Associate-Cloud-Engineer Google Cloud Certified - Associate Cloud Engineer Question and Answers

Cloud Storage allows world-wide storage and retrieval of any amount of data at any time. We dont need to set up auto-scaling ourselves. Cloud Storage autoscaling is managed by GCP. Cloud Storage is an object store so it is suitable for storing photos. Cloud Storage allows world-wide storage and retrieval so cater well to our worldwide audience. Cloud storage provides us lifecycle rules that can be configured to automatically delete objects older than 30 days. This also fits our requirements. Finally, Google Cloud Storage offers several storage classes such as Nearline Storage ($0.01 per GB per Month) Coldline Storage ($0.007 per GB per Month) and Archive Storage ($0.004 per GB per month) which are significantly cheaper than any of the options above.

Ref: https://cloud.google.com/storage/docs

Ref: https://cloud.google.com/storage/pricing

Logged information Within Cloud Audit Logs, there are two types of logs: Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket,or object. Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs: ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object. DATA_READ: Entries for operations that read an object. DATA_WRITE: Entries for operations that create or modify an object.https://cloud.google.com/storage/docs/audit-logs#types

https://cloud.google.com/kuberun/docs/rollouts-rollbacks-traffic-migration

https://cloud.google.com/sql/docs/postgres

Given that the new instance wants to access the application on the existing compute engine instance, these applications seem to be related so they should be within the same VPC. It is possible to have them in different VPCs and peer the VPCs but this is a lot of additional work and we can simplify this by choosing the option below (which is the answer)

1. Create a subnet in the same VPC, in europe-west1.

2. Create the new instance in the new subnet and use the first instance subnets private address as the endpoint. is the right answer.

We can create another subnet in the same VPC and this subnet is located in europe-west1. We can then spin up a new instance in this subnet. We also have to set up a firewall rule to allow communication between the two subnets. All instances in the two subnets with the same VPC can communicate through the internal IP Address

Ref: https://cloud.google.com/vpc

Authorizing with a service account

gcloud auth activate-service-account authorizes access using a service account. As with gcloud init and gcloud auth login, this command saves the service account credentials to the local system on successful completion and sets the specified account as the active account in your Cloud SDK configuration.

https://cloud.google.com/sdk/docs/authorizing#authorizing_with_a_service_account

Granting more permissions than necessary violates the principle of least privilege, a fundamental security best practice. While option A grants the necessary permissions (as subsets exist in two predefined roles), it might also grant more permissions than the Operations team strictly requires for their tasks on GKE and Cloud SQL. Option D is too broad; 'Admin' roles grant extensive permissions that likely exceed the specific needs.

Google Cloud's best practices strongly recommend adhering to the principle of least privilege. Creating a custom role allows you to precisely define the set of permissions the Operations team needs for their specific tasks on the GKE cluster and the Cloud SQL instance, without granting any unnecessary permissions. This minimizes the potential blast radius in case of accidental or malicious actions.

Google Cloud Documentation References:

IAM best practices: https://cloud.google.com/iam/docs/best-practices - This document explicitly recommends granting the minimum necessary permissions.

Creating and managing custom roles: https://cloud.google.com/iam/docs/creating-managing-custom-roles - This explains how to create roles tailored to specific job functions.

Understanding roles: https://cloud.google.com/iam/docs/understanding-roles - This outlines the concepts of predefined and custom roles and their use cases.

===========

Understanding IAM custom roles

Key Point: Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions.

Basic concepts

Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, your custom roles will not be updated automatically.

When you create a custom role, you must choose an organization or project to create it in. You can then grant the custom role on the organization or project, as well as any resources within that organization or project.

https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts

The pending Pods resource requests are too large to fit on a single node of the cluster. Too many Pods are already running in the cluster, and there are not enough resources left to schedule the pending Pod. is the right answer.

When you have a deployment with some pods in running and other pods in the pending state, more often than not it is a problem with resources on the nodes. Heres a sample output of this use case. We see that the problem is with insufficient CPU on the Kubernetes nodes so we have to either enable auto-scaling or manually scale up the nodes.

https://cloud.google.com/storage/docs/audit-logs

https://cloud.google.com/compute/docs/logging/audit-logging#audited_operations

https://cloud.google.com/sdk/gcloud/reference/projects/create

Quickstart: Creating a New Instance Using the Command Line

Before you begin

1. In the Cloud Console, on the project selector page, select or create a Cloud project.

2. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.

