Cloud Run service, configure the application to fetch its public IP address and update the Cloud Armor policy on startup to allow this IP address to call the API on ports 80 and 443.

B.  

Create an egress firewall rule on the VPC to allow connections to 0.0.0.0/0 on ports 80 and 443.

C.  

Create an ingress firewall rule on the VPC to allow connections from 0.0.0.0/0 on ports 80 and 443.

D.  

Deploy an internal Application Load Balancer to expose the API on GKE to the VPC. Configure Cloud DNS with the IP address of the internal Application Load Balancer. Deploy a Serverless VPC Access connector to allow the Cloud Run service to call the API through the FQDN on Cloud DNS.

Discussion 0
Questions 66

Your company publishes large files on an Apache web server that runs on a Compute Engine instance. The Apache web server is not the only application running in the project. You want to receive an email when the egress network costs for the server exceed 100 dollars for the current month as measured by Google Cloud Platform (GCP). What should you do?

Options:

A.  

Set up a budget alert on the project with an amount of 100 dollars, a threshold of 100%, and notification type of “email.”

B.  

Set up a budget alert on the billing account with an amount of 100 dollars, a threshold of 100%, and notification type of “email.”

C.  

Export the billing data to BigQuery. Create a Cloud Function that uses BigQuery to sum the egress network costs of the exported billing data for the Apache web server for the current month and sends an email if it is over 100 dollars. Schedule the Cloud Function using Cloud Scheduler to run hourly.

D.  

Use the Stackdriver Logging Agent to export the Apache web server logs to Stackdriver Logging. Create a Cloud Function that uses BigQuery to parse the HTTP response log data in Stackdriver for the current month and sends an email if the size of all HTTP responses, multiplied by current GCP egress prices, totals over 100 dollars. Schedule the Cloud Function using Cloud Scheduler to run hourly.

Discussion 0
Questions 67

You built an application on Google Cloud Platform that uses Cloud Spanner. Your support team needs to monitor the environment but should not have access to table data. You need a streamlined solution to grant the correct permissions to your support team, and you want to follow Google-recommended practices. What should you do?

Options:

A.  

Add the support team group to the roles/monitoring.viewer role

B.  

Add the support team group to the roles/spanner.databaseUser role.

C.  

Add the support team group to the roles/spanner.databaseReader role.

D.  

Add the support team group to the roles/stackdriver.accounts.viewer role.

Discussion 0
Questions 68

Your company has a large quantity of unstructured data in different file formats. You want to perform ETL transformations on the data. You need to make the data accessible on Google Cloud so it can be processed by a Dataflow job. What should you do?

Options:

A.  

Upload the data to BigQuery using the bq command line tool.

B.  

Upload the data to Cloud Storage using the gsutil command line tool.

C.  

Upload the data into Cloud SQL using the import function in the console.

D.  

Upload the data into Cloud Spanner using the import function in the console.

Discussion 0
Questions 69

You want to select and configure a solution for storing and archiving data on Google Cloud Platform. You need to support compliance objectives for data from one geographic location. This data is archived after 30 days and needs to be accessed annually. What should you do?

Options:

A.  

Select Multi-Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Coldline Storage.

B.  

Select Multi-Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Nearline Storage.

C.  

Select Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Nearline Storage.

D.  

Select Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Coldline Storage.

Discussion 0
Questions 70

You are hosting an application from Compute Engine virtual machines (VMs) in us–central1–a. You want to adjust your design to support the failure of a single Compute Engine zone, eliminate downtime, and minimize cost. What should you do?

Options:

A.  

– Create Compute Engine resources in us–central1–b.–Balance the load across both us–central1–a and us–central1–b.

B.  

– Create a Managed Instance Group and specify us–central1–a as the zone.–Configure the Health Check with a short Health Interval.

C.  

– Create an HTTP(S) Load Balancer.–Create one or more global forwarding rules to direct traffic to your VMs.

