[GCP] Google Cloud Certified - Associate Cloud Engineer

Ace Your Associate Cloud Engineer with Practice Exams.


Google Cloud Certified – Associate Cloud Engineer Practice Exam (Q 85)


QUESTION 1

You recently deployed a new version of an application to Google App Engine and then discovered a bug in the release.
You need to immediately revert to the prior version of the application.
What should you do?

  • A. Run gcloud app restore.
  • B. On the Google App Engine page of the Google Cloud Console, select the application that needs to be reverted and click Revert.
  • C. On the Google App Engine Versions page of the Google Cloud Console, route 100% of the traffic to the previous version.
  • D. Deploy the original version as a separate application. Then go to Google App Engine settings and split traffic between applications so that the original version serves 100% of the requests.

Correct Answer: C

You can migrate all the traffic back to the previous version. Refer to the GCP documentation (Google App Engine Overview): having multiple versions of your app within each service allows you to quickly switch between different versions of that app for rollbacks, testing, or other temporary events.


QUESTION 2 

You are given a project with a single virtual private cloud (VPC) and a single subnetwork in the us-central1 region.
There is a Google Compute Engine instance hosting an application in this subnetwork. You need to deploy a new instance in the same project in the europe-west1 region. This new instance needs access to the application. You want to follow Google-recommended practices.
What should you do?

  • A.
    • 1. Create a VPC and a subnetwork in europe-west1.
    • 2. Peer the 2 VPCs.
    • 3. Create the new instance in the new subnetwork and use the first instance’s private address as the endpoint.
  • B.
    • 1. Create a VPC and a subnetwork in europe-west1. 
    • 2. Expose the application with an internal load balancer.
    • 3. Create the new instance in the new subnetwork and use the load balancer’s address as the endpoint.
  • C.
    • 1. Create a subnetwork in the same VPC, in europe-west1.
    • 2. Create the new instance in the new subnetwork and use the first instance’s private address as the endpoint.
  • D.
    • 1. Create a subnetwork in the same VPC, in europe-west1.
    • 2. Use Cloud VPN to connect the two subnetworks.
    • 3. Create the new instance in the new subnetwork and use the first instance’s private address as the endpoint.

Correct Answer: C


QUESTION 3

Several employees at your company have been creating projects with Google Cloud Platform and paying for it with their personal credit cards, which the company reimburses. The company wants to centralize all these projects under a single, new billing account.
What should you do?

  • A. Contact cloud-billing@google.com with your bank account details and request a corporate billing account for your company.
  • B. Create a ticket with Google Support and wait for their call to share your credit card details over the phone.
  • C. In the Google Platform Console, go to the Resource Manager and move all projects to the root Organization.
  • D. In the Google Cloud Console, create a new billing account and set up a payment method.

Correct Answer: C

Once a Google Cloud Organization resource has been created for your domain, you can move your existing projects into the organization.

Reference contents:
Migrating projects | Resource Manager Documentation


QUESTION 4

You manage a Google App Engine Service that aggregates and visualizes data from Google BigQuery.
The application is deployed with the default Google App Engine Service account. The data that needs to be visualized resides in a different project managed by another team. You do not have access to this project, but you want your application to be able to read data from the Google BigQuery dataset.
What should you do?

  • A. Ask the other team to grant your default Google App Engine Service account the role of Google BigQuery Job User.
  • B. Ask the other team to grant your default Google App Engine Service account the role of Google BigQuery Data Viewer.
  • C. In Cloud IAM of your project, ensure that the default Google App Engine service account has the role of Google BigQuery Data Viewer.
  • D. In Cloud IAM of your project, grant a newly created service account from the other team the role of Google BigQuery Job User in your project.

Correct Answer: B

The Owner, Editor, and Viewer primitive roles include the Google BigQuery Admin (roles/bigquery.dataOwner), Google BigQuery Data Editor (roles/bigquery.dataEditor), and Google BigQuery Data Viewer (roles/bigquery.dataViewer) roles, respectively. This means the Owner, Editor, and Viewer primitive roles have Google BigQuery access as defined for the respective Google BigQuery roles.

Reference contents:
Predefined roles and permissions | BigQuery


QUESTION 5

You need to set a budget alert for use of Google Compute Engine services on one of the three Google Cloud Platform projects that you manage.
All three projects are linked to a single billing account.
What should you do?

  • A. Verify that you are the project billing administrator. Select the associated billing account and create a budget and alert for the appropriate project.
  • B. Verify that you are the project billing administrator. Select the associated billing account and create a budget and a custom alert.
  • C. Verify that you are the project administrator. Select the associated billing account and create a budget for the appropriate project.
  • D. Verify that you are the project administrator. Select the associated billing account and create a budget and a custom alert.

Correct Answer: A

You can rely on default alerts. No need for custom alerts.


QUESTION 6

You need to manage a third-party application that will run on a Google Compute Engine instance.
Other Google Compute Engine instances are already running with default configuration. Application installation files are hosted on Google Cloud Storage. You need to access these files from the new instance without allowing other virtual machines (VMs) to access these files.
What should you do?

  • A. Create a new service account and assign this service account to the new instance. Grant the service account permissions on Google Cloud Storage.
  • B. Create a new service account and assign this service account to the new instance. Add metadata to the objects on Google Cloud Storage that matches the metadata on the new instance.
  • C. Create the instance with the default Google Compute Engine service account. Add metadata to the objects on Google Cloud Storage that matches the metadata on the new instance.
  • D. Create the instance with the default Google Compute Engine service account. Grant the service account permissions on Google Cloud Storage.

Correct Answer: A


QUESTION 7

You are deploying an application to Google App Engine.
You want the number of instances to scale based on request rate. You need at least 3 unoccupied instances at all times.
Which scaling type should you use?

  • A. Basic Scaling with min_instances set to 3.
  • B. Basic Scaling with max_instances set to 3.
  • C. Manual Scaling with 3 instances.
  • D. Automatic Scaling with min_idle_instances set to 3.

Correct Answer: D


QUESTION 8

You are hosting an application on bare-metal servers in your own data center.
The application needs access to Google Cloud Storage. However, security policies prevent the servers hosting the application from having public IP addresses or access to the internet. You want to follow Google recommended practices to provide the application with access to Google Cloud Storage.
What should you do?

  • A.
    • 1. Use nslookup to get the IP address for storage.googleapis.com.
    • 2. Negotiate with the security team to be able to give a public IP address to the servers.
    • 3. Only allow egress traffic from those servers to the IP addresses for storage.googleapis.com.
  • B.
    • 1. Using Cloud VPN, create a VPN tunnel to a Virtual Private Cloud (VPC) in Google Cloud Platform (GCP).
    • 2. In this VPC, create a Google Compute Engine instance and install the Squid proxy server on this instance.
    • 3. Configure your servers to use that instance as a proxy to access Google Cloud Storage.
  • C.
    • 1. Use Migrate for Google Compute Engine (formerly known as Velostrata) to migrate those servers to Google Compute Engine.
    • 2. Create an internal load balancer (ILB) that uses storage.googleapis.com as backend.
    • 3. Configure your new instances to use this ILB as proxy.
  • D.
    • 1. Using Cloud VPN or Interconnect, create a tunnel to a VPC in GCP.
    • 2. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network through the VPN tunnel. 
    • 3. In your on-premises network, configure your DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com. 

Correct Answer: D

Reference contents:
Configuring Private Google Access for on-premises hosts | VPC

QUESTION 9

You are operating a Google Kubernetes Engine (GKE) cluster for your company where different teams can run non-production workloads.
Your Machine Learning (ML) team needs access to Nvidia Tesla P100 GPUs to train their models. You want to minimize effort and cost.
What should you do?

  • A. Ask your ML team to add the “accelerator: gpu” annotation to their pod specification.
  • B. Recreate all the nodes of the GKE cluster to enable GPUs on all of them.
  • C. Create your own Kubernetes cluster on top of Google Compute Engine with nodes that have GPUs. Dedicate this cluster to your ML team. 
  • D. Add a new, GPU-enabled, node pool to the GKE cluster. Ask your ML team to add the cloud.google.com/gke-accelerator: nvidia-tesla-p100 nodeSelector to their pod specification.

