Google Professional Cloud Developer Exam Questions

Page: 1 / 14
Total 265 questions

Want more questions? Get Premium Access.
()

Question 1

Which database should HipLocal use for storing user activity?

ABigQuery

BCloud SQL

CCloud Spanner

DCloud Datastore

Answer : A

Question 2

You want to notify on-call engineers about a service degradation in production while minimizing development

time.

What should you do?

AUse Cloud Function to monitor resources and raise alerts.

BUse Cloud Pub/Sub to monitor resources and raise alerts.

CUse Stackdriver Error Reporting to capture errors and raise alerts.

DUse Stackdriver Monitoring to monitor resources and raise alerts.

Answer : A

Question 3

This architectural diagram depicts a system that streams data from thousands of devices. You want to ingest data into a pipeline, store the data, and analyze the data using SQL statements. Which Google Cloud services should you use for steps 1, 2, 3, and 4?

A1) App Engine
2) Pub/Sub
3) BigQuery
4) Firestore

B1) Dataflow
2) Pub/Sub
3) Firestore
4) BigQuery

C1) Pub/Sub
2) Dataflow
3) BigQuery
4) Firestore

D1) Pub/Sub
2) Dataflow
3) Firestore
4) BigQuery

Answer : D

Question 4

Your web application is deployed to the corporate intranet. You need to migrate the web application to Google Cloud. The web application must be available only to company employees and accessible to employees as they travel. You need to ensure the security and accessibility of the web application while minimizing application changes. What should you do?

AConfigure the application to check authentication credentials for each HTTP(S) request to the application.

BConfigure Identity-Aware Proxy to allow employees to access the application through its public IP address.

CConfigure a Compute Engine instance that requests users to log in to their corporate account. Change the web application DNS to point to the proxy Compute Engine instance. After authenticating, the Compute Engine instance forwards requests to and from the web application.

DConfigure a Compute Engine instance that requests users to log in to their corporate account. Change the web application DNS to point to the proxy Compute Engine instance. After authenticating, the Compute Engine issues an HTTP redirect to a public IP address hosting the web application.

Answer : B

Question 5

You want to upload files from an on-premises virtual machine to Google Cloud Storage as part of a data

migration. These files will be consumed by Cloud DataProc Hadoop cluster in a GCP environment.

Which command should you use?

Agsutil cp [LOCAL_OBJECT] gs://[DESTINATION_BUCKET_NAME]/

Bgcloud cp [LOCAL_OBJECT] gs://[DESTINATION_BUCKET_NAME]/

Chadoop fs cp [LOCAL_OBJECT] gs://[DESTINATION_BUCKET_NAME]/

Dgcloud dataproc cp [LOCAL_OBJECT] gs://[DESTINATION_BUCKET_NAME]/

Answer : A

The gsutil cp command allows you to copy data between your local file. storage. boto files generated by

running 'gsutil config'

Question 6

You need to migrate a standalone Java application running in an on-premises Linux virtual machine (VM) to Google Cloud in a cost-effective manner. You decide not to take the lift-and-shift approach, and instead you plan to modernize the application by converting it to a container. How should you accomplish this task?

AUse Migrate for Anthos to migrate the VM to your Google Kubernetes Engine (GKE) cluster as a container.

BExport the VM as a raw disk and import it as an image. Create a Compute Engine instance from the Imported image.

CUse Migrate for Compute Engine to migrate the VM to a Compute Engine instance, and use Cloud Build to convert it to a container.

DUse Jib to build a Docker image from your source code, and upload it to Artifact Registry. Deploy the application in a GKE cluster, and test the application.

Answer : D

https://cloud.google.com/blog/products/application-development/introducing-jib-build-java-docker-images-better

Question 7

You are deploying your applications on Compute Engine. One of your Compute Engine instances failed to launch. What should you do? (Choose two.)

ADetermine whether your file system is corrupted.

BAccess Compute Engine as a different SSH user.

CTroubleshoot firewall rules or routes on an instance.

DCheck whether your instance boot disk is completely full.

ECheck whether network traffic to or from your instance is being dropped.

Answer : A, D

https://cloud.google.com/compute/docs/troubleshooting/vm-startup

Question 8

AUse Migrate for Anthos to migrate the VM to your Google Kubernetes Engine (GKE) cluster as a container.

BExport the VM as a raw disk and import it as an image. Create a Compute Engine instance from the Imported image.

CUse Migrate for Compute Engine to migrate the VM to a Compute Engine instance, and use Cloud Build to convert it to a container.

DUse Jib to build a Docker image from your source code, and upload it to Artifact Registry. Deploy the application in a GKE cluster, and test the application.

