Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Google > Google Cloud Certified > Associate-Cloud-Engineer

Associate-Cloud-Engineer Google Cloud Certified - Associate Cloud Engineer Question and Answers

Question # 4

You deployed a new application inside your Google Kubernetes Engine cluster using the YAML file specified below.

You check the status of the deployed pods and notice that one of them is still in PENDING status:

You want to find out why the pod is stuck in pending status. What should you do?

A.

Review details of the myapp-service Service object and check for error messages.

B.

Review details of the myapp-deployment Deployment object and check for error messages.

C.

Review details of myapp-deployment-58ddbbb995-lp86m Pod and check for warning messages.

D.

View logs of the container in myapp-deployment-58ddbbb995-lp86m pod and check for warning messages.

Full Access
Question # 5

Your continuous integration and delivery (CI/CD) server can ' t execute Google Cloud actions in a specific project because of permission issues. You need to validate whether the used service account has the appropriate roles in the specific project. What should you do?

A.

Open the Google Cloud console, and run a query to determine which resources this service account can access.

B.

Open the Google Cloud console, and run a query of the audit logs to find permission denied errors for this service account.

C.

Open the Google Cloud console, and check the organization policies.

D.

Open the Google Cloud console, and check the Identity and Access Management (IAM) roles assigned to the service account at the project or inherited from the folder or organization levels.

Full Access
Question # 6

You assist different engineering teams in deploying their infrastructure on Google Cloud. Your company has defined certain practices required for all workloads. You need to provide the engineering teams with a solution that enables teams to deploy their infrastructure independently without having to know all implementation details of the company ' s required practices. What should you do?

A.

Create a service account per team, and grant the service account the Project Editor role. Ask the teams to provision their infrastructure through the Google Cloud CLI (gcloud CLI), while impersonating their dedicated service account.

B.

Provide training for all engineering teams you work with to understand the company’s required practices. Allow the engineering teams to provision the infrastructure to best meet their needs.

C.

Configure organization policies to enforce your company’s required practices. Ask the teams to provision their infrastructure by using the Google Cloud console.

D.

Write Terraform modules for each component that are compliant with the company’s required practices, and ask teams to implement their infrastructure through these modules.

Full Access
Question # 7

You have an application that runs on Compute Engine VM instances in a custom Virtual Private Cloud (VPC). Your company ' s security policies only allow the use to internal IP addresses on VM instances and do not let VM instances connect to the internet. You need to ensure that the application can access a file hosted in a Cloud Storage bucket within your project. What should you do?

A.

Enable Private Service Access on the Cloud Storage Bucket.

B.

Add slorage.googleapis.com to the list of restricted services in a VPC Service Controls perimeter and add your project to the list to protected projects.

C.

Enable Private Google Access on the subnet within the custom VPC.

D.

Deploy a Cloud NAT instance and route the traffic to the dedicated IP address of the Cloud Storage bucket.

Full Access
Question # 8

You are working for a startup that was officially registered as a business 6 months ago. As your customer base grows, your use of Google Cloud increases. You want to allow all engineers to create new projects without asking them for their credit card information. What should you do?

A.

Create a Billing account, associate a payment method with it, and provide all project creators with permission to associate that billing account with their projects.

B.

Grant all engineer’s permission to create their own billing accounts for each new project.

C.

Apply for monthly invoiced billing, and have a single invoice tor the project paid by the finance team.

D.

Create a billing account, associate it with a monthly purchase order (PO), and send the PO to Google Cloud.

Full Access
Question # 9

Your company implemented BigQuery as an enterprise data warehouse. Users from multiple business units run queries on this data warehouse. However, you notice that query costs for BigQuery are very high, and you need to control costs. Which two methods should you use? (Choose two.)

A.

Split the users from business units to multiple projects.

B.

Apply a user- or project-level custom query quota for BigQuery data warehouse.

C.

Create separate copies of your BigQuery data warehouse for each business unit.

D.

Split your BigQuery data warehouse into multiple data warehouses for each business unit.

E.

Change your BigQuery query model from on-demand to flat rate. Apply the appropriate number of slots to each Project.

Full Access
Question # 10

You need to create a Compute Engine instance in a new project that doesn’t exist yet. What should you do?

A.

Using the Cloud SDK, create a new project, enable the Compute Engine API in that project, and then create the instance specifying your new project.

B.

Enable the Compute Engine API in the Cloud Console, use the Cloud SDK to create the instance, and then use the ––project flag to specify a new project.

C.

Using the Cloud SDK, create the new instance, and use the ––project flag to specify the new project.Answer yes when prompted by Cloud SDK to enable the Compute Engine API.

D.

Enable the Compute Engine API in the Cloud Console. Go to the Compute Engine section of the Console to create a new instance, and look for the Create In A New Project option in the creation form.

Full Access
Question # 11

You need to track and verity modifications to a set of Google Compute Engine instances in your Google Cloud project. In particular, you want to verify OS system patching events on your virtual machines (VMs). What should you do?

A.

Review the Compute Engine activity logs Select and review the Admin Event logs

B.

Review the Compute Engine activity logs Select and review the System Event logs

C.

Install the Cloud Logging Agent In Cloud Logging review the Compute Engine syslog logs

D.

Install the Cloud Logging Agent In Cloud Logging, review the Compute Engine operation logs

Full Access
Question # 12

You are managing several Google Cloud Platform (GCP) projects and need access to all logs for the past 60 days. You want to be able to explore and quickly analyze the log contents. You want to follow Google- recommended practices to obtain the combined logs for all projects. What should you do?

A.

Navigate to Stackdriver Logging and select resource.labels.project_id= " * "

B.

Create a Stackdriver Logging Export with a Sink destination to a BigQuery dataset. Configure the table expiration to 60 days.

C.

Create a Stackdriver Logging Export with a Sink destination to Cloud Storage. Create a lifecycle rule to delete objects after 60 days.

D.

Configure a Cloud Scheduler job to read from Stackdriver and store the logs in BigQuery. Configure the table expiration to 60 days.

Full Access
Question # 13

You are building a new version of an application hosted in an App Engine environment. You want to test the new version with 1% of users before you completely switch your application over to the new version. What should you do?

A.

Deploy a new version of your application in Google Kubernetes Engine instead of App Engine and then use GCP Console to split traffic.

B.

Deploy a new version of your application in a Compute Engine instance instead of App Engine and then use GCP Console to split traffic.

C.

Deploy a new version as a separate app in App Engine. Then configure App Engine using GCP Console to split traffic between the two apps.

D.

Deploy a new version of your application in App Engine. Then go to App Engine settings in GCP Console and split traffic between the current version and newly deployed versions accordingly.

Full Access
Question # 14

You manage an App Engine Service that aggregates and visualizes data from BigQuery. The application is deployed with the default App Engine Service account. The data that needs to be visualized resides in a different project managed by another team. You do not have access to this project, but you want your application to be able to read data from the BigQuery dataset. What should you do?

A.

Ask the other team to grant your default App Engine Service account the role of BigQuery Job User.

B.

Ask the other team to grant your default App Engine Service account the role of BigQuery Data Viewer.

C.

In Cloud IAM of your project, ensure that the default App Engine service account has the role of BigQuery Data Viewer.

D.

In Cloud IAM of your project, grant a newly created service account from the other team the role of BigQuery Job User in your project.

Full Access
Question # 15

Your company publishes large files on an Apache web server that runs on a Compute Engine instance. The Apache web server is not the only application running in the project. You want to receive an email when the egress network costs for the server exceed 100 dollars for the current month as measured by Google Cloud Platform (GCP). What should you do?

A.

Set up a budget alert on the project with an amount of 100 dollars, a threshold of 100%, and notification type of “email.”

B.

Set up a budget alert on the billing account with an amount of 100 dollars, a threshold of 100%, and notification type of “email.”

C.

Export the billing data to BigQuery. Create a Cloud Function that uses BigQuery to sum the egress network costs of the exported billing data for the Apache web server for the current month and sends an email if it is over 100 dollars. Schedule the Cloud Function using Cloud Scheduler to run hourly.

D.