Correct Answer: D

Reference contents:
Running GPUs | Kubernetes Engine Documentation


QUESTION 10

You work for a retail company that has a busy online store.
As you are approaching New Year, you find that your e-store is getting more and more traffic. You ensure that your web servers are behind a managed instance group. However, you notice that the web tier is frequently scaling, sometimes multiple times in an hour. You need to keep the instance group from scaling up and down so rapidly.
Which of the following options would help you to achieve this? 

  • A. Increase the cool down period. 
  • B. Reduce the number of maximum instance count. 
  • C. Change the auto scaling metric to use multiple metrics instead of just one metric.
  • D. Associate a health check with the instance group. 

Correct Answer: A


QUESTION 11

You need to create a custom VPC with a single subnet.
The subnet’s range must be as large as possible.
Which range should you use? 

  • A. 0.0.0.0/0 
  • B. 10.0.0.0/8 
  • C. 172.16.0.0/12 
  • D. 192.168.0.0/16 

Correct Answer: B

From the RFC 1918 defined ranges, 10.0.0.0/8 is the “largest”. 

Reference contents:
VPC network overview


QUESTION 12

You are building an application that stores relational data from users.
Users across the globe will use this application. Your CTO is concerned about the scaling requirements because the size of the user base is unknown. You need to implement a database solution that can scale with your user growth with minimum configuration changes.
Which storage solution should you use?

  • A. Google Cloud SQL
  • B. Google Cloud Spanner 
  • C. Google Cloud Firestore
  • D. Google Cloud Datastore 

Google Cloud Spanner supports relational data models, globally. Option D is incorrect: Google Cloud Datastore is for storing non-relational data.

Correct Answer: B


QUESTION 13

You need to update a deployment in Deployment Manager without any resource downtime in the deployment.
Which command should you use? 

  • A. gcloud deployment-manager deployments create --config <deployment-config-path>
  • B. gcloud deployment-manager deployments update --config <deployment-config-path>
  • C. gcloud deployment-manager resources create --config <deployment-config-path>
  • D. gcloud deployment-manager resources update --config <deployment-config-path>

Correct Answer: B

Reference contents:
gcloud deployment-manager deployments update | Cloud SDK Documentation


QUESTION 14

You are running an application on multiple virtual machines within a managed instance group and have auto scaling enabled.
The autoscaling policy is configured so that additional instances are added to the group if the CPU utilization of instances goes above 80%. VMs are added until the instance group reaches its maximum limit of five VMs or until CPU utilization of instances lowers to 80%. The initial delay for HTTP health checks against the instances is set to 30 seconds. The virtual machine instances take around three minutes to become available for users. You observe that when the instance group autoscales, it adds more instances than necessary to support the levels of end-user traffic. You want to properly maintain instance group sizes when autoscaling.
What should you do? 

  • A. Decrease the maximum number of instances to 3. 
  • B. Set the maximum number of instances to 1. 
  • C. Increase the initial delay of the HTTP health check to 200 seconds. 
  • D. Use a TCP health check instead of an HTTP health check. 

Correct Answer: C


QUESTION 15

You need a dynamic way of provisioning VMs on Google Compute Engine.
The exact specifications will be in a dedicated configuration file. You want to follow Google’s recommended practices.
Which method should you use? 

  • A. Deployment Manager 
  • B. Google Cloud Composer
  • C. Managed Instance Group 
  • D. Unmanaged Instance Group 

Correct Answer: A

Google Cloud Deployment Manager allows you to specify all the resources needed for your application in a declarative format using yaml. You can also use Python or Jinja2 templates to parameterize the configuration and allow reuse of common deployment paradigms such as a load balanced, auto-scaled instance group. Treat your configuration as code and perform repeatable deployments. 

Reference contents:
Google Cloud Deployment Manager documentation


QUESTION 16

You need to produce a list of the enabled Google Cloud Platform APIs for a GCP project using the gcloud command line in the Google Cloud Shell.
The project name is my-project.
What should you do? 

  • A. Run gcloud projects describe <project ID> to verify the project value, and then run gcloud services list --available.
  • B. Run gcloud info to view the account value, and then run gcloud services list --account <Account>.
  • C. Run gcloud init to set the current project to my-project, and then run gcloud services list --available.
  • D. Run gcloud projects list to get the project ID, and then run gcloud services list --project <project ID>.

Correct Answer: D


QUESTION 17

Your company has an internal application for managing transactional orders.
The application is used exclusively by employees in a single physical location. The application requires strong consistency, fast queries, and ACID guarantees for multi-table transactional updates. The first version of the application is implemented in PostgreSQL, and you want to deploy it to the cloud with minimal code changes.
Which database is most appropriate for this application?

  • A. Google Cloud Datastore 
  • B. Google Cloud Spanner 
  • C. Google BigQuery 
  • D. Google Cloud SQL

Correct Answer: D


QUESTION 18

You have created a subnet named subnetace1 with 16,382 addresses using 192.168.0.0. Later you realize that you won’t require too many addresses, and so you want to reduce addresses to 254.
Which of the following commands would you use?

  • A. gcloud compute networks subnets expand-ip-range subnetace1 --size=248
  • B. gcloud compute networks subnets expand-ip-range subnetace1 --prefix-length=28
  • C. gcloud compute networks subnets expand-ip-range subnetace1 --prefix-length=-12
  • D. There is no command in Google Cloud to reduce the number of available addresses in a subnet.

Correct Answer: D


QUESTION 19

You are working for a hospital that stores its medical images in an on-premises data room.
The hospital wants to use Google Cloud Storage for archival storage of these images. The hospital wants an automated process to upload any new medical images to Google Cloud Storage. You need to design and implement a solution.
What should you do? 

  • A. Create a script that uses the gsutil command line interface to synchronize the on-premises storage with Google Cloud Storage. Schedule the script as a cron job.
  • B. In the Google Cloud Console, go to Google Cloud Storage. Upload the relevant images to the appropriate bucket.
  • C. Create a Google Cloud Pub/Sub topic, and enable a Google Cloud Storage trigger for the Google Cloud Pub/Sub topic. Create an application that sends all medical images to the Google Cloud Pub/Sub topic.
  • D. Deploy a Google Cloud Dataflow job from the batch template “Google Cloud Datastore to Google Cloud Storage”. Schedule the batch job on the desired interval.

Correct Answer: D


QUESTION 20

Your customer has implemented a solution that uses Google Cloud Spanner and notices some read latency-related performance issues on one table.
This table is accessed only by their users using a primary key.
The table schema is shown below. 

CREATE TABLE Persons (
  person_id INT64 NOT NULL, -- sequential number based on number of registration
  account_creation_date DATE, -- system date
  birthdate DATE, -- customer birthdate
  firstname STRING(255), -- first name
  lastname STRING(255), -- last name
  profile_picture BYTES(255) -- profile picture
) PRIMARY KEY (person_id)

You want to resolve the issue. What should you do? 

  • A. Change the primary key to not have monotonically increasing values.
  • B. Create a secondary index using the following Data Definition Language (DDL):
CREATE INDEX person_id_ix
ON Persons (
  person_id,
  firstname,
  lastname
) STORING (
  profile_picture
)
  • C. Add a secondary index on the person_id column. 
  • D. Remove the profile_picture field from the table. 

Correct Answer: B


QUESTION 21

Your management has asked an external auditor to review all the resources in a specific project.
The security team has enabled the Organization Policy called Domain Restricted Sharing on the organization node by specifying only your Cloud Identity domain. You want the auditor to only be able to view, but not modify, the resources in that project.
What should you do? 

  • A. Ask the auditor for their Google account, and give them the Viewer role on the project.
  • B. Ask the auditor for their Google account, and give them the Security Reviewer role on the project.
  • C. Create a temporary account for the auditor in Cloud Identity, and give that account the Viewer role on the project. 
  • D. Create a temporary account for the auditor in Cloud Identity, and give that account the Security Reviewer role on the project. 