Answer : D

https://cloud.google.com/blog/products/application-development/introducing-jib-build-java-docker-images-better

Question 9

You are deploying a microservices application to Google Kubernetes Engine (GKE). The application will receive daily updates. You expect to deploy a large number of distinct containers that will run on the Linux operating system (OS). You want to be alerted to any known OS vulnerabilities in the new containers. You want to follow Google-recommended best practices. What should you do?

AUse the gcloud CLI to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

BEnable Container Analysis, and upload new container images to Artifact Registry. Review the vulnerability results before each deployment.

CEnable Container Analysis, and upload new container images to Artifact Registry. Review the critical vulnerability results before each deployment.

DUse the Container Analysis REST API to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

Answer : D

https://cloud.google.com/container-analysis/docs/automated-scanning-howto

https://cloud.google.com/container-analysis/docs/os-overview says: The Container Scanning API allows you to automate OS vulnerability detection, scanning each time you push an image to Container Registry or Artifact Registry. Enabling this API also triggers language package scans for Go and Java vulnerabilities (Preview).

Question 10

You are tasked with using C++ to build and deploy a microservice for an application hosted on Google Cloud. The code needs to be containerized and use several custom software libraries that your team has built. You do not want to maintain the underlying infrastructure of the application How should you deploy the microservice?

AUse Cloud Functions to deploy the microservice.

BUse Cloud Build to create the container, and deploy it on Cloud Run.

CUse Cloud Shell to containerize your microservice. and deploy it on GKE Standard.

DUse Cloud Shell to containerize your microservice. and deploy it on a Container-Optimized OS Compute Engine instance.

Answer : B

Question 11

Your company stores their source code in a Cloud Source Repositories repository. Your company wants to build and test their code on each source code commit to the repository and requires a solution that is managed and has minimal operations overhead.

Which method should they use?

AUse Cloud Build with a trigger configured for each source code commit.

BUse Jenkins deployed via the Google Cloud Platform Marketplace, configured to watch for source code commits.

CUse a Compute Engine virtual machine instance with an open source continuous integration tool, configured to watch for source code commits.

DUse a source code commit trigger to push a message to a Cloud Pub/Sub topic that triggers an App Engine service to build the source code.

Answer : A

https://cloud.google.com/build/docs/automating-builds/create-manage-triggers#:~:text=A%20Cloud%20Build%20trigger%20automatically,changes%20that%20match%20certain%20criteria.

Question 12

You are developing a new application that has the following design requirements:

Creation and changes to the application infrastructure are versioned and auditable.

The application and deployment infrastructure uses Google-managed services as much as possible.

The application runs on a serverless compute platform.

How should you design the application's architecture?

A1. Store the application and infrastructure source code in a Git repository.
2. Use Cloud Build to deploy the application infrastructure with Terraform.
3. Deploy the application to a Cloud Function as a pipeline step.

B1. Deploy Jenkins from the Google Cloud Marketplace, and define a continuous integration pipeline in Jenkins.
2. Configure a pipeline step to pull the application source code from a Git repository.
3. Deploy the application source code to App Engine as a pipeline step.

C1. Create a continuous integration pipeline on Cloud Build, and configure the pipeline to deploy the application infrastructure using Deployment Manager templates.
2. Configure a pipeline step to create a container with the latest application source code.
3. Deploy the container to a Compute Engine instance as a pipeline step.

D1. Deploy the application infrastructure using gcloud commands.
2. Use Cloud Build to define a continuous integration pipeline for changes to the application source code.
3. Configure a pipeline step to pull the application source code from a Git repository, and create a containerized application.
4. Deploy the new container on Cloud Run as a pipeline step.

Answer : D

Question 13

You plan to deploy a new application revision with a Deployment resource to Google Kubernetes Engine (GKE) in production. The container might not work correctly. You want to minimize risk in case there are issues after deploying the revision. You want to follow Google-recommended best practices. What should you do?

APerform a rolling update with a PodDisruptionBudget of 80%.

BPerform a rolling update with a HorizontalPodAutoscaler scale-down policy value of 0.

CConvert the Deployment to a StatefulSet, and perform a rolling update with a PodDisruptionBudget of 80%.

DConvert the Deployment to a StatefulSet, and perform a rolling update with a HorizontalPodAutoscaler scale-down policy value of 0.