Use the Stackdriver Logging Agent to export the Apache web server logs to Stackdriver Logging. Create a Cloud Function that uses BigQuery to parse the HTTP response log data in Stackdriver for the current month and sends an email if the size of all HTTP responses, multiplied by current GCP egress prices, totals over 100 dollars. Schedule the Cloud Function using Cloud Scheduler to run hourly.

Full Access
Question # 16

You are planning to move your company ' s website and a specific asynchronous background job to Google Cloud Your website contains only static HTML content The background job is started through an HTTP endpoint and generates monthly invoices for your customers. Your website needs to be available in multiple geographic locations and requires autoscaling. You want to have no costs when your workloads are not In use and follow recommended practices. What should you do?

A.

Move your website to Google Kubemetes Engine (GKE). and move your background job to Cloud Functions

B.

Move both your website and background job to Compute Engine

C.

Move both your website and background job to Cloud Run.

D.

Move your website to Google Kubemetes Engine (GKE), and move your background job to Compute Engine

Full Access
Question # 17

You are building an application that processes data files uploaded from thousands of suppliers. Your primary goals for the application are data security and the expiration of aged data. You need to design the application to:

•Restrict access so that suppliers can access only their own data.

•Give suppliers write access to data only for 30 minutes.

•Delete data that is over 45 days old.

You have a very short development cycle, and you need to make sure that the application requires minimal maintenance. Which two strategies should you use? (Choose two.)

A.

Build a lifecycle policy to delete Cloud Storage objects after 45 days.

B.

Use signed URLs to allow suppliers limited time access to store their objects.

C.

Set up an SFTP server for your application, and create a separate user for each supplier.

D.

Build a Cloud function that triggers a timer of 45 days to delete objects that have expired.

E.

Develop a script that loops through all Cloud Storage buckets and deletes any buckets that are older than 45 days.

Full Access
Question # 18

Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance. What should you do?

A.

Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance.

B.

Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance.

C.

Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the “compute.osAdminLogin” role to the Google group corresponding to this team.

D.

Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance.

Full Access
Question # 19

You have a Google Cloud Platform account with access to both production and development projects. You need to create an automated process to list all compute instances in development and production projects on a daily basis. What should you do?

A.

Create two configurations using gcloud config. Write a script that sets configurations as active, individually. For each configuration, use gcloud compute instances list to get a list of compute resources.

B.

Create two configurations using gsutil config. Write a script that sets configurations as active, individually. For each configuration, use gsutil compute instances list to get a list of compute resources.

C.

Go to Cloud Shell and export this information to Cloud Storage on a daily basis.

D.

Go to GCP Console and export this information to Cloud SQL on a daily basis.

Full Access
Question # 20

Your company has a Google Cloud Platform project that uses BigQuery for data warehousing. Your data science team changes frequently and has few members. You need to allow members of this team to perform queries. You want to follow Google-recommended practices. What should you do?

A.

1. Create an IAM entry for each data scientist ' s user account.2. Assign the BigQuery jobUser role to the group.

B.

1. Create an IAM entry for each data scientist ' s user account.2. Assign the BigQuery dataViewer user role to the group.

C.

1. Create a dedicated Google group in Cloud Identity.2. Add each data scientist ' s user account to the group.3. Assign the BigQuery jobUser role to the group.

D.

1. Create a dedicated Google group in Cloud Identity.2. Add each data scientist ' s user account to the group.3. Assign the BigQuery dataViewer user role to the group.

Full Access
Question # 21

(Your company has a rapidly growing social media platform and a user base primarily located in North America. Due to increasing demand, your current on-premises PostgreSQL database, hosted in your United States headquarters data center, no longer meets your needs. You need to identify a cloud-based database solution that offers automatic scaling, multi-region support for future expansion, and maintains low latency.)

A.

Use Bigtable.

B.

Use BigQuery.

C.

Use Spanner.

D.

Use Cloud SQL for PostgreSQL.

Full Access
Question # 22

You are deploying an application to App Engine. You want the number of instances to scale based on request rate. You need at least 3 unoccupied instances at all times. Which scaling type should you use?

A.

Manual Scaling with 3 instances.

B.

Basic Scaling with min_instances set to 3.

C.

Basic Scaling with max_instances set to 3.

D.

Automatic Scaling with min_idle_instances set to 3.

Full Access
Question # 23

You are managing a fleet of data storage solutions for your company on Google Cloud, including Bigtable, Cloud SQL, Memorystore, and Spanner. You need a single, unified view to monitor the health of all data storage solutions and identify any that are at risk for downtime. What should you do?

A.

Use Dataplex Universal Catalog to search the metadata of the data storage solutions to obtain the required insights.

B.

In the Google Cloud Console, navigate to Database Center to find an overview of the data storage solutions.

C.

Use the terraform state list command in the directory used to deploy the data storage solutions.

D.

In the Google Cloud Console, use Cloud Asset Inventory to see an overview of the data storage solutions.

Full Access
Question # 24

You are running out of primary internal IP addresses in a subnet for a custom mode VPC. The subnet has the IP range 10.0.0.0/20. and the IP addresses are primarily used by virtual machines in the project. You need to provide more IP addresses for the virtual machines. What should you do?

A.

Change the subnet IP range from 10.0.0.0/20 to 10.0.0.0/22.

B.

Change the subnet IP range from 10.0 0.0/20 to 10.0.0.0718.

C.

Add a secondary IP range 10.1.0.0/20 to the subnet.

D.

Convert the subnet IP range from IPv4 to IPv6

Full Access
Question # 25

Your company has an internal application for managing transactional orders. The application is used exclusively by employees in a single physical location. The application requires strong consistency, fast queries, and ACID guarantees for multi-table transactional updates. The first version of the application is implemented inPostgreSQL, and you want to deploy it to the cloud with minimal code changes. Which database is most appropriate for this application?

A.

BigQuery

B.

Cloud SQL

C.

Cloud Spanner

D.

Cloud Datastore

Full Access
Question # 26

You want to send and consume Cloud Pub/Sub messages from your App Engine application. The Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate yourapplication to the API. You want to make sure your application can use Cloud Pub/Sub. What should you do?

A.

Enable the Cloud Pub/Sub API in the API Library on the GCP Console.

B.

Rely on the automatic enablement of the Cloud Pub/Sub API when the Service Account accesses it.

C.

Use Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.

D.

Grant the App Engine Default service account the role of Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Cloud Pub/Sub.

Full Access
Question # 27

You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE cluster. For each of your customers, a Pod is running in that cluster, and your customers can run arbitrary code inside their Pod. You want to maximize the isolation between your customers’ Pods. What should you do?

A.

Use Binary Authorization and whitelist only the container images used by your customers’ Pods.

B.

Use the Container Analysis API to detect vulnerabilities in the containers used by your customers’ Pods.

C.

Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter runtimeClassName: gvisor to the specification of your customers’ Pods.

D.

Use the cos_containerd image for your GKE nodes. Add a nodeSelector with the value cloud.google.com/gke-os-distribution: cos_containerd to the specification of your customers’ Pods.

Full Access
Question # 28

You have an application that looks for its licensing server on the IP 10.0.3.21. You need to deploy the licensing server on Compute Engine. You do not want to change the configuration of the application and want the application to be able to reach the licensing server. What should you do?

A.

Reserve the IP 10.0.3.21 as a static internal IP address using gcloud and assign it to the licensing server.

B.

Reserve the IP 10.0.3.21 as a static public IP address using gcloud and assign it to the licensing server.

C.

Use the IP 10.0.3.21 as a custom ephemeral IP address and assign it to the licensing server.

D.

Start the licensing server with an automatic ephemeral IP address, and then promote it to a static internal IP address.

Full Access
Question # 29

During a recent audit of your existing Google Cloud resources, you discovered several users with email addresses outside of your Google Workspace domain.

You want to ensure that your resources are only shared with users whose email addresses match your domain. You need to remove any mismatched users, and you want to avoid having to audit your resources to identify mismatched users. What should you do?

A.

Create a Cloud Scheduler task to regularly scan your projects and delete mismatched users.

B.

Create a Cloud Scheduler task to regularly scan your resources and delete mismatched users.

C.

Set an organizational policy constraint to limit identities by domain to automatically remove mismatched users.

D.

Set an organizational policy constraint to limit identities by domain, and then retroactively remove the existing mismatched users.