Correct Answer: C

Reference contents:
IAM roles for auditing-related job functions | Cloud IAM Documentation


QUESTION 22

You are deploying a production application on Google Compute Engine.
You want to prevent anyone from accidentally destroying the instance by clicking the wrong button.
What should you do?

  • A. Disable the flag “Delete boot disk when instance is deleted.” 
  • B. Enable delete protection on the instance. 
  • C. Disable Automatic restart on the instance. 
  • D. Enable Preemptibility on the instance. 

Correct Answer: A

Reference contents:
Set “Delete boot disk when instance is deleted” to “false” by default


QUESTION 23

You created several resources in multiple Google Cloud projects.
All projects are linked to different billing accounts. To better estimate future charges, you want to have a single visual representation of all costs incurred. You want to include new cost data as soon as possible.
What should you do? 

  • A. Configure Billing Data Export to Google BigQuery and visualize the data in Data Studio.
  • B. Visit the Cost Table page to get a CSV export and visualize it using Data Studio.
  • C. Fill all resources in the Pricing Calculator to get an estimate of the monthly cost.
  • D. Use the Reports view in the Google Cloud Billing Console to view the desired cost information.

Correct Answer: A 

Reference contents:
Visualize spend over time with Google Data Studio | Cloud Billing


QUESTION 24

You have production and test workloads that you want to deploy on Google Compute Engine.
Production VMs need to be in a different subnet than the test VMs. All the VMs must be able to reach each other over internal IP without creating additional routes. You need to set up VPC and the 2 subnets.
Which configuration meets these requirements?

  • A.
    • Create 2 custom VPCs, each with a single subnet. 
    • Create each subnet in a different region and with a different CIDR range.
  • B.
    • Create a single custom VPC with 2 subnets. 
    • Create each subnet in the same region and with the same CIDR range. 
  • C.
    • Create 2 custom VPCs, each with a single subnet. 
    • Create each subnet in the same region and with the same CIDR range. 
  • D.
    • Create a single custom VPC with 2 subnets. 
    • Create each subnet in a different region and with a different CIDR range. 

Correct Answer: D


QUESTION 25

You need to monitor resources that are distributed over different projects in Google Cloud Platform.
You want to consolidate reporting under the same Stackdriver Monitoring dashboard.
What should you do? 

  • A. Use Shared VPC to connect all projects, and link Stackdriver to one of the projects.
  • B. For each project, create a Stackdriver account. In each project, create a service account for that project and grant it the role of Stackdriver Account Editor in all other projects.
  • C. Configure a single Stackdriver account, and link all projects to the same account.
  • D. Configure a single Stackdriver account for one of the projects. In Stackdriver, create a Group and add the other project names as criteria for that Group. 

Correct Answer: C

Reference contents:
Configure Cloud Monitoring


QUESTION 26

You want to configure an SSH connection to a single Google Compute Engine instance for users in the dev1 group.
This instance is the only resource in this particular Google Cloud Platform project that the dev1 users should be able to connect to.
What should you do?

  • A. Set metadata to enable-oslogin=true for the instance. Set the service account to no service account for that instance. Direct them to use the Google Cloud Shell to ssh to that instance.
  • B. Set metadata to enable-oslogin=true for the instance. Grant the dev1 group the compute.osLogin role. Direct them to use the Google Cloud Shell to ssh to that instance.
  • C. Enable block project wide keys for the instance. Generate an SSH key and associate the key with that instance. Distribute the key to dev1 users and direct them to use their third-party tools to connect.
  • D. Enable block project wide keys for the instance. Generate an SSH key for each user in the dev1 group. Distribute the keys to dev1 users and direct them to use their third-party tools to connect.

Correct Answer: B


QUESTION 27

Your company uses a large number of Google Cloud services centralized in a single project. All teams have specific projects for testing and development. The DevOps team needs access to all of the production services in order to perform their job. You want to prevent Google Cloud product changes from broadening their permissions in the future. You want to follow Google recommended practices. What should you do? 

  • A. Grant all members of the DevOps team the role of Project Editor on the organization level.
  • B. Grant all members of the DevOps team the role of Project Editor on the production project.
  • C. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the organization level.
  • D. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the production project. 

Correct Answer: A


QUESTION 28

You have a website hosted on Google App Engine standard environment.
You want 1% of your users to see a new test version of the website. You want to minimize complexity.
What should you do?

  • A. Deploy the new version in the same application and use the --splits option to give a weight of 99 to the current version and a weight of 1 to the new version.
  • B. Create a new Google App Engine application in the same project. Deploy the new version in that application. Configure your network load balancer to send 1% of the traffic to that new application.
  • C. Deploy the new version in the same application and use the --migrate option.
  • D. Create a new Google App Engine application in the same project. Deploy the new version in that application. Use the Google App Engine library to proxy 1% of the requests to the new version.

Correct Answer: A


QUESTION 29

Your company has a mission-critical application that serves users globally.
You need to select a transactional, relational data storage system for this application.
Which two products should you consider?

  • A. Google BigQuery 
  • B. Google Cloud SQL
  • C. Google Cloud Spanner 
  • D. Google Cloud Bigtable 
  • E. Google Cloud Datastore 

Correct Answer: B, C

A is not correct because Google BigQuery is not a transactional system.
B is correct because Google Cloud SQL is a relational and transactional database in the list.
C is correct because Spanner is a relational and transactional database in the list.
D is not correct because Google Cloud Bigtable provides transactional support but it’s not relational.
E is not correct because Datastore is not a relational data storage system.


QUESTION 30 

You are building a pipeline to process time-series data.
Which Google Cloud Platform services should you put in boxes 1,2,3, and 4?

[Figure: Associate Cloud Engineer: architecture]

  • A. Google Cloud Pub/Sub, Google Cloud Dataflow, Google Cloud Datastore, Google BigQuery 
  • B. Firebase Messages, Google Cloud Pub/Sub, Google Cloud Spanner, Google BigQuery 
  • C. Google Cloud Pub/Sub, Google Cloud Storage, Google BigQuery, Google Cloud Bigtable 
  • D. Google Cloud Pub/Sub, Google Cloud Dataflow, Google Cloud Bigtable, Google BigQuery 

Correct Answer: D

The correct answer is D: Google Cloud Pub/Sub for data ingestion, Dataflow for data handling and transformation, Bigtable for storage to provide low-latency data access, and Google BigQuery for analytics. Whenever you want to process time-series data, look for Bigtable.
Also, to perform analytics in Box 4, look for Google BigQuery.


QUESTION 31

You want to add a new auditor to a Google Cloud Platform project.
The auditor should be allowed to read, but not modify, all project items.
How should you configure the auditor’s permissions? 

  • A. Create a custom role with view-only project permissions. Add the user’s account to the custom role. 
  • B. Create a custom role with view-only service permissions. Add the user’s account to the custom role. 
  • C. Select the built-in IAM project Viewer role. Add the user’s account to this role.
  • D. Select the built-in IAM service Viewer role. Add the user’s account to this role.

Correct Answer: C

Reference contents:
Access control for projects using IAM | Resource Manager Documentation


QUESTION 32

You will have several applications running on different Google Compute Engine instances in the same project.
You want to specify at a more granular level the service account each instance uses when calling Google Cloud APIs.
What should you do? 

  • A. When creating the instances, specify a Service Account for each instance.
  • B. When creating the instances, assign the name of each Service Account as instance metadata.
  • C. After starting the instances, use gcloud compute instances update to assign the name of the relevant Service Account as instance metadata.
  • D. After starting the instances, use gcloud compute instances update to specify a Service Account for each instance.

Correct Answer: D


QUESTION 33

You have one project called proj-sa where you manage all your service accounts. You want to be able to use a service account from this project to take snapshots of VMs running in another project called.
What should you do?

  • A. Grant the service account the IAM Role of Compute Storage Admin in the project called proj vm. 
  • B. Download the private key from the service account, and add the private key to each VM’s SSH keys. 
  • C. Download the private key from the service account, and add it to each VM’s custom metadata.
  • D. When creating the VMs, set the service account’s API scope for Google Compute Engine to read/write.