Answer : A

https://cloud.google.com/blog/products/containers-kubernetes/ensuring-reliability-and-uptime-for-your-gke-cluster

Setting PodDisruptionBudget ensures that your workloads have a sufficient number of replicas, even during maintenance. Using the PDB, you can define a number (or percentage) of pods that can be terminated, even if terminating them brings the current replica count below the desired value. With PDB configured, Kubernetes will drain a node following the configured disruption schedule. New pods will be deployed on other available nodes. This approach ensures Kubernetes schedules workloads in an optimal way while controlling the disruption based on the PDB configuration.

https://blog.knoldus.com/how-to-avoid-outages-in-your-kubernetes-cluster-using-pdb/

Question 14

You are using Cloud Build to build and test application source code stored in Cloud Source Repositories. The

build process requires a build tool not available in the Cloud Build environment.

What should you do?

ADownload the binary from the internet during the build process.

BBuild a custom cloud builder image and reference the image in your build steps.

CInclude the binary in your Cloud Source Repositories repository and reference it in your build scripts.

DAsk to have the binary added to the Cloud Build environment by filing a feature request against the Cloud
Build public Issue Tracker.

Answer : B

Question 15

Your development team has built several Cloud Functions using Java along with corresponding integration and service tests. You are building and deploying the functions and launching the tests using Cloud Build. Your Cloud Build job is reporting deployment failures immediately after successfully validating the code. What should you do?

ACheck the maximum number of Cloud Function instances.

BVerify that your Cloud Build trigger has the correct build parameters.

CRetry the tests using the truncated exponential backoff polling strategy.

DVerify that the Cloud Build service account is assigned the Cloud Functions Developer role.

Answer : D

https://cloud.google.com/build/docs/securing-builds/configure-access-for-cloud-build-service-account

Question 16

You have two tables in an ANSI-SQL compliant database with identical columns that you need to quickly

combine into a single table, removing duplicate rows from the result set.

What should you do?

AUse the JOIN operator in SQL to combine the tables.

BUse nested WITH statements to combine the tables.

CUse the UNION operator in SQL to combine the tables.

DUse the UNION ALL operator in SQL to combine the tables.

Answer : C

Question 17

You have deployed an HTTP(s) Load Balancer with the gcloud commands shown below.

Health checks to port 80 on the Compute Engine virtual machine instance are failing and no traffic is sent to your instances. You want to resolve the problem.

Which commands should you run?

Agcloud compute instances add-access-config ${NAME}-backend-instance-1

Bgcloud compute instances add-tags ${NAME}-backend-instance-1 --tags http-server

Cgcloud compute firewall-rules create allow-lb --network load-balancer --allow
tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

Dgcloud compute firewall-rules create allow-lb --network load-balancer --allow
tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

Answer : C

Question 18

Your team manages a Google Kubernetes Engine (GKE) cluster where an application is running. A different team is planning to integrate with this application. Before they start the integration, you need to ensure that the other team cannot make changes to your application, but they can deploy the integration on GKE. What should you do?

AUsing Identity and Access Management (IAM), grant the Viewer IAM role on the cluster project to the other team.

BCreate a new GKE cluster. Using Identity and Access Management (IAM), grant the Editor role on the cluster project to the other team.

CCreate a new namespace in the existing cluster. Using Identity and Access Management (IAM), grant the Editor role on the cluster project to the other team.

DCreate a new namespace in the existing cluster. Using Kubernetes role-based access control (RBAC), grant the Admin role on the new namespace to the other team.

Answer : D

Question 19

Your application is built as a custom machine image. You have multiple unique deployments of the machine image. Each deployment is a separate managed instance group with its own template. Each deployment requires a unique set of configuration values. You want to provide these unique values to each deployment but use the same custom machine image in all deployments. You want to use out-of-the-box features of Compute Engine. What should you do?

APlace the unique configuration values in the persistent disk.

BPlace the unique configuration values in a Cloud Bigtable table.

CPlace the unique configuration values in the instance template startup script.

DPlace the unique configuration values in the instance template instance metadata.

Answer : A

Question 20

You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access to your application following the principle of least privilege. What should you do?

ACreate a user-managed service account with a custom Identity and Access Management (IAM) role.

BCreate a user-managed service account with the Storage Admin Identity and Access Management (IAM) role.

CCreate a user-managed service account with the Project Editor Identity and Access Management (IAM) role.

DUse the default service account linked to the Cloud Run revision in production.

Answer : A

https://cloud.google.com/iam/docs/understanding-roles#storage.admin

Question 21

Your team is writing a backend application to implement the business logic for an interactive voice response (IVR) system that will support a payroll application. The IVR system has the following technical characteristics:

* Each customer phone call is associated with a unique IVR session.

* The IVR system creates a separate persistent gRPC connection to the backend for each session.

* If the connection is interrupted, the IVR system establishes a new connection, causing a slight latency for that call.

You need to determine which compute environment should be used to deploy the backend application. Using current call data, you determine that:

* Call duration ranges from 1 to 30 minutes.

* Calls are typically made during business hours.