Full Access
Question # 30

You are creating an application that will run on Google Kubernetes Engine. You have identified MongoDB as the most suitable database system for your application and want to deploy a managed MongoDB environment that provides a support SLA. What should you do?

A.

Create a Cloud Bigtable cluster and use the HBase API

B.

Deploy MongoDB Alias from the Google Cloud Marketplace

C.

Download a MongoDB installation package and run it on Compute Engine instances

D.

Download a MongoDB installation package, and run it on a Managed Instance Group

Full Access
Question # 31

Your web application is hosted on Cloud Run and needs to query a Cloud SQL database. Every morning during a traffic spike, you notice API quota errors in Cloud SQL logs. The project has already reached the maximum API quota. You want to make a configuration change to mitigate the issue. What should you do?

A.

Use traffic splitting

B.

Modify the minimum number of Cloud Run instances.

C.

Set a minimum concurrent requests environment variable for the application.

D.

Increase the maximum number of Cloud Run instances.

Full Access
Question # 32

(You deployed an application on a managed instance group in Compute Engine. The application accepts Transmission Control Protocol (TCP) traffic on port 389 and requires you to preserve the IP address of the client who is making a request. You want to expose the application to the internet by using a load balancer. What should you do?)

A.

Expose the application by using an internal passthrough Network Load Balancer.

B.

Expose the application by using an external passthrough Network Load Balancer.

C.

Expose the application by using a global external proxy Network Load Balancer.

D.

Expose the application by using a regional external proxy Network Load Balancer.

Full Access
Question # 33

You recently discovered an issue with your rolling update in Google Kubernetes Engine (GKE). You now need to roll back a rolling update. What should you do?

A.

Manually scale down the new Pods and scale up the old Pods.

B.

Delete the deployment.

C.

Use the kubectl rollout restart command to revert the deployment.

D.

Use the kubectl rollout undo command.

Full Access
Question # 34

You have deployed multiple Linux instances on Compute Engine. You plan on adding more instances in the coming weeks. You want to be able to access all of these instances through your SSH client over me Internet without having to configure specific access on the existing and new instances. You do not want the Compute Engine instances to have a public IP. What should you do?

A.

Configure Cloud Identity-Aware Proxy (or HTTPS resources

B.

Configure Cloud Identity-Aware Proxy for SSH and TCP resources.

C.

Create an SSH keypair and store the public key as a project-wide SSH Key

D.

Create an SSH keypair and store the private key as a project-wide SSH Key

Full Access
Question # 35

You need to deploy a single stateless web application with a web interface and multiple endpoints. For security reasons, the web application must be reachable from an internal IP address from your company ' s private VPC and on-premises network. You also need to update the web application multiple times per day with minimal effort and want to manage a minimal amount of cloud infrastructure. What should you do?

A.

Deploy the web application on Google Kubernetes Engine standard edition with an internal ingress.

B.

Deploy the web application on Cloud Run with Private Google Access configured

C.

Deploy the web application to GKE Autopilot with Private Google Access configured

D.

Deploy the web application on Cloud Run with Private Service Connect configured.

Full Access
Question # 36

An employee was terminated, but their access to Google Cloud Platform (GCP) was not removed until 2 weeks later. You need to find out this employee accessed any sensitive customer information after their termination. What should you do?

A.

View System Event Logs in Stackdriver. Search for the user’s email as the principal.

B.

View System Event Logs in Stackdriver. Search for the service account associated with the user.

C.

View Data Access audit logs in Stackdriver. Search for the user’s email as the principal.

D.

View the Admin Activity log in Stackdriver. Search for the service account associated with the user.

Full Access
Question # 37

You have an on-premises data analytics set of binaries that processes data files in memory for about 45 minutes every midnight. The sizes of those data files range from 1 gigabyte to 16 gigabytes. You want to migrate this application to Google Cloud with minimal effort and cost. What should you do?

A.

Upload the code to Cloud Functions. Use Cloud Scheduler to start the application.

B.

Create a container for the set of binaries. Use Cloud Scheduler to start a Cloud Run job for the container.

C.

Create a container for the set of binaries Deploy the container to Google Kubernetes Engine (GKE) and use the Kubernetes scheduler to start the application.

D.

Lift and shift to a VM on Compute Engine. Use an instance schedule to start and stop the instance.

Full Access
Question # 38

You need to create a custom VPC with a single subnet. The subnet’s range must be as large as possible. Which range should you use?

A.

.00.0.0/0

B.

10.0.0.0/8

C.

172.16.0.0/12

D.

192.168.0.0/16

Full Access
Question # 39

You are building a pipeline to process time-series data. Which Google Cloud Platform services should you put in boxes 1,2,3, and 4?

A.

Cloud Pub/Sub, Cloud Dataflow, Cloud Datastore, BigQuery

B.

Firebase Messages, Cloud Pub/Sub, Cloud Spanner, BigQuery

C.

Cloud Pub/Sub, Cloud Storage, BigQuery, Cloud Bigtable

D.

Cloud Pub/Sub, Cloud Dataflow, Cloud Bigtable, BigQuery

Full Access
Question # 40

You have developed an application that consists of multiple microservices, with each microservice packaged in its own Docker container image. You want to deploy the entire application on Google Kubernetes Engine so that each microservice can be scaled individually. What should you do?

A.

Create and deploy a Custom Resource Definition per microservice.

B.

Create and deploy a Docker Compose File.

C.

Create and deploy a Job per microservice.

D.

Create and deploy a Deployment per microservice.

Full Access
Question # 41

Your company plans to migrate its on-premises PostgreSQL database to Google Cloud. The workloads are demanding, requiring fast transactional and analytical performance. You need to select a fully managed database service on Google Cloud. Your solution must also be able to synchronously replicate and optimize the storage layer. What should you do?

A.

Use the psql client installed on a Compute Engine Instance. Connect to the Cloud SQL instance to perform the database migration.

B.

Migrate the database to AlloyDB for PostgreSQL by using Database Migration Service.

C.

Migrate the database to Cloud SQL for PostgreSQL by using Database Migration Service.

D.

Create a Compute Engine instance. Install and configure PostgreSQL on the instance, and migrate the database.

Full Access
Question # 42

You manage a business-critical backend application running on a Compute Engine managed instance group (MIG). The operations team requires a near-real time notification if the average CPU utilization across all instances in the MIG exceeds 75% for a continuous five-minute period. You need to implement a scalable Google Cloud solution to meet this monitoring requirement. What should you do?

A.

Create a logs-based metric in Cloud Logging that filters for high CPU usage entries, and then create a Cloud Monitoring alert policy based on that custom metric.

B.

Deploy the Ops Agent to all Compute Engine VM instances to collect the CPU metric. Use a custom script running on a separate Compute Engine instance to poll this metric every five minutes, and send an email notification if the threshold is breached.

C.

Create a Cloud Monitoring alerting policy that targets the compute.googleapis.com/instance/cpu/utilization metric. Set the threshold to 75% and the duration to five minutes.

D.

Configure an autoscaling policy for the MIG to use a CPU utilization target of 75% for five minutes, and then enable a notification channel in the autoscaler settings.

Full Access
Question # 43

(You are developing an internet of things (IoT) application that captures sensor data from multiple devices that have already been set up. You need to identify the global data storage product your company should use to store this data. You must ensure that the storage solution you choose meets your requirements of sub-millisecond latency. What should you do?)

A.

Store the IoT data in Spanner. Use caches to speed up the process and avoid latencies.

B.

Store the IoT data in Bigtable.

C.

Capture IoT data in BigQuery datasets.

D.

Store the IoT data in Cloud Storage. Implement caching by using Cloud CDN.

Full Access
Question # 44

You have created an application that is packaged into a Docker image. You want to deploy the Docker image as a workload on Google Kubernetes Engine. What should you do?

A.

Upload the image to Cloud Storage and create a Kubernetes Service referencing the image.

B.

Upload the image to Cloud Storage and create a Kubernetes Deployment referencing the image.

C.

Upload the image to Container Registry and create a Kubernetes Service referencing the image.

D.

Upload the image to Container Registry and create a Kubernetes Deployment referencing the image.

Full Access
Question # 45

(You are deploying an application to Google Kubernetes Engine (GKE). The application needs to make API calls to a private Cloud Storage bucket. You need to configure your application Pods to authenticate to the Cloud Storage API, but your organization policy prevents the usage of service account keys. You want to follow Google-recommended practices. What should you do?)