To use the gcloud command-line tool for this quickstart, you must first install and initialize the Cloud SDK:

1. Download and install the Cloud SDK using the instructions given on Installing Google Cloud SDK.

2. Initialize the SDK using the instructions given on Initializing Cloud SDK.

To use gcloud in Cloud Shell for this quickstart, first activate Cloud Shell using the instructions given on Starting Cloud Shell.

https://cloud.google.com/ai-platform/deep-learning-vm/docs/quickstart-cli#before-you-begin

The organization policy explicitly prevents the use of service account keys, so options A and B, which involve requesting exceptions to create them, are not in line with the policy and Google's recommended practices for secure authentication.

Logged onto console and followed the steps and was able to see all the assigned users and roles.

Keywords, Financial data (large data) used globally, data stored and queried using relational structure (SQL), clients should get exact identical copies(Strong Consistency), Multiple region, low latency to end user, select storage option to minimize latency.

https://kubernetes.io/docs/tasks/debug-application-cluster/debug-application/#debugging-pods

VMs cannot communicate over the internet without a public IP address. Private Google Access permits access to Google APIs and services in Google's production infrastructure.https://cloud.google.com/vpc/docs/private-google-access

Comprehensive and Detailed In Depth Explanation:

The core requirements are secure access to a specific BigQuery dataset from a Compute Engine instance, using short-lived credentials, adhering to Google's best practices, and minimizing operational overhead.

A. Project-level IAM role: Granting the BigQuery Data Viewer role at the project level gives the service account broad access to all BigQuery datasets within that project. This violates the principle of least privilege, a fundamental security best practice, as the application should only have access to the designated dataset.

B. Hourly new service account with dataset-level role: While this aims to achieve short-lived credentials, the operational burden of creating, attaching, and managing IAM policies for a new service account every hour is significant and not a Google-recommended practice for routine access. It introduces unnecessary complexity and potential for errors.

C. Custom service account with dataset-level IAM role: This is the recommended and most efficient approach. You create a dedicated Google Cloud service account specifically for this application. You then grant this service account the necessary IAM role (e.g., BigQuery Data Viewer, or a more specific custom role) directly on the target BigQuery dataset. When the Compute Engine instance runs as this service account, the Google Cloud client libraries automatically handle the acquisition and rotation of short-lived OAuth 2.0 access tokens from the instance's metadata server. This eliminates the need to manage long-lived credentials (like service account keys) and ensures the application only has access to the intended dataset. This adheres to the principle of least privilege and minimizes operational costs.

D. Hourly new service account with project-level role: This option combines the high operational overhead of frequently creating new service accounts with the security risk of granting overly permissive project-level access. It is not a recommended practice.

Therefore, the most secure, cost-effective, and operationally efficient solution is to create a custom service account, attach it to the Compute Engine instance, and grant it the appropriate BigQuery IAM role specifically on the target dataset. The platform handles the short-lived credentials automatically.

Google Cloud Documentation References:

Creating and enabling service accounts for instances: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances - Explains how to create and associate service accounts with Compute Engine VMs.  

Granting, changing, and revoking access to resources: https://cloud.google.com/iam/docs/granting-changing-revoking-access - Details how to manage IAM policies and grant roles to service accounts on specific resources (like BigQuery datasets).  

BigQuery IAM roles: https://cloud.google.com/bigquery/docs/control-access - Provides information on the various IAM roles available for controlling access to BigQuery resources at different levels (project, dataset, table, etc.).

Best practices for using service accounts: https://cloud.google.com/iam/docs/best-practices-for-using-service-accounts - Emphasizes the importance of the principle of least privilege and avoiding the management of long-lived service account keys when possible (relying on the metadata server for short-lived tokens).

This is the most optimal solution. Rather than recreating all nodes, you create a new node pool with GPU enabled. You then modify the pod specification to target particular GPU types by adding node selector to your workloads Pod specification. YOu still have a single cluster so you pay Kubernetes cluster management fee for just one cluster thus minimizing the cost.

Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/gpus

Ref: https://cloud.google.com/kubernetes-engine/pricing

Example:

apiVersion: v1

kind: Pod

metadata:

name:my-gpu-pod

spec:

containers:

name:my-gpu-container

image: nvidia/cuda:10.0-runtime-ubuntu18.04

command: [/bin/bash]

resources:

limits:

nvidia.com/gpu: 2

nodeSelector:

cloud.google.com/gke-accelerator: nvidia-tesla-k80# or nvidia-tesla-p100 or nvidia-tesla-p4 or nvidia-tesla-v100 or nvidia-tesla-t4

Installing Jenkins

In this section, you use Cloud Marketplace to provision a Jenkins instance. You customize this instance to use the agent image you created in the previous section.

Go to the Cloud Marketplace solution for Jenkins.

Click Launch on Compute Engine.

Change the Machine Type field to 4 vCPUs 15 GB Memory, n1-standard-4.

Machine type selection for Jenkins deployment.

Click Deploy and wait for your Jenkins instance to finish being provisioned. When it is finished, you will see:

Jenkins has been deployed.

https://cloud.google.com/solutions/using-jenkins-for-distributed-builds-on-compute-engine#installing_jenkins

"Billing Account Viewer access would usually be granted to finance teams, it provides access to spend information, but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account."https://cloud.google.com/billing/docs/how-to/billing-access

/25:

CIDR to IP Range

Result

CIDR Range 172.16.20.128/25

Netmask 255.255.255.128

Wildcard Bits 0.0.0.127

First IP 172.16.20.128

First IP (Decimal) 2886734976

Last IP 172.16.20.255

Last IP (Decimal) 2886735103

Total Host 128

CIDR

172.16.20.128/25

/24:

CIDR to IP Range

Result

CIDR Range 172.16.20.128/24

Netmask 255.255.255.0

Wildcard Bits 0.0.0.255

First IP 172.16.20.0

First IP (Decimal) 2886734848

Last IP 172.16.20.255

Last IP (Decimal) 2886735103

Total Host 256

CIDR

172.16.20.128/24

Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account. is not right.

As mentioned above, Container Registry ignores permissions set on individual objects within the storage bucket so this isnt going to work.

Ref: https://cloud.google.com/container-registry/docs/access-control

https://gtseres.medium.com/using-service-accounts-across-projects-in-gcp-cf9473fef8f0

You create the service account in proj-sa and take note of the service account email, then you go to proj-vm in IAM > ADD and add the service account's email as new member and give it the Compute Storage Admin role.

https://cloud.google.com/compute/docs/access/iam#compute.storageAdmin

roles/monitoring.viewer provides read-only access to get and list information about all monitoring data and configurations. This role provides monitoring access and fits our requirements. roles/monitoring.viewer. is the right answer.

Ref: https://cloud.google.com/iam/docs/understanding-roles#cloud-spanner-roles

Coldline Storage is the perfect service to store audit logs from all the projects and is very cost-efficient as well. Coldline Storage is a very low-cost, highly durable storage service for storing infrequently accessed data.

IAP controls access to your App Engine apps and Compute Engine VMs running on Google Cloud. It leverages user identity and the context of a request to determine if a user should be allowed access. IAP is a building block toward BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN.

By default, IAP uses Google identities and IAM. By leveraging Identity Platform instead, you can authenticate users with a wide range of external identity providers, such as:

Email/password

OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.)

SAML

OIDC

Phone number

Custom

Anonymous

This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical.

https://cloud.google.com/iap/docs/using-tcp-forwarding#grant-permission

A simple approach would be to use the command flags available when listing all the IAM policy for a given project. For instance, the following command: `gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner"` outputs all the users and service accounts associatedwith the role ‘roles/owner’ in the project in question.https://groups.google.com/g/google-cloud-dev/c/Z6sZs7TvygQ?pli=1

https://cloud.google.com/compute/docs/autoscaler#specifications

Autoscaling works independently from autohealing. If you configure autohealing for your group and an instance fails the health check, the autohealer attempts to recreate the instance. Recreating an instance can cause the number of instances in the group to fall below the autoscaling threshold (minNumReplicas) that you specify.

Since we need the application running at all times, we need a minimum 1 instance.

Only a single instance of the VM should run, we need a maximum 1 instance.

We want the application running at all times. If the VM crashes due to any underlying hardware failure, we want another instance to be added to MIG so that application can continue to serve requests. We can achieve this by enabling autoscaling. The only option that satisfies these three is Set autoscaling to On, set the minimum number of instances to 1, and then set the maximum number of instances to 1.