D.  

– Perform regular backups of your application.–Create a Cloud Monitoring Alert and be notified if your application becomes unavailable.–Restore from backups when notified.

Discussion 0
Questions 71

Your manager asks you to deploy a workload to a Kubernetes cluster. You are not sure of the workloads resource requirements or how the requirements might vary depending on usage patterns, external dependencies, or other factors. You need a solution that makes cost-effective recommendations regarding CPU and memory requirements, and allows the workload to function consistently in any situation. You want to follow Google-recommended practices. What should you do?

Options:

A.  

Configure the Horizontal Pod Autoscaler for availability, and configure the cluster autoscaler for suggestions.

B.  

Configure the Horizontal Pod Autoscaler for availability, and configure the Vertical Pod Autoscaler recommendations for suggestions.

C.  

Configure the Vertical Pod Autoscaler recommendations for availability, and configure the Cluster autoscaler for suggestions.

D.  

Configure the Vertical Pod Autoscaler recommendations for availability, and configure the Horizontal Pod Autoscaler for suggestions.

Discussion 0
Questions 72

(Your company was recently impacted by a service disruption that caused multiple Dataflow jobs to get stuck, resulting in significant downtime in downstream applications and revenue loss. You were able to resolve the issue by identifying and fixing an error you found in the code. You need to design a solution with minimal management effort to identify when jobs are stuck in the future to ensure that this issue does not occur again. What should you do?)

Options:

A.  

Set up Error Reporting to identify stack traces that indicate slowdowns in Dataflow jobs. Set up alerts based on these log entries.

B.  

Use the Personalized Service Health dashboard to identify issues with Dataflow jobs across regions.

C.  

Update the Dataflow job configurations to send messages to a Pub/Sub topic when there are delays. Configure a backup Dataflow job to process jobs that are delayed. Use Cloud Tasks to trigger an alert when messages are pushed to the Pub/Sub topic.

D.  

Set up Cloud Monitoring alerts on the data freshness metric for the Dataflow jobs to receive a notification when a certain threshold is reached.

Discussion 0
Questions 73

An employee was terminated, but their access to Google Cloud Platform (GCP) was not removed until 2 weeks later. You need to find out this employee accessed any sensitive customer information after their termination. What should you do?

Options:

A.  

View System Event Logs in Stackdriver. Search for the user’s email as the principal.

B.  

View System Event Logs in Stackdriver. Search for the service account associated with the user.

C.  

View Data Access audit logs in Stackdriver. Search for the user’s email as the principal.

D.  

View the Admin Activity log in Stackdriver. Search for the service account associated with the user.

Discussion 0
Questions 74

Your company has developed a new application that consists of multiple microservices. You want to deploy the application to Google Kubernetes Engine (GKE), and you want to ensure that the cluster can scale as more applications are deployed in the future. You want to avoid manual intervention when each new application is deployed. What should you do?

Options:

A.  

Deploy the application on GKE, and add a HorizontalPodAutoscaler to the deployment.

B.  

Deploy the application on GKE, and add a VerticalPodAutoscaler to the deployment.

C.  

Create a GKE cluster with autoscaling enabled on the node pool. Set a minimum and maximum for the size of the node pool.

D.  

Create a separate node pool for each application, and deploy each application to its dedicated node pool.

Discussion 0
Questions 75

You have an instance group that you want to load balance. You want the load balancer to terminate the client SSL session. The instance group is used to serve a public web application over HTTPS. You want to follow Google-recommended practices. What should you do?

Options:

A.  

Configure an HTTP(S) load balancer.

B.  

Configure an internal TCP load balancer.

C.  

Configure an external SSL proxy load balancer.

D.  

Configure an external TCP proxy load balancer.

Discussion 0
Questions 76

Your web application has been running successfully on Cloud Run for Anthos. You want to evaluate an updated version of the application with a specific percentage of your production users (canary deployment). What should you do?