* There are significant spikes of calls around certain known dates (e.g., pay days), or when large payroll changes occur.

You want to minimize cost, effort, and operational overhead. Where should you deploy the backend application?

ACompute Engine

BGoogle Kubernetes Engine cluster in Standard mode

CCloud Functions

DCloud Run

Answer : D

This page shows Cloud Run-specific details for developers who want to use gRPC to connect a Cloud Run service with other services, for example, to provide simple, high performance communication between internal microservices. You can use all gRPC types, streaming or unary, with Cloud Run.

Possible use cases include:

Communication between internal microservices.

High loads of data (gRPC uses protocol buffers, which are up to seven times faster than REST calls).

Only a simple service definition is needed, you don't want to write a full client library.

Use streaming gRPCs in your gRPC server to build more responsive applications and APIs.

https://cloud.google.com/run/docs/tutorials/secure-services#:~:text=The%20backend%20service%20is%20private,Google%20Cloud%20except%20where%20necessary.

Question 22

You are planning to add unit tests to your application. You need to be able to assert that published Pub/Sub messages are processed by your subscriber in order. You want the unit tests to be cost-effective and reliable. What should you do?

AImplement a mocking framework.

BCreate a topic and subscription for each tester.

CAdd a filter by tester to the subscription.

DUse the Pub/Sub emulator.

Answer : D

https://cloud.google.com/pubsub/docs/emulator, 'Testing apps locally with the emulator'.

Question 23

Which service should HipLocal use for their public APIs?

ACloud Armor

BCloud Functions

CCloud Endpoints

DShielded Virtual Machines

Answer : D

Question 24

Your organization has recently begun an initiative to replatform their legacy applications onto Google Kubernetes Engine. You need to decompose a monolithic application into microservices. Multiple instances have read and write access to a configuration file, which is stored on a shared file system. You want to minimize the effort required to manage this transition, and you want to avoid rewriting the application code. What should you do?

ACreate a new Cloud Storage bucket, and mount it via FUSE in the container.

BCreate a new persistent disk, and mount the volume as a shared PersistentVolume.

CCreate a new Filestore instance, and mount the volume as an NFS PersistentVolume.

DCreate a new ConfigMap and volumeMount to store the contents of the configuration file.

Answer : D

https://cloud.google.com/kubernetes-engine/docs/concepts/configmap

ConfigMaps bind non-sensitive configuration artifacts such as configuration files, command-line arguments, and environment variables to your Pod containers and system components at runtime.

A ConfigMap separates your configurations from your Pod and components, which helps keep your workloads portable. This makes their configurations easier to change and manage, and prevents hardcoding configuration data to Pod specifications.

Question 25

Your company's development teams want to use Cloud Build in their projects to build and push Docker images

to Container Registry. The operations team requires all Docker images to be published to a centralized,

securely managed Docker registry that the operations team manages.

What should you do?

AUse Container Registry to create a registry in each development team's project. Configure the Cloud Build
build to push the Docker image to the project's registry. Grant the operations team access to each
development team's registry.

BCreate a separate project for the operations team that has Container Registry configured. Assign
appropriate permissions to the Cloud Build service account in each developer team's project to allow
access to the operation team's registry.

CCreate a separate project for the operations team that has Container Registry configured. Create a Service
Account for each development team and assign the appropriate permissions to allow it access to the
operations team's registry. Store the service account key file in the source code repository and use it to
authenticate against the operations team's registry.

DCreate a separate project for the operations team that has the open source Docker Registry deployed on a
Compute Engine virtual machine instance. Create a username and password for each development team.
Store the username and password in the source code repository and use it to authenticate against the
operations team's Docker registry.

Answer : A

Question 26

You have an HTTP Cloud Function that is called via POST. Each submission's request body has a flat, unnested JSON structure containing numeric and text dat

a. After the Cloud Function completes, the collected data should be immediately available for ongoing and complex analytics by many users in parallel. How should you persist the submissions?

ADirectly persist each POST request's JSON data into Datastore.

BTransform the POST request's JSON data, and stream it into BigQuery.

CTransform the POST request's JSON data, and store it in a regional Cloud SQL cluster.

DPersist each POST request's JSON data as an individual file within Cloud Storage, with the file name containing the request identifier.

Answer : D

Question 27

Your analytics system executes queries against a BigQuery dataset. The SQL query is executed in batch and passes the contents of a SQL file to the BigQuery CLI. Then it redirects the BigQuery CLI output to another process. However, you are getting a permission error from the BigQuery CLI when the queries are executed. You want to resolve the issue. What should you do?

AGrant the service account BigQuery Data Viewer and BigQuery Job User roles.