A.

Create the GKE cluster and deploy the application. Request a security exception to create a Google service account key. Set the constraints/iam.serviceAccountKeyExpiryHours organization policy to 8 hours.

B.

Create the GKE cluster and deploy the application. Request a security exception to create a Google service account key. Set the constraints/iam.serviceAccountKeyExpiryHours organization policy to 24 hours.

C.

Create the GKE cluster with Workload Identity Federation. Configure the default node service account to access the bucket. Deploy the application into the cluster so the application can use the node service account permissions. Use Identity and Access Management (IAM) to grant the service account access to the bucket.

D.

Create the GKE cluster with Workload Identity Federation. Create a Google service account and a Kubernetes ServiceAccount, and configure both service accounts to use Workload Identity Federation. Attach the Kubernetes ServiceAccount to the application Pods and configure the Google service account to access the bucket with Identity and Access Management (IAM).

Full Access
Question # 46

You are using Data Studio to visualize a table from your data warehouse that is built on top of BigQuery. Data is appended to the data warehouse during the day. At night, the daily summary is recalculated by overwriting the table. You just noticed that the charts in Data Studio are broken, and you want to analyze the problem. What should you do?

A.

Use the BigQuery interface to review the nightly Job and look for any errors

B.

Review the Error Reporting page in the Cloud Console to find any errors.

C.

In Cloud Logging create a filter for your Data Studio report

D.

Use the open source CLI tool. Snapshot Debugger, to find out why the data was not refreshed correctly.

Full Access
Question # 47

You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices. Which IAM roles should you grant your colleagues?

A.

Project Editor

B.

Storage Admin

C.

Storage Object Admin

D.

Storage Object Creator

Full Access
Question # 48

You are a Cloud Billing administrator for your company. Your company uses numerous Google Cloud projects and needs to implement a cost-control mechanism. Project teams must be notified promptly when their spending approaches its limit. You need to send near real-time notifications to a team ' s Slack channel when their project ' s spending reaches a predefined budget threshold. Your solution must be easy to support and require minimal maintenance. What should you do?

A.

Create a detailed billing export to BigQuery. Create a Cloud Composer directed acyclic graph (DAG) that runs on a schedule to analyze the BigQuery data and post notifications to Slack.

B.

Create a programmatic budget notification to send messages to a Pub/Sub topic. Create a Cloud Run function that is triggered by messages on the topic and posts the notifications to Slack.

C.

Create a programmatic budget notification to send messages to a Pub/Sub topic. Create a Compute Engine managed instance group to pull messages from the Pub/Sub subscription and post them to Slack.

D.

Create a detailed billing export to BigQuery. Create a Cloud Scheduler job that triggers a Cloud Run function to analyze the BigQuery data and post notifications to Slack.

Full Access
Question # 49

Your company is moving its continuous integration and delivery (CI/CD) pipeline to Compute Engine instances. The pipeline will manage the entire cloud infrastructure through code. How can you ensure that the pipeline has appropriate permissions while your system is following security best practices?

A.

• Add a step for human approval to the CI/CD pipeline before the execution of the infrastructureprovisioning.• Use the human approvals IAM account for the provisioning.

B.

• Attach a single service account to the compute instances.• Add minimal rights to the service account.• Allow the service account to impersonate a Cloud Identity user with elevated permissions to create, update, or delete resources.

C.

• Attach a single service account to the compute instances.• Add all required Identity and Access Management (IAM) permissions to this service account to create, update, or delete resources

D.

• Create multiple service accounts, one for each pipeline with the appropriate minimal Identity andAccess Management (IAM) permissions.• Use a secret manager service to store the key files of the service accounts.• Allow the CI/CD pipeline to request the appropriate secrets during the execution of the pipeline.

Full Access
Question # 50

(Your company uses a multi-cloud strategy that includes Google Cloud. You want to centralize application logs in a third-party software-as-a-service (SaaS) tool from all environments. You need tointegrate logs originating from Cloud Logging, and you want to ensure the export occurs with the least amount of delay possible. What should you do?)

A.

Use a Cloud Scheduler cron job to trigger a Cloud Function that queries Cloud Logging and sends the logs to the SaaS tool.

B.

Create a Cloud Logging sink and configure Pub/Sub as the destination. Configure the SaaS tool to subscribe to the Pub/Sub topic to retrieve the logs.

C.

Create a Cloud Logging sink and configure Cloud Storage as the destination. Configure the SaaS tool to read the Cloud Storage bucket to retrieve the logs.

D.

Create a Cloud Logging sink and configure BigQuery as the destination. Configure the SaaS tool to query BigQuery to retrieve the logs.

Full Access
Question # 51

You have downloaded and installed the gcloud command line interface (CLI) and have authenticated with your Google Account. Most of your Compute Engine instances in your project run in the europe-west1-d zone. You want to avoid having to specify this zone with each CLI command when managing these instances. What should you do?

A.

Set the europe-west1-d zone as the default zone using the gcloud config subcommand.

B.

In the Settings page for Compute Engine under Default location, set the zone to europe–west1-d.

C.

In the CLI installation directory, create a file called default.conf containing zone=europe–west1–d.

D.

Create a Metadata entry on the Compute Engine page with key compute/zone and value europe–west1–d.

Full Access
Question # 52

You recently received a new Google Cloud project with an attached billing account where you will work. You need to create instances, set firewalls, and store data in Cloud Storage. You want to follow Google-recommended practices. What should you do?

A.

Use the gcloud CLI services enablecloudresourcemanager.googleapis.comcommand to enable all resources.

B.

Use the gcloud services enablecompute.googleapis.comcommand to enable Compute Engineand thegcloud services enablestorage-api.googleapis.comcommand to enable the Cloud Storage APIs.

C.

Open the Google Cloud console and enable all Google Cloud APIs from the API dashboard.

D.

Open the Google Cloud console and run gcloud init --project < project-id > in a Cloud Shell.

Full Access
Question # 53

You’ve deployed a microservice called myapp1 to a Google Kubernetes Engine cluster using the YAML file specified below:

You need to refactor this configuration so that the database password is not stored in plain text. You want to follow Google-recommended practices. What should you do?

A.

Store the database password inside the Docker image of the container, not in the YAML file.

B.

Store the database password inside a Secret object. Modify the YAML file to populate the DB_PASSWORD environment variable from the Secret.

C.

Store the database password inside a ConfigMap object. Modify the YAML file to populate the DB_PASSWORD environment variable from the ConfigMap.

D.

Store the database password in a file inside a Kubernetes persistent volume, and use a persistent volume claim to mount the volume to the container.

Full Access
Question # 54

You are building an archival solution for your data warehouse and have selected Cloud Storage to archive your data. Your users need to be able to access this archived data once a quarter for some regulatory requirements. You want to select a cost-efficient option. Which storage option should you use?

A.

Coldline Storage

B.

Nearline Storage

C.

Regional Storage

D.

Multi-Regional Storage

Full Access
Question # 55

Your application is running on Google Cloud in a managed instance group (MIG). You see errors in Cloud Logging for one VM that one of the processes is not responsive. You want to replace this VM in the MIG quickly. What should you do?

A.

Select the MIG from the Compute Engine console and, in the menu, select Replace VMs.

B.

Use the gcloud compute instance-groups managed recreate-instances command to recreate theVM.

C.

Use the gcloud compute instances update command with a REFRESH action for the VM.

D.

Update and apply the instance template of the MIG.

Full Access
Question # 56

Your company is moving its entire workload to Compute Engine. Some servers should be accessible through the Internet, and other servers should only be accessible over the internal network. All servers need to be able to talk to each other over specific ports and protocols. The current on-premises network relies on a demilitarized zone (DMZ) for the public servers and a Local Area Network (LAN) for the private servers. You need to design the networking infrastructure on

Google Cloud to match these requirements. What should you do?

A.

1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ.

B.

1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public egress traffic for the DMZ.

C.

1. Create a VPC with a subnet for the DMZ and another VPC with a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ.

D.

1. Create a VPC with a subnet for the DMZ and another VPC with a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public egress traffic for the DMZ.

