GCP Cloud Professional Architect


Question 1:
You are using Cloud CDN to deliver static HTTP(S) website content
hosted on a Compute Engine instance group. You want to improve the
cache hit ratio. What should you do?

Customize the cache keys to omit the protocol from the key. (Correct)

Shorten the expiration time of the cached objects.

Make sure the HTTP(S) header 'Cache-Region' points to the closest region of your users.

Replicate the static content in a Cloud Storage bucket. Point Cloud CDN toward a load balancer on that bucket.

Explanation
A is correct because, by default, Cloud CDN uses the complete request URL, including the protocol, to build the cache key, so the same object requested over HTTP and over HTTPS is cached twice. Removing the protocol from a custom cache key lets both request types share one cache entry, which raises the cache hit ratio. Only omit a component when the response really is identical regardless of that component: dropping the host or the query string from the key for content that varies by host or by parameter makes Cloud CDN serve one origin's response to requests meant for another.

B is incorrect because shortening the expiration time evicts objects sooner, causes more cache misses and lowers the cache hit ratio.

C is incorrect because 'Cache-Region' is not a header Cloud CDN understands; Cloud CDN already serves content from the edge location closest to the user by default.

D is incorrect because moving the same content to a Cloud Storage bucket behind a load balancer does not change how cache keys are built, so the hit ratio is unchanged.

Links:
https://cloud.google.com/cdn/docs/best-practices#cache-hit-ratio
https://cloud.google.com/cdn/docs/using-cache-keys#turn-on
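The following is an added example and not code from the page or from Google: a small model of how a CDN derives a cache key from the request URL, replayed over a constructed request log to show what including or omitting the protocol, host and query string does to the hit ratio. The hostnames and paths are constructed.

```python
"""Cloud CDN-style cache keys and their effect on the hit ratio (added example)."""
from urllib.parse import parse_qsl, urlencode, urlsplit


def cache_key(url, include_protocol=True, include_host=True, include_query=True,
              query_whitelist=None):
    """Build a cache key from the URL components that are switched on.

    Omitting a component merges requests that differ only in that component into
    one cache entry. That is only safe when the origin's response really is the
    same for all of them.
    """
    parts = urlsplit(url)
    key = []
    if include_protocol:
        key.append(parts.scheme.lower())
    if include_host:
        key.append(parts.netloc.lower())
    key.append(parts.path or "/")
    if include_query and parts.query:
        params = parse_qsl(parts.query, keep_blank_values=True)
        if query_whitelist is not None:
            params = [(k, v) for k, v in params if k in query_whitelist]
        params.sort()  # parameter order alone must not produce distinct keys
        if params:
            key.append(urlencode(params))
    return "|".join(key)


def hit_ratio(requests, **key_options):
    """Replay `requests` against an empty cache and return hits / requests."""
    cached = set()
    hits = 0
    for url in requests:
        k = cache_key(url, **key_options)
        if k in cached:
            hits += 1
        else:
            cached.add(k)
    return hits / len(requests)


# Constructed request log: the same static objects fetched over http and https,
# plus a versioned asset whose query string really does change the content.
REQUEST_LOG = [
    "http://www.example.com/css/site.css",
    "https://www.example.com/css/site.css",
    "http://www.example.com/js/app.js",
    "https://www.example.com/js/app.js",
    "https://www.example.com/img/logo.png",
    "https://www.example.com/img/logo.png?v=2",
]

if __name__ == "__main__":
    print("default key          :", hit_ratio(REQUEST_LOG))
    print("protocol omitted     :", hit_ratio(REQUEST_LOG, include_protocol=False))
    # Dropping the query string too raises the ratio again, but logo.png?v=2 is now
    # served from the entry cached for logo.png: a stale or wrong object.
    print("protocol+query omitted:", hit_ratio(REQUEST_LOG, include_protocol=False,
                                                include_query=False))
```

Omitting the protocol doubles the hits on the constructed log without changing what is served; omitting the query string raises the ratio further but serves the unversioned logo in place of `logo.png?v=2`, which is the kind of key reduction to avoid.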

Question 2:
Your architecture calls for the centralized collection of all admin activity
and VM system logs within your project. How should you collect these
logs from both VMs and services?

All admin and VM system logs are automatically collected by Stackdriver.

Stackdriver automatically collects admin activity logs for most services. The Stackdriver Logging agent must be installed on each instance to collect system logs. (Correct)

Launch a custom syslogd compute instance and configure your GCP project and VMs to forward all logs to it.

Install the Stackdriver Logging agent on a single compute instance and let it collect all audit and access logs for your environment.

Explanation
A is incorrect because Admin Activity audit logs are written by Google Cloud services automatically, but the operating system logs of a VM (syslog, journald, application log files) are not collected unless an agent runs on the instance.

B is correct because you can view both activity logs and VM system logs in Stackdriver once the Stackdriver Logging agent is installed on each VM. The agent streams logs from the operating system and from common third-party applications to Logging, and it can be configured to stream additional log files.

C is incorrect because there is no need to run a custom syslogd instance: Stackdriver Logging is a managed service built for exactly this purpose, and a self-managed collector is one more host to patch, size and protect.

D is incorrect because the agent only reads the logs of the instance it runs on; every Compute Engine instance whose system logs are required needs the Stackdriver Logging agent installed.

Links:
https://cloud.google.com/logging/docs/agent
https://cloud.google.com/logging/docs/agent/logging

Question 3:
You have an App Engine application that needs to be updated. You want
to test the update with production traffic before replacing the current
application version. What should you do?

Deploy the update using the Instance Group Updater to create a partial rollout, which allows for canary testing.

Deploy the update as a new version in the App Engine application, and split traffic between the new and current versions. (Correct)

Deploy the update in a new VPC, and use Google's global HTTP load balancing to split traffic between the update and current applications.

Deploy the update as a new App Engine application, and use Google's global HTTP load balancing to split traffic between the new and current applications.

Explanation
A is incorrect because App Engine does not have an instance group updater component; managed instance groups and their rolling updates belong to Compute Engine.

B is correct because App Engine traffic splitting lets you specify a percentage distribution of traffic across two or more versions within a service, split by IP address, by cookie or at random. Splitting traffic allows you to conduct A/B or canary testing between your versions and gives you control over the pace of a rollout: deploy the new version with --no-promote so it receives no traffic, give it a small share, and migrate the rest once it behaves.

C is incorrect because App Engine versions are not deployed into a VPC of your choosing, and there is no need for a separate network or load balancer because traffic splitting is built into App Engine.

D is incorrect because a project has a single App Engine application; a canary is a new version of the existing service, not a new application.

Links:
https://cloud.google.com/appengine/docs/standard/python/splitting-traffic

Question 4:
All Compute Engine instances in your VPC should be able to connect to
an Active Directory server on specific ports. Any other traffic emerging
from your instances is not allowed. You want to enforce this using VPC
firewall rules. How should you configure the firewall rules?

Create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances. (Correct)

Create an egress rule with priority 100 to deny all traffic for all instances. Create another egress rule with priority 1000 to allow the Active Directory traffic for all instances.

Create an egress rule with priority 1000 to allow the Active Directory traffic. Rely on the implied deny egress rule with priority 100 to block all traffic for all instances.

Create an egress rule with priority 100 to allow the Active Directory traffic. Rely on the implied deny egress rule with priority 1000 to block all traffic for all instances.

Explanation
A is correct because every VPC network has two implied IPv4 firewall rules at the lowest possible priority (65535): an allow-all egress rule that lets every instance send traffic to any destination, and a deny-all ingress rule that blocks traffic from outside the network. Outbound traffic is therefore allowed unless you add an explicit deny egress rule. The rule that allows the Active Directory traffic must then have a higher priority than the deny-all egress rule, and in firewall rules a smaller number means higher priority, so allow at 100 beats deny at 1000. Evaluation is per connection: the highest-priority matching rule decides, and when an allow rule and a deny rule share the same priority, the deny rule wins. Scope the allow rule to the Active Directory server's address and ports, and remember that a deny-all egress rule also blocks DNS, Google APIs and package repositories unless you allow them explicitly; only the metadata server (169.254.169.254) stays reachable regardless of firewall rules.

B is incorrect because the deny-all rule at priority 100 would take precedence over the allow rule at priority 1000, so the Active Directory traffic would be blocked as well.

C is incorrect because there is no implied deny egress rule; the implied egress rule allows all traffic, so without an explicit deny rule every other outbound connection stays open.

D is incorrect for the same reason: without an explicit deny egress rule, the implied allow-all egress rule at priority 65535 lets all other traffic through.

Links:
https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
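An added example, not code from the page or from Google: a minimal evaluator that reproduces the rules that decide this question (lowest priority number wins, deny beats allow at equal priority, and every network carries an implied allow-all egress rule and deny-all ingress rule at priority 65535), run against the rule sets of options A, B and C. The Active Directory server address 10.10.0.5 and the port lists are constructed for the example, and target tags and service accounts, which real rules also carry, are left out.

```python
"""VPC firewall rule evaluation, modelled in Python (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IMPLIED_PRIORITY = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                     # "EGRESS" or "INGRESS"
    action: str                        # "allow" or "deny"
    priority: int                      # 0 (highest) .. 65535 (lowest)
    ranges: tuple = ("0.0.0.0/0",)     # destination ranges for egress rules
    protocol: str = "all"              # "all", "tcp", "udp", ...
    ports: frozenset = frozenset()     # empty means every port

    def matches(self, direction, ip, protocol, port):
        if self.direction != direction:
            return False
        if not any(ip_address(ip) in ip_network(r) for r in self.ranges):
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        return not self.ports or port in self.ports


# The two implied rules every VPC network has; they cannot be deleted.
IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY),
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY),
)


def evaluate(rules, direction, ip, protocol, port):
    """Return (action, rule_name) for one flow.

    The highest-priority (lowest number) matching rule decides; a deny rule wins
    over an allow rule of the same priority. An implied rule always matches, so
    there is always a winner.
    """
    candidates = [r for r in tuple(rules) + IMPLIED_RULES
                  if r.matches(direction, ip, protocol, port)]
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = candidates[0]
    return winner.action, winner.name


AD_SERVER = ("10.10.0.5/32",)        # constructed address of the AD server
AD_TCP = frozenset({53, 88, 135, 389, 445, 464, 636, 3268, 3269})
AD_UDP = frozenset({53, 88, 123, 389, 464})

# Option A: explicit deny-all egress at 1000, AD traffic allowed at 100.
OPTION_A = (
    Rule("deny-all-egress", "EGRESS", "deny", 1000),
    Rule("allow-ad-tcp", "EGRESS", "allow", 100, AD_SERVER, "tcp", AD_TCP),
    Rule("allow-ad-udp", "EGRESS", "allow", 100, AD_SERVER, "udp", AD_UDP),
)

# Option B: the deny rule outranks the allow rule, so even AD traffic is blocked.
OPTION_B = (
    Rule("deny-all-egress", "EGRESS", "deny", 100),
    Rule("allow-ad-tcp", "EGRESS", "allow", 1000, AD_SERVER, "tcp", AD_TCP),
)

# Option C: only an allow rule, relying on an implied deny egress rule that does not exist.
OPTION_C = (
    Rule("allow-ad-tcp", "EGRESS", "allow", 1000, AD_SERVER, "tcp", AD_TCP),
)

if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        print(label, "LDAP to AD      :", evaluate(rules, "EGRESS", "10.10.0.5", "tcp", 389))
        print(label, "HTTPS to the web:", evaluate(rules, "EGRESS", "203.0.113.7", "tcp", 443))
```

Under option C the HTTPS flow to 203.0.113.7 is decided by `implied-allow-egress`, which is exactly the gap the question is about; under option A it falls through to `deny-all-egress`, while LDAP to the AD server is still allowed.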

Question 5:
Your customer runs a web service used by e-commerce sites to offer
product recommendations to users. The company has begun
experimenting with a machine learning model on Google Cloud Platform
to improve the quality of results. What should the customer do to
improve their model's results over time?

Export Cloud Machine Learning Engine performance metrics from Stackdriver to BigQuery, to be used to analyze the efficiency of the model.

Build a roadmap to move the machine learning model training from Cloud GPUs to Cloud TPUs, which offer better results.

Monitor Compute Engine announcements for availability of newer CPU architectures, and deploy the model to them as soon as they are available for additional performance.

Save a history of recommendations and results of the recommendations in BigQuery, to be used as training data. (Correct)

Explanation
A is incorrect because analyzing training and serving metrics tells you how efficiently the model runs, not how to improve the quality of its results.

B is incorrect because TPUs can train the model faster, but faster training of the same model on the same data does not improve its results.

C is incorrect because newer CPU architectures can improve serving or training performance, not the quality of the recommendations.

D is correct because recording which recommendations were shown and what users actually did with them gives you fresh, labelled training data, and retraining the model periodically on that data is how its results improve over time. When a model is deployed to production and expected to show the error rates observed during evaluation, the underlying assumption is that future data will resemble past data, in particular that the distributions of the features and targets stay roughly constant. That assumption rarely holds: trends change, interests vary with the seasons, and buying behaviour shifts. The model must adapt, so it has to be retrained regularly on recent outcomes to keep the quality of its results relevant.

Links:
https://mlinproduction.com/model-
retraining/#:~:text=Rather%20retraining%20simply%20refers%20to,t%20inv
olve%20any%20code%20changes.
https://valohai.com/blog/when-should-a-machine-learning-model-be-
retrained/

Question 6:
A development team at your company has created a dockerized HTTPS
web application. You need to deploy the application on Google
Kubernetes Engine (GKE) and make sure that the application scales
automatically. How should you deploy to GKE?

Use the Horizontal Pod Autoscaler and enable cluster autoscaling. Use an Ingress resource to load-balance the HTTPS traffic.

Use the Horizontal Pod Autoscaler and enable cluster autoscaling on the Kubernetes cluster. Use a Service resource of type LoadBalancer to load-balance the HTTPS traffic. (Correct)

Enable autoscaling on the Compute Engine instance group. Use an Ingress resource to load-balance the HTTPS traffic.

Enable autoscaling on the Compute Engine instance group. Use a Service resource of type LoadBalancer to load-balance the HTTPS traffic.

Explanation
A is incorrect because, although an Ingress resource can load-balance HTTPS traffic, an Ingress is mostly used to expose multiple services behind a single IP address with host- and path-based routing, and it terminates TLS at the Google load balancer. Here there is a single service that already speaks HTTPS itself, so an Ingress is not the best fit.

B is correct because the Horizontal Pod Autoscaler automatically scales the number of Pods in a Deployment, ReplicaSet, StatefulSet or replication controller based on observed CPU utilization (or, with custom metrics support, on other application-provided metrics), and the cluster autoscaler adds or removes nodes so that the scaled Pods have somewhere to run. A Service of type LoadBalancer provisions a pass-through network load balancer that forwards the TCP connections on port 443 to the Pods, so the application keeps terminating TLS itself and the container's HTTPS configuration is used unchanged.

C is incorrect because enabling autoscaling on the node instance group only changes the number of nodes; it does not scale the number of Pods running the application.

D is incorrect for the same reason: node autoscaling alone does not scale the application's Pods.

Links:
https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-autoscaler
https://cloud.google.com/kubernetes-engine/docs/tutorials/hello-app

Question 7:
You need to design a solution for global load balancing based on the URL path
being requested. You need to ensure operations reliability and end-to-end in-
transit encryption based on Google best practices. What should you do?

Create a cross-region load balancer with URL Maps.

Create an HTTPS load balancer with URL Maps. (Correct)

Create appropriate instance groups and instances. Configure SSL proxy load balancing.

Create a global forwarding rule. Configure SSL proxy load balancing.

Explanation
A is incorrect because "cross-region load balancer" is not a GCP load balancer type; the global HTTP(S) load balancer is the product that serves all regions from a single anycast IP address and supports URL maps.

B is correct because the global HTTP(S) load balancer supports URL maps, which route requests to different backend services based on the host and path of the request URL. For end-to-end in-transit encryption, terminate TLS at the load balancer with an HTTPS frontend and configure the backend services to use HTTPS as well, so the hop between the load balancer and the instances is encrypted too.

C is incorrect because SSL proxy load balancing operates at layer 4: it terminates TLS and forwards the TCP stream, so it never sees the URL and does not support URL maps.

D is incorrect for the same reason: a global forwarding rule only defines the frontend IP address and port, and SSL proxy load balancing cannot route on the URL path.

Links:
https://cloud.google.com/load-balancing/docs/url-map
https://cloud.google.com/load-balancing/docs/ssl/#FAQ

Question 8:
You have an application that makes HTTP requests to Cloud Storage.
Occasionally the requests fail with HTTP status codes of 5xx and 429.
How should you handle these types of errors?

Use gRPC instead of HTTP for better performance.

Implement retry logic using a truncated exponential backoff strategy. (Correct)

Make sure the Cloud Storage bucket is multi-regional for geo-redundancy.

Monitor https://status.cloud.google.com/feed.atom and only make requests if Cloud Storage is not reporting an incident.

Explanation
A is incorrect because switching the transport does not address the errors: 5xx responses and 429 (too many requests) are transient server-side or rate-limiting conditions that the client has to handle by retrying, whatever protocol it speaks.

B is correct because truncated exponential backoff is the standard error-handling strategy for network clients: a failed request is retried with an increasing delay between attempts, usually doubling each time with a random jitter added so that many clients do not retry in lockstep, until the delay reaches a maximum (the truncation). You can keep retrying at the maximum backoff, but the request should eventually fail after a deadline so the application does not hang. For example, with a maximum_backoff of 64 seconds the client retries every 64 seconds once the delay has grown to that value, and stops retrying after a deadline of 600 seconds. Retry only idempotent operations, or operations whose repetition is safe, and treat 4xx errors other than 429 as permanent rather than retrying them.

C is incorrect because the bucket's location type changes where the data is stored for durability and availability; it does not stop the API from returning transient errors or rate-limit responses.

D is incorrect because the status page reports service-wide incidents after the fact; it does not predict or prevent the transient errors and rate limiting an individual client sees, and gating requests on it would stall the application for no benefit.

Links:
https://cloud.google.com/storage/docs/retry-strategy
https://cloud.google.com/storage/docs/request-rate
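An added example, not code from the page or from the Cloud Storage client libraries: a generic retry loop for the 5xx and 429 responses the question describes, with doubling delays, jitter, a 64-second cap and a 600-second deadline. The clock and sleep functions are injected so the schedule can be replayed instantly, and the `request` callable and scripted status codes are constructed stand-ins for real Cloud Storage calls.

```python
"""Truncated exponential backoff with jitter and a deadline (added example)."""
import random
import time

RETRYABLE_STATUS = {408, 429, 500, 502, 503, 504}


class RetryDeadlineExceeded(Exception):
    pass


def backoff_delay(attempt, base=1.0, max_backoff=64.0, jitter=random.random):
    """Delay before retry number `attempt` (0-based): min(base * 2**attempt + jitter, max_backoff)."""
    return min(base * 2 ** attempt + jitter(), max_backoff)


def call_with_retry(request, *, max_backoff=64.0, deadline=600.0,
                    clock=time.monotonic, sleep=time.sleep, jitter=random.random):
    """Call `request()` until it returns a non-retryable status or the deadline would pass.

    Returns (status, body, attempts_made). Use it only for idempotent requests, or
    requests whose repetition is harmless: a 5xx may mean the server did the work
    and then failed to answer.
    """
    start = clock()
    attempt = 0
    while True:
        status, body = request()
        if status not in RETRYABLE_STATUS:
            return status, body, attempt + 1
        delay = backoff_delay(attempt, max_backoff=max_backoff, jitter=jitter)
        if clock() - start + delay > deadline:
            raise RetryDeadlineExceeded(
                f"gave up after {attempt + 1} attempts; last status {status}")
        sleep(delay)
        attempt += 1


class FakeClock:
    """Virtual time so a retry schedule can be replayed without waiting."""

    def __init__(self):
        self.now = 0.0
        self.sleeps = []

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.sleeps.append(seconds)
        self.now += seconds


def scripted(statuses):
    """Request stub returning the given status codes in order, then 200 forever."""
    queue = list(statuses)

    def request():
        status = queue.pop(0) if queue else 200
        return status, ("ok" if status == 200 else "error")
    return request


def replay(statuses, jitter=lambda: 0.0, **kwargs):
    """Run the retry loop against a scripted server on a fake clock.

    Returns (outcome, sleeps) where outcome is (status, body, attempts) or the
    RetryDeadlineExceeded exception, and sleeps is the list of delays used.
    """
    clock = FakeClock()
    try:
        outcome = call_with_retry(scripted(statuses), clock=clock, sleep=clock.sleep,
                                  jitter=jitter, **kwargs)
    except RetryDeadlineExceeded as exc:
        outcome = exc
    return outcome, clock.sleeps


if __name__ == "__main__":
    print(replay([503, 429, 200], jitter=lambda: 0.5))   # recovers on the third attempt
    print(replay([403]))                                 # permanent error, no retry
    print(replay([503] * 100))                           # hits the 600 s deadline
```

With no jitter the delays run 1, 2, 4, 8, 16, 32 and then 64 seconds repeatedly; the fourteenth sleep brings the elapsed time to 575 seconds, and the next 64-second wait would cross the 600-second deadline, so the loop gives up after fifteen requests.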

Question 9:
You need to develop procedures to test a disaster plan for a mission-
critical application. You want to use Google-recommended practices and
native capabilities within GCP. What should you do?

Use Deployment Manager to automate service provisioning. Use Activity Logs to monitor and debug your tests.

Use Deployment Manager to automate service provisioning. Use Stackdriver to monitor and debug your tests. (Correct)

Use gcloud scripts to automate service provisioning. Use Activity Logs to monitor and debug your tests.

Use gcloud scripts to automate service provisioning. Use Stackdriver to monitor and debug your tests.

Explanation
A is incorrect because Activity Logs only record who changed which resource; they do not provide the metrics, application logs and alerting needed to monitor and debug a disaster-recovery test.

B is correct because you can use Deployment Manager to automate the provisioning of VM instances and other Google Cloud infrastructure declaratively, which makes the recovery environment reproducible for every test, and Stackdriver is Google's recommended tool for monitoring and debugging it.

C is incorrect because Google recommends a declarative, repeatable deployment tool such as Deployment Manager over imperative gcloud scripts, and Activity Logs are not a monitoring tool.

D is incorrect because, although Stackdriver is the right monitoring tool, Deployment Manager rather than hand-written gcloud scripts is the recommended way to automate provisioning.

Links:
https://cloud.google.com/architecture/dr-scenarios-planning-
guide#test_your_plan_regularly

Question 10:
Your company creates rendering software which users can download
from the company website. Your company has customers all over the
world. You want to minimize latency for all your customers. You want to
follow Google-recommended practices. How should you store the files?

Save the files in a Multi-Regional Cloud Storage bucket. (Correct)

Save the files in a Regional Cloud Storage bucket, one bucket per zone of the region.

Save the files in multiple Regional Cloud Storage buckets, one bucket per zone per region.

Save the files in multiple Multi-Regional Cloud Storage buckets, one bucket per multi-region.

Explanation
A is correct because a multi-region is recommended when you serve content to data consumers who are outside the Google network and distributed across large geographic areas, or when you want the higher availability that comes with being geo-redundant. Objects stored in a multi-region or dual-region are geo-redundant, and a single bucket leaves one copy of each download to manage.

B is incorrect because a regional bucket provides low latency only within a smaller geographic area than a multi-regional bucket; bucket locations are regions, dual-regions or multi-regions, never zones, so "one bucket per zone" is not a valid layout either.

C is incorrect because storing multiple copies of the files in separate regional buckets is harder to manage and keep consistent, and it is not a recommended practice.

D is incorrect for the same reason: several multi-regional buckets duplicate the data without improving latency over a single multi-regional bucket.

Links:
https://cloud.google.com/storage/docs/locations

Question 11:
Your company acquired a healthcare startup and must retain its
customers' medical information for up to 4 more years, depending on
when it was created. Your corporate policy is to securely retain this data,
and then delete it as soon as regulations allow. Which approach should
you take?

Store the data in Google Drive and manually delete records as they expire.

Anonymize the data using the Cloud Data Loss Prevention API and store it indefinitely.

Store the data in Cloud Storage and use lifecycle management to delete files when they expire. (Correct)

Store the data in Cloud Storage and run a nightly batch script that deletes all expired data.

Explanation
A is incorrect because storing medical records in Google Drive and deleting them by hand is tedious and error-prone, and it gives no auditable guarantee that the data is deleted when regulations allow.

B is incorrect because anonymizing the data is not a requirement here: the policy is to retain the data and then delete it as soon as regulations allow, not to keep a de-identified copy indefinitely.

C is correct because you can assign a lifecycle management configuration to a bucket. The configuration contains a set of rules that apply to current and future objects in the bucket; when an object meets the conditions of a rule (for example an age in days since its creation), Cloud Storage automatically performs the specified action on it, such as Delete. A rule with an age condition of four years deletes each record once its own retention period is over, with no code to run. If the bucket must also guarantee that nothing is deleted early, combine the lifecycle rule with a bucket retention policy, which blocks deletion of an object until it has reached the retention period.

D is incorrect because a managed lifecycle rule is preferable to a hand-written nightly script whenever the platform supports the operation natively; the script is another component to run, monitor and secure, and a failed run leaves expired data in place.

Links:
https://cloud.google.com/storage/docs/lifecycle

Question 12:
You are deploying a PHP App Engine Standard service with Cloud SQL as
the backend. You want to minimize the number of queries to the
database. What should you do?

Set the memcache service level to dedicated. Create a key from the hash of the query, and return database values from memcache before issuing a query to Cloud SQL. (Correct)

Set the memcache service level to dedicated. Create a cron task that runs every minute to populate the cache with keys containing query results.

Set the memcache service level to shared. Create a cron task that runs every minute to save all expected queries to a key called 'cached_queries'.

Set the memcache service level to shared. Create a key called 'cached_queries', and return database values from the key before using a query to Cloud SQL.

Explanation
A is correct because Memcache is a managed caching service, and hashing each query (together with its parameters) into a cache key lets the application look up the cached result first and query Cloud SQL only on a cache miss, which is the cache-aside pattern. Dedicated Memcache reserves capacity for your application and performs more predictably than shared Memcache, which is best-effort and may evict entries at any time.

B is incorrect because results should be cached when the queries are actually run, not refreshed every minute by a cron task; the cron job issues queries whether anyone needs them or not and still lets the application hit the database between runs.

C is incorrect because shared Memcache is best-effort, and storing all expected results under a single 'cached_queries' key means every lookup has to fetch and search one large value that cannot expire or be invalidated per query.

D is incorrect for the same reasons: shared Memcache offers no guaranteed capacity, and a single 'cached_queries' key cannot be used to look up the result of one specific query.

Links:
https://cloud.google.com/appengine/docs/standard/php/memcache/using
https://cloud.google.com/appengine/docs/standard/php/memcache/using#co
nfiguring_memcache

Question 13:
You need to ensure reliability for your application and operations by
supporting reliable task scheduling for compute on GCP. Leveraging
Google best practices, what should you do?

Using the Cron service provided by App Engine, publish messages directly to a message-processing utility service running on Compute Engine instances.

Using the Cron service provided by App Engine, publish messages to a Cloud Pub/Sub topic. Subscribe to that topic using a message-processing utility service running on Compute Engine instances. (Correct)

Using the Cron service provided by Google Kubernetes Engine (GKE), publish messages directly to a message-processing utility service running on Compute Engine instances.

Using the Cron service provided by GKE, publish messages to a Cloud Pub/Sub topic. Subscribe to that topic using a message-processing utility service running on Compute Engine instances.

Explanation
A is incorrect because sending messages directly to the Compute Engine instances couples the scheduler to them: if an instance is down or busy the message is lost, and a message broker is needed so the instances can consume the work reliably.

B is correct because App Engine Cron fires reliably on schedule, Pub/Sub durably stores each message and delivers it at least once, and the Compute Engine workers subscribe to the topic, pull messages at their own pace and acknowledge each one only after the work is done, so a restarted worker picks up where it left off.

C is incorrect because GKE offers Kubernetes CronJobs rather than a managed Cron service comparable to App Engine's, so you would have to write and operate the code that publishes the messages, which is less efficient for this use case.

D is incorrect for the same reason: Pub/Sub is the right transport, but the GKE cron component requires you to write and run the publishing code yourself.

Links:
https://cloud.google.com/architecture/reliable-task-scheduling-compute-
engine

Question 14:
Your company is building a new architecture to support its data-centric
business focus. You are responsible for setting up the network. Your
company's mobile and web-facing applications will be deployed on-
premises, and all data analysis will be conducted in GCP. The plan is to
process and load 7 years of archived .csv files totaling 900 TB of data
and then continue loading 10 TB of data daily. You currently have an
existing 100-MB internet connection. What actions will meet your
company's needs?

Compress and upload both archived files and files uploaded daily using the gsutil -m option.

Lease a Transfer Appliance, upload archived files to it, and send it to Google to transfer archived data to Cloud Storage. Establish a connection with Google using a Dedicated Interconnect or Direct Peering connection and use it to upload files daily. (Correct)

Lease a Transfer Appliance, upload archived files to it, and send it to Google to transfer archived data to Cloud Storage. Establish one Cloud VPN Tunnel to VPC networks over the public internet, and compress and upload files daily using the gsutil -m option.

Lease a Transfer Appliance, upload archived files to it, and send it to Google to transfer archived data to Cloud Storage. Establish a Cloud VPN Tunnel to VPC networks over the public internet, and compress and upload files daily.

Explanation
A is incorrect because uploading 900 TB over the existing 100 Mbps connection would take far too long: at 100 Mbps (12.5 MB/s) the archive alone needs about 830 days, and even the daily 10 TB would take roughly nine days per day of data, so the backlog would only grow.

B is correct because for 900 TB the best option is to lease a Transfer Appliance, load the archive onto it and let Google ingest the data into Cloud Storage. For the ongoing 10 TB per day, a Dedicated Interconnect (10 Gbps or 100 Gbps circuits) or Direct Peering gives a dedicated, high-bandwidth connection between the company's network and Google that the existing 100 Mbps internet link cannot match.

C is incorrect because a Cloud VPN tunnel still runs over the existing 100 Mbps internet connection, so the daily uploads would take far longer than a day; compression and gsutil -m parallelism do not add capacity to the link.

D is incorrect for the same reason: Cloud VPN over the existing 100 Mbps internet connection cannot move 10 TB per day.

Links:
https://cloud.google.com/transfer-appliance/docs/4.0
https://cloud.google.com/network-connectivity/docs/interconnect

Question 15:
You are developing a globally scaled frontend for a legacy streaming backend
data API. This API expects events in strict chronological order with no-repeat
data for proper processing. Which products should you deploy to ensure
guaranteed-once FIFO (first-in, first-out) delivery of data?

Cloud Pub/Sub alone

Cloud Pub/Sub to Cloud Dataflow (Correct)

Cloud Pub/Sub to Stackdriver

Cloud Pub/Sub to Cloud SQL

Explanation
A is incorrect because Pub/Sub delivers messages at least once and, by default, makes no guarantee about their order, so a subscriber can see duplicates and out-of-order events.

B is correct because, since Pub/Sub itself does not provide the ordering and de-duplication the legacy API needs, the stream has to be buffered and re-sequenced before delivery, and Dataflow is the usual way to do that: it can de-duplicate on a message identifier, buffer events in windows and emit them in order to the backend.

C is incorrect because Stackdriver is a monitoring and logging service; it cannot reorder or de-duplicate Pub/Sub messages.

D is incorrect because Cloud SQL is only a storage system; it does not consume Pub/Sub messages or maintain their order on the way to the API.

Links:
https://cloud.google.com/solutions/data-lifecycle-cloud-platform
https://cloud.google.com/pubsub/docs/pubsub-dataflow
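An added example, not code from the page, Pub/Sub or Dataflow: the buffering logic a pipeline has to carry out in front of the legacy API when the broker delivers at least once and without order. It assumes the producer stamps every event with a monotonic sequence number (Pub/Sub does not add one). Duplicates are dropped, a gap holds everything behind it until the missing event arrives, and events are released strictly in order; the delivery log at the bottom is constructed.

```python
"""Re-sequencing and de-duplicating an at-least-once, unordered stream (added example)."""
import heapq


class ReorderBuffer:
    def __init__(self, first_seq=1, max_pending=10_000):
        self.next_seq = first_seq       # sequence number the consumer expects next
        self.pending = []               # min-heap of (seq, payload) held back by a gap
        self.pending_seqs = set()       # for O(1) duplicate detection of held events
        self.max_pending = max_pending  # bound on memory if a gap is never filled

    def push(self, seq, payload):
        """Accept one delivery; return the events that can now be released, in order."""
        if seq < self.next_seq or seq in self.pending_seqs:
            return []                   # redelivery of something already seen: drop it
        if len(self.pending) >= self.max_pending:
            raise OverflowError(f"gap before seq {self.next_seq} never filled")
        heapq.heappush(self.pending, (seq, payload))
        self.pending_seqs.add(seq)
        released = []
        while self.pending and self.pending[0][0] == self.next_seq:
            s, p = heapq.heappop(self.pending)
            self.pending_seqs.discard(s)
            released.append(p)
            self.next_seq += 1
        return released


def replay(deliveries, first_seq=1):
    """Feed (seq, payload) deliveries through the buffer.

    Returns (events handed to the API in order, sequence numbers still held).
    """
    buf = ReorderBuffer(first_seq)
    delivered = []
    for seq, payload in deliveries:
        delivered.extend(buf.push(seq, payload))
    return delivered, sorted(buf.pending_seqs)


# Constructed delivery log: out of order and with redeliveries, as an at-least-once
# broker without ordering may present them.
DELIVERIES = [(1, "open"), (3, "move"), (2, "fill"), (3, "move"),
              (1, "open"), (5, "close"), (4, "cancel")]

if __name__ == "__main__":
    print(replay(DELIVERIES))
```

The buffer trades latency for order: event 3 waits for event 2, and everything after a permanently missing event waits forever, which is why `max_pending` (or, in Dataflow, a window with a watermark and allowed lateness) has to bound how long a gap may be held open.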

Question 16:
Your company is planning to perform a lift and shift migration of their
Linux RHEL 6.5+ virtual machines. The virtual machines are running in an
on-premises VMware environment. You want to migrate them to
Compute Engine following Google-recommended practices. What should
you do?

1. Define a migration plan based on the list of the applications and their dependencies.
2. Migrate all virtual machines into Compute Engine individually with Migrate for Compute Engine.

1. Perform an assessment of virtual machines running in the current VMware environment.
2. Create images of all disks. Import disks on Compute Engine.
3. Create standard virtual machines where the boot disks are the ones you have imported.

1. Perform an assessment of virtual machines running in the current VMware environment.
2. Define a migration plan, prepare a Migrate for Compute Engine migration RunBook, and execute the migration. (Correct)

1. Perform an assessment of virtual machines running in the current VMware environment.
2. Install a third-party agent on all selected virtual machines.
3. Migrate all virtual machines into Compute Engine.

Explanation
A is incorrect because the recommended process starts with an assessment of the VMware environment, and the VMs are migrated in waves defined by a Migrate for Compute Engine runbook rather than one by one.

B is incorrect because exporting and importing disk images by hand is a manual, error-prone migration; Google's recommended practice is to let Migrate for Compute Engine replicate the VMs, driven by a runbook.

C is correct because runbooks are created from the Migrate for Compute Engine Manager: the system queries VMware or AWS for the VMs and generates a CSV that you edit to define the waves, target projects, machine types and networks, after which the migration is executed from the runbook.

D is incorrect because Migrate for Compute Engine is agentless for VMware sources; installing a third-party agent on every VM is not required.

Links:
https://cloud.google.com/migrate/compute-engine/docs/4.8/how-
to/organizing-migrations/creating-and-modifying-runbooks
https://cloud.google.com/architecture/migrating-vms-migrate-for-compute-
engine-getting-started

Question 17:
You need to deploy an application to Google Cloud. The application
receives traffic via TCP and reads and writes data to the filesystem. The
application does not support horizontal scaling. The application process
requires full control over the data on the file system because concurrent
access causes corruption. The business is willing to accept a downtime
when an incident occurs, but the application must be available 24/7 to
support their business operations. You need to design the architecture of
this application on Google Cloud. What should you do?

Use a managed instance group with instances in multiple zones, use Cloud Filestore, and use an HTTP load balancer in front of the instances.

Use a managed instance group with instances in multiple zones, use Cloud Filestore, and use a network load balancer in front of the instances.

Use an unmanaged instance group with an active and standby instance in different zones, use a regional persistent disk, and use an HTTP load balancer in front of the instances.

Use an unmanaged instance group with an active and standby instance in different zones, use a regional persistent disk, and use a network load balancer in front of the instances. (Correct)

Explanation
A is incorrect because the application does not support horizontal scaling, so a managed instance group with several instances is the wrong model; a shared Filestore volume would also expose the data to the concurrent access that corrupts it, and an HTTP load balancer cannot front a plain TCP application.

B is incorrect for the same reasons: several instances writing to a shared Filestore volume is exactly the concurrent access the application cannot tolerate.

C is incorrect because the application receives raw TCP traffic, and an HTTP load balancer only proxies HTTP(S) requests, so it cannot forward that traffic.

D is correct because an unmanaged instance group with an active and a standby instance in different zones gives the application somewhere to fail over to when a zone has an incident (the accepted downtime); a regional persistent disk replicates the data synchronously across the two zones and can be attached read-write to only one instance at a time, force-attached to the standby on failover, which enforces the single-writer requirement; and a network load balancer forwards TCP traffic to whichever instance is healthy.

Links:
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-
unmanaged-instances
https://cloud.google.com/load-balancing/docs/network

Question 18:
Your company has an application running on multiple Compute Engine
instances. You need to ensure that the application can communicate with an
on-premises service that requires high throughput via internal IPs while
minimizing latency. What should you do?

Use OpenVPN to configure a VPN tunnel between the on-premises environment and Google Cloud.

Configure a direct peering connection between the on-premises environment and Google Cloud.

Use Cloud VPN to configure a VPN tunnel between the on-premises environment and Google Cloud.

Configure a Cloud Dedicated Interconnect connection between the on-premises environment and Google Cloud. (Correct)

Explanation
A is incorrect because a self-managed OpenVPN tunnel runs over the public internet, so it offers neither the throughput nor the predictable latency required, and it adds VMs to operate; Cloud VPN is the managed way to build an IPsec tunnel to GCP.

B is incorrect because Direct Peering exchanges traffic with Google's public IP addresses; it does not give access to internal IP addresses in a VPC.

C is incorrect because a Cloud VPN tunnel does provide private network access, but it is IPsec over the public internet with limited per-tunnel bandwidth, so it cannot deliver the high throughput and low, consistent latency required here.

D is correct because Cloud Interconnect extends your on-premises network to Google's network through a highly available, low-latency connection that carries internal IP traffic. You can use Dedicated Interconnect to connect directly to Google or Partner Interconnect to connect through a supported service provider. Traffic on an Interconnect is not encrypted by default, so applications that need confidentiality on that link should encrypt at the application layer or run HA VPN over the Interconnect.

Links:
https://cloud.google.com/network-connectivity/docs/interconnect
https://cloud.google.com/network-connectivity/docs/direct-peering

Question 19:
You are managing an application deployed on Cloud Run for Anthos, and
you need to define a strategy for deploying new versions of the
application. You want to evaluate the new code with a subset of
production traffic to decide whether to proceed with the rollout. What
should you do?

Deploy a new revision to Cloud Run with the new version. Configure traffic percentage between revisions. (Correct)

Deploy a new service to Cloud Run with the new version. Add a Cloud Load Balancing instance in front of both services.

In the Google Cloud Console page for Cloud Run, set up continuous deployment using Cloud Build for the development branch. As part of the Cloud Build trigger, configure the substitution variable TRAFFIC_PERCENTAGE with the percentage of traffic you want directed to a new version.

In the Google Cloud Console, configure Traffic Director with a new Service that points to the new version of the application on Cloud Run. Configure Traffic Director to send a small percentage of traffic to the new version of the application.

Explanation
A is correct because Cloud Run lets you specify which revisions of a service receive traffic and what percentage each revision gets. Deploy the new version as a revision that receives no traffic, assign it a small percentage, watch its error rate and latency, and then either migrate all traffic to it or route everything back to the previous revision; the same feature supports rollbacks, gradual rollouts and splits between several revisions.

B is incorrect because traffic splitting in Cloud Run is between revisions of one service; deploying a second service and a load balancer to split traffic between them rebuilds a capability the platform already provides.

C is incorrect because the requirements do not call for a continuous deployment pipeline, and a Cloud Build substitution variable does not by itself change how Cloud Run routes traffic; the split is configured on the service's revisions.

D is incorrect because Traffic Director is a service-mesh control plane for proxies such as Envoy; it is not the mechanism for splitting traffic between Cloud Run revisions.

Links:
https://cloud.google.com/run/docs/rollouts-rollbacks-traffic-migration

Question 20:
You are monitoring Google Kubernetes Engine (GKE) clusters in a Cloud
Monitoring workspace. As a Site Reliability Engineer (SRE), you need to
triage incidents quickly. What should you do?

Navigate the predefined dashboards in the Cloud Monitoring workspace, and then add metrics and create alert policies. (Correct)

Navigate the predefined dashboards in the Cloud Monitoring workspace, create custom metrics, and install alerting software on a Compute Engine instance.

Write a shell script that gathers metrics from GKE nodes, publish these metrics to a Pub/Sub topic, export the data to BigQuery, and make a Data Studio dashboard.

Create a custom dashboard in the Cloud Monitoring workspace for each incident, and then add metrics and create alert policies.

Explanation
A is correct because the predefined GKE dashboards already show cluster, node, Pod and container metrics, so starting from them and adding the metrics and alert policies you need is the quickest way to triage incidents as they occur.

B is incorrect because Cloud Monitoring provides alerting policies and notification channels itself; there is no need to install and maintain alerting software on a Compute Engine instance.

C is incorrect because GKE metrics are collected by Cloud Monitoring by default, so a pipeline of shell scripts, Pub/Sub, BigQuery and Data Studio duplicates what the platform already does and would be slow to build and slow to use under incident pressure.

D is incorrect because building a custom dashboard for every incident is slow; the predefined dashboards are designed to cover the common triage views, and custom dashboards are better reserved for recurring needs.

Links:
https://cloud.google.com/monitoring/charts/dashboards

Question 21:
You are implementing a single Cloud SQL MySQL second-generation
database that contains business-critical transaction data. You want to
ensure that the minimum amount of data is lost in case of catastrophic
failure. Which two features should you implement? (Choose two.)

Sharding

Read replicas

Binary logging (Correct)

Automated backups (Correct)

Semisynchronous replication

Explanation
A is incorrect because sharding does not prevent data loss.

B is incorrect because a read replica is a read-only copy of the master but it does not prevent data loss.

C is correct because binary logging enables point-in-time recovery that can be used to go back to a previous state of the database.

D is correct because automated backups can be restored at any time and thus if the data in the database gets corrupted due to some reason, the latest backup can be used to restore the data without losing much of the information.

E is incorrect because semi-synchronous replication does not prevent data loss.

Links:
https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
https://cloud.google.com/sql/docs/mysql/backup-recovery/pitr

Question 22:
You are working at a sports association whose members range in age
from 8 to 30. The association collects a large amount of health data,
such as sustained injuries. You are storing this data in BigQuery. Current
legislation requires you to delete such information upon request of the
subject. You want to design a solution that can accommodate such a
request. What should you do?

Use a unique identifier for each individual. Upon a deletion request, delete all rows from BigQuery with this identifier. (Correct)

When ingesting new data in BigQuery, run the data through the Data Loss
Prevention (DLP) API to identify any personal information. As part of the
DLP scan, save the result to Data Catalog. Upon a deletion request, query
Data Catalog to find the column with personal information.

Create a BigQuery view over the table that contains all data. Upon a
deletion request, exclude the rows that affect the subject's data from this
view. Use this view instead of the source table for all analysis tasks.

Use a unique identifier for each individual. Upon a deletion request, overwrite the column with the unique identifier with a salted SHA256 of its value.

Explanation
A is correct because using a unique identifier for all users allows us to query
and delete data related to every user with ease.

B is incorrect because here the question is to delete the data on the user’s
request and not to detect personal information.

C is incorrect because views are read-only and we cannot delete data from a
view.

D is incorrect because overwriting the unique identifier will not delete the data
as required.

Links:
https://cloud.google.com/bigquery/docs/reference/standard-sql/dml-syntax

Question 23:
Your company has announced that they will be outsourcing operations
functions. You want to allow developers to easily stage new versions of a
cloud-based application in the production environment and allow the
outsourced operations team to autonomously promote staged versions
to production. You want to minimize the operational overhead of the
solution. Which Google Cloud product should you migrate to?

App Engine (Correct)

GKE On-Prem

Compute Engine

Google Kubernetes Engine

Explanation
A is correct because App Engine supports versions of services. Versions of
the same service can split traffic among each other which can be used to
upgrade or downgrade versions of your app by the operations team.

B is incorrect because GKE on-premise does not have direct support for
traffic splitting like App Engine.

C is incorrect because Compute Engine is operationally intensive and a worse solution than App Engine.

D is incorrect because GKE is operationally intensive and a worse solution than App Engine.

Links:
https://cloud.google.com/appengine/docs/standard/python/splitting-traffic

Question 24:
Your company is running its application workloads on Compute Engine.
The applications have been deployed in production, acceptance, and
development environments. The production environment is business-
critical and is used 24/7, while the acceptance and development
environments are only critical during office hours. Your CFO has asked
you to optimize these environments to achieve cost savings during idle
times. What should you do?

Create a shell script that uses the gcloud command to change the
machine type of the development and acceptance instances to a smaller
machine type outside of office hours. Schedule the shell script on one of
the production instances to automate the task.

Use Cloud Scheduler to trigger a Cloud Function that will stop the development and acceptance environments after office hours and start them just before office hours. (Correct)

Deploy the development and acceptance applications on a managed instance group and enable autoscaling.

Use regular Compute Engine instances for the production environment, and use preemptible VMs for the acceptance and development environments.

Explanation
A is incorrect because it is better to just shut down the instances when they
are not in use than to resize them periodically.

B is correct because the development environments are not required after office hours and thus, it makes sense to stop them during the time that they are not in use and then start the instances during office hours. This way, it is possible to optimize the cost savings to the maximum, and Cloud Scheduler and Cloud Functions work very well for this task.

C is incorrect because a managed instance group does not automatically scale down to zero and thus, it doesn’t optimize the costs best.

D is incorrect because preemptible VMs can shut down at any time regardless of office hours. The development environments are critical during office hours, so using preemptible VMs can cause downtime.

Links:
https://cloud.google.com/blog/products/storage-data-transfer/save-money-by-stopping-and-starting-compute-engine-instances-on-schedule
https://cloud.google.com/compute/docs/instances/preemptible
https://cloud.google.com/compute/docs/instance-groups

Question 25:
You are moving an application that uses MySQL from on-premises to
Google Cloud. The application will run on Compute Engine and will use
Cloud SQL. You want to cut over to the Compute Engine deployment of
the application with minimal downtime and no data loss to your
customers. You want to migrate the application with minimal
modification. You also need to determine the cutover strategy. What
should you do?

1. Set up Cloud VPN to provide private network connectivity between the Compute Engine application and the on-premises MySQL server.
2. Stop the on-premises application.
3. Create a mysqldump of the on-premises MySQL server.
4. Upload the dump to a Cloud Storage bucket.
5. Import the dump into Cloud SQL.
6. Modify the source code of the application to write queries to both
databases and read from its local database.
7. Start the Compute Engine application.
8. Stop the on-premises application.

1. Set up Cloud SQL proxy and MySQL proxy.
2. Create a mysqldump of the on-premises MySQL server.
3. Upload the dump to a Cloud Storage bucket.
4. Import the dump into Cloud SQL.
5. Stop the on-premises application.
6. Start the Compute Engine application.

1. Set up Cloud VPN to provide private network connectivity between Compute Engine application and on-premises MySQL server.
2. Stop on-premises application.
3. Start Compute Engine application, configured to read and write to on-premises MySQL server.
4. Create replication configuration in Cloud SQL.
5. Configure source database server to accept connections from Cloud SQL replica.
6. Finalize Cloud SQL replica configuration.
7. Stop Compute Engine application.
8. Promote Cloud SQL replica to a standalone instance.
9. Restart Compute Engine application. (Correct)

1. Stop the on-premises application.
2. Create a mysqldump of the on-premises MySQL server.
3. Upload the dump to a Cloud Storage bucket.
4. Import the dump into Cloud SQL.
5. Start the application on Compute Engine.

Explanation
A is incorrect because it will cause downtime during the time it takes to create
a MySQL dump, upload it to cloud storage, and load it in Cloud SQL.

B is incorrect because it will cause downtime during the time it takes to create
a MySQL dump, upload it to cloud storage, and load it in Cloud SQL.

C is correct because it is necessary to set up Cloud VPN to allow the Cloud SQL replica to communicate with the on-prem database instance as it might not be possible to expose it to the public internet. Once the replica is established, the Compute Engine instance can use it and both the databases will remain in sync. Once stability is achieved with the Compute Engine instance, we can turn off the on-prem database and promote Cloud SQL to be the primary database.

D is incorrect because it will cause downtime during the time it takes to create
a MySQL dump, upload it to cloud storage, and load it in Cloud SQL.

Links:
https://cloud.google.com/architecture/migrating-mysql-to-cloudsql-concept

Question 26:
Your organization has decided to restrict the use of external IP addresses
on instances to only approved instances. You want to enforce this
requirement across all of your Virtual Private Clouds (VPCs). What
should you do?

Remove the default route on all VPCs. Move all approved instances into a
new subnet that has a default route to an internet gateway.

Create a new VPC in custom mode. Create a new subnet for the approved instances, and set a default route to the internet gateway on this new subnet.

Implement a Cloud NAT solution to remove the need for external IP addresses entirely.

Set an Organization Policy with a constraint on constraints/compute.vmExternalIpAccess. List the approved instances in the allowedValues list. (Correct)

Explanation
A is incorrect because external IPs are not managed through GCP routes and
thus, removing the routes does not automatically remove public IPs from VMs.

B is incorrect because the VPCs already exist and we need to implement policy to restrict the use of external IP addresses.

C is incorrect because Cloud NAT is used for egress traffic and the VMs will
not be able to receive any ingress traffic from the internet without public IPs -
which is against the requirements.

D is correct because the Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. The organization policy administrator will be able to configure constraints across your entire resource hierarchy. An organization policy can help limit the access to provision public IPs to unapproved VMs.

Links:
https://cloud.google.com/resource-manager/docs/organization-policy/overview
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address
https://cloud.google.com/nat/docs/overview

Question 27:
Your company uses the Firewall Insights feature in the Google Network
Intelligence Center. You have several firewall rules applied to Compute
Engine instances. You need to evaluate the efficiency of the applied
firewall ruleset. When you bring up the Firewall Insights page in the
Google Cloud Console, you notice that there are no log rows to display.
What should you do to troubleshoot the issue?

Enable Virtual Private Cloud (VPC) flow logging.

Enable Firewall Rules Logging for the firewall rules you want to monitor. (Correct)

Verify that your user account is assigned the compute.networkAdmin Identity and Access Management (IAM) role.

Install the Google Cloud SDK, and verify that there are no Firewall logs in
the command line output.

Explanation
A is incorrect because VPC flow logs are separate from Firewall rules and
enabling it does not make any changes to Firewall Rule logs.

B is correct because to view firewall utilization metrics, and to surface the deny-rule-with-hit-count and unused-allow-rule insights, you must enable Firewall Rules Logging for a given firewall rule.

C is incorrect because if the user was not assigned a proper IAM role, an
authorization error would show up.

D is incorrect because since Firewall logs are not enabled, the Cloud SQL will
not show any logs in the command line, and thus, verifying it does not solve
the problem.

Links:
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/how-to/using-firewall-insights
https://cloud.google.com/network-intelligence-center/docs/firewall-insights/concepts/overview

Question 28:
Your company has sensitive data in Cloud Storage buckets. Data analysts
have Identity Access Management (IAM) permissions to read the
buckets. You want to prevent data analysts from retrieving the data in
the buckets from outside the office network. What should you do?

1. Create a VPC Service Controls perimeter that includes the projects with the buckets.
2. Create an access level with the CIDR of the office network. (Correct)

1. Create a firewall rule for all instances in the Virtual Private Cloud (VPC)
network for source range.
2. Use the Classless Inter-domain Routing (CIDR) of the office network.

1. Create a Cloud Function to remove IAM permissions from the buckets, and another Cloud Function to add IAM permissions to the buckets.
2. Schedule the Cloud Functions with Cloud Scheduler to add permissions
at the start of business and remove permissions at the end of business.

1. Create a Cloud VPN to the office network.
2. Configure Private Google Access for on-premises hosts.

Explanation
A is correct because, for all Google Cloud services secured with VPC Service Controls, you can ensure that resources within a perimeter are accessed only from clients within authorized VPC networks using Private Google Access with either Google Cloud or on-premises.

B is incorrect because firewall rules don’t apply to Cloud Storage.

C is incorrect because adding and removing Cloud Storage IAM permissions according to the time of day does not solve the problem of restricting access to sensitive data from outside the company network.

D is incorrect because enabling Private Google Access from on-premise hosts does not restrict access to Cloud Storage from outside the office network.

Links:
https://cloud.google.com/vpc-service-controls/docs/supported-products#table_storage
https://cloud.google.com/vpc-service-controls/docs/overview
https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid

Question 29:
You have developed a non-critical update to your application that is running in
a managed instance group, and have created a new instance template with
the update that you want to release. To prevent any possible impact on the
application, you don't want to update any running instances. You want any
new instances that are created by the managed instance group to contain the
new update. What should you do?

Start a new rolling restart operation.

Start a new rolling replace operation.

Start a new rolling update. Select the Proactive update mode.

Start a new rolling update. Select the Opportunistic update mode. (Correct)

Explanation
A is incorrect because a rolling restart operation will restart all instances.

B is incorrect because a rolling replace operation will recreate all instances with the new template, but we only want new VMs to be created with the new template.

C is incorrect because an opportunistic update will automatically roll out the new configuration to all instances in the managed instance group.

D is correct because the requirement is not to update any running instances. The managed instance group applies an opportunistic update only when you manually initiate the update on selected instances or when new instances are created. New instances can be created when you or another service, such as an autoscaler, resizes the MIG.

Links:
https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups
https://cloud.google.com/compute/docs/instance-groups/updating-migs#choosing_between_automated_and_selective_updates
https://cloud.google.com/compute/docs/instance-groups/updating-migs#opportunistic_updates

Question 30:
Your company is designing its application landscape on Compute Engine.
Whenever a zonal outage occurs, the application should be restored in
another zone as quickly as possible with the latest application data. You
need to design the solution to meet this requirement. What should you
do?

Create a snapshot schedule for the disk containing the application data.
Whenever a zonal outage occurs, use the latest snapshot to restore the
disk in the same zone.

Configure the Compute Engine instances with an instance template for the application, and use a regional persistent disk for the application data. Whenever a zonal outage occurs, use the instance template to spin up the application in another zone in the same region. Use the regional persistent disk for the application data. (Correct)

Create a snapshot schedule for the disk containing the application data.
Whenever a zonal outage occurs, use the latest snapshot to restore the
disk in another zone within the same region.

Configure the Compute Engine instances with an instance template for the application, and use a regional persistent disk for the application data. Whenever a zonal outage occurs, use the instance template to spin up the application in another region. Use the regional persistent disk for the application data.

Explanation
A is incorrect because we want to create the instance in another zone but this
approach suggests creating the instance in the same zone, which is not of
much use.

B is correct because a regional persistent disk is a storage option that provides synchronous replication of data between two zones in a region. Regional persistent disks can be a good building block to use when you implement HA services in Compute Engine. At the time of a zonal outage, it is easy to use the existing instance template to create the instance in another zone and use the same regional persistent disk.

C is incorrect because even though it works, there is no guarantee that the latest snapshot will have the most recent data as the snapshots are created periodically on a schedule.

D is incorrect because this option suggests creating the instance in another region, while the requirement is to create the instance in another zone.

Links:
https://cloud.google.com/compute/docs/disks/high-availability-regional-persistent-disk
https://cloud.google.com/compute/docs/disks/create-snapshots#:~:text=Create%20snapshots%20to%20periodically%20back,instance%20within%20the%20same%20project.

Question 31:
Your company has just acquired another company, and you have been
asked to integrate their existing Google Cloud environment into your
company's data center. Upon investigation, you discover that some of
the RFC 1918 IP ranges being used in the new company's Virtual Private
Cloud (VPC) overlap with your data center IP space. What should you do
to enable connectivity and make sure that there are no routing conflicts
when connectivity is established?

Create a Cloud VPN connection from the new VPC to the data center,
create a Cloud Router, and apply new IP addresses so there is no
overlapping IP space.

Create a Cloud VPN connection from the new VPC to the data center, and
create a Cloud NAT instance to perform NAT on the overlapping IP space.

Create a Cloud VPN connection from the new VPC to the data
center, create a Cloud Router, and apply a custom route (Correct)
advertisement to block the overlapping IP space.

Create a Cloud VPN connection from the new VPC to the data center, and
apply a firewall rule that blocks the overlapping IP space.

Explanation
A is incorrect because the overlapping IP addresses already exist and we need
to ensure connectivity between the VPC and on-prem network, thus applying
new IPs is not an option.

B is incorrect because Cloud NAT (network address translation) lets certain resources without external IP addresses create outbound connections to the internet. It has nothing to do with connecting on-premise networks with GCP.

C is correct because, with custom route advertisements, you choose which routes Cloud Router advertises to your on-premises router through the Border Gateway Protocol (BGP). You can block the overlapping IPs by applying custom route advertisements.

D is incorrect because firewall rules are separate from routes in GCP and they
don’t have any role in ensuring connectivity between overlapping IP ranges.

Links:
https://cloud.google.com/network-connectivity/docs/router/how-to/advertising-overview
https://cloud.google.com/nat/docs/overview
https://cloud.google.com/network-connectivity/docs/router/how-to/advertising-custom-ip

Question 32:
You need to migrate Hadoop jobs for your company's Data Science team
without modifying the underlying infrastructure. You want to minimize
costs and infrastructure management effort. What should you do?

Create a Dataproc cluster using standard worker instances.

Create a Dataproc cluster using preemptible worker instances. (Correct)

Manually deploy a Hadoop cluster on Compute Engine using standard instances.

Manually deploy a Hadoop cluster on Compute Engine using preemptible instances.

Explanation
A is incorrect because preemptible worker instances can provide more cost
savings compared to standard VMs.

B is correct because Dataproc is a managed Hadoop and Spark environment. You can use Dataproc to run most of your existing jobs with minimal alteration, so you don't need to move away from all of the Hadoop tools you already know. Preemptible worker instances can provide more cost savings compared to standard VMs.

C is incorrect because deploying a Hadoop cluster manually can require significant migration efforts when compared to migrating to Dataproc.

D is incorrect because deploying a Hadoop cluster manually can require significant migration efforts when compared to migrating to Dataproc.

Links:
https://cloud.google.com/dataproc/docs/concepts/compute/secondary-vms#preemptible_and_non-preemptible_secondary_workers
https://cloud.google.com/architecture/hadoop/hadoop-gcp-migration-overview

Question 33:
Your company has a project in Google Cloud with three Virtual Private Clouds
(VPCs). There is a Compute Engine instance on each VPC. Network subnets
do not overlap and must remain separated. The network configuration is
shown below. Instance #1 is an exception and must communicate directly with
both Instance #2 and Instance #3 via internal IPs. How should you accomplish
this?

Create a cloud router to advertise subnet #2 and subnet #3 to subnet #1.

Add two additional NICs to Instance #1 with the following configuration: NIC1 --> VPC: VPC #2 and SUBNETWORK: subnet #2, NIC2 --> VPC: VPC #3 and SUBNETWORK: subnet #3. Update firewall rules to enable traffic between instances. (Correct)

Create two VPN tunnels via CloudVPN: 1 between VPC #1 and VPC #2 and
1 between VPC #2 and VPC #3. Update firewall rules to enable traffic
between the instances.

Peer all three VPCs: Peer VPC #1 with VPC #2 and peer VPC #2 with VPC
#3. Update firewall rules to enable traffic between the instances.

Explanation
A is incorrect because Cloud Router cannot create routes to instances that are outside its network (separate VPCs).

B is correct because, by default, every instance in a VPC network has a single network interface. It is possible to attach additional network interfaces to Compute Engine instances. Each interface is attached to a different VPC network, giving that instance access to different VPC networks in Google Cloud.

C is incorrect because Cloud VPN can be used to enable communication between VMs but in this case, our only requirement is to enable communication from VM1 to VM2 and VM3, and thus, opening a VPN tunnel between VM2 and VM3 is against the requirements.

D is incorrect because VPC peering will enable additional communication channels between VM2 and VM3, which is not required, and thus, this option should be used as a last resort.

Links:
https://cloud.google.com/vpc/docs/create-use-multiple-interfaces

Question 34:
You need to deploy an application on Google Cloud that must run on a
Debian Linux environment. The application requires extensive
configuration in order to operate correctly. You want to ensure that you
can install Debian distribution updates with minimal manual intervention
whenever they become available. What should you do?

Create a Compute Engine instance template using the most recent Debian
image. Create an instance from this template, and install and configure the
application as part of the startup script. Repeat this process whenever a
new Google-managed Debian image becomes available.

Create a Debian-based Compute Engine instance, install and configure the application, and use OS patch management to install available updates. (Correct)

Create an instance with the latest available Debian image. Connect to the
instance via SSH, and install and configure the application on the
instance. Repeat this process whenever a new Google-managed Debian
image becomes available.

Create a Docker container with Debian as the base image. Install and
configure the application as part of the Docker image creation process.
Host the container on Google Kubernetes Engine and restart the container
whenever a new update is available.

Explanation
A is incorrect because repeating the deployment process every time a new
Debian image gets made available is not scalable.

B is correct because you can use OS patch management to apply operating system patches across a set of Compute Engine VM instances (VMs). Long-running VMs require periodic system updates to protect against defects and vulnerabilities. OS patch management supports Debian Linux.

C is incorrect because manually configuring the application every time a new Debian image is available is tedious and error-prone.

D is incorrect because updating the Docker image whenever a new Debian update is available is a manual process and should be automated if possible.

Links:
https://cloud.google.com/compute/docs/os-patch-management
https://cloud.google.com/blog/products/compute/using-compute-engines-os-patch-management-service

Question 35:
You have an application that runs in Google Kubernetes Engine (GKE).
Over the last 2 weeks, customers have reported that a specific part of
the application returns errors very frequently. You currently have no
logging or monitoring solution enabled on your GKE cluster. You want to
diagnose the problem, but you have not been able to replicate the issue.
You want to cause minimal disruption to the application. What should you
do?

1. Update your GKE cluster to use Cloud Operations for GKE.
2. Use the GKE Monitoring dashboard to investigate logs from affected Pods.

1. Create a new GKE cluster with Cloud Operations for GKE enabled.
2. Migrate the affected Pods to the new cluster, and redirect traffic for
those Pods to the new cluster.
3. Use the GKE Monitoring dashboard to investigate logs from affected
Pods.

1. Update your GKE cluster to use Cloud Operations for GKE, and deploy Prometheus.
2. Set an alert to trigger whenever the application returns an error. (Correct)

1. Create a new GKE cluster with Cloud Operations for GKE enabled, and
deploy Prometheus.
2. Migrate the affected Pods to the new cluster, and redirect traffic for
those Pods to the new cluster.
3. Set an alert to trigger whenever the application returns an error.

Explanation
A is incorrect because updating the cluster to use Cloud Operations for GKE
will enable logging for the application but the logs can be viewed in
Stackdriver Logging and not in GKE Monitoring.

B is incorrect because there is no need to create a new GKE cluster for enabling Cloud Operations for GKE as the existing cluster can be updated with no downtime.

C is correct because updating the cluster to use Cloud Operations for GKE
will enable logging for the application. Prometheus can be used to collect
custom metrics from the deployed application and the best way to detect
errors proactively is to set alerts in Stackdriver to notify the correct people
when an error occurs.

D is incorrect because there is no need to create a new GKE cluster for enabling Cloud Operations for GKE as the existing cluster can be updated with no downtime.

Links:
https://cloud.google.com/stackdriver/docs/solutions/gke
https://prometheus.io/
https://cloud.google.com/error-reporting/docs/notifications

Question 36:
You need to deploy a stateful workload on Google Cloud. The workload can
scale horizontally, but each instance needs to read and write to the same
POSIX filesystem. At a high load, the stateful workload needs to support up to
100 MB/s of writes. What should you do?

Use a persistent disk for each instance.

Use a regional persistent disk for each instance.

Create a Cloud Filestore instance and mount it in each instance. (Correct)

Create a Cloud Storage bucket and mount it in each instance using gcsfuse.

Explanation
A is incorrect because it is possible to attach a persistent disk to more than one instance. However, if you attach a persistent disk to multiple instances, all instances must attach the persistent disk in read-only mode. It is not possible to attach the persistent disk to multiple instances in read-write mode.

B is incorrect because it is possible to attach a persistent disk to more than one instance. However, if you attach a persistent disk to multiple instances, all instances must attach the persistent disk in read-only mode. It is not possible to attach the persistent disk to multiple instances in read-write mode.

C is correct because Cloud Filestore is a fully managed network-attached storage (NAS) for Compute Engine and GKE instances. A Filestore instance can be attached to multiple instances in read-write mode. Filestore provides a consistent view of your filesystem data and steady performance over time, with speeds up to 720K IOPS and 2 GB/s.

D is incorrect because even though GCS Fuse can be used to allow multiple
instances to write to the same storage, Cloud Storage FUSE has much higher
latency than a local file system and one of the requirements is to have fast
read/write speed.

Links:
https://cloud.google.com/filestore/docs/mounting-fileshares
https://cloud.google.com/filestore
https://cloud.google.com/storage/docs/gcs-fuse#notes

Question 37:
Your company has an application deployed on Anthos clusters (formerly
Anthos GKE) that are running multiple microservices. The cluster has both
Anthos Service Mesh and Anthos Config Management configured. End users
inform you that the application is responding very slowly. You want to identify
the microservice that is causing the delay. What should you do?

Use the Service Mesh visualization in the Cloud Console to inspect the telemetry between the microservices. (Correct)

Use Anthos Config Management to create a ClusterSelector selecting the relevant cluster. On the Google Cloud Console page for Google Kubernetes Engine, view the Workloads and filter on the cluster. Inspect the configurations of the filtered workloads.

Use Anthos Config Management to create a namespaceSelector selecting the relevant cluster namespace. On the Google Cloud Console page for Google Kubernetes Engine, visit the workloads and filter on the namespace. Inspect the configurations of the filtered workloads.

Reinstall istio using the default istio profile in order to collect request
latency. Evaluate the telemetry between the microservices in the Cloud
Console.

Explanation
A is correct because the Anthos Service Mesh pages in the Google Cloud
Console provide both summary and in-depth metrics, charts, and graphs that
enable you to observe service behavior. You can monitor the overall health of
your services, or drill down on a specific service to set a service level
objective (SLO) or troubleshoot an issue.

B is incorrect because Anthos Config Management is used to publish
configuration and policies to all connected Kubernetes clusters. It is not used
for debugging latency-related issues.

C is incorrect because Anthos Config Management is used to publish
configuration and policies to all connected Kubernetes clusters. It is not used
for debugging latency-related issues.

D is incorrect because reinstalling Istio is not required as Anthos Service Mesh
is used to gain visibility on the cluster.

Links:
https://cloud.google.com/service-mesh/docs/observability/explore-dashboard
https://cloud.google.com/anthos/config-management

Question 38:
You are working at a financial institution that stores mortgage loan
approval documents on Cloud Storage. Any change to these approval
documents must be uploaded as a separate approval file, so you want to
ensure that these documents cannot be deleted or overwritten for the
next 5 years. What should you do?

Create a retention policy on the bucket for the duration of 5 years. Create a
lock on the retention policy. (Correct)

Create the bucket with uniform bucket-level access, and grant a service
account the role of Object Writer. Use the service account to upload new
files.

Use a customer-managed key for the encryption of the bucket. Rotate the
key after 5 years.

Create the bucket with fine-grained access control, and grant a service
account the role of Object Writer. Use the service account to upload new
files.

Explanation
A is correct because a bucket retention policy of 5 years ensures that the
objects in the bucket cannot be overwritten or deleted before 5 years have
elapsed.

B is incorrect because granting access to a service account will allow that
service account to overwrite existing objects.

C is incorrect because using a customer-managed key does not prevent
deletion or overwriting of Cloud Storage objects.

D is incorrect because granting access to a service account will allow that
service account to overwrite existing objects.

Links:
https://cloud.google.com/storage/docs/bucket-lock
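As an added illustration of option A (example configuration, not from the original question set), the following Terraform declares a Cloud Storage bucket with a 5-year retention policy and locks it; the project id and bucket name are placeholders.

```hcl
# Added example: a bucket whose objects cannot be deleted or overwritten for
# 5 years, enforced by a locked retention policy. Names are placeholders.
resource "google_storage_bucket" "loan_approvals" {
  name     = "example-mortgage-approvals"   # placeholder bucket name
  location = "US"
  project  = "example-project-id"           # placeholder project id

  # IAM only, no per-object ACLs, so access review stays simple.
  uniform_bucket_level_access = true

  retention_policy {
    # 5 years expressed in seconds: 5 * 365 * 24 * 60 * 60.
    # Every object must reach this age before it may be deleted or replaced;
    # uploading a "changed" document therefore has to be a new object name.
    retention_period = 157680000

    # Locking is irreversible: once locked, the policy cannot be removed and
    # the period cannot be shortened, even by a project owner. Review the
    # period before applying with is_locked = true.
    is_locked = true
  }
}
```

Once applied, `gsutil retention get gs://example-mortgage-approvals` should report the policy as LOCKED; until then the policy could still be relaxed by anyone with bucket admin rights.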

Question 39:
Your team will start developing a new application using microservices
architecture on Kubernetes Engine. As part of the development lifecycle, any
code change that has been pushed to the remote development branch on
your GitHub repository should be built and tested automatically. When the
build and test are successful, the relevant microservice will be deployed
automatically in the development environment. You want to ensure that all
code deployed in the development environment follows this process. What
should you do?

Have each developer install a pre-commit hook on their workstation that
tests the code and builds the container when committing on the
development branch. After a successful commit, have the developer
deploy the newly built container image on the development cluster.

Install a post-commit hook on the remote git repository that tests the
code and builds the container when code is pushed to the development
branch. After a successful commit, have the developer deploy the newly
built container image on the development cluster.

Create a Cloud Build trigger based on the development branch that tests the
code, builds the container, and stores it in Container Registry. Create a
deployment pipeline that watches for new images and deploys the new image
on the development cluster. Ensure only the deployment tool has access to
deploy new versions. (Correct)

Create a Cloud Build trigger based on the development branch to build a
new container image and store it in Container Registry. Rely on
Vulnerability Scanning to ensure the code tests succeed. As the final step
of the Cloud Build process, deploy the new container image on the
development cluster. Ensure only Cloud Build has access to deploy new
versions.

Explanation
A is incorrect because asking all developers to set up commit-hooks locally is
not scalable as some people might choose to not follow the required process
and untested code might end up being deployed.

B is incorrect because a post-commit hook on GitHub can be used to test the
code, but the deployment to the development environment is still manual in
this case.

C is correct because a Cloud Build pipeline can test and build the code and
store the image in Container Registry. Another pipeline that watches for new
images can pick up the newly uploaded image and deploy it to the required
environment.

D is incorrect because Container Registry vulnerability scanning does not test
code. It scans the system packages installed in the container and displays the
vulnerabilities in them.

Links:
https://cloud.google.com/build/docs
https://cloud.google.com/container-analysis/docs/container-scanning-overview

Question 40:
Your operations team has asked you to help diagnose a performance
issue in a production application that runs on Compute Engine. The
application is dropping requests that reach it when under heavy load.
The process list for affected instances shows a single application
process that is consuming all available CPU, and autoscaling has reached
the upper limit of instances. There is no abnormal load on any other
related systems, including the database. You want to allow production
traffic to be served again as quickly as possible. Which action should you
recommend?

Change the autoscaling metric to agent.googleapis.com/memory/percent_used.

Restart the affected instances on a staggered schedule.

SSH to each instance and restart the application process.

Increase the maximum number of instances in the autoscaling group. (Correct)

Explanation
A is incorrect because changing the auto-scaling metric will not do anything
as the autoscaling has already reached the upper limit of instances and yet
the requests are failing.

B is incorrect because restarting instances might be able to solve the problem,
but it will not provide an immediate solution as there is no guarantee that it will
work.

C is incorrect because restarting the process might be able to solve the
problem, but it will not provide an immediate solution as there is no guarantee
that it will work.

D is correct because the quickest way to reduce the saturation levels on the
cluster is to increase the upper limit of instances and let the system scale up
to handle the required amount of load.

Links:
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances
https://acloudguru.com/hands-on-labs/creating-a-load-balanced-managed-instance-group-on-google-cloud-platform

Question 41:
You are implementing the infrastructure for a web service on Google
Cloud. The web service needs to receive and store the data from
500,000 requests per second. The data will be queried later in real time,
based on exact matches of a known set of attributes. There will be
periods where the web service will not receive any requests. The
business wants to keep costs low. Which web service platform and
database should you use for the application?

Cloud Run and BigQuery

Cloud Run and Cloud Bigtable (Correct)

A Compute Engine autoscaling managed instance group and BigQuery

A Compute Engine autoscaling managed instance group and Cloud Bigtable

Explanation
A is incorrect because the records would need to be loaded into BigQuery via
streaming inserts, which are expensive. Also, the data will be queried later in
real time based on exact matches of a known set of attributes, which means
there will not be any advanced analytical queries on the data, so BigQuery is
not the best option here.

B is correct because Cloud Run charges based on the number of invocations,
so it helps save costs during the periods when the application receives no
traffic. Bigtable is optimized for heavy write loads and can query records by
exact match of attributes in real time.

C is incorrect because using Compute Engine is a more costly solution, which
is against the requirement of saving costs.

D is incorrect because using Compute Engine is a more costly solution, which
is against the requirement of saving costs.

Links:
https://cloud.google.com/run/pricing
https://cloud.google.com/blog/topics/developers-practitioners/bigtable-vs-bigquery-whats-difference
https://cloud.google.com/bigtable

Question 42:
You are developing an application using different microservices that
should remain internal to the cluster. You want to be able to configure
each microservice with a specific number of replicas. You also want to be
able to address a specific microservice from any other microservice in a
uniform way, regardless of the number of replicas the microservice
scales to. You need to implement this solution on Google Kubernetes
Engine. What should you do?

Deploy each microservice as a Deployment. Expose the Deployment in the
cluster using a Service, and use the Service DNS name to address it from
other microservices within the cluster. (Correct)

Deploy each microservice as a Deployment. Expose the Deployment in the
cluster using an Ingress, and use the Ingress IP address to address the
Deployment from other microservices within the cluster.

Deploy each microservice as a Pod. Expose the Pod in the cluster using a
Service, and use the Service DNS name to address the microservice from
other microservices within the cluster.

Deploy each microservice as a Pod. Expose the Pod in the cluster using an
Ingress, and use the Ingress IP address name to address the Pod from
other microservices within the cluster.

Explanation
A is correct because a Deployment provides declarative updates for Pods
and ReplicaSets, which can be used to run multiple replicas of the pods
under the Deployment. A ClusterIP Service exposes the Deployment
internally, and other services can reach the pods through the Service's DNS
name regardless of how many replicas are running.

B is incorrect because an Ingress resource exposes the service to the public
internet.

C is incorrect because pods need a Deployment or ReplicaSet on top of them
to create and manage replicas.

D is incorrect because pods need a Deployment or ReplicaSet on top of them
to create and manage replicas.

Links:
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
https://kubernetes.io/docs/concepts/services-networking/service/

Question 43:
Your company has a networking team and a development team. The
development team runs applications on Compute Engine instances that
contain sensitive data. The development team requires administrative
permissions for Compute Engine. Your company requires all network
resources to be managed by the networking team. The development
team does not want the networking team to have access to the sensitive
data on the instances. What should you do?

1. Create a project with a standalone VPC and assign the Network Admin
role to the networking team.
2. Create a second project with a standalone VPC and assign the Compute
Admin role to the development team.
3. Use Cloud VPN to join the two VPCs.

1. Create a project with a standalone Virtual Private Cloud (VPC), assign the
Network Admin role to the networking team, and assign the Compute Admin
role to the development team. (Correct)

1. Create a project with a Shared VPC and assign the Network Admin role
to the networking team.
2. Create a second project without a VPC, configure it as a Shared VPC
service project, and assign the Compute Admin role to the development
team.

1. Create a project with a standalone VPC and assign the Network Admin
role to the networking team.
2. Create a second project with a standalone VPC and assign the Compute
Admin role to the development team.
3. Use VPC Peering to join the two VPCs.

Explanation
A is incorrect because there is no need to create 2 separate VPCs for the two
teams.

B is correct because the Network Admin role provides permissions to create,
modify, and delete networking resources, except for firewall rules and SSL
certificates, and the Compute Admin role provides permission to create,
update, and SSH into Compute Engine instances.

C is incorrect because there is no need to create 2 separate projects for this
use case.

D is incorrect because there is no need to create 2 separate projects for this
use case.

Links:
https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin
https://cloud.google.com/compute/docs/access/iam#compute.admin

Question 44:
Your company wants you to build a highly reliable web application with a
few public APIs as the backend. You don't expect a lot of user traffic, but
traffic could spike occasionally. You want to leverage Cloud Load
Balancing, and the solution must be cost-effective for users. What
should you do?

Store static content such as HTML and images in Cloud CDN. Host the
APIs on App Engine and store the user data in Cloud SQL.

Store static content such as HTML and images in a Cloud Storage bucket.
Host the APIs on a zonal Google Kubernetes Engine cluster with worker
nodes in multiple zones, and save the user data in Cloud Spanner.

Store static content such as HTML and images in Cloud CDN. Use Cloud
Run to host the APIs and save the user data in Cloud SQL.

Store static content such as HTML and images in a Cloud Storage bucket. Use
Cloud Functions to host the APIs and save the user data in Firestore. (Correct)

Explanation
A is incorrect because you cannot store HTML and static content on Cloud
CDN. It is used to cache static content that is stored elsewhere (for example,
in Cloud Storage).

B is incorrect because GKE is not a cost-effective solution for a low-traffic
application.

C is incorrect because you cannot store HTML and static content on Cloud
CDN. It is used to cache static content that is stored elsewhere (for example,
in Cloud Storage).

D is correct because static content can be stored in Cloud Storage, Cloud
Functions is very cost-effective for small APIs with low traffic and can scale
horizontally based on the load, and Firestore is a managed NoSQL database
that is a good fit for low- to medium-traffic applications.

Links:
https://cloud.google.com/storage/pricing
https://cloud.google.com/functions
https://firebase.google.com/docs/firestore

Question 45:
Your company sends all Google Cloud logs to Cloud Logging. Your
security team wants to monitor the logs. You want to ensure that the
security team can react quickly if an anomaly such as an unwanted
firewall change or server breach is detected. You want to follow Google-
recommended practices. What should you do?

Schedule a cron job with Cloud Scheduler. The scheduled job queries the
logs every minute for the relevant events.

Export logs to BigQuery, and trigger a query in BigQuery to process the log
data for the relevant events. (Correct)

Export logs to a Pub/Sub topic, and trigger Cloud Function with the
relevant log events.

Export logs to a Cloud Storage bucket, and trigger Cloud Run with the
relevant log events.

Explanation
A is incorrect because you need to write custom code to analyze the logs
using CRON jobs, which is inefficient and error-prone.

B is correct because exported logs can be analyzed in BigQuery to identify
anomalies by executing scheduled queries on the exported data.

C is incorrect because exporting the logs to Pub/Sub to trigger a Cloud
Function can generate a lot of traffic to the Cloud Function, which may not be
cost-effective. You also need to write custom code to perform the analysis.

D is incorrect because you need to write custom code to analyze the logs
using Cloud Run. Writing SQL is better for anomaly detection than custom
code.

Links:
https://cloud.google.com/logging/docs/export
https://www.brainlabsdigital.com/marketing-library/the-complete-guide-to-log-analysis-with-big-query/

Question 46:
You have deployed several instances on Compute Engine. As a security
requirement, instances cannot have a public IP address. There is no VPN
connection between Google Cloud and your office, and you need to
connect via SSH into a specific machine without violating the security
requirements. What should you do?

Configure Cloud NAT on the subnet where the instance is hosted. Create
an SSH connection to the Cloud NAT IP address to reach the instance.

Add all instances to an unmanaged instance group. Configure TCP Proxy
Load Balancing with the instance group as a backend. Connect to the
instance using the TCP Proxy IP.

Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have
the role of IAP-secured Tunnel User. Use the gcloud command line tool to SSH
into the instance. (Correct)

Create a bastion host in the network to SSH into the bastion host from
your office location. From the bastion host, SSH into the desired instance.

Explanation
A is incorrect because Cloud NAT is used for outbound connections and not
for inbound connections.

B is incorrect because you cannot SSH into an instance through a Load
Balancer.

C is correct because Cloud IAP can be used to enable administrative access
to VM instances that do not have external IP addresses or do not permit direct
access over the internet. You need to use the gcloud command-line tool to
SSH into the instance after IAP is configured.

D is incorrect because, since there is no VPN connection between GCP and
the on-premises network, the bastion host would need to have a public IP
address, which is against the requirement.

Links:
https://cloud.google.com/iap/docs/using-tcp-forwarding

Question 47:
Your company is using Google Cloud. You have two folders under the
Organization: Finance and Shopping. The members of the development team
are in a Google Group. The development team group has been assigned the
Project Owner role in the Organization. You want to prevent the development
team from creating resources in projects in the Finance folder. What should
you do?

Assign the development team group the Project Viewer role on the
Finance folder, and assign the development team group the Project Owner
role on the Shopping folder.

Assign the development team group only the Project Viewer role on the
Finance folder.

Assign the development team group the Project Owner role on the Shopping
folder, and remove the development team group Project Owner role from the
Organization. (Correct)

Assign the development team group only the Project Owner role on the
Shopping folder.

Explanation
A is incorrect because IAM policies are hierarchical and propagate down the
structure. The effective policy for a resource is the union of the policy set at
that resource and the policy inherited from its parent. Permission granted at
the organization level cannot be removed at the folder or project level.

B is incorrect because IAM policies are hierarchical and propagate down the
structure. The effective policy for a resource is the union of the policy set at
that resource and the policy inherited from its parent. Permission granted at
the organization level cannot be removed at the folder or project level.

C is correct because you need to remove the access at the Organization level
to prevent the development team group from getting access to the projects in
the Finance folder.

D is incorrect because IAM policies are hierarchical and propagate down the
structure. The effective policy for a resource is the union of the policy set at
that resource and the policy inherited from its parent. Permission granted at
the organization level cannot be removed at the folder or project level.

Links:
https://cloud.google.com/iam/docs/resource-hierarchy-access-control

Question 48:
You are developing your microservices application on Google Kubernetes
Engine. During testing, you want to validate the behavior of your
application in case a specific microservice should suddenly crash. What
should you do?

Add a taint to one of the nodes of the Kubernetes cluster. For the specific
microservice, configure a pod anti-affinity label that has the name of the
tainted node as a value.

Use Istio's fault injection on the particular microservice whose faulty
behavior you want to simulate. (Correct)

Destroy one of the nodes of the Kubernetes cluster to observe the
behavior.

Configure Istio's traffic management features to steer the traffic away
from a crashing microservice.

Explanation
A is incorrect because we want to observe the behavior when a microservice
crashes and not for node failure.

B is correct because Istio Fault Injection allows you to inject faults to test the
resiliency of your application.

C is incorrect because we want to observe the behavior when a microservice
crashes and not for node failure.

D is incorrect because we want to observe the behavior when a microservice
crashes and not for node failure.

Links:
https://istio.io/latest/docs/tasks/traffic-management/fault-injection/

Question 49:
Your company is developing a new application that will allow globally
distributed users to upload pictures and share them with other selected
users. The application will support millions of concurrent users. You
want to allow developers to focus on just building code without having to
create and maintain the underlying infrastructure. Which service should
you use to deploy the application?

App Engine (Correct)

Cloud Endpoints

Compute Engine

Google Kubernetes Engine

Explanation
A is correct because App Engine is a platform as a service that allows
developers to just focus on their code and does not require any provisioning
or maintenance of infrastructure. It also scales horizontally based on load.

B is incorrect because Cloud Endpoints is used for building and deploying
APIs and not full-fledged applications.

C is incorrect because Compute Engine is not a managed service and you
need to provision and manage the infrastructure yourself.

D is incorrect because you need to provision GKE nodes yourself before
deploying your applications on GKE.

Links:
https://cloud.google.com/appengine
https://cloud.google.com/endpoints

Question 50:
Your company provides a recommendation engine for retail customers.
You are providing retail customers with an API where they can submit a
user ID and the API returns a list of recommendations for that user. You
are responsible for the API lifecycle and want to ensure stability for your
customers in case the API makes backward-incompatible changes. You
want to follow Google-recommended practices. What should you do?

Create a distribution list of all customers to inform them of an upcoming
backward-incompatible change at least one month before replacing the
old API with the new API.

Create an automated process to generate API documentation, and update
the public API documentation as part of the CI/CD process when
deploying an update to the API.

Use a versioning strategy for the APIs that increases the version number on
every backward-incompatible change. (Correct)

Use a versioning strategy for the APIs that adds the suffix 'DEPRECATED'
to the current API version number on every backward-incompatible
change. Use the current version number for the new API.

Explanation
A is incorrect because creating a distribution list to inform all customers
whenever a backward-incompatible change is published is a manual process
and it is not scalable. The customers need to make updates from their side to
make use of the updated APIs, which might take time.

B is incorrect because even though creating an automated process for
publishing the APIs is a good practice, the customers need to make updates
from their side to make use of the updated APIs, which can make their
applications unstable.

C is correct because a versioning strategy for the APIs will ensure that the
customers’ applications do not break when a backward-incompatible update
is released. The customers can keep using the old APIs and update them to
the newer version as and when required.

D is incorrect because changing the existing API version suffix will break the
applications of the customers who are using that API.

Links:
https://restfulapi.net/versioning/

Question 51:
Your company has developed a monolithic, 3-tier application to allow
external users to upload and share files. The solution cannot be easily
enhanced and lacks reliability. The development team would like to re-
architect the application to adopt microservices and a fully managed
service approach, but they need to convince their leadership that the
effort is worthwhile. Which advantage(s) should they highlight to
leadership?

The new approach will be significantly less costly, make it easier to
manage the underlying infrastructure, and automatically manage the
CI/CD pipelines.

The monolithic solution can be converted to a container with Docker. The
generated container can then be deployed into a Kubernetes cluster.

The new approach will make it easier to decouple infrastructure from
application, develop and release new features, manage the underlying
infrastructure, manage CI/CD pipelines and perform A/B testing, and scale
the solution if necessary. (Correct)

The process can be automated with Migrate for Compute Engine.

Explanation
A is incorrect because microservices are not necessarily cheaper than
monolithic applications.

B is incorrect because deploying a monolithic application to Kubernetes does
not make it a microservices-based architecture.

C is correct because microservices allow decoupling of infrastructure and
code, help in developing new features quickly, and also enable A/B testing.

D is incorrect because migration to microservices cannot be automated using
Migrate for Compute Engine.

Links:
https://solace.com/blog/microservices-advantages-and-disadvantages/

Question 52:
Your team is developing a web application that will be deployed on
Google Kubernetes Engine (GKE). Your CTO expects a successful launch
and you need to ensure your application can handle the expected load of
tens of thousands of users. You want to test the current deployment to
ensure the latency of your application stays below a certain threshold.
What should you do?

Use a load testing tool to simulate the expected number of concurrent users
and total requests to your application, and inspect the results. (Correct)

Enable autoscaling on the GKE cluster and enable horizontal pod
autoscaling on your application deployments. Send curl requests to your
application, and validate if the auto scaling works.

Replicate the application over multiple GKE clusters in every Google Cloud
region. Configure a global HTTP(S) load balancer to expose the different
clusters over a single global IP address.

Use Cloud Debugger in the development environment to understand the
latency between the different microservices.

Explanation
A is correct because a load testing tool can simulate the required amount of
traffic and provide insights for latency and performance metrics.

B is incorrect because enabling auto-scaling does not offer a simulation of
user traffic. By just using curl, it is difficult to simulate a realistic scenario.

C is incorrect because replicating the clusters in multiple regions provides
high availability but does not provide insights into latency under user traffic.

D is incorrect because Cloud Debugger is used to debug code, not to
measure latency.

Links:
https://jmeter.apache.org/
https://cloud.google.com/debugger

Question 53:
Your company wants to deploy several microservices to help its system
handle elastic loads. Each microservice uses a different version of software
libraries. You want to enable their developers to keep their development
environment in sync with the various production services. Which technology
should you choose?

A. RPM/DEB

B. Containers (Correct)

C. Chef/Puppet

D. Virtual machines

Explanation
A is not correct because although OS packages are a convenient way to
distribute and deploy libraries, they don't directly help with synchronizing.
Even with a common repository, the development environments will probably
deviate from production.

B is correct because using containers for development, test, and production
deployments abstracts away system OS environments so that a single host
OS image can be used for all environments. Changes that are made during
development are captured using a copy-on-write filesystem, and teams can
easily publish new versions of the microservices in a repository.

C is not correct because although infrastructure configuration as code can
help unify production and test environments, it is very difficult to make all
changes during development this way.

D is not correct because virtual machines run their own OS, which will
eventually deviate in each environment, just as now.

Question 54:
Your company wants to track whether someone is present in a meeting room
reserved for a scheduled meeting. There are 1000 meeting rooms across 5
offices on 3 continents. Each room is equipped with a motion sensor that
reports its status every second. You want to support the data ingestion needs
of this sensor network. The receiving infrastructure needs to account for the
possibility that the devices may have inconsistent connectivity. Which solution
should you design?

A. Have each device create a persistent connection to a Compute Engine
instance and write messages to a custom application.

B. Have devices poll for connectivity to Cloud SQL and insert the latest
messages on a regular interval to a device-specific table.

C. Have devices poll for connectivity to Cloud Pub/Sub and publish the latest
messages on a regular interval to a shared topic for all devices. (Correct)

D. Have devices create a persistent connection to an App Engine
application fronted by Cloud Endpoints, which ingests messages and writes
them to Cloud Datastore.

Explanation
A is not correct because having a persistent connection does not handle the
case where the device is disconnected.

B is not correct because Cloud SQL is a regional, relational database and not
the best fit for sensor data. Additionally, the frequency of the writes has the
potential to exceed the supported number of concurrent connections.

C is correct because Cloud Pub/Sub can handle the frequency of this data,
and consumers of the data can pull from the shared topic for further
processing.

D is not correct because having a persistent connection does not handle the
case where the device is disconnected.

Links:
https://cloud.google.com/sql/
https://cloud.google.com/pubsub/

Question 55:
Your organization has a 3-tier web application deployed in the same Google
Cloud Virtual Private Cloud (VPC). Each tier (web, API, and database) scales
independently of the others. Network traffic should flow through the web to
the API tier, and then on to the database tier. Traffic should not flow between
the web and the database tier. How should you configure the network with
minimal steps?

Add each tier to a different subnetwork.

Set up software-based firewalls on individual VMs.

Add tags to each tier and set up routes to allow the desired traffic flow.

Add tags to each tier and set up firewall rules to allow the desired traffic
flow. (Correct)

Explanation
A is not correct because the subnetwork alone will not allow and restrict
traffic as required without firewall rules.

B is not correct because this adds complexity to the architecture and the
instance configuration.

C is not correct because routes still require firewall rules to allow traffic as
required. Additionally, the tags are used for defining the instances the route
applies to, and not for identifying the next hop. The next hop is either an IP
range or an instance name, but in the proposed solution the tiers are only
identified by tags.

D is correct because as instances scale, they will all have the same tag to
identify the tier. These tags can then be leveraged in firewall rules to allow and
restrict traffic as required because tags can be used for both the target and
source.

Links:
https://cloud.google.com/vpc/docs/using-vpc
https://cloud.google.com/vpc/docs/routes
https://cloud.google.com/vpc/docs/add-remove-network-tags
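As an added illustration of option D (example configuration, not from the original question set), the following Terraform uses network tags as both source and target of VPC firewall rules so that web reaches only API, API reaches only the database, and web is explicitly blocked from the database. The VPC name, tag names and ports are assumptions; it also assumes a custom VPC without a permissive allow-internal rule.

```hcl
# Added example: tag-based firewall rules for a 3-tier app in one VPC.
# Network name, tag names and ports are placeholders.
locals {
  network = "example-vpc"   # placeholder VPC network name
}

# Web tier may reach the API tier, and only on the API port.
# Instances are matched by tag, so new replicas inherit the rule as they scale.
resource "google_compute_firewall" "web_to_api" {
  name      = "allow-web-to-api"
  network   = local.network
  direction = "INGRESS"
  priority  = 1000

  source_tags = ["web"]
  target_tags = ["api"]

  allow {
    protocol = "tcp"
    ports    = ["8080"]   # assumed API port
  }
}

# API tier may reach the database tier, and only on the database port.
resource "google_compute_firewall" "api_to_db" {
  name      = "allow-api-to-db"
  network   = local.network
  direction = "INGRESS"
  priority  = 1000

  source_tags = ["api"]
  target_tags = ["db"]

  allow {
    protocol = "tcp"
    ports    = ["5432"]   # assumed PostgreSQL port
  }
}

# The implied ingress deny already drops web -> db, but an explicit deny at a
# higher priority (lower number) keeps that path closed even if someone later
# adds a broad allow rule for the db tier.
resource "google_compute_firewall" "deny_web_to_db" {
  name      = "deny-web-to-db"
  network   = local.network
  direction = "INGRESS"
  priority  = 900

  source_tags = ["web"]
  target_tags = ["db"]

  deny {
    protocol = "all"
  }
}
```

Enabling firewall rule logging on the deny rule is a cheap way to detect a misconfigured web instance that starts probing the database tier.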