Options:

A.  

Create a new service with the new version of the application. Split traffic between this version and the version that is currently running.

B.  

Create a new revision with the new version of the application. Split traffic between this version and the version that is currently running.

C.  

Create a new service with the new version of the application. Add an HTTP Load Balancer in front of both services.

D.  

Create a new revision with the new version of the application. Add an HTTP Load Balancer in front of both revisions.

Discussion 0
Questions 77

You need to provide a cost estimate for a Kubernetes cluster using the GCP pricing calculator for Kubernetes. Your workload requires high IOPs, and you will also be using disk snapshots. You start by entering the number of nodes, average hours, and average days. What should you do next?

Options:

A.  

Fill in local SSD. Fill in persistent disk storage and snapshot storage.

B.  

Fill in local SSD. Add estimated cost for cluster management.

C.  

Select Add GPUs. Fill in persistent disk storage and snapshot storage.

D.  

Select Add GPUs. Add estimated cost for cluster management.

Discussion 0
Questions 78

You are building an application that processes data files uploaded from thousands of suppliers. Your primary goals for the application are data security and the expiration of aged data. You need to design the application to:

•Restrict access so that suppliers can access only their own data.

•Give suppliers write access to data only for 30 minutes.

•Delete data that is over 45 days old.

You have a very short development cycle, and you need to make sure that the application requires minimal maintenance. Which two strategies should you use? (Choose two.)

Options:

A.  

Build a lifecycle policy to delete Cloud Storage objects after 45 days.

B.  

Use signed URLs to allow suppliers limited time access to store their objects.

C.  

Set up an SFTP server for your application, and create a separate user for each supplier.

D.  

Build a Cloud function that triggers a timer of 45 days to delete objects that have expired.

E.  

Develop a script that loops through all Cloud Storage buckets and deletes any buckets that are older than 45 days.

Discussion 0
Questions 79

You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?

Options:

A.  

Create a service account with an access scope. Use the access scope ‘https://www.googleapis.com/auth/devstorage.write_only’.

B.  

Create a service account with an access scope. Use the access scope ‘https://www.googleapis.com/auth/cloud-platform’.

C.  

Create a service account and add it to the IAM role ‘storage.objectCreator’ for that bucket.

D.  

Create a service account and add it to the IAM role ‘storage.objectAdmin’ for that bucket.

Discussion 0
Questions 80

Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance. What should you do?

Options:

A.  

Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance.

B.  

Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance.

C.  

Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the “compute.osAdminLogin” role to the Google group corresponding to this team.

D.  

Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance.

Discussion 0
Questions 81

Your company has an internal application for managing transactional orders. The application is used exclusively by employees in a single physical location. The application requires strong consistency, fast queries, and ACID guarantees for multi-table transactional updates. The first version of the application is implemented inPostgreSQL, and you want to deploy it to the cloud with minimal code changes. Which database is most appropriate for this application?

Options:

A.  

BigQuery

B.  

Cloud SQL

C.  

Cloud Spanner

D.  

Cloud Datastore

Discussion 0
Questions 82

You want to deploy SAP HANA workloads on Compute Engine. The installation requires high-performance data storage, with input/output operations per second (IOPS) frequently exceeding 200,000. Your solution must also ensure the data persists through instance restarts. What should you do?

Options:

A.  

Use Hyperdisk Extreme disks for the application data.

B.  

Use in-memory RAM disks for the application data.

C.  

Use Local SSD disks for the application data.

D.  

Use Hyperdisk Throughput disks for the application data.

Discussion 0
Questions 83

You manage Identity and Access Management (IAM) for your Google Cloud project. A new developer joined the cloud-developer team, and they need to be able to deploy containerized applications to an existing Google Kubernetes Engine (GKE) cluster. They do not need to manage other cloud resources or the GKE cluster itself. You need to grant access following the principle of least privilege. What should you do?

Options:

A.  