Full Access
Question # 57

You need to reduce GCP service costs for a division of your company using the fewest possible steps. You need to turn off all configured services in an existing GCP project. What should you do?

A.

1. Verify that you are assigned the Project Owners IAM role for this project.2. Locate the project in the GCP console, click Shut down and then enter the project ID.

B.

1. Verify that you are assigned the Project Owners IAM role for this project.2. Switch to the project in the GCP console, locate the resources and delete them.

C.

1. Verify that you are assigned the Organizational Administrator IAM role for this project.2. Locate the project in the GCP console, enter the project ID and then click Shut down.

D.

1. Verify that you are assigned the Organizational Administrators IAM role for this project.2. Switch to the project in the GCP console, locate the resources and delete them.

Full Access
Question # 58

Your company is closely monitoring their cloud spend. You need to allow different teams to monitor their Google Cloud costs. You must ensure that team members receive notifications when their cloud spend reaches certain thresholds and give team members the ability to create dashboards for additional insights with detailed billing data. You want to follow Google-recommended practices and minimize engineering costs. What should you do?

A.

Set up alerts for each team based on required thresholds. Set up billing exports to BigQuery. Grant team members access to BigQuery.

B.

Set up alerts for each team based on required thresholds. Create a shell script to read data from the Cloud Billing API, and push the results to BigQuery. Grant team members access to BigQuery.

C.

Deploy Grafana to Compute Engine. Create a dashboard for each team that uses the data from the Cloud Billing API. Ask each team to create their own alerts in Cloud Monitoring.

D.

Deploy Grafana to Compute Engine. Create a dashboard for each team that uses the data from the Cloud Billing Budget API. Ask each team to create their own alerts in Grafana.

Full Access
Question # 59

You need to create and manage service accounts for your workloads running on Google Cloud. You want to follow Google-recommended practices. What should you do?

Choose 2 answers

A.

Create as few service accounts as possible.

B.

Delete any unused service accounts immediately.

C.

Create single-purpose service accounts.

D.

Manage service accounts as resources.

E.

Use random names for the service accounts.

Full Access
Question # 60

Your managed instance group raised an alert stating that new instance creation has failed to create new instances. You need to maintain the number of running instances specified by the template to be able to process expected application traffic. What should you do?

A.

Create an instance template that contains valid syntax which will be used by the instance group. Delete any persistent disks with the same name as instance names.

B.

Create an instance template that contains valid syntax that will be used by the instance group. Verify that the instance name and persistent disk name values are not the same in the template.

C.

Verify that the instance template being used by the instance group contains valid syntax. Delete any persistent disks with the same name as instance names. Set the disks.autoDelete property to true in the instance template.

D.

Delete the current instance template and replace it with a new instance template. Verify that the instance name and persistent disk name values are not the same in the template. Set the disks.autoDelete property to true in the instance template.

Full Access
Question # 61

You are migrating a business critical application from your local data center into Google Cloud. As part of your high-availability strategy, you want to ensure that any data used by the application will be immediately available if a zonal failure occurs. What should you do?

A.

Store the application data on a zonal persistent disk. Create a snapshot schedule for the disk. If an outage occurs, create a new disk from the most recent snapshot and attach it to a new VM in another zone.

B.

Store the application data on a zonal persistent disk. If an outage occurs, create an instance in another zone with this disk attached.

C.

Store the application data on a regional persistent disk. Create a snapshot schedule for the disk. If an outage occurs, create a new disk from the most recent snapshot and attach it to a new VM in another zone.

D.

Store the application data on a regional persistent disk If an outage occurs, create an instance in another zone with this disk attached.

Full Access
Question # 62

You recently discovered that your developers are using many service account keys during their development process. While you work on a long term improvement, you need to quickly implement a process to enforce short-lived service account credentials in your company. You have the following requirements:

• All service accounts that require a key should be created in a centralized project called pj-sa.

• Service account keys should only be valid for one day.

You need a Google-recommended solution that minimizes cost. What should you do?

A.

Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.

B.

Implement a Kubernetes Cronjob to rotate all service account keys periodically. Disable attachment ofservice accounts to resources in all projects with an exception to pj-sa.

C.

Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.

D.

Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.

Full Access
Question # 63

You need to deploy an application, which is packaged in a container image, in a new project. The application exposes an HTTP endpoint and receives very few requests per day. You want to minimize costs. What should you do

A.

Deploy the container on Cloud Run.

B.

Deploy the container on Cloud Run on GKE.

C.

Deploy the container on App Engine Flexible.

D.

Deploy the container on Google Kubernetes Engine, with cluster autoscaling and horizontal pod autoscaling enabled.

Full Access
Question # 64

Your company would like to store invoices and other financial documents in Google Cloud. You need to identify a Google-managed solution to store this information for your company. You must ensure that the documents are kept for a duration of three years. Your company ' s analysts need frequent access to invoices from the past six months. After six months, invoices should be archived for audit purposes only. You want to minimize costs and follow Google-recommended practices. What should you do?

A.

Use Cloud Storage with Object Lifecycle Management to change the object storage class to Standard after six months.

B.

Use Cloud Storage with Object Lifecycle Management to change the object storage class to Coldline after six months.

C.

Store your documents on Filestore, and move the documents to Cloud Storage with object storage class set to Standard after six months.

D.

Store your documents on Filestore, and move the documents to Cloud Storage with object storage class set to Coldline after six months.

Full Access
Question # 65

You are using the gcloud container clusters create app-cluster command to deploy a Google Kubernetes Engine (GKE) cluster in a new Google Cloud project. The command fails with the following error:

ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Kubernetes Engine API has not been used in the project before or it is disabled.

You need to resolve the issue. What should you do?

A.

Run the gcloud services enable container.googleapis.com command, and then run the cluster creation command again.

B.

Disable the " Require enabling Workload Identity Federation for GKE " organization policy, and then run the cluster creation command again.

C.

Rerun the command with the --enable-autoprovisioning flag.

D.

Add the Kubernetes Engine Admin IAM role to your user account, and then run the cluster creation command again.

Full Access
Question # 66

Your company requires all developers to have the same permissions, regardless of the Google Cloud project they are working on. Your company ' s security policy also restricts developer permissions to Compute Engine. Cloud Functions, and Cloud SQL. You want to implement the security policy with minimal effort. What should you do?

A.

• Create a custom role with Compute Engine, Cloud Functions, and Cloud SQL permissions in one project within the Google Cloud organization.• Copy the role across all projects created within the organization with the gcloud iam roles copy command.• Assign the role to developers in those projects.

B.

• Add all developers to a Google group in Google Groups for Workspace.• Assign the predefined role of Compute Admin to the Google group at the Google Cloud organization level.

C.

• Add all developers to a Google group in Cloud Identity.• Assign predefined roles for Compute Engine, Cloud Functions, and Cloud SQL permissions to the Google group for each project in the Google Cloud organization.

D.

• Add all developers to a Google group in Cloud Identity.• Create a custom role with Compute Engine, Cloud Functions, and Cloud SQL permissions at the Google Cloud organization level.• Assign the custom role to the Google group.

Full Access
Question # 67

After a recent security incident, your startup company wants better insight into what is happening in the Google Cloud environment. You need to monitor unexpected firewall changes and instance creation. Your company prefers simple solutions. What should you do?

A.

Use Cloud Logging filters to create log-based metrics for firewall and instance actions. Monitor the changes and set up reasonable alerts.

B.

Install Kibana on a compute Instance. Create a log sink to forward Cloud Audit Logs filtered for firewalls andcompute instances to Pub/Sub. Target the Pub/Sub topic to push messages to the Kibana instance. Analyze the logs on Kibana in real time.

C.

Turn on Google Cloud firewall rules logging, and set up alerts for any insert, update, or delete events.

D.

Create a log sink to forward Cloud Audit Logs filtered for firewalls and compute instances to Cloud Storage.Use BigQuery to periodically analyze log events in the storage bucket.

Full Access
Question # 68

You are building an application that stores relational data from users. Users across the globe will use this application. Your CTO is concerned about the scaling requirements because the size of the user base is unknown. You need to implement a database solution that can scale with your user growth with minimum configuration changes. Which storage solution should you use?

A.

Cloud SQL

B.

Cloud Spanner

C.

Cloud Firestore

D.