BGrant the service account BigQuery Data Editor and BigQuery Data Viewer roles.

CCreate a view in BigQuery from the SQL query and SELECT* from the view in the CLI.

DCreate a new dataset in BigQuery, and copy the source table to the new dataset Query the new dataset and table from the CLI.

Answer : B

Question 28

Which service should HipLocal use to enable access to internal apps?

ACloud VPN

BCloud Armor

CVirtual Private Cloud

DCloud Identity-Aware Proxy

Answer : D

Question 29

You are developing a corporate tool on Compute Engine for the finance department, which needs to authenticate users and verify that they are in the finance department. All company employees use G Suite.

What should you do?

AEnable Cloud Identity-Aware Proxy on the HTTP(s) load balancer and restrict access to a Google Group containing users in the finance department. Verify the provided JSON Web Token within the application.

BEnable Cloud Identity-Aware Proxy on the HTTP(s) load balancer and restrict access to a Google Group containing users in the finance department. Issue client-side certificates to everybody in the finance team and verify the certificates in the application.

CConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.

DConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Issue client side certificates to everybody in the finance team and verify the certificates in the application.

Answer : A

https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers

(https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id).

https://cloud.google.com/armor/docs/security-policy-overview#:~:text=Google%20Cloud%20Armor%20security%20policies%20enable%20you%20to%20allow%20or,Private%20Cloud%20(VPC)%20networks

'Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes to potentially block traffic before it reaches your load balanced backend services or backend buckets'

Question 30

You have recently instrumented a new application with OpenTelemetry, and you want to check the latency of your application requests in Trace. You want to ensure that a specific request is always traced. What should you do?

AWait 10 minutes, then verify that Trace captures those types of requests automatically.

BWrite a custom script that sends this type of request repeatedly from your dev project.

CUse the Trace API to apply custom attributes to the trace.

DAdd the X-Cloud-Trace-Context header to the request with the appropriate parameters.

Answer : D

https://cloud.google.com/trace/docs/setup#force-trace

Cloud Trace doesn't sample every request. To force a specific request to be traced, add an X-Cloud-Trace-Context header to the request.

Question 31

You are deploying your application on a Compute Engine instance that communicates with Cloud SQL. You will use Cloud SQL Proxy to allow your application to communicate to the database using the service account associated with the application's instance. You want to follow the Google-recommended best practice of providing minimum access for the role assigned to the service account. What should you do?

AAssign the Project Editor role.

BAssign the Project Owner role.

CAssign the Cloud SQL Client role.

DAssign the Cloud SQL Editor role.

Answer : C

Question 32

Your team develops stateless services that run on Google Kubernetes Engine (GKE). You need to deploy a new service that will only be accessed by other services running in the GKE cluster. The service will need to scale as quickly as possible to respond to changing load. What should you do?

AUse a Vertical Pod Autoscaler to scale the containers, and expose them via a ClusterIP Service.

BUse a Vertical Pod Autoscaler to scale the containers, and expose them via a NodePort Service.

CUse a Horizontal Pod Autoscaler to scale the containers, and expose them via a ClusterIP Service.

DUse a Horizontal Pod Autoscaler to scale the containers, and expose them via a NodePort Service.

Answer : C

https://cloud.google.com/kubernetes-engine/docs/concepts/service

Question 33

You are working on a social media application. You plan to add a feature that allows users to upload images. These images will be 2 MB -- 1 GB in size. You want to minimize their infrastructure operations overhead for this feature. What should you do?

AChange the application to accept images directly and store them in the database that stores other user information.

BChange the application to create signed URLs for Cloud Storage. Transfer these signed URLs to the client application to upload images to Cloud Storage.

CSet up a web server on GCP to accept user images and create a file store to keep uploaded files. Change the application to retrieve images from the file store.

DCreate a separate bucket for each user in Cloud Storage. Assign a separate service account to allow write access on each bucket. Transfer service account credentials to the client application based on user information. The application uses this service account to upload images to Cloud Storage.

Answer : B

Question 34

You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?

AConfigure the appropriate service accounts, and use Workload Identity to run the pods.

BStore the application credentials as Kubernetes Secrets, and expose them as environment variables.

CConfigure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database.

DStore the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.

Answer : A

https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

Question 35

You are a developer at a large organization. You are deploying a web application to Google Kubernetes Engine (GKE). The DevOps team has built a CI/CD pipeline that uses Cloud Deploy to deploy the application to Dev Test, and Prod clusters in GKE. After Cloud Deploy successfully deploys the application to the Dev cluster you want to automatically promote it to the Test Cluster. How should you configure this process following Google-recommended best practices?