Correct Answer: A


QUESTION 34 

You need to set up permissions for a set of Google Compute Engine instances to enable them to write data into a particular Google Cloud Storage bucket. You want to follow Google-recommended practices.
What should you do? 

  • A. Create a service account with an access scope. Use the access scope ‘https://www.googleapis.com/auth/devstorage.write_only’.
  • B. Create a service account with an access scope. Use the access scope ‘https://www.googleapis.com/auth/cloud-platform’.
  • C. Create a service account and add it to the IAM role ‘storage.objectCreator’ for that bucket.
  • D. Create a service account and add it to the IAM role ‘storage.objectAdmin’ for that bucket.

Correct Answer: B

There are many access scopes that you can choose from but you can also just set the cloud platform access scope, which is an OAuth scope for all Google Cloud services, and then securely limit the service account’s access by granting it IAM roles. 

Reference contents:
Service accounts | Compute Engine Documentation


QUESTION 35

Your organization is a financial company that needs to store audit log files for 3 years.
Your organization has hundreds of Google Cloud projects. You need to implement a cost-effective approach for log file retention.
What should you do? 

  • A. Export these logs to Google Cloud Pub/Sub and write a Google Cloud Dataflow pipeline to store logs to Google Cloud SQL. 
  • B. Create an export to the sink that saves logs from Cloud Audit to Google BigQuery.
  • C. Create an export to the sink that saves logs from Cloud Audit to a Coldline Storage bucket.
  • D. Write a custom script that uses logging API to copy the logs from Stackdriver logs to Google BigQuery.

Correct Answer: C


QUESTION 36

Your company uses Google Cloud Storage to store application backup files for disaster recovery purposes.
You want to follow Google’s recommended practices.
Which storage option should you use? 

  • A. Multi-Regional Storage 
  • B. Regional Storage 
  • C. Nearline Storage 
  • D. Coldline Storage 

Correct Answer: D

Coldline is a new Google Cloud Storage class designed for long-term archival and disaster recovery. 

Reference contents:
Announcing new storage classes for Google Cloud Storage: simplifying the storage and management of hot and cold data


QUESTION 37 

You want to send and consume Google Cloud Pub/Sub messages from your Google App Engine application.
The Google Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate your application to the API.
You want to make sure your application can use Google Cloud Pub/Sub. What should you do? 

  • A. Rely on the automatic enablement of the Google Cloud Pub/Sub API when the Service Account accesses it. 
  • B. Enable the Google Cloud Pub/Sub API in the API Library on the Google Cloud Console.
  • C. Use the Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.
  • D. Grant the Google App Engine Default service account the role of Google Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Google Cloud Pub/Sub.

Correct Answer: B


QUESTION 38 

A cloud engineer has been assigned to work on a running project.
He wants to know which VMs are running in the project.
How could the cloud engineer get the information of all VMs running in the project? 

  • A. Execute the command gcloud compute list.
  • B. Execute the command gcloud instances list.
  • C. Execute the command gcloud list instances.
  • D. Execute the command gcloud compute instances list.

Correct Answer: D


QUESTION 39 

You have deployed multiple Linux instances on Google Compute Engine.
You plan on adding more instances in the coming weeks. You want to be able to access all of these instances through your SSH client over the Internet without having to configure specific access on the existing and new instances. You do not want the Google Compute Engine instances to have a public IP.
What should you do? 

  • A. Create an SSH keypair and store the private key as a project-wide SSH Key.
  • B. Create an SSH keypair and store the public key as a project-wide SSH Key.
  • C. Configure Cloud Identity-Aware Proxy for SSH and TCP resources. 
  • D. Configure Cloud Identity-Aware Proxy for HTTPS resources.

Correct Answer: B


QUESTION 40 

You are storing sensitive information in a Google Cloud Storage bucket. For legal reasons, you need to be able to record all requests that read any of the stored data.
You want to make sure you comply with these requirements.
What should you do? 

  • A. Enable the Identity Aware Proxy API on the project. 
  • B. Scan the bucket using the Data Loss Prevention API.
  • C. Allow only a single Service Account access to read the data. 
  • D. Enable Data Access audit logs for the Google Cloud Storage API. 

Correct Answer: D

Reference contents:
Cloud Audit Logs with Cloud Storage


QUESTION 41 

You are working with a Google Cloud SQL MySQL database at your company.
You need to retain a month-end copy of the database for three years for audit purposes.
What should you do?

  • A. Save the automatic first-of-the-month backup for three years. Store the backup file in an Archive class Google Cloud Storage bucket.
  • B. Set up an on-demand backup for the first of the month. Write the backup to an Archive class Google Cloud Storage bucket.
  • C. Set up an export job for the first of the month. Write the export file to an Archive class Google Cloud Storage bucket.
  • D. Convert the automatic first-of-the-month backup to an export file. Write the export file to a Coldline class Google Cloud Storage bucket.

Correct Answer: A


QUESTION 42 

You are using Container Registry to centrally store your company’s container images in a separate project.
In another project, you want to create a Google Kubernetes Engine (GKE) cluster. You want to ensure that Kubernetes can download images from the Container Registry.
What should you do? 

  • A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes. 
  • B. When you create the GKE cluster, choose the Allow full access to all Cloud APIs option under ‘Access scopes’.
  • C. Create a service account, and give it access to Google Cloud Storage. Create a P12 key for this service account and use it as an imagePullSecrets in Kubernetes. 
  • D. Configure the ACLs on each image in Google Cloud Storage to give read-only access to the default Google Compute Engine service account. 

Correct Answer: A

If the cluster is in a different project or if the VMs in the cluster use a different service account, you must grant the service account the appropriate permissions to access the storage bucket used by Container Registry.
For the service account used by Google Compute Engine VMs, including VMs in Google Kubernetes Engine clusters, access is based on both Cloud IAM permissions and storage access scopes.

Reference contents:
Configuring access control | Container Registry documentation
Using Container Registry with Google Cloud


QUESTION 43 

You want to configure 10 Google Compute Engine instances for availability when maintenance occurs.
Your requirements state that these instances should attempt to automatically restart if they crash. Also, the instances should be highly available including during system maintenance.
What should you do? 

  • A.
    • Create an instance template for the instances. 
    • Set ‘Automatic Restart’ to on. Set ‘On-host maintenance’ to Migrate VM instance. Add the instance template to an instance group.
  • B.
    • Create an instance template for the instances.
    • Set ‘Automatic Restart’ to off. Set ‘On-host maintenance’ to Terminate VM instances. Add the instance template to an instance group.
  • C.
    • Create an instance group for the instances.
    • Set the ‘Autohealing’ health check to healthy (HTTP).
  • D.
    • Create an instance group for the instance.
    • Verify that the ‘Advanced creation options’ setting for ‘do not retry machine creation’ is set to off.

Configure an instance’s maintenance behavior and automatic restart setting using the onHostMaintenance and automaticRestart properties. All instances are configured with default values unless you explicitly specify otherwise.
onHostMaintenance: Determines the behavior when a maintenance event occurs that might cause your instance to reboot.
  • [Default] migrate, which causes Google Compute Engine to live migrate an instance when there is a maintenance event.
  • terminate, which terminates an instance instead of migrating it.

Correct Answer: A


QUESTION 44 

You want to create a new role for your colleagues that will apply to all current and future projects created in your organization.
The role should have the permissions of the Google BigQuery Job User and Google Cloud Bigtable User roles. You want to follow Google’s recommended practices.
How should you create the new role? 

  • A. Use “gcloud iam combine-roles --global” to combine the 2 roles into a new custom role.
  • B. For one of your projects, in the Google Cloud Console under Roles, select both roles and combine them into a new custom role. Use “gcloud iam promote-role” to promote the role from a project role to an organization role. 
  • C. For all projects, in the Google Cloud Console under Roles, select both roles and combine them into a new custom role. 
  • D. For your organization, in the Google Cloud Console under Roles, select both roles and combine them into a new custom role. 

Correct Answer: D

A is not correct because this does not create a new role.
B is not correct because gcloud cannot promote a role to org level.
C is not correct because it’s recommended to define the role on the organization level. Also, the role will not be applied on new projects.
D is correct because this creates a new role with the combined permissions on the organization level. 