Ref: https://cloud.google.com/compute/docs/autoscaler

https://cloud.google.com/logging/docs/audit

performs a peering between the two VPC's (the statement makes sure that this option is feasible since it clearly specifies that there is no overlapping between the ip ranges of both vpc's), deploy the LoadBalancer as internal with the annotation, and configure the endpoint so that the compute engine instance can access the application internally, that is, without the need to have a public ip at any time and therefore, without the need to go outside the google network. The traffic, therefore, never crosses the public internet.

https://medium.com/pablo-perez/k8s-externaltrafficpolicy-local-or-cluster-40b259a19404

https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing

clients in a VPC network connected to the LoadBalancer network using VPC Network Peering can also access the Service

https://cloud.google.com/kubernetes-engine/docs/how-to/service-parameters

The reason is that when you do health check, you want the VM to be working. Do the first check after initial setup time of 3 mins = 180 s < 200 s is reasonable.

The reason why our autoscaling is adding more instances than needed is that it checks 30 seconds after launching the instance and at this point, the instance isnt up and isnt ready to serve traffic. So our autoscaling policy starts another instance  again checks this after 30 seconds and the cycle repeats until it gets to the maximum instances or the instances launched earlier are healthy and start processing traffic  which happens after 180 seconds (3 minutes). This can be easily rectified by adjusting the initial delay to be higher than the time it takes for the instance to become available for processing traffic.So setting this to 200 ensures that it waits until the instance is up (around 180-second mark) and then starts forwarding traffic to this instance. Even after a cool out period, if the CPU utilization is still high, the autoscaler can again scale up but this scale-up is genuine and is based on the actual load.

Initial Delay Seconds  This setting delays autohealing from potentially prematurely recreating the instance if the instance is in the process of starting up. The initial delay timer starts when the currentAction of the instance is VERIFYING.

Ref: https://cloud.google.com/compute/docs/instance-groups/autohealing-instances-in-migs

https://cloud.google.com/kubernetes-engine/docs/concepts/deployment

Google Cloud Storage Triggers

Cloud Functions can respond to change notifications emerging from Google Cloud Storage. These notifications can be configured to trigger in response to various events inside a bucket—object creation, deletion, archiving and metadata updates.

Note: Cloud Functions can only be triggered by Cloud Storage buckets in the same Google Cloud Platform project.

Event types

Cloud Storage events used by Cloud Functions are based on Cloud Pub/Sub Notifications for Google Cloud Storage and can be configured in a similar way.

Supported trigger type values are:

google.storage.object.finalize

google.storage.object.delete

google.storage.object.archive

google.storage.object.metadataUpdate

Object Finalize

Trigger type value: google.storage.object.finalize

This event is sent when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in the bucket.

https://cloud.google.com/functions/docs/calling/storage#event_types

The Vertical Pod Autoscaler (VPA) in Kubernetes automatically adjusts the CPU and memory requests and limits of the containers within a pod based on historical and real-time resource usage. In this scenario, where a single-replica stateful application needs more CPU during peak times, VPA can dynamically increase the CPU allocated to the pod when needed and potentially decrease it during off-peak periods to optimize resource utilization and cost efficiency.

Option A: Cluster autoscaling adds or removes nodes in your GKE cluster based on the resource requests of your pods. While it can help with overall cluster capacity, it oesn't directly address the need for more CPU for a specific pod.

Option C: Horizontal Pod Autoscaler (HPA) scales the number of pod replicas based on observed CPU utilization or other select metrics. Since the application can only have one replica, HPA is not suitable.

Option D: Node auto-provisioning is similar to cluster autoscaling, automatically creating and deleting node pools based on workload demands. It doesn't directly manage the resources of individual pods.

Reference to Google Cloud Certified - Associate Cloud Engineer Documents:

The functionality and use cases of the Vertical Pod Autoscaler (VPA) are detailed in the Google Kubernetes Engine documentation, specifically within the resource management and autoscaling sections. Understanding how VPA can dynamically adjust pod resources is relevant to the Associate Cloud Engineer certification.

https://cloud.google.com/monitoring/settings/multiple-projects

https://cloud.google.com/monitoring/workspaces

https://cloud.google.com/architecture/identity/migrating-consumer-accounts

A tag is simply a character string added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates. A tag is not a separateresource, so you cannot create it separately. All resources with that string are considered to have that tag. Tags enable you to make firewall rules and routes applicable to specific VM instances.