A1 Create a Cloud Build trigger that listens for SUCCEEDED Pub/Sub messages from the clouddeploy-operations topic.
2 Configure Cloud Build to include a step that promotes the application to the Test cluster

B1 Create a Cloud Function that calls the Google Cloud Deploy API to promote the application to the Test cluster
2 Configure this function to be triggered by SUCCEEDED Pub/Sub messages from the cloud-builds topic

C1 Create a Cloud Function that calls the Google Cloud Deploy API to promote the application to the Test cluster
2 Configure this function to be triggered by SUCCEEDED Pub/Sub messages from the clouddeploy operations topic

D1 Create a Cloud Build pipeline that uses the gke-deploy builder
2 Create a Cloud Build trigger that listens to SUCCEEDED Pub/Sub messages from the cloud-builds topic
3 Configure this pipeline to run a deployment step to the Test cluster

Answer : B

Question 36

Your company has a BigQuery data mart that provides analytics information to hundreds of employees. One

user of wants to run jobs without interrupting important workloads. This user isn't concerned about the time it

takes to run these jobs. You want to fulfill this request while minimizing cost to the company and the effort

required on your part.

What should you do?

AAsk the user to run the jobs as batch jobs.

BCreate a separate project for the user to run jobs.

CAdd the user as a job.user role in the existing project.

DAllow the user to run jobs when important workloads are not running.

Answer : B

Question 37

Which service should HipLocal use for their public APIs?

ACloud Armor

BCloud Functions

CCloud Endpoints

DShielded Virtual Machines

Answer : D

Question 38

You are designing a chat room application that will host multiple rooms and retain the message history for each room. You have selected Firestore as your database. How should you represent the data in Firestore?

ACreate a collection for the rooms. For each room, create a document that lists the contents of the messages

BCreate a collection for the rooms. For each room, create a collection that contains a document for each message

CCreate a collection for the rooms. For each room, create a document that contains a collection for documents, each of which contains a message.

DCreate a collection for the rooms, and create a document for each room. Create a separate collection for messages, with one document per message. Each room's document contains a list of references to the messages.

Answer : C

https://firebase.google.com/docs/firestore/data-model#hierarchical-data

Question 39

You need to migrate an internal file upload API with an enforced 500-MB file size limit to App Engine.

What should you do?

AUse FTP to upload files.

BUse CPanel to upload files.

CUse signed URLs to upload files.

DChange the API to be a multipart file upload API.

Answer : C

Question 40

You are configuring a continuous integration pipeline using Cloud Build to automate the deployment of new container images to Google Kubernetes Engine (GKE). The pipeline builds the application from its source code, runs unit and integration tests in separate steps, and pushes the container to Container Registry. The application runs on a Python web server.

The Dockerfile is as follows:

FROM python:3.7-alpine -

COPY . /app -

WORKDIR /app -

RUN pip install -r requirements.txt

CMD [ "gunicorn", "-w 4", "main:app" ]

You notice that Cloud Build runs are taking longer than expected to complete. You want to decrease the build time. What should you do? (Choose two.)

ASelect a virtual machine (VM) size with higher CPU for Cloud Build runs.

BDeploy a Container Registry on a Compute Engine VM in a VPC, and use it to store the final images.

CCache the Docker image for subsequent builds using the -- cache-from argument in your build config file.

DChange the base image in the Dockerfile to ubuntu:latest, and install Python 3.7 using a package manager utility.

EStore application source code on Cloud Storage, and configure the pipeline to use gsutil to download the source code.

Answer : A, C

https://cloud.google.com/build/docs/optimize-builds/increase-vcpu-for-builds

By default, Cloud Build runs your builds on a standard virtual machine (VM). In addition to the standard VM, Cloud Build provides several high-CPU VM types to run builds. To increase the speed of your build, select a machine with a higher vCPU to run builds. Keep in mind that although selecting a high vCPU machine increases your build speed, it may also increase the startup time of your build as Cloud Build only starts non-standard machines on demand.

https://cloud.google.com/build/docs/optimize-builds/speeding-up-builds#using_a_cached_docker_image

The easiest way to increase the speed of your Docker image build is by specifying a cached image that can be used for subsequent builds. You can specify the cached image by adding the --cache-from argument in your build config file, which will instruct Docker to build using that image as a cache source.

Question 41

A1) App Engine
2) Pub/Sub
3) BigQuery
4) Firestore

B1) Dataflow
2) Pub/Sub
3) Firestore
4) BigQuery

C1) Pub/Sub
2) Dataflow
3) BigQuery
4) Firestore

D1) Pub/Sub
2) Dataflow
3) Firestore
4) BigQuery

Answer : D

Question 42

For this question refer to the HipLocal case study.