QUESTION 45 

You have experimented with Google Cloud using your own credit card and expensed the costs to your company. Your company wants to streamline the billing process and charge the costs of your projects to their monthly invoice.
What should you do? 

  • A. Create a ticket with Google Billing Support to ask them to send the invoice to your company.
  • B. Grant the financial team the IAM role of “Billing Account User” on the billing account linked to your credit card. 
  • C. Set up Google BigQuery billing export and grant your financial department IAM access to query the data. 
  • D. Change the billing account of your projects to the billing account of your company.

Correct Answer: D


QUESTION 46 

Your company runs its Linux workloads on Google Compute Engine instances.
Your company will be working with a new operations partner that does not use Google Accounts. You need to grant access to the instances to your operations partner so they can maintain the installed tooling.
What should you do? 

  • A. Enable Google Cloud IAP for the Google Compute Engine instances, and add the operations partner as a Google Cloud IAP Tunnel User. 
  • B. Tag all the instances with the same network tag. Create a firewall rule in the VPC to grant TCP access on port 22 for traffic from the operations partner to instances with the network tag.
  • C. Set up Cloud VPN between your Google Cloud VPC and the internal network of the operations partner. 
  • D. Ask the operations partner to generate SSH key pairs, and add the public keys to the VM instances. 

Correct Answer: B

Reference contents:
VPC firewall rules overview


QUESTION 47

You have designed a solution on Google Cloud Platform (GCP) that uses multiple GCP products. Your company has asked you to estimate the costs of the solution. You need to provide estimates for the monthly total cost.
What should you do?

  • A. Provision the solution on GCP. Leave the solution provisioned for 1 week. Use Stackdriver to determine the provisioned and used resource amounts. Multiply the 1 week cost to determine the monthly costs. 
  • B. For each GCP product in the solution, review the pricing details on the products pricing page. Use the pricing calculator to total the monthly costs for each GCP product.
  • C. For each GCP product in the solution, review the pricing details on the products pricing page. Create a Google Sheet that summarizes the expected monthly costs for each product.
  • D. Provision the solution on GCP. Leave the solution provisioned for 1 week. Navigate to the Billing Report page in the Google Cloud Console. Multiply the 1 week cost to determine the monthly costs. 

Correct Answer: B


QUESTION 48

You have an application server running on Google Compute Engine in the europe-west1-d zone.
You need to ensure high availability and replicate the server to the europe-west2-c zone using the fewest steps possible.
What should you do? 

  • A. Create a snapshot from the disk. Create a disk from the snapshot in the europe-west2-c zone. Create a new VM with that disk. 
  • B. Create a snapshot from the disk. Create a disk from the snapshot in the europe-west1-d zone and then move the disk to europe-west2-c. Create a new VM with that disk.
  • C. Use “gcloud” to copy the disk to the europe-west2-c zone. Create a new VM with that disk.
  • D. Use “gcloud compute instances move” with parameter “--destination-zone europe-west2-c” to move the instance to the new zone.

Correct Answer: A

A is correct because this makes sure the VM gets replicated in the new zone. B is not correct because this takes more steps than A.
C is not correct because this will generate an error, because gcloud cannot copy disks. D is not correct because the original VM will be moved, not replicated. 


QUESTION 49

You need to manage multiple Google Cloud Platform (GCP) projects in the fewest steps possible.
You want to configure the Google Cloud SDK command line interface (CLI) so that you can easily manage multiple GCP projects.
What should you do?

  • A.
    • 1. Create a configuration for each project you need to manage. 
    • 2. Activate the appropriate configuration when you work with each of your assigned GCP projects.
  • B.
    • 1. Create a configuration for each project you need to manage. 
    • 2. Use gcloud init to update the configuration values when you need to work with a non-default project.
  • C.
    • 1. Use the default configuration for one project you need to manage. 
    • 2. Activate the appropriate configuration when you work with each of your assigned GCP projects.
  • D.
    • 1. Use the default configuration for one project you need to manage. 
    • 2. Use gcloud init to update the configuration values when you need to work with a non-default project. 

Correct Answer: A

Reference contents:
gcloud tool overview | Cloud SDK Documentation
Managing Cloud SDK configurations | Cloud SDK Documentation

If you’d like to work with multiple projects or authorization accounts, you can set up multiple configurations with gcloud config configurations and switch among them accordingly. Within these configurations, you can customize properties. For example, to set your project within an active configuration, use the project property: gcloud config set project <project-id>. Multiple projects require multiple configurations.


QUESTION 50

You are building a new version of an application hosted in a Google App Engine environment.
You want to test the new version with 1% of users before you completely switch your application over to the new version.
What should you do? 

  • A. Deploy a new version of your application in Google Kubernetes Engine instead of Google App Engine and then use Google Cloud Console to split traffic. 
  • B. Deploy a new version of your application in a Google Compute Engine instance instead of Google App Engine and then use Google Cloud Console to split traffic.
  • C. Deploy a new version as a separate app in Google App Engine. Then configure Google App Engine using Google Cloud Console to split traffic between the two apps. 
  • D. Deploy a new version of your application in Google App Engine. Then go to Google App Engine settings in Google Cloud Console and split traffic between the current version and newly deployed versions accordingly. 

Correct Answer: D

Reference contents:
Splitting Traffic | App Engine standard environment for Python 2


QUESTION 51

You have a single binary application that you want to run on Google Cloud Platform.
You decided to automatically scale the application based on underlying infrastructure CPU usage. Your organizational policies require you to use virtual machines directly. You need to ensure that the application scaling is operationally efficient and completed as quickly as possible.
What should you do? 

  • A. Create a Google Kubernetes Engine cluster, and use horizontal pod autoscaling to scale the application. 
  • B. Create an instance template, and use the template in a managed instance group with autoscaling configured. 
  • C. Create an instance template, and use the template in a managed instance group that scales up and down based on the time of day. 
  • D. Use a set of third-party tools to build automation around scaling the application up and down, based on Stackdriver CPU usage monitoring. 

Correct Answer: B

A managed instance group lets you use virtual machines directly and, with autoscaling, scale according to demand. Refer to the GCP documentation on Managed Instance Groups Autoscaling: managed instance groups offer autoscaling capabilities that allow you to automatically add or delete instances from a managed instance group based on increases or decreases in load.


QUESTION 52

A VM instance is trying to read from a Google Cloud Storage bucket.
The IAM roles assigned to the VM service account allow the VM instance to read from the bucket, but the scopes assigned to the VM deny reading from the bucket.
What will happen when the VM tries to read from the bucket?

  • A. The read will succeed because the most permissive permission is allowed.
  • B. The application performing the read will drop the read operation.
  • C. The read will not execute as IAM roles and scopes both determine what operations will be performed.
  • D. The read operation will execute, but a message will be sent to the Stackdriver Logging.

Correct Answer: C


QUESTION 53

Your development team needs a new Jenkins server for their project.
You need to deploy the server using the fewest steps possible.
What should you do? 

  • A. Download and deploy the Jenkins Java WAR to Google App Engine Standard.
  • B. Create a new Google Compute Engine instance and install Jenkins through the command line interface. 
  • C. Create a Kubernetes cluster on Google Compute Engine and create a deployment with the Jenkins Docker image. 
  • D. Use GCP Marketplace to launch the Jenkins solution. 

Correct Answer: D

Reference contents:
Using Jenkins for distributed builds on Compute Engine


QUESTION 54

You need to configure optimal data storage for files stored in Google Cloud Storage for minimal cost.
The files are used in a mission-critical analytics pipeline that is used continually. The users are in Boston, MA (United States).
What should you do? 

  • A.
    • Configure regional storage for the region closest to the users. 
    • Configure a Nearline storage class 
  • B.
    • Configure dual-regional storage for the dual region closest to the users.
    • Configure a Standard storage class 
  • C.
    • Configure dual-regional storage for the dual region closest to the users.
    • Configure a Nearline storage class 
  • D.
    • Configure regional storage for the region closest to the users. 
    • Configure a Standard storage class 

Correct Answer: D


QUESTION 55

You have created a code snippet that should be triggered whenever a new file is uploaded to a Google Cloud Storage bucket. You want to deploy this code snippet.
What should you do?