C:\GCP\appeng>gcloud config list

[core]

account = xxx@gmail.com

disable_usage_reporting = False

project = my-first-demo-xxxx

https://cloud.google.com/endpoints/docs/openapi/troubleshoot-gce-deployment

https://cloud.google.com/iam/docs/understanding-service-accounts#using_service_accounts_with_compute_engine

https://cloud.google.com/storage/docs/access-control/iam-roles

Comprehensive and Detailed In Depth Explanation:

The key requirement is to migrate applications that rely on hard-coded internal IP addresses without modifying the application code. To achieve this, the migrated VMs in Google Cloud need to retain their original internal IP addresses.

A. Non-overlapping CIDR ranges and new static IPs: This option requires changing the IP addresses of the migrated workloads, which would necessitate modifying the application code to reflect these new addresses. This violates a core requirement.

B. Migrating DNS and using ephemeral IPs: While migrating DNS can be beneficial in the long run, using ephemeral internal IP addresses for the migrated workloads means their IPs could change upon restart, breaking the hard-coded IP address dependencies.

C. Single subnet with Cloud NAT and static NAT IP: Cloud NAT allows instances without external IP addresses to access the internet, but it doesn't help in preserving the internal IP addresses that the applications use to communicate with each other. The internal IP addresses of the VMs would still be within the VPC subnet range and might conflict if they are the same as the on-premises IPs.

D. Same CIDR ranges and same static IPs: Creating a VPC with the same CIDR ranges as the on-premises network and assigning the same static internal IP addresses to the migrated workloads is the only way to ensure that the applications can continue to communicate using their hard-coded IP addresses without any code changes. This approach effectively extends the on-premises network's IP address space into Google Cloud (though without direct connectivity initially, as stated in the problem). Once the workloads are migrated, future steps can involve establishing connectivity (e.g., using VPN or Interconnect) if needed for hybrid scenarios.

Google Cloud Documentation References:

VPC Network Overview: https://cloud.google.com/vpc/docs/vpc - This document explains the fundamentals of VPC networks and their IP addressing. While it doesn 't explicitly detail lift-and-shift scenarios with identical IP ranges without connectivity, it lays the groundwork for understanding VPC configuration.

Considerations for planning IP address ranges: https://cloud.google.com/vpc/docs/subnets#ip-ranges - This section discusses IP address planning, and while overlapping ranges are generally discouraged for connected networks, for isolated migration scenarios as described, it 's a necessary step to avoid application changes. The problem statement explicitly says the environments are not connected during the initial migration.

===========

Spot VMs (formerly known as preemptible VMs) are Compute Engine virtual machine instances that are available at a much lower price than standard Compute Engine instances. However, Compute Engine might preempt (stop) these instances if it needs to reclaim those resources for other tasks. This makes Spot VMs ideal for batch processing jobs that are fault-tolerant and can handle interruptions, as they can be restarted when resources become available again. This directly addresses the requirement for a cost-effective solution for interruptible workloads.

Option A: While containerization offers portability and consistency, it doesn't inherently provide cost savings for compute resources. You would still need to choose a cost-effective underlying compute option.

Option B: Custom machine types allow you to tailor the CPU and memory configuration of your VMs, which can optimize costs to some extent by avoiding over-provisioning. However, they don't offer the significant cost reduction that Spot VMs provide.

Option C: The M1 machine series is a specific family of Compute Engine instances optimized for memory-intensive workloads. While potentially suitable for the job's requirements, it doesn't inherently address the cost-effectiveness requirement as directly as Spot VMs, which are priced lower regardless of the machine series.

Reference to Google Cloud Certified - Associate Cloud Engineer Documents:

The concept and use cases for Spot VMs are explicitly covered in the Compute Engine section of the Google Cloud documentation, which is a key area for the Associate Cloud Engineer certification. The cost savings and suitability for fault-tolerant workloads are highlighted as primary benefits.

https://cloud.google.com/storage/docs/object-versioning

Read the dataset's metadata and to list tables in the dataset. Read data and metadata from the dataset's tables. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

BigQuery Data Viewer

(roles/bigquery.dataViewer)

When applied to a table or view, this role provides permissions to:

Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.

Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Table

View

BigQuery Job User

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

Lowest-level resources where you can grant this role:

Project

to run jobs https://cloud.google.com/bigquery/docs/access-control#bigquery.jobUser databaseUser needs additional role permission to run jobshttps://cloud.google.com/spanner/docs/iam#spanner.databaseUser

https://cloud.google.com/compute/docs/disks/local-ssd

https://cloud.google.com/logging/docs/audit

Data Access audit logs Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.

https://cloud.google.com/logging/docs/audit#data-access

Comprehensive and Detailed Explanation From Exact Extract:

To adhere to the most secure way and Google-recommended practices, you must avoid the creation and handling of service account key files.

Option B (Impersonation): This method allows the currently logged-in user to temporarily assume the identity and permissions of the service account. It is keyless, meaning no long-lived secret is downloaded or stored on the local machine, drastically improving security. The gcloud config command sets this behavior for all subsequent gcloud commands in the session.

https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Because if you directly add users to the IAM roles, then if any users left the organization then you have to remove the users from multiple places and need to revoke his/her access from multiple places. But, if you put a user into a group then its very easy to manage these type of situations. Now, if any user left then you just need to remove the user from the group and all the access got revoked

The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. During normal access, the auditors' Google group is only granted access to view the historic logs stored in BigQuery. If any anomalies are discovered, the group is granted permission to view the actual Cloud Logging Admin Activity logs via the dashboard's elevated access mode. At the end of each audit period, the group's access is then revoked. Data is redacted using Cloud DLP before being made accessible for viewing via the dashboard application. The table below explains IAM logging roles that an Organization Administrator can grant to the service account used by the dashboard, as well as the resource level at which the role is granted.

Coldline Storage is a very-low-cost, highly durable storage service for storing infrequently accessed data. Coldline Storage is ideal for data you plan to read or modify at most once a quarter. Since we have a requirement to access data once a quarter and want to go with the most cost-efficient option, we should select Coldline Storage.

Ref: https://cloud.google.com/storage/docs/storage-classes#coldline

In general, Google recommends that each instance that needs to call a Google API should run as a service account with the minimum permissions necessary for that instance to do its job. In practice, this means you should configure service accounts for your instances with the following process: Create a new service account rather than using the Compute Engine default service account. Grant IAM roles to that service account for only the resources that it needs. Configure the instance to run as that service account. Grant the instance the https://www.googleapis.com/auth/cloud-platform scope to allow full access to all Google Cloud APIs, so that the IAM permissions of the instance are completely determined by the IAM roles of the service account. Avoid granting more access than necessary and regularly check your service account permissions to make sure they are up-to-date.https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#best_practices

HTTP(S) load balancing is a Google-recommended practice for distributing web traffic across multiple regions and zones, and providing high availability, scalability, and security for web applications. It supports both IPv4 and IPv6 addresses, and can handle SSL/TLS termination and encryption. It also integrates with Cloud CDN, Cloud Armor, and Cloud Identity-Aware Proxy for enhanced performance and protection. A MIG can be used as a backend service for HTTP(S) load balancing, and can automatically scale and heal the VM instances that host the web application.

To configure DNS for HTTP(S) load balancing, you need to create an A record in your DNS public zone with the load balancer’s IP address. This will map your domain name to the load balancer’s IP address, and allow users to access your web application using the domain name. A CNAME record is not recommended, as it can cause latency and DNS resolution issues. A private zone is not suitable, as it is only visible within your VPC network, and not to the public internet.

HTTP(S) Load Balancing documentation

Setting up DNS records for HTTP(S) load balancing

Choosing a load balancer

https://developers.google.com/cloud-search/docs/guides/audit-logging-manual

Cloud Debugger helps inspect the state of an application, at any code location, without stopping or slowing down the running app //https://cloud.google.com/debugger/docs

Explanation

Run gcloud builds submit tag gcr.io/img-278322/acme_track_n_trace:v1. is the right answer.

This command correctly tags the image as acme_track_n_trace:v1 and uploads the image to the img-278322 project.

Ref: https://cloud.google.com/sdk/gcloud/reference/builds/submit

The resource that you need to get access is in the other project.

roles/bigquery.dataViewer BigQuery Data Viewer

When applied to a table or view, this role provides permissions to:

Read data and metadata from the table or view.