Add the developer to the cloud-developer group that already has the container.developer IAM role.

B.  

Grant the developer the container.admin IAM role for the project.

C.  

Grant the developer the container.serviceAgent IAM role for the project.

D.  

Grant the developer the editor IAM role for the project.

Discussion 0
Questions 84

(Your company is migrating its workloads to Google Cloud due to an expiring data center contract. The on-premises environment and Google Cloud are not connected. You have decided to follow a lift-and-shift approach, and you plan to modernize the workloads in a future project. Several old applications connect to each other through hard-coded internal IP addresses. You want to migrate these workloads quickly without modifying the application code. You also want to maintain all functionality. What should you do?)

Options:

A.  

Create a VPC with non-overlapping CIDR ranges compared to your on-premises network. When migrating individual workloads, assign each workload a new static internal IP address.

B.  

Migrate your DNS server first. Configure Cloud DNS with a forwarding zone to your migrated DNS server. Then migrate all other workloads with ephemeral internal IP addresses.

C.  

Migrate all workloads to a single VPC subnet. Configure Cloud NAT for the subnet and manually assign a static IP address to the Cloud NAT gateway.

D.  

Create a VPC with the same CIDR ranges as your on-premises network. When migrating individual workloads, assign each workload the same static internal IP address.

Discussion 0
Questions 85

You want to set up a Google Kubernetes Engine cluster Verifiable node identity and integrity are required for the cluster, and nodes cannot be accessed from the internet. You want to reduce the operational cost of managing your cluster, and you want to follow Google-recommended practices. What should you do?

Options:

A.  

Deploy a private autopilot cluster

B.  

Deploy a public autopilot cluster.

C.  

Deploy a standard public cluster and enable shielded nodes.

D.  

Deploy a standard private cluster and enable shielded nodes.

Discussion 0
Questions 86

You need to update a deployment in Deployment Manager without any resource downtime in the deployment. Which command should you use?

Options:

A.  

gcloud deployment-manager deployments create --config < deployment-config-path >

B.  

gcloud deployment-manager deployments update --config < deployment-config-path >

C.  

gcloud deployment-manager resources create --config < deployment-config-path >

D.  

gcloud deployment-manager resources update --config < deployment-config-path >

Discussion 0
Questions 87

You are designing an application that uses WebSockets and HTTP sessions that are not distributed across the web servers. You want to ensure the application runs properly on Google Cloud Platform. What should you do?

Options:

A.  

Meet with the cloud enablement team to discuss load balancer options.

B.  

Redesign the application to use a distributed user session service that does not rely on WebSockets and HTTP sessions.

C.  

Review the encryption requirements for WebSocket connections with the security team.

D.  

Convert the WebSocket code to use HTTP streaming.

Discussion 0
Questions 88

(Your company is modernizing its applications and refactoring them to containerized microservices. You need to deploy the infrastructure on Google Cloud so that teams can deploy their applications. The applications cannot be exposed publicly. You want to minimize management and operational overhead. What should you do?)

Options:

A.  

Provision a Standard zonal Google Kubernetes Engine (GKE) cluster.

B.  

Provision a fleet of Compute Engine instances and install Kubernetes.

C.  

Provision a Google Kubernetes Engine (GKE) Autopilot cluster.

D.  

Provision a Standard regional Google Kubernetes Engine (GKE) cluster.

Discussion 0
Questions 89

You have a virtual machine that is currently configured with 2 vCPUs and 4 GB of memory. It is running out of memory. You want to upgrade the virtual machine to have 8 GB of memory. What should you do?

Options:

A.  

Rely on live migration to move the workload to a machine with more memory.

B.  

Use gcloud to add metadata to the VM. Set the key to required-memory-size and the value to 8 G

B.  

C.  

Stop the VM, change the machine type to n1-standard-8, and start the VM.

D.  

Stop the VM, increase the memory to 8 GB, and start the VM.