  • A. Use Google App Engine and configure Cloud Scheduler to trigger the application using Pub/Sub.
  • B. Use Google Cloud Functions and configure the bucket as a trigger resource. 
  • C. Use Google Kubernetes Engine and configure a CronJob to trigger the application using Pub/Sub. 
  • D. Use Dataflow as a batch job, and configure the bucket as a data source.

Correct Answer: A

Reference contents:
Using Pub/Sub to trigger a Cloud Function


QUESTION 56 

You are running multiple microservices in a Kubernetes Engine cluster.
One microservice is rendering images. The microservice responsible for the image rendering requires a large amount of CPU time compared to the memory it requires. The other microservices are workloads that are optimized for n1-standard machine types. You need to optimize your cluster so that all workloads are using resources as efficiently as possible.
What should you do? 

  • A. Configure the required amount of CPU and memory in the resource requests specification of the image rendering microservice deployment. Keep the resource requests for the other microservices at the default.
  • B. Use the node pool with general-purpose machine type nodes for the image rendering microservice. Create a node pool with compute-optimized machine type nodes for the other microservices.
  • C. Assign the pods of the image rendering microservice a higher pod priority than the other microservices.
  • D. Create a node pool with compute-optimized machine type nodes for the image rendering microservice. Use the node pool with general-purpose machine type nodes for the other microservices.

Correct Answer: D


QUESTION 57

You have a developer laptop with the Google Cloud SDK installed on Ubuntu.
The Google Cloud SDK was installed from the Google Cloud Ubuntu package repository. You want to test your application locally on your laptop with Google Cloud Datastore.
What should you do? 

  • A. Install the google-cloud-sdk-datastore-emulator component using the apt-get install command.
  • B. Install the cloud-datastore-emulator component using the gcloud components install command.
  • C. Export Google Cloud Datastore data using Google Cloud Datastore export. 
  • D. Create a Google Cloud Datastore index using Google Cloud Datastore indexes.

Correct Answer: B


QUESTION 58

You are performing a monthly security check of your Google Cloud environment and want to know who has access to view data stored in your Google Cloud Project.
What should you do?

  • A. Enable Audit Logs for all APIs that are related to data storage. 
  • B. Review the Identity-Aware Proxy settings for each resource. 
  • C. Review the IAM permissions for any role that allows for data access. 
  • D. Create a Data Loss Prevention job. 

Correct Answer: C


QUESTION 59 

Your company has a 3-tier solution running on Google Compute Engine.
The configuration of the current infrastructure is shown below.

Associate Cloud Engineer: 3-tier VPC diagram

Each tier has a service account that is associated with all instances within it. You need to enable communication on TCP port 8080 between tiers as follows:
– Instances in tier #1 must communicate with tier #2.
– Instances in tier #2 must communicate with tier #3.
What should you do? 

  • A.
    • 1. Create an ingress firewall rule with the following settings:
      • Targets: all instances with tier #2 service account 
      • Source filter: all instances with tier #1 service account 
      • Protocols: allow all 
    • 2. Create an ingress firewall rule with the following settings:
      • Targets: all instances with tier #3 service account 
      • Source filter: all instances with tier #2 service account
      • Protocols: allow all 
  • B.
    • 1. Create an ingress firewall rule with the following settings:
      • Targets: all instances
      • Source filter: IP ranges (with the range set to 10.0.2.0/24)
      • Protocols: allow all
    • 2. Create an ingress firewall rule with the following settings:
      • Targets: all instances
      • Source filter: IP ranges (with the range set to 10.0.1.0/24)
      • Protocols: allow all
  • C.
    • 1. Create an egress firewall rule with the following settings:
      • Targets: all instances
      • Source filter: IP ranges (with the range set to 10.0.2.0/24)
      • Protocols: allow TCP: 8080
    • 2. Create an egress firewall rule with the following settings:
      • Targets: all instances
      • Source filter: IP ranges (with the range set to 10.0.1.0/24)
      • Protocols: allow TCP: 8080
  • D.
    • 1. Create an ingress firewall rule with the following settings:
      • Targets: all instances with tier #2 service account
      • Source filter: all instances with tier #1 service account
      • Protocols: allow TCP: 8080
    • 2. Create an ingress firewall rule with the following settings:
      • Targets: all instances with tier #3 service account
      • Source filter: all instances with tier #2 service account
      • Protocols: allow TCP: 8080

Correct Answer: D


QUESTION 60

You created an update for your application on Google App Engine.
You want to deploy the update without impacting your users. You want to be able to roll back as quickly as possible if it fails.
What should you do? 

  • A. Delete the current version of your application. Deploy the update using the same version identifier as the deleted version. 
  • B. Notify your users of an upcoming maintenance window. Deploy the update in that maintenance window. 
  • C. Deploy the update as the same version that is currently running. 
  • D. Deploy the update as a new version. Migrate traffic from the current version to the new version. 

Correct Answer: D

A and B are not correct because this will make the application temporarily unavailable to users.

C is not correct because to roll back, you’ll need to redeploy the previous deployment because the app was overwritten with the same version number. Therefore this takes longer than a rollback using method D.
D is correct because this makes sure there is no downtime and you can roll back the fastest.

Reference contents:
Migrating and Splitting Traffic with the Admin API


QUESTION 61

Your company set up a complex organizational structure on Google Cloud Platform.
The structure includes hundreds of folders and projects. Only a few team members should be able to view the hierarchical structure. You need to assign minimum permissions to these team members and you want to follow Google-recommended practices.
What should you do? 

  • A. Add the users to roles/browser role. 
  • B. Add the users to roles/iam.roleViewer role. 
  • C. Add the users to a group, and add this group to roles/browser role. 
  • D. Add the users to a group, and add this group to roles/iam.roleViewer role.

Correct Answer: C

Google recommends using groups, and roles/browser provides read access to browse the hierarchy for a project, including the folder, organization, and Cloud IAM policy. This role doesn’t include permission to view resources in the project.


QUESTION 62 

You have a large 5-TB AVRO file stored in a Google Cloud Storage bucket.
Your analysts are proficient only in SQL and need access to the data stored in this file. You want to find a cost-effective way to complete their request as soon as possible.
What should you do? 

  • A. Create a Hadoop cluster and copy the AVRO file to HDFS by compressing it. Load the file in a Hive table and provide access to your analysts so that they can run SQL queries.
  • B. Load data in Google Cloud Datastore and run a SQL query against it. 
  • C. Create a Google BigQuery table and load data in Google BigQuery. Run a SQL query on this table and drop this table after you complete your request. 
  • D. Create external tables in Google BigQuery that point to Google Cloud Storage buckets and run a SQL query on these external tables to complete your request. 

Correct Answer: D


QUESTION 63

You have an application that uses Google Cloud Spanner as a backend database. The application has a very predictable traffic pattern.
You want to automatically scale up or down the number of Spanner nodes depending on traffic.
What should you do? 

  • A. Create a cron job that runs on a scheduled basis to review Stackdriver monitoring metrics, and then resize the Spanner instance accordingly.
  • B. Create a Stackdriver alerting policy to send an alert to a webhook when Google Cloud Spanner CPU is over or under your threshold. Create a Google Cloud Function that listens to HTTP and resizes Spanner resources accordingly.
  • C. Create a Stackdriver alerting policy to send an alert to on-call SRE emails when Google Cloud Spanner CPU exceeds the threshold. SREs would scale resources up or down accordingly.
  • D. Create a Stackdriver alerting policy to send an alert to Google Cloud Support email when Google Cloud Spanner CPU exceeds your threshold. Google support would scale resources up or down accordingly.

Correct Answer: B


QUESTION 64

You have been asked to automate the infrastructure deployment using Google Deployment Manager service.
Which formats do Deployment Manager templates support?

  • A. YAML 
  • B. Python 
  • C. Powershell 
  • D. JSON 

Correct Answer: A, B


QUESTION 65

You are building an architecture for one of your clients with a requirement of streaming millions of requests with high availability and durability along with HIPAA compliance.
Which managed service will you prefer? 