HipLocal wants to reduce the latency of their services for users in global locations. They have created read replicas of their database in locations where their users reside and configured their service to read traffic using those replicas. How should they further reduce latency for all database interactions with the least amount of effort?

AMigrate the database to Bigtable and use it to serve all global user traffic.

BMigrate the database to Cloud Spanner and use it to serve all global user traffic.

CMigrate the database to Firestore in Datastore mode and use it to serve all global user traffic.

DMigrate the services to Google Kubernetes Engine and use a load balancer service to better scale the application.

Answer : D

Question 43

You are designing a schema for a table that will be moved from MySQL to Cloud Bigtable. The MySQL table is as follows:

How should you design a row key for Cloud Bigtable for this table?

ASet Account_id as a key.

BSet Account_id_Event_timestamp as a key.

CSet Event_timestamp_Account_id as a key.

DSet Event_timestamp as a key.

Answer : C

Question 44

Your application is deployed in a Google Kubernetes Engine (GKE) cluster. You want to expose this application publicly behind a Cloud Load Balancing HTTP(S) load balancer. What should you do?

AConfigure a GKE Ingress resource.

BConfigure a GKE Service resource.

CConfigure a GKE Ingress resource with type: LoadBalancer.

DConfigure a GKE Service resource with type: LoadBalancer.

Answer : A

Question 45

You have containerized a legacy application that stores its configuration on an NFS share. You need to deploy this application to Google Kubernetes Engine (GKE) and do not want the application serving traffic until after the configuration has been retrieved. What should you do?

AUse the gsutil utility to copy files from within the Docker container at startup, and start the service using an ENTRYPOINT script.

BCreate a PersistentVolumeClaim on the GKE cluster. Access the configuration files from the volume, and start the service using an ENTRYPOINT script.

CUse the COPY statement in the Dockerfile to load the configuration into the container image. Verify that the configuration is available, and start the service using an ENTRYPOINT script.

DAdd a startup script to the GKE instance group to mount the NFS share at node startup. Copy the configuration files into the container, and start the service using an ENTRYPOINT script.

Answer : B

Question 46

You have an on-premises application that authenticates to the Cloud Storage API using a user-managed service account with a user-managed key. The application connects to Cloud Storage using Private Google Access over a Dedicated Interconnect link. You discover that requests from the application to access objects in the Cloud Storage bucket are failing with a 403 Permission Denied error code. What is the likely cause of this issue?

AThe folder structure inside the bucket and object paths have changed.

BThe permissions of the service account's predefined role have changed.

CThe service account key has been rotated but not updated on the application server.

DThe Interconnect link from the on-premises data center to Google Cloud is experiencing a temporary outage.

Answer : C

Question 47

AUsing Identity and Access Management (IAM), grant the Viewer IAM role on the cluster project to the other team.

BCreate a new GKE cluster. Using Identity and Access Management (IAM), grant the Editor role on the cluster project to the other team.

CCreate a new namespace in the existing cluster. Using Identity and Access Management (IAM), grant the Editor role on the cluster project to the other team.

DCreate a new namespace in the existing cluster. Using Kubernetes role-based access control (RBAC), grant the Admin role on the new namespace to the other team.

Answer : D

Question 48

You have an application that uses an HTTP Cloud Function to process user activity from both desktop browser and mobile application clients. This function will serve as the endpoint for all metric submissions using HTTP POST.

Due to legacy restrictions, the function must be mapped to a domain that is separate from the domain requested by users on web or mobile sessions. The domain for the Cloud Function is https://fn.example.com. Desktop and mobile clients use the domain https://www.example.com. You need to add a header to the function's HTTP response so that only those browser and mobile sessions can submit metrics to the Cloud Function. Which response header should you add?

AAccess-Control-Allow-Origin: *

BAccess-Control-Allow-Origin: https://*.example.com

CAccess-Control-Allow-Origin: https://fn.example.com

DAccess-Control-Allow-origin: https://www.example.com

Answer : D

Question 49

You are building a CI/CD pipeline that consists of a version control system, Cloud Build, and Container Registry. Each time a new tag is pushed to the repository, a Cloud Build job is triggered, which runs unit tests on the new code builds a new Docker container image, and pushes it into Container Registry. The last step of your pipeline should deploy the new container to your production Google Kubernetes Engine (GKE) cluster. You need to select a tool and deployment strategy that meets the following requirements:

* Zero downtime is incurred

* Testing is fully automated

* Allows for testing before being rolled out to users

* Can quickly rollback if needed

What should you do?

ATrigger a Spinnaker pipeline configured as an A/B test of your new code and, if it is successful, deploy the container to production.

BTrigger a Spinnaker pipeline configured as a canary test of your new code and, if it is successful, deploy the container to production.