Cloud Datastore

Full Access
Question # 69

You need to create a copy of a custom Compute Engine virtual machine (VM) to facilitate an expected increase in application traffic due to a business acquisition. What should you do?

A.

Create a Compute Engine snapshot of your base VM. Create your images from that snapshot.

B.

Create a Compute Engine snapshot of your base VM. Create your instances from that snapshot.

C.

Create a custom Compute Engine image from a snapshot. Create your images from that image.

D.

Create a custom Compute Engine image from a snapshot. Create your instances from that image.

Full Access
Question # 70

Your learn wants to deploy a specific content management system (CMS) solution lo Google Cloud. You need a quick and easy way to deploy and install the solution. What should you do?

A.

Search for the CMS solution in Google Cloud Marketplace. Use gcloud CLI to deploy the solution.

B.

Search for the CMS solution in Google Cloud Marketplace. Deploy the solution directly from Cloud Marketplace.

C.

Search for the CMS solution in Google Cloud Marketplace. Use Terraform and the Cloud Marketplace ID to deploy the solution with the appropriate parameters.

D.

Use the installation guide of the CMS provider. Perform the installation through your configuration management system.

Full Access
Question # 71

You are creating and deploying an application on Cloud Run that uses Cloud SQL for data storage. You need to track the number of database connections created by the application to ensure that database connections are reused. What should you do?

A.

In Cloud Monitoring, create a custom metric that tracks the creation of Cloud Run instances, and display the metric on a dashboard.

B.

Log each new database connection in the application. In Cloud Monitoring, create a custom metric for these logs, and display the metric on a dashboard.

C.

In the Google Cloud console, navigate to the Cloud SQL instance, and review the instance logs.

D.

In Cloud Trace, enable trace storage for your project, and use a filter to check for new database connections.

Full Access
Question # 72

You have an application on a general-purpose Compute Engine instance that is experiencing excessive disk read throttling on its Zonal SSD Persistent Disk. The application primarily reads large files from disk. The disk size is currently 350 GB. You want to provide the maximum amount of throughput while minimizing costs. What should you do?

A.

Increase the size of the disk to 1 TB.

B.

Increase the allocated CPU to the instance.

C.

Migrate to use a Local SSD on the instance.

D.

Migrate to use a Regional SSD on the instance.

Full Access
Question # 73

Your company uses Cloud Storage to store application backup files for disaster recovery purposes. You want to follow Google’s recommended practices. Which storage option should you use?

A.

Multi-Regional Storage

B.

Regional Storage

C.

Nearline Storage

D.

Coldline Storage

Full Access
Question # 74

You are designing an application that lets users upload and share photos. You expect your application to grow really fast and you are targeting a worldwide audience. You want to delete uploaded photos after 30 days. You want to minimize costs while ensuring your application is highly available. Which GCP storage solution should you choose?

A.

Persistent SSD on VM instances.

B.

Cloud Filestore.

C.

Multiregional Cloud Storage bucket.

D.

Cloud Datastore database.

Full Access
Question # 75

You want to deploy an application on Cloud Run that processes messages from a Cloud Pub/Sub topic. You want to follow Google-recommended practices. What should you do?

A.

1. Create a Cloud Function that uses a Cloud Pub/Sub trigger on that topic.2. Call your application on Cloud Run from the Cloud Function for every message.

B.

1. Grant the Pub/Sub Subscriber role to the service account used by Cloud Run.2. Create a Cloud Pub/Sub subscription for that topic.3. Make your application pull messages from that subscription.

C.

1. Create a service account.2. Give the Cloud Run Invoker role to that service account for your Cloud Run application.3. Create a Cloud Pub/Sub subscription that uses that service account and uses your Cloud Run application as the push endpoint.

D.

1. Deploy your application on Cloud Run on GKE with the connectivity set to Internal.2. Create a Cloud Pub/Sub subscription for that topic.3. In the same Google Kubernetes Engine cluster as your application, deploy a container that takes the messages and sends them to your application.

Full Access
Question # 76

You need to verify that a Google Cloud Platform service account was created at a particular time. What should you do?

A.

Filter the Activity log to view the Configuration category. Filter the Resource type to Service Account.

B.

Filter the Activity log to view the Configuration category. Filter the Resource type to Google Project.

C.

Filter the Activity log to view the Data Access category. Filter the Resource type to Service Account.

D.

Filter the Activity log to view the Data Access category. Filter the Resource type to Google Project.

Full Access
Question # 77

You have a number of applications that have bursty workloads and are heavily dependent on topics to decouple publishing systems from consuming systems. Your company would like to go serverless to enable developers to focus on writing code without worrying about infrastructure. Your solution architect has already identified Cloud Pub/Sub as a suitable alternative for decoupling systems. You have been asked to identify a suitable GCP Serverless service that is easy to use with Cloud Pub/Sub. You want the ability to scale down to zero when there is no traffic in order to minimize costs. You want to follow Google recommended practices. What should you suggest?

A.

Cloud Run for Anthos

B.

Cloud Run

C.

App Engine Standard

D.

Cloud Functions.

Full Access
Question # 78

You created a cluster.YAML file containing

resources:

name: cluster

type: container.v1.cluster

properties:

zone: europe-west1-b

cluster:

description: My GCP ACE cluster

initialNodeCount: 2

You want to use Cloud Deployment Manager to create this cluster in GKE. What should you do?

A.

gcloud deployment-manager deployments create my-gcp-ace-cluster --config cluster.yaml

B.

gcloud deployment-manager deployments create my-gcp-ace-cluster --type container.v1.cluster --config cluster.yaml

C.

gcloud deployment-manager deployments apply my-gcp-ace-cluster --type container.v1.cluster --config cluster.yaml

D.

gcloud deployment-manager deployments apply my-gcp-ace-cluster --config cluster.yaml

Full Access
Question # 79

You want to host your video encoding software on Compute Engine. Your user base is growing rapidly, and users need to be able 3 to encode their videos at any time without interruption or CPU limitations. You must ensure that your encoding solution is highly available, and you want to follow Google-recommended practices to automate operations. What should you do?

A.

Deploy your solution on multiple standalone Compute Engine instances, and increase the number of existing instances wnen CPU utilization on Cloud Monitoring reaches a certain threshold.

B.

Deploy your solution on multiple standalone Compute Engine instances, and replace existing instances with high-CPUinstances when CPU utilization on Cloud Monitoring reaches a certain threshold.

C.

Deploy your solution to an instance group, and increase the number of available instances whenever you see high CPU utilization in Cloud Monitoring.

D.

Deploy your solution to an instance group, and set the autoscaling based on CPU utilization.

Full Access
Question # 80

You are running an application on multiple virtual machines within a managed instance group and have autoscaling enabled. The autoscaling policy is configured so that additional instances are added to the group if the CPU utilization of instances goes above 80%. VMs are added until the instance group reaches its maximum limit of five VMs or until CPU utilization of instances lowers to 80%. The initial delay for HTTP health checks against the instances is set to 30 seconds. The virtual machine instances take around three minutes to become available for users. You observe that when the instance group autoscales, it adds more instances then necessary to support the levels of end-user traffic. You want to properly maintain instance group sizes when autoscaling. What should you do?

A.

Set the maximum number of instances to 1.

B.

Decrease the maximum number of instances to 3.

C.

Use a TCP health check instead of an HTTP health check.

D.

Increase the initial delay of the HTTP health check to 200 seconds.

Full Access
Question # 81

All development (dev) teams in your organization are located in the United States. Each dev team has its own Google Cloud project. You want to restrict access so that each dev team can only create cloud resources in the United States (US). What should you do?

A.

Create a folder to contain all the dev projects Create an organization policy to limit resources in US locations.

B.

Create an organization to contain all the dev projects. Create an Identity and Access Management (IAM) policy to limit the resources in US regions.

C.

Create an Identity and Access Management < IAM) policy to restrict the resources locations in the US. Apply the policy to all dev projects.

D.

Create an Identity and Access Management (IAM)policy to restrict the resources locations in all dev projects. Apply the policy to all dev roles.

Full Access
Question # 82

You have a web application deployed as a managed instance group. You have a new version of the application to gradually deploy. Your web application is currently receiving live web traffic. You want to ensure that the available capacity does not decrease during the deployment. What should you do?

A.