Discussion 0
Questions 90

You need to create a custom VPC with a single subnet. The subnet’s range must be as large as possible. Which range should you use?

Options:

A.  

.00.0.0/0

B.  

10.0.0.0/8

C.  

172.16.0.0/12

D.  

192.168.0.0/16

Discussion 0
Questions 91

You want to run a single caching HTTP reverse proxy on GCP for a latency-sensitive website. This specific reverse proxy consumes almost no CPU. You want to have a 30-GB in-memory cache, and need an additional 2 GB of memory for the rest of the processes. You want to minimize cost. How should you run this reverse proxy?

Options:

A.  

Create a Cloud Memorystore for Redis instance with 32-GB capacity.

B.  

Run it on Compute Engine, and choose a custom instance type with 6 vCPUs and 32 GB of memory.

C.  

Package it in a container image, and run it on Kubernetes Engine, using n1-standard-32 instances as nodes.

D.  

Run it on Compute Engine, choose the instance type n1-standard-1, and add an SSD persistent disk of 32 GB.

Discussion 0
Questions 92

You have downloaded and installed the gcloud command line interface (CLI) and have authenticated with your Google Account. Most of your Compute Engine instances in your project run in the europe-west1-d zone. You want to avoid having to specify this zone with each CLI command when managing these instances. What should you do?

Options:

A.  

Set the europe-west1-d zone as the default zone using the gcloud config subcommand.

B.  

In the Settings page for Compute Engine under Default location, set the zone to europe–west1-d.

C.  

In the CLI installation directory, create a file called default.conf containing zone=europe–west1–d.

D.  

Create a Metadata entry on the Compute Engine page with key compute/zone and value europe–west1–d.

Discussion 0
Questions 93

Your team is building a website that handles votes from a large user population. The incoming votes will arrive at various rates. You want to optimize the storage and processing of the votes. What should you do?

Options:

A.  

Save the incoming votes to Firestore. Use Cloud Scheduler to trigger a Cloud Functions instance to periodically process the votes.

B.  

Use a dedicated instance to process the incoming votes. Send the votes directly to this instance.

C.  

Save the incoming votes to a JSON file on Cloud Storage. Process the votes in a batch at the end of the day.

D.  

Save the incoming votes to Pub/Sub. Use the Pub/Sub topic to trigger a Cloud Functions instance to process the votes.

Discussion 0
Questions 94

You used the gcloud container clusters command to create two Google Cloud Kubernetes (GKE) clusters prod-cluster and dev-cluster.

• prod-cluster is a standard cluster.

• dev-cluster is an auto-pilot duster.

When you run the Kubect1 get nodes command, you only see the nodes from prod-cluster Which commands should you run to check the node status for dev-cluster?

Options:

A.  

B.  

C.  

D.  

Discussion 0
Questions 95

Your company is active in the European Economic Area (EEA), and will adopt Google Cloud for its workloads. Projects are currently structured within different folders. You need to ensure any resources that will be deployed are using Google Cloud locations within the EEA by using the Organization Policy Service resource locations constraint. What should you do?

Options:

A.  

Configure the policy at the organization level, and add all allowed locations to the policy.

B.  

Configure the policy at the folder level, and add all disallowed locations to the policy.

C.  

Configure the policy at the organization level, and add all disallowed locations to the policy.

D.  

Configure the policy at the folder level, and add all allowed locations to the policy.

Discussion 0
Questions 96

Your team manages several petabytes of historical, structured transaction data stored in Apache Avro format on-premises. You are migrating this data to Google Cloud for a machine learning project. You must ensure that the data is accessible for large-scale analysis and model training using BigQuery. You must also minimize storage costs and avoid the overhead of loading data into BigQuery ' s managed storage. What should you do?

Options:

A.  

Use the BigQuery Data Transfer Service to ingest all Avro files into a BigQuery native table.

B.  

Migrate the data to a Cloud SQL for PostgreSQL instance, and use BigQuery federated queries to access the data.