  • A. Google Cloud Dataproc 
  • B. Google Cloud Functions 
  • C. Google Cloud Pub/Sub 
  • D. RabbitMQ 

Correct Answer: C


QUESTION 66

The sales team has a project named Sales Data Digest that has the ID acme-data-digest.
You need to set up similar Google Cloud resources for the marketing team but their resources must be organized independently of the sales team.
What should you do? 

  • A. Grant the Project Editor role to the Marketing team for acme-data-digest.
  • B. Create a new project named Marketing Data Digest and use the ID acme-data-digest. Grant the Project Editor role to the Marketing team.
  • C. Create a Project Lien on acme-data-digest and then grant the Project Editor role to the Marketing team.
  • D. Create another project with the ID acme-marketing-data-digest for the Marketing team and deploy the resources there.

Correct Answer: D


QUESTION 67

You have been asked to deploy a highly available Kubernetes cluster using Google Kubernetes Engine by your manager.
While spinning up the cluster, you realize you do not see an option for creating a master.
What can be the reason? 

  • A. GKE does not use master node to control child nodes. 
  • B. None of the above. 
  • C. Master node is created automatically by GKE. 
  • D. You need to spin up a compute instance and set it up as master node.

Correct Answer: C


QUESTION 68

You have a Google Compute Engine instance hosting a production application.
You want to receive an email if the instance consumes more than 90% of its CPU resources for more than 15 minutes. You want to use Google services.
What should you do? 

  • A.
    • 1. Create a Stackdriver Workspace, and associate your Google Cloud Platform (GCP) project with it. 
    • 2. Create an Alerting Policy in Stackdriver that uses the threshold as a trigger condition.
    • 3. Configure your email address in the notification channel. 
  • B.
    • 1. Create a consumer Gmail account. 
    • 2. Write a script that monitors the CPU usage. 
    • 3. When the CPU usage exceeds the threshold, have that script send an email using the Gmail account and smtp.gmail.com on port 25 as SMTP server. 
  • C.
    • 1. In Stackdriver Logging, create a logs-based metric to extract the CPU usage by using this regular expression: CPU Usage: ([0-9]{1,3})%
    • 2. In Stackdriver Monitoring, create an Alerting Policy based on this metric.
    • 3. Configure your email address in the notification channel. 
  • D.
    • 1. Create a Stackdriver Workspace, and associate your GCP project with it.
    • 2. Write a script that monitors the CPU usage and sends it as a custom metric to Stackdriver.
    • 3. Create an uptime check for the instance in Stackdriver. 

Correct Answer: C


QUESTION 69

You need to reduce GCP service costs for a division of your company using the fewest possible steps.
You need to turn off all configured services in an existing GCP project.
What should you do? 

  • A.
    • 1. Verify that you are assigned the Project Owners IAM role for this project.
    • 2. Locate the project in the Google Cloud Console, click Shut down and then enter the project ID.
  • B.
    • 1. Verify that you are assigned the Project Owners IAM role for this project.
    • 2. Switch to the project in the Google Cloud Console, locate the resources and delete them.
  • C.
    • 1. Verify that you are assigned the Organizational Administrator IAM role for this project.
    • 2. Locate the project in the Google Cloud Console, enter the project ID and then click Shut down.
  • D.
    • 1. Verify that you are assigned the Organizational Administrators IAM role for this project.
    • 2. Switch to the project in the Google Cloud Console, locate the resources and delete them.

Correct Answer: A

The Organization Administrator role is not needed for this. If you have the Project Owner role, you can locate the project and shut it down.


QUESTION 70

You are building an application that processes data files uploaded from thousands of suppliers.
Your primary goals for the application are data security and the expiration of aged data.
You need to design the application to:
– Restrict access so that suppliers can access only their own data.
– Give suppliers write access to data only for 30 minutes.
– Delete data that is over 45 days old.
You have a very short development cycle, and you need to make sure that the application requires minimal maintenance.
Which two strategies should you use? (Choose two.)

  • A. Set up an SFTP server for your application, and create a separate user for each supplier.
  • B. Develop a script that loops through all Google Cloud Storage buckets and deletes any buckets that are older than 45 days. 
  • C. Build a lifecycle policy to delete Google Cloud Storage objects after 45 days. 
  • D. Build a Google Cloud Function that triggers a timer of 45 days to delete objects that have expired.
  • E. Use signed URLs to allow suppliers limited time access to store their objects.

Correct Answer: B, C


QUESTION 71

Your company has a large quantity of unstructured data in different file formats.
You want to perform ETL transformations on the data. You need to make the data accessible on Google Cloud so it can be processed by a Dataflow job.
What should you do? 

  • A. Upload the data to Google BigQuery using the bq command line tool. 
  • B. Upload the data to Google Cloud Storage using the gsutil command line tool. 
  • C. Upload the data into Google Cloud SQL using the import function in the console.
  • D. Upload the data into Google Cloud Spanner using the import function in the console.

Correct Answer: B

Reference contents:
Performing ETL from a relational database into BigQuery using Dataflow 


QUESTION 72

You are using Data Studio to visualize a table from your data warehouse that is built on top of Google BigQuery.
Data is appended to the data warehouse during the day. At night, the daily summary is recalculated by overwriting the table. You just noticed that the charts in Data Studio are broken, and you want to analyze the problem.
What should you do? 

  • A. Use the Google BigQuery interface to review the nightly Job and look for any errors.
  • B. Review the Error Reporting page in the Google Cloud Console to find any errors.
  • C. Use Google Cloud Debugger to find out why the data was not refreshed correctly.
  • D. In Google Cloud Logging, create a filter for your Data Studio report.

Correct Answer: C


QUESTION 73

You have successfully created a development environment in a project for an application.
This application uses Google Compute Engine and Google Cloud SQL. Now, you need to create a production environment for this application. The security team has forbidden the existence of network routes between these 2 environments, and asks you to follow Google-recommended practices.
What should you do? 

  • A. Ask the security team to grant you the Project Editor role in an existing production project used by another division of your company. Once they grant you that role, replicate the setup you have in the development environment in that project. 
  • B. Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your new project, and replicate the setup you have in the development environment in that new project, in the Shared VPC. 
  • C. Create a new project, enable the Google Compute Engine and Google Cloud SQL APIs in that project, and replicate the setup you have created in the development environment.
  • D. Create a new production subnet in the existing VPC and a new production Google Cloud SQL instance in your existing project, and deploy your application using those resources.

Correct Answer: C


QUESTION 74

You are assigned to maintain a Google Kubernetes Engine (GKE) cluster named dev that was deployed on Google Cloud.
You want to manage the GKE configuration using the command line interface (CLI). You have just downloaded and installed the Google Cloud SDK. You want to ensure that future CLI commands by default address this specific cluster.
What should you do?

  • A. Use the command gcloud container clusters update dev.
  • B. Create a file called defaults.json in the ~/.gcloud folder that contains the cluster name.
  • C. Use the command gcloud config set container/cluster dev.
  • D. Create a file called gke.default in the ~/.gcloud folder that contains the cluster name.

Correct Answer: A


QUESTION 75 

You have sensitive data stored in three Google Cloud Storage buckets and have enabled data access logging.
You want to verify activities for a particular user for these buckets, using the fewest possible steps. You need to verify the addition of metadata labels and which files have been viewed from those buckets.
What should you do? 

  • A. Using the Google Cloud Console, filter the Activity log to view the information. 
  • B. Using the Google Cloud Console, filter the Stackdriver log to view the information.
  • C. View the bucket in the Storage section of the Google Cloud Console. 
  • D. Create a trace in Stackdriver to view the information. 

Correct Answer: B

The data access logs are not an option in the activity log. 


QUESTION 76 

Your existing application running in Google Kubernetes Engine (GKE) consists of multiple pods running on four GKE n1-standard-2 nodes. You need to deploy additional pods requiring n2-highmem-16 nodes without any downtime. What should you do?