Perform a rolling-action start-update with maxSurge set to 0 and maxUnavailable set to 1.

B.

Perform a rolling-action start-update with maxSurge set to 1 and maxUnavailable set to 0.

C.

Create a new managed instance group with an updated instance template. Add the group to the backend service for the load balancer. When all instances in the new managed instance group are healthy, delete the old managed instance group.

D.

Create a new instance template with the new application version. Update the existing managed instance group with the new instance template. Delete the instances in the managed instance group to allow the managed instance group to recreate the instance using the new instance template.

Full Access
Question # 83

Your coworker has helped you set up several configurations for gcloud. You ' ve noticed that you ' re running commands against the wrong project. Being new to the company, you haven ' t yet memorized any of the projects. With the fewest steps possible, what ' s the fastest way to switch to the correct configuration?

A.

Run gcloud configurations list followed by gcloud configurations activate .

B.

Run gcloud config list followed by gcloud config activate.

C.

Run gcloud config configurations list followed by gcloud config configurations activate.

D.

Re-authenticate with the gcloud auth login command and select the correct configurations on login.

Full Access
Question # 84

You need to update a deployment in Deployment Manager without any resource downtime in the deployment. Which command should you use?

A.

gcloud deployment-manager deployments create --config < deployment-config-path >

B.

gcloud deployment-manager deployments update --config < deployment-config-path >

C.

gcloud deployment-manager resources create --config < deployment-config-path >

D.

gcloud deployment-manager resources update --config < deployment-config-path >

Full Access
Question # 85

You created a Google Cloud Platform project with an App Engine application inside the project. You initially configured the application to be served from the us-central region. Now you want the application to be served from the asia-northeast1 region. What should you do?

A.

Change the default region property setting in the existing GCP project to asia-northeast1.

B.

Change the region property setting in the existing App Engine application from us-central to asia-northeast1.

C.

Create a second App Engine application in the existing GCP project and specify asia-northeast1 as the region to serve your application.

D.

Create a new GCP project and create an App Engine application inside this new project. Specify asia-northeast1 as the region to serve your application.

Full Access
Question # 86

You have a VM instance running in a VPC with single-stack subnets. You need to ensure that the VM instance has a fixed IP address so that other services hosted in the same VPC can communicate with the VM. You want to follow Google-recommended practices while minimizing cost. What should you do?

A.

Reserve a new static external IP address and assign the new IP address to the VM.

B.

Promote the existing IP address of the VM to become a static external IP address.

C.

Reserve a new static external IPv6 address and assign the new IP address to the VM.

D.

Promote the existing IP address of the VM to become a static internal IP address.

Full Access
Question # 87

You are planning to migrate a database and a backend application to a Standard Google Kubernetes Engine (GKE) cluster. You need to prevent data loss and make sure there are enough nodes available for your backend application based on the demands of your workloads. You want to follow Google-recommended practices and minimize the amount of manual work required. What should you do?

A.

Run your database as a StatefulSet. Configure cluster autoscaling to handle changes in the demands of your workloads.

B.

Run your database as a single Pod. Run the resize command when you notice changes in the demands of your workloads.

C.

Run your database as a Deployment. Configure cluster autoscaling to handle changes in the demands of your workloads.

D.

Run your database as a DaemonSet. Run the resize command when you notice changes in the demands of your workloads.

Full Access
Question # 88

You have a single binary application that you want to run on Google Cloud Platform. You decided to automatically scale the application based on underlying infrastructure CPU usage. Your organizational policies require you to use virtual machines directly. You need to ensure that the application scaling is operationally efficient and completed as quickly as possible. What should you do?

A.

Create a Google Kubernetes Engine cluster, and use horizontal pod autoscaling to scale the application.

B.

Create an instance template, and use the template in a managed instance group with autoscaling configured.

C.

Create an instance template, and use the template in a managed instance group that scales up and down based on the time of day.

D.

Use a set of third-party tools to build automation around scaling the application up and down, based on Stackdriver CPU usage monitoring.

Full Access
Question # 89

You want to add a new auditor to a Google Cloud Platform project. The auditor should be allowed to read, but not modify, all project items.

How should you configure the auditor ' s permissions?

A.

Create a custom role with view-only project permissions. Add the user ' s account to the custom role.

B.

Create a custom role with view-only service permissions. Add the user ' s account to the custom role.

C.

Select the built-in IAM project Viewer role. Add the user ' s account to this role.

D.

Select the built-in IAM service Viewer role. Add the user ' s account to this role.

Full Access
Question # 90

You have production and test workloads that you want to deploy on Compute Engine. Production VMs need to be in a different subnet than the test VMs. All the VMs must be able to reach each other over internal IP without creating additional routes. You need to set up VPC and the 2 subnets. Which configuration meets these requirements?

A.

Create a single custom VPC with 2 subnets. Create each subnet in a different region and with a different CIDR range.

B.

Create a single custom VPC with 2 subnets. Create each subnet in the same region and with the same CIDR range.

C.

Create 2 custom VPCs, each with a single subnet. Create each subnet is a different region and with a different CIDR range.

D.

Create 2 custom VPCs, each with a single subnet. Create each subnet in the same region and with the same CIDR range.

Full Access
Question # 91

You are planning to migrate your containerized workloads to Google Kubernetes Engine (GKE). You need to determine which GKE option to use. Your solution must have high availability, minimal downtime, and the ability to promptly apply security updates to your nodes. You also want to pay only for the compute resources that your workloads use without managing nodes. You want to follow Google-recommended practices and minimize operational costs. What should you do?

A.

Configure a Standard multi-zonal GKE cluster.

B.

Configure an Autopilot GKE cluster.

C.

Configure a Standard zonal GKE cluster.

D.

Configure a Standard regional GKE cluster.

Full Access
Question # 92

You are planning to manage all of your Google Cloud resources by using Terraform. You have multiple applications that you want to manage independently of each other. You need to structure your Terraform code repository to facilitate this separation. What should you do?

A.

Create a single module for each resource type, and place all modules in the same directory.

B.

Put the Terraform configuration resources for each application in its own root directory.

C.

Create a single module for each application, and place all modules in the same directory.

D.

Put resources of the same type in their own root directory.

Full Access
Question # 93

You are managing resources in a Google Cloud project. A new service account needs the ability to invoke a Cloud Run service. You need to gain the permissions to modify IAM policies for service accounts while adhering to the principle of least privilege. What should you do?

A.

Request the roles/run.invoker role for your user account.

B.

Request the roles/iam.serviceAccountAdmin role for your user account.

C.

Request the Editor role for your user account.

D.

Request the Owner role for your user account.

Full Access
Question # 94

You need to manage a third-party application that will run on a Compute Engine instance. Other Compute Engine instances are already running with default configuration. Application installation files are hosted on Cloud Storage. You need to access these files from the new instance without allowing other virtual machines (VMs) to access these files. What should you do?

A.

Create the instance with the default Compute Engine service account Grant the service account permissions on Cloud Storage.

B.

Create the instance with the default Compute Engine service account Add metadata to the objects on Cloud Storage that matches the metadata on the new instance.

C.

Create a new service account and assig n this service account to the new instance Grant the service account permissions on Cloud Storage.

D.

Create a new service account and assign this service account to the new instance Add metadata to the objects on Cloud Storage that matches the metadata on the new instance.

Full Access
Question # 95

You are managing a web application that needs to read objects from a shared Cloud Storage bucket. You need to grant a Cloud Run service access to objects in the existing bucket that are named with the site1-data/ prefix while ensuring that the Cloud Run service has access to new objects as they are uploaded. Your solution should require minimal work to implement and maintain. What should you do?

A.

Enable fine-grained access control, and configure the uploader to set a per object access control list for the Cloud Run service identity to have the READER role when objects with the site1-data/ prefix are uploaded.

B.

Create a new bucket to store only objects with the site1-data/ prefix. Grant the Cloud Run service identity the roles/storage.objectViewer IAM role on the bucket.

C.

Enable uniform bucket-level access, and configure an IAM binding on the existing bucket. Grant the Cloud Run service identity the roles/storage.objectViewer IAM role on the bucket with an IAM condition for objects with the site1-data/ prefix.

D.

Create a new bucket to store only objects with the site1-data/ prefix. Grant the Cloud Run service identity the roles/storage.objectViewer IAM role on the project.