C.  

Store the data in a Cloud Storage bucket, and define a BigQuery external table partitioned by a relevant column.

D.  

Store the data in a Cloud Storage bucket, define a schema, and then use the bq load command to upload files individually.

Discussion 0
Questions 97

Your development team needs a new Jenkins server for their project. You need to deploy the server using the fewest steps possible. What should you do?

Options:

A.  

Download and deploy the Jenkins Java WAR to App Engine Standard.

B.  

Create a new Compute Engine instance and install Jenkins through the command line interface.

C.  

Create a Kubernetes cluster on Compute Engine and create a deployment with the Jenkins Docker image.

D.  

Use GCP Marketplace to launch the Jenkins solution.

Discussion 0
Questions 98

Your existing application running in Google Kubernetes Engine (GKE) consists of multiple pods running on four GKE n1–standard–2 nodes. You need to deploy additional pods requiring n2–highmem–16 nodes without any downtime. What should you do?

Options:

A.  

Use gcloud container clusters upgrade. Deploy the new services.

B.  

Create a new Node Pool and specify machine type n2–highmem–16. Deploy the new pods.

C.  

Create a new cluster with n2–highmem–16 nodes. Redeploy the pods and delete the old cluster.

D.  

Create a new cluster with both n1–standard–2 and n2–highmem–16 nodes. Redeploy the pods and delete the old cluster.

Discussion 0
Questions 99

You are managing a fleet of data storage solutions for your company on Google Cloud, including Bigtable, Cloud SQL, Memorystore, and Spanner. You need a single, unified view to monitor the health of all data storage solutions and identify any that are at risk for downtime. What should you do?

Options:

A.  

Use Dataplex Universal Catalog to search the metadata of the data storage solutions to obtain the required insights.

B.  

In the Google Cloud Console, navigate to Database Center to find an overview of the data storage solutions.

C.  

Use the terraform state list command in the directory used to deploy the data storage solutions.

D.  

In the Google Cloud Console, use Cloud Asset Inventory to see an overview of the data storage solutions.

Discussion 0
Questions 100

You are assigned to maintain a Google Kubernetes Engine (GKE) cluster named dev that was deployed on Google Cloud. You want to manage the GKE configuration using the command line interface (CLI). You have just downloaded and installed the Cloud SDK. You want to ensure that future CLI commands by default address this specific cluster. What should you do?

Options:

A.  

Use the command gcloud config set container/cluster dev.

B.  

Use the command gcloud container clusters update dev.

C.  

Create a file called gke.default in the ~/.gcloud aname.

D.  

Create a file called defaults.json in the ~/.gcloud folder that contains the cluster name.

Discussion 0
Questions 101

You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

Options:

A.  

Use gcloud iam roles copy and specify the production project as the destination project.

B.  

Use gcloud iam roles copy and specify your organization as the destination organization.

C.  

In the Google Cloud Platform Console, use the ‘create role from role’ functionality.

D.  

In the Google Cloud Platform Console, use the ‘create role’ functionality and select all applicable permissions.

Discussion 0
Questions 102

You are managing a Data Warehouse on BigQuery. An external auditor will review your company ' s processes, and multiple external consultants will need view access to the data. You need to provide them with view access while following Google-recommended practices. What should you do?

Options:

A.  

Grant each individual external consultant the role of BigQuery Editor

B.  

Grant each individual external consultant the role of BigQuery Viewer

C.  

Create a Google Group that contains the consultants and grant the group the role of BigQuery Editor

D.  

Create a Google Group that contains the consultants, and grant the group the role of BigQuery Viewer

Discussion 0
Questions 103

Your company runs its Linux workloads on Compute Engine instances. Your company will be working with a new operations partner that does not use Google Accounts. You need to grant access to the instances to your operations partner so they can maintain the installed tooling. What should you do?

Options:

A.  