CTrigger another Cloud Build job that uses the Kubernetes CLI tools to deploy your new container to your GKE cluster, where you can perform a canary test.

DTrigger another Cloud Build job that uses the Kubernetes CLI tools to deploy your new container to your GKE cluster, where you can perform a shadow test.

Answer : D

https://cloud.google.com/architecture/implementing-deployment-and-testing-strategies-on-gke#perform_a_shadow_test With a shadow test, you test the new version of your application by mirroring user traffic from the current application version without impacting the user requests.

Question 50

You are running a web application on Google Kubernetes Engine that you inherited. You want to determine whether the application is using libraries with known vulnerabilities or is vulnerable to XSS attacks. Which service should you use?

AGoogle Cloud Armor

BDebugger

CWeb Security Scanner

DError Reporting

Answer : C

https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview

Web Security Scanner identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. It crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible.

Question 51

You are using Cloud Build to create a new Docker image on each source code commit to a Cloud Source Repositoties repository. Your application is built on every commit to the master branch. You want to release specific commits made to the master branch in an automated method. What should you do?

AManually trigger the build for new releases.

BCreate a build trigger on a Git tag pattern. Use a Git tag convention for new releases.

CCreate a build trigger on a Git branch name pattern. Use a Git branch naming convention for new releases.

DCommit your source code to a second Cloud Source Repositories repository with a second Cloud Build trigger. Use this repository for new releases only.

Answer : C

Question 52

You recently migrated a monolithic application to Google Cloud by breaking it down into microservices. One of the microservices is deployed using Cloud Functions. As you modernize the application, you make a change to the API of the service that is backward-incompatible. You need to support both existing callers who use the original API and new callers who use the new API. What should you do?

ALeave the original Cloud Function as-is and deploy a second Cloud Function with the new API. Use a load balancer to distribute calls between the versions.

BLeave the original Cloud Function as-is and deploy a second Cloud Function that includes only the changed API. Calls are automatically routed to the correct function.

CLeave the original Cloud Function as-is and deploy a second Cloud Function with the new API. Use Cloud Endpoints to provide an API gateway that exposes a versioned API.

DRe-deploy the Cloud Function after making code changes to support the new API. Requests for both versions of the API are fulfilled based on a version identifier included in the call.

Answer : D

Question 53

Your company has deployed a new API to a Compute Engine instance. During testing, the API is not behaving as expected. You want to monitor the application over 12 hours to diagnose the problem within the application code without redeploying the application. Which tool should you use?

ACloud Trace

BCloud Monitoring

CCloud Debugger logpoints

DCloud Debugger snapshots

Answer : C

https://cloud.google.com/debugger/docs/using/logpoints

Logpoints allow you to inject logging into running services without restarting or interfering with the normal function of the service

Question 54

You need to configure a Deployment on Google Kubernetes Engine (GKE). You want to include a check that verifies that the containers can connect to the database. If the Pod is failing to connect, you want a script on the container to run to complete a graceful shutdown. How should you configure the Deployment?

ACreate two jobs: one that checks whether the container can connect to the database, and another that runs the shutdown script if the Pod is failing.

BCreate the Deployment with a livenessProbe for the container that will fail if the container can't connect to the database. Configure a Prestop lifecycle handler that runs the shutdown script if the container is failing.

CCreate the Deployment with a PostStart lifecycle handler that checks the service availability. Configure a PreStop lifecycle handler that runs the shutdown script if the container is failing.

DCreate the Deployment with an initContainer that checks the service availability. Configure a Prestop lifecycle handler that runs the shutdown script if the Pod is failing.

Answer : B

https://cloud.google.com/architecture/best-practices-for-running-cost-effective-kubernetes-applications-on-gke#make_sure_your_applications_are_shutting_down_in_accordance_with_kubernetes_expectations

Question 55

HipLocal's.net-based auth service fails under intermittent load.

What should they do?

AUse App Engine for autoscaling.

BUse Cloud Functions for autoscaling.

CUse a Compute Engine cluster for the service.

DUse a dedicated Compute Engine virtual machine instance for the service.

Answer : D

Question 56

The development teams in your company want to manage resources from their local environments. You have been asked to enable developer access to each team's Google Cloud projects. You want to maximize efficiency while following Google-recommended best practices. What should you do?

AAdd the users to their projects, assign the relevant roles to the users, and then provide the users with each relevant Project ID.

BAdd the users to their projects, assign the relevant roles to the users, and then provide the users with each relevant Project Number.

CCreate groups, add the users to their groups, assign the relevant roles to the groups, and then provide the users with each relevant Project ID.

DCreate groups, add the users to