This role cannot be applied to individual models or routines.

When applied to a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.

Read data and metadata from the dataset's tables.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Comprehensive and Detailed In Depth Explanation:

The problem states that a subnet is nearing its IP address capacity, and the requirement is to expand it without downtime and with minimal operational cost, following Google-recommended practices.

A. Creating a second VPC with the same subnet IP range and peering: While VPC Network Peering allows communication between VPCs, having overlapping IP ranges is generally not recommended and can lead to routing complexities if not managed carefully. It also adds operational overhead of managing two VPCs. This is not the most straightforward or cost-effective solution for simply expanding IP capacity within the same logical network.

B. Deleting and recreating the subnet: Deleting a subnet that contains active VM instances will cause downtime for those instances, violating a key requirement.

C. Using the Google Cloud CLI tool to expand the primary IP range of your subnet: Google Cloud allows you to expand the primary IP range of an existing subnet after it's created, as long as there are no conflicting subnets in the VPC. This operation does not require deleting the subnet or restarting the existing VMs within it, thus avoiding downtime. It's a direct and cost-effective way to increase the available IP address space within the existing subnet. This is a Google-recommended practice for handling subnet capacity issues.

D. Permitting additional traffic with firewall rules: Firewall rules control network traffic based on IP ranges, protocols, and ports. They do not increase the number of available private IP addresses within the subnet. This option does not address the core issue of IP address exhaustion.

Therefore, expanding the primary IP range of the existing subnet using the Google Cloud CLI is the recommended solution that meets all the requirements: addressing IP capacity, minimizing operational costs, and avoiding downtime.

Google Cloud Documentation References:

Expanding Subnet IP Ranges: https://cloud.google.com/vpc/docs/expand-subnet - This documentation explicitly describes how to expand the IP range of an existing subnet without downtime. It outlines the prerequisites and steps involved using the gcloud CLI or the Google Cloud Console.

VPC Network Overview: https://cloud.google.com/vpc/docs/vpc - Provides context on subnet IP ranges and their management.

===========

The most secure method and Google-recommended practice for local testing of service account permissions is Service Account Impersonation, as it avoids the security risk of managing physical key files.

Option A (Impersonation): This method allows your user credentials to temporarily act as the service account. It is keyless, meaning no service account key needs to be created, downloaded, or stored, which is the cornerstone of secure credential management on Google Cloud.

When applied to a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When applied to a project, this role also provides the ability to run jobs, including queries, within the project. A member with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

https://cloud.google.com/bigquery/docs/access-control

https://cloud.google.com/spanner/docs/iam#spanner.databaseUser

Using the gcloud tool, execute the gcloud iam roles describe roles/spanner.databaseUser command on Cloud Shell. Attach the users to a newly created Google group and add the group to the role.

Best practices for persistent disk snapshots

You can create persistent disk snapshots at any time, but you can create snapshots more quickly and with greater reliability if you use the following best practices.

Creating frequent snapshots efficiently

Use snapshots to manage your data efficiently.

Create a snapshot of your data on a regular schedule to minimize data loss due to unexpected failure.

Improve performance by eliminating excessive snapshot downloads and by creating an image and reusing it.

Set your snapshot schedule to off-peak hours to reduce snapshot time.

Snapshot frequency limits

Creating snapshots from persistent disks

You can snapshot your disks at most once every 10 minutes. If you want to issue a burst of requests to snapshot your disks, you can issue at most 6 requests in 60 minutes.

If the limit is exceeded, the operation fails and returns the following error:

https://cloud.google.com/compute/docs/disks/snapshot-best-practices

https://support.google.com/cloudidentity/answer/6262987?hl=en &ref_topic=7558767

Cloud Run takes any container images and pairs great with the container ecosystem: Cloud Build, Artifact Registry, Docker. ... No infrastructure to manage: once deployed, Cloud Run manages your services so you can sleep well. Fast autoscaling. Cloud Run automatically scales up or down from zero to N depending on traffic.

https://cloud.google.com/run

"large quantity" : Cloud Storage or BigQuery "files" a file is nothing but an Object

Billing Administrators can not create a new billing account, and the project is presumably already created. Project Billing Manager allows you to link the created billing account to the project. It is vague on how the billing account gets created but by process of elimination

The best option is to attach a single service account to the compute instances and add minimal rights to the service account. Then, allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources. This way, the service account can use short-lived access tokens to authenticate to Google Cloud APIs without needing to manage service account keys. This option follows the principle of least privilege and reduces the risk of credential leakage and misuse.