Enable Cloud IAP for the Compute Engine instances, and add the operations partner as a Cloud IAP Tunnel User.

B.  

Tag all the instances with the same network tag. Create a firewall rule in the VPC to grant TCP access on port 22 for traffic from the operations partner to instances with the network tag.

C.  

Set up Cloud VPN between your Google Cloud VPC and the internal network of the operations partner.

D.  

Ask the operations partner to generate SSH key pairs, and add the public keys to the VM instances.

Discussion 0
Questions 104

You host a static website on Cloud Storage. Recently, you began to include links to PDF files on this site. Currently, when users click on the links to these PDF files, their browsers prompt them to save the file onto their local system. Instead, you want the clicked PDF files to be displayed within the browser window directly, without prompting the user to save the file locally. What should you do?

Options:

A.  

Enable Cloud CDN on the website frontend.

B.  

Enable ‘Share publicly’ on the PDF file objects.

C.  

Set Content-Type metadata to application/pdf on the PDF file objects.

D.  

Add a label to the storage bucket with a key of Content-Type and value of application/pdf.

Discussion 0
Questions 105

You have a Linux VM that must connect to Cloud SQL. You created a service account with the appropriate access rights. You want to make sure that the VM uses this service account instead of the default Compute Engine service account. What should you do?

Options:

A.  

When creating the VM via the web console, specify the service account under the ‘Identity and API Access’ section.

B.  

Download a JSON Private Key for the service account. On the Project Metadata, add that JSON as the value for the key compute-engine-service-account.

C.  

Download a JSON Private Key for the service account. On the Custom Metadata of the VM, add that JSON as the value for the key compute-engine-service-account.

D.  

Download a JSON Private Key for the service account. After creating the VM, ssh into the VM and save the JSON under ~/.gcloud/compute-engine-service-account.json.

Discussion 0
Questions 106

You have successfully created a development environment in a project for an application. This application uses Compute Engine and Cloud SQL. Now, you need to create a production environment for this application.

The security team has forbidden the existence of network routes between these 2 environments, and asks you to follow Google-recommended practices. What should you do?

Options:

A.  

Create a new project, enable the Compute Engine and Cloud SQL APIs in that project, and replicate the setup you have created in the development environment.

B.  

Create a new production subnet in the existing VPC and a new production Cloud SQL instance in your existing project, and deploy your application using those resources.

C.  

Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your new project, and replicate the setup you have in the development environment in that new project, in the Shared VP

C.  

D.  

Ask the security team to grant you the Project Editor role in an existing production project used by another division of your company. Once they grant you that role, replicate the setup you have in the development environment in that project.

Discussion 0
Questions 107

You are deploying a production application on Compute Engine. You want to prevent anyone from accidentally destroying the instance by clicking the wrong button. What should you do?

Options:

A.  

Disable the flag “Delete boot disk when instance is deleted.”

B.  

Enable delete protection on the instance.

C.  

Disable Automatic restart on the instance.

D.  

Enable Preemptibility on the instance.

Discussion 0
Questions 108

You need to extract text from audio files by using the Speech-to-Text API. The audio files are pushed to a Cloud Storage bucket. You need to implement a fully managed, serverless compute solution that requires authentication and aligns with Google-recommended practices. You want to automate the call to the API by submitting each file to the API as the audio file arrives in the bucket. What should you do?

Options:

A.  

Run a Kubernetes job to scan the bucket regularly for incoming files, and call the Speech-to-Text API for each unprocessed file.

B.  

Create an App Engine standard environment triggered by Cloud Storage bucket events to submit the file URI to the Google Speech-to-Text API.

C.  

Run a Python script by using a Linux cron job in Compute Engine to scan the bucket regularly for incoming files, and call the Speech-to-Text API for each unprocessed file.

D.  

Create a Cloud Function triggered by Cloud Storage bucket events to submit the file URI to the Google Speech-to-Text API.

Discussion 0