  • A. Create a new cluster with n2-highmem-16 nodes. Redeploy the pods and delete the old cluster. 
  • B. Create a new Node Pool and specify machine type n2-highmem-16. Deploy the new pods. 
  • C. Use gcloud container clusters upgrade. Deploy the new services. 
  • D. Create a new cluster with both n1-standard-2 and n2-highmem-16 nodes. Redeploy the pods and delete the old cluster. 

Correct Answer: B


QUESTION 77 

You need to create a new billing account and then link it with an existing Google Cloud Platform project.
What should you do? 

  • A. Verify that you are Project Billing Manager for the GCP project. Update the existing project to link it to the existing billing account. 
  • B. Verify that you are Project Billing Manager for the GCP project. Create a new billing account and link the new billing account to the existing project.
  • C. Verify that you are Billing Administrator for the billing account. Create a new project and link the new project to the existing billing account.
  • D. Verify that you are Billing Administrator for the billing account. Update the existing project to link it to the existing billing account. 

Correct Answer: A

Neither role can create a new billing account, so we assume the account is already created. Now we have to attach an existing project to an existing account. So it could not be B or C, as they want roles to create new accounts, which is not possible. Both A and D are confusing because the Project Billing Manager can link and unlink a project from a billing account, while a Billing Account Admin can link and unlink projects while managing user roles on the billing account. I’d go with A because option D refers to a Billing Admin, and there’s nothing like a Billing Admin, only a Billing Account Admin.

Reference contents:
Overview of Cloud Billing access control


QUESTION 78 

You want to run a single caching HTTP reverse proxy on GCP for a latency-sensitive website.
This specific reverse proxy consumes almost no CPU. You want to have a 30-GB in-memory cache, and need an additional 2 GB of memory for the rest of the processes. You want to minimize cost.
How should you run this reverse proxy? 

  • A. Create a Google Cloud Memorystore for Redis instance with 32-GB capacity. 
  • B. Run it on Google Compute Engine, and choose a custom instance type with 6 vCPUs and 32 GB of memory. 
  • C. Package it in a container image, and run it on Kubernetes Engine, using n1-standard-32 instances as nodes. 
  • D. Run it on Google Compute Engine, choose the instance type n1-standard-1, and add an SSD persistent disk of 32 GB. 

Correct Answer: A

It will be almost the same price, but if you choose option B you are losing 6 vCPUs that don’t do anything.


QUESTION 79 

Your company has workloads running on Google Compute Engine and on-premises.
The Google Cloud Virtual Private Cloud (VPC) is connected to your WAN over a Virtual Private Network (VPN). You need to deploy a new Google Compute Engine instance and ensure that no public Internet traffic can be routed to it.
What should you do? 

  • A. Create the instance without a public IP address. 
  • B. Create the instance with Private Google Access enabled.
  • C. Create a deny-all egress firewall rule on the VPC network. 
  • D. Create a route on the VPC to route all traffic to the instance over the VPN tunnel.

Correct Answer: B

Get private access to Google services, such as storage, big data, analytics, or machine learning, without having to give your service a public IP address.

Reference contents:
Virtual Private Cloud (VPC)


QUESTION 80 

You have an object in a Google Cloud Storage bucket that you want to share with an external company. The object contains sensitive data.
You want access to the content to be removed after four hours. The external company does not have a Google account to which you can grant specific user-based access privileges.
You want to use the most secure method that requires the fewest steps. What should you do?

  • A. Configure the storage bucket as a static website and furnish the object’s URL to the company. Delete the object from the storage bucket after four hours. 
  • B. Set object access to “public” and use object lifecycle management to remove the object after four hours.
  • C. Create a new Google Cloud Storage bucket specifically for the external company to access. Copy the object to that bucket. Delete the bucket after four hours have passed.
  • D. Create a signed URL with a four-hour expiration and share the URL with the company.

Correct Answer: D


QUESTION 81 

Your project has all its Google Compute Engine resources in the europe-west1 region.
You want to set europe-west1 as the default region for gcloud commands.
What should you do?

  • A. Use Google Cloud Shell instead of the command line interface of your device. Launch Google Cloud Shell after you navigate to a resource in the europe-west1 region.
    The europe-west1 region will automatically become the default region. 
  • B. Use “gcloud config set compute/region europe-west1” to set the default region for future gcloud commands. 
  • C. Use “gcloud config set compute/zone europe-west1” to set the default region for future gcloud commands. 
  • D. Create a VPN from on-premises to a subnet in europe-west1, and use that connection when executing gcloud commands. 

Correct Answer: B

A is not correct because Google Cloud Shell will not default to the location that it’s launched from.
B is correct because this will ensure that the relevant region is used when not overwritten by a command parameter.
C is not correct because this command should be used to set a zone, not a region.
D is not correct because a VPN to a specific subnet does not have any effect on the gcloud command region.

Reference contents:
Changing the default region or zone | Compute Engine Documentation 


QUESTION 82

You want to deploy an application on Google Cloud Run that processes messages from a Google Cloud Pub/Sub topic. You want to follow Google-recommended practices.
What should you do?

  • A.
    • 1. Create a service account. 
    • 2. Give the Google Cloud Run Invoker role to that service account for your Google Cloud Run application.
    • 3. Create a Google Cloud Pub/Sub subscription that uses that service account and uses your Google Cloud Run application as the push endpoint. 
  • B.
    • 1. Grant the Pub/Sub Subscriber role to the service account used by Google Cloud Run.
    • 2. Create a Google Cloud Pub/Sub subscription for that topic. 
    • 3. Make your application pull messages from that subscription. 
  • C.
    • 1. Create a Google Cloud Function that uses a Google Cloud Pub/Sub trigger on that topic.
    • 2. Call your application on Google Cloud Run from the Google Cloud Function for every message.
  • D.
    • 1. Deploy your application on Google Cloud Run on GKE with the connectivity set to Internal.
    • 2. Create a Google Cloud Pub/Sub subscription for that topic. 
    • 3. In the same Google Kubernetes Engine cluster as your application, deploy a container that takes the messages and sends them to your application. 

Correct Answer: A


QUESTION 83

You want to find out when users were added to Google Cloud Spanner Identity Access Management (IAM) roles on your Google Cloud Platform (GCP) project.
What should you do in the Google Cloud Console? 

  • A. Open the IAM & admin console to review IAM policies for Google Cloud Spanner roles.
  • B. Go to the Stackdriver Monitoring console and review information for Google Cloud Spanner.
  • C. Go to the Stackdriver Logging console, review admin activity logs, and filter them for Google Cloud Spanner IAM roles. 
  • D. Open the Google Cloud Spanner console to review configurations. 

Correct Answer: C


QUESTION 84

Your web application has been running successfully on Google Cloud Run for Anthos.
You want to evaluate an updated version of the application with a specific percentage of your production users (canary deployment).
What should you do? 

  • A. Create a new revision with the new version of the application. Add HTTP Load Balancer in front of both revisions. 
  • B. Create a new service with the new version of the application. Add HTTP Load Balancer in front of both services. 
  • C. Create a new revision with the new version of the application. Split traffic between this version and the version that is currently running. 
  • D. Create a new service with the new version of the application. Split traffic between this version and the version that is currently running. 

Correct Answer: D


QUESTION 85

You have a project using Google BigQuery.
You want to list all Google BigQuery jobs for that project. You want to set this project as the default for the bq command-line tool.
What should you do?

  • A. Use “gcloud config set project” to set the default project. 
  • B. Use “bq config set project” to set the default project. 
  • C. Use “gcloud generate config-url” to generate a URL to the Google Cloud Console to set the default project. 
  • D. Use “bq generate config-url” to generate a URL to the Google Cloud Console to set the default project. 

Correct Answer: A

A is correct because you need to use gcloud to manage the config/defaults.
B is not correct because the bq command-line tool assumes the gcloud configuration settings and can’t be set through Google BigQuery.
C is not correct because entering this command will not achieve the desired result and will generate an error.
D is not correct because entering this command will not achieve the desired result and will generate an error. 

Reference contents:
bq command-line tool reference | BigQuery
gcloud config set | Cloud SDK Documentation