Option A is not recommended because it requires human intervention, which can slow down the CI/CD pipeline and introduce human errors. Option C is not secure because it grants all required IAM permissions to a single service account, which can increase the impact of a compromised key. Option D is not cost-effective because it requires creating and managing multiple service accounts and keys, as well as using a secret manager service.

1: https://cloud.google.com/iam/docs/impersonating-service-accounts

2: https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys

3: https://cloud.google.com/iam/docs/understanding-service-accounts

Using primitive roles The following table lists the primitive roles that you can grant to access a project, the description of what the role does, and the permissions bundled within that role. Avoid using primitive roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use primitive roles, see the Identity and Access Management FAQ. IAM predefined roles are much more granular, and allow you to carefully manage the set of permissions that your users have access to. See Understanding Roles for a list of roles that can be granted at the project level. Creating custom roles can further increase the control you have over user permissions.https://cloud.google.com/resource-manager/docs/access-control-proj#using_primitive_roles

https://cloud.google.com/iam/docs/understanding-custom-roles

An external passthrough Network Load Balancer operates at layer 4 (TCP/UDP) and preserves the original client IP address. This is a key requirement stated in the question. It's also designed for external-facing applications that need to handle TCP or UDP traffic directly without proxying at the application layer.

Option A: An internal passthrough Network Load Balancer is used for load balancing traffic within a Virtual Private Cloud (VPC) network, not for exposing applications to the public internet.

Option C & D: Global and regional external proxy Network Load Balancers operate at layer 7 (HTTP/HTTPS) or use a proxy for TCP/SSL, which means they terminate the client connection at the load balancer and establish a new connection to the backend instances. This does not preserve the original client IP address by default (though there are ways to retrieve it via headers, it's not a direct passthrough).

Reference to Google Cloud Certified - Associate Cloud Engineer Documents:

The different types of Google Cloud Load Balancers, their operating layers (L4 vs. L7), and their capabilities, including client IP preservation, are thoroughly documented in the Google Cloud Load Balancing documentation, a critical area for the Associate Cloud Engineer certification. The distinction between passthrough and proxy load balancers is essential.

A managed instance group (MIG) is a group of identical virtual machines (VMs) that you can manage as a single entity. You can use a MIG to deploy and maintain a stateless application that runs directly on VMs. A MIG can automatically scale the number of VMs based on the load or a schedule. A MIG can also automatically heal the VMs if they become unhealthy or unavailable. A MIG is suitable for applications that need to run on VMs rather than containers or serverless platforms.

B is incorrect because Kubernetes Engine is a managed service for running containerized applications on a cluster of nodes. It is not necessary to use Kubernetes Engine if the application does not use containers and can run directly on VMs.

C is incorrect because Cloud Functions is a serverless platform for running event-driven code in response to triggers. It is not suitable for applications that need to run continuously and handle HTTP requests.

D is incorrect because Cloud Run is a serverless platform for running stateless containerized applications. It is not suitable for applications that do not use containers and can run directly on VMs.

Managed instance groups documentation

Choosing a compute option for Google Cloud

https://cloud.google.com/monitoring/alerts#alerting-example

The requirements specify a relational database that provides global scale and is a managed service.

Cloud Spanner is Google Cloud's globally distributed, strong-consistency database service. It provides limitless horizontal scaling while maintaining the structure of a relational database, making it the best fit for an application with a rapidly growing, global user base. As a fully managed service, it inherently minimizes management and administration efforts.

Cloud SQL (Option A) is a regional managed relational database and does not offer the same unlimited, global horizontal scaling capability as Spanner.

https://cloud.google.com/iam/docs/understanding-roles#billing-roles

If your apps are fault-tolerant and can withstand possible instance preemptions, then preemptible instances can reduce your Compute Engine costs significantly. For example, batch processing jobs can run on preemptible instances. If some of those instances stop during processing, the job slows but does not completely stop. Preemptible instances complete your batch processing tasks without placing additional workload on your existing instances and without requiring you to pay full price for additional normal instances.

https://cloud.google.com/compute/docs/instances/preemptible