Full Access
Question # 96

You are building a data lake on Google Cloud for your Internet of Things (loT) application. The loT application has millions of sensors that are constantly streaming structured and unstructured data to your backend in the cloud. You want to build a highly available and resilient architecture based on Google-recommended practices. What should you do?

A.

Stream data to Pub/Sub, and use Dataflow to send data to Cloud Storage

B.

Stream data to Pub/Sub. and use Storage Transfer Service to send data to BigQuery.

C.

Stream data to Dataflow, and use Storage Transfer Service to send data to BigQuery.

D.

Stream data to Dataflow, and use Dataprep by Trifacta to send data to Bigtable.

Full Access
Question # 97

You are designing an application that uses WebSockets and HTTP sessions that are not distributed across the web servers. You want to ensure the application runs properly on Google Cloud Platform. What should you do?

A.

Meet with the cloud enablement team to discuss load balancer options.

B.

Redesign the application to use a distributed user session service that does not rely on WebSockets and HTTP sessions.

C.

Review the encryption requirements for WebSocket connections with the security team.

D.

Convert the WebSocket code to use HTTP streaming.

Full Access
Question # 98

Your projects incurred more costs than you expected last month. Your research reveals that a development GKE container emitted a huge number of logs, which resulted in higher costs. You want to disable the logs quickly using the minimum number of steps. What should you do?

A.

1. Go to the Logs ingestion window in Stackdriver Logging, and disable the log source for the GKE container resource.

B.

1. Go to the Logs ingestion window in Stackdriver Logging, and disable the log source for the GKE Cluster Operations resource.

C.

1. Go to the GKE console, and delete existing clusters.2. Recreate a new cluster.3. Clear the option to enable legacy Stackdriver Logging.

D.

1. Go to the GKE console, and delete existing clusters.2. Recreate a new cluster.3. Clear the option to enable legacy Stackdriver Monitoring.

Full Access
Question # 99

You created a Kubernetes deployment by running kubectl run nginx image=nginx labels=app=prod. Your Kubernetes cluster is also used by a number of other deployments. How can you find the identifier of the pods for this nginx deployment?

A.

kubectl get deployments –output=pods

B.

gcloud get pods –selector=”app=prod”

C.

kubectl get pods -I “app=prod”

D.

gcloud list gke-deployments -filter={pod }

Full Access
Question # 100

You have a Compute Engine instance hosting a production application. You want to receive an email if the instance consumes more than 90% of its CPU resources for more than 15 minutes. You want to use Google services. What should you do?

A.

1. Create a consumer Gmail account.2.Write a script that monitors the CPU usage.3.When the CPU usage exceeds the threshold, have that script send an email using the Gmail account and smtp.gmail.com on port 25 as SMTP server.

B.

1. Create a Stackdriver Workspace, and associate your Google Cloud Platform (GCP) project with it.2.Create an Alerting Policy in Stackdriver that uses the threshold as a trigger condition.3.Configure your email address in the notification channel.

C.

1. Create a Stackdriver Workspace, and associate your GCP project with it.2.Write a script that monitors the CPU usage and sends it as a custom metric to Stackdriver.3.Create an uptime check for the instance in Stackdriver.

D.

1. In Stackdriver Logging, create a logs-based metric to extract the CPU usage by using this regular expression: CPU Usage: ([0-9] {1,3}) %2.In Stackdriver Monitoring, create an Alerting Policy based on this metric.3.Configure your email address in the notification channel.

Full Access
Question # 101

(Your company is modernizing its applications and refactoring them to containerized microservices. You need to deploy the infrastructure on Google Cloud so that teams can deploy their applications. The applications cannot be exposed publicly. You want to minimize management and operational overhead. What should you do?)

A.

Provision a Standard zonal Google Kubernetes Engine (GKE) cluster.

B.

Provision a fleet of Compute Engine instances and install Kubernetes.

C.

Provision a Google Kubernetes Engine (GKE) Autopilot cluster.

D.

Provision a Standard regional Google Kubernetes Engine (GKE) cluster.

Full Access
Question # 102

Your company wants to standardize the creation and management of multiple Google Cloud resources using Infrastructure as Code. You want to minimize the amount of repetitive code needed to manage the environment What should you do?

A.

Create a bash script that contains all requirement steps as gcloud commands

B.

Develop templates for the environment using Cloud Deployment Manager

C.

Use curl in a terminal to send a REST request to the relevant Google API for each individual resource.

D.

Use the Cloud Console interface to provision and manage all related resources

Full Access
Question # 103

You are assisting a new Google Cloud user who just installed the Google Cloud SDK on their VM. The server needs access to Cloud Storage. The user wants your help to create a new storage bucket. You need to make this change in multiple environments. What should you do?

A.

Use a Deployment Manager script to automate creating storage buckets in an appropriate region

B.

Use a local SSD to improve performance of the VM for the targeted workload

C.

Use the gsutii command to create a storage bucket in the same region as the VM

D.

Use a Persistent Disk SSD in the same zone as the VM to improve performance of the VM

Full Access
Question # 104

You have been asked to create robust Virtual Private Network (VPN) connectivity between a new Virtual Private Cloud (VPC) and a remote site. Key requirements include dynamic routing, a shared address space of 10.19.0.1/22, and no overprovisioning of tunnels during a failover event. You want to follow Google-recommended practices to set up a high availability Cloud VPN. What should you do?

A.

Use a custom mode VPC network, configure static routes, and use active/passive routing

B.

Use an automatic mode VPC network, configure static routes, and use active/active routing

C.

Use a custom mode VPC network use Cloud Router border gateway protocol (86P) routes, and use active/passive routing

D.

Use an automatic mode VPC network, use Cloud Router border gateway protocol (BGP) routes and configure policy-based routing

Full Access
Question # 105

You need to grant access for three users so that they can view and edit table data on a Cloud Spanner instance. What should you do?

A.

Run gcloud iam roles describe roles/spanner.databaseUser. Add the users to the role.

B.

Run gcloud iam roles describe roles/spanner.databaseUser. Add the users to a new group. Add the group to the role.

C.

Run gcloud iam roles describe roles/spanner.viewer --project my-project. Add the users to the role.

D.

Run gcloud iam roles describe roles/spanner.viewer --project my-project. Add the users to a new group. Add the group to the role.

Full Access
Question # 106

Your organization uses Active Directory (AD) to manage user identities. Each user uses this identity for federated access to various on-premises systems. Your security team has adopted a policy that requires users to log into Google Cloud with their AD identity instead of their own login. You want to follow the Google-recommended practices to implement this policy. What should you do?

A.

Sync Identities with Cloud Directory Sync, and then enable SAML for single sign-on

B.

Sync Identities in the Google Admin console, and then enable Oauth for single sign-on

C.

Sync identities with 3rd party LDAP sync, and then copy passwords to allow simplified login with (he same credentials

D.

Sync identities with Cloud Directory Sync, and then copy passwords to allow simplified login with the same credentials.

Full Access
Question # 107

Your company ' s Human Resources department publishes a BigQuery dataset with anonymized information about company sales and products. All employees in your company are managed in the terramearth.com Cloud Identity account and must be able to view this dataset as an authenticated user. You need to grant all employees in your company read-only access to this BigQuery dataset. What should you do?

A.

Grant the roles/bigquery.dataViewer role to the domain:terramearth.com principal on the dataset ' s IAM policy.

B.

Grant the roles/bigquery.dataViewer role to the allUsers principal on the dataset ' s IAM policy.

C.

Grant the roles/bigquery.dataViewer role to a new service account on the dataset ' s IAM policy.

D.

Grant the roles/bigquery.dataViewer role to the allAuthenticatedUsers principal on the dataset ' s IAM policy.

Full Access
Question # 108

Your company uses a large number of Google Cloud services centralized in a single project. All teams have specific projects for testing and development. The DevOps team needs access to all of theproduction services in order to perform their job. You want to prevent Google Cloud product changes from broadening their permissions in the future. You want to follow Google-recommended practices. What should you do?

A.

Grant all members of the DevOps team the role of Project Editor on the organization level.

B.

Grant all members of the DevOps team the role of Project Editor on the production project.

C.

Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the production project.

D.

Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the organization level.

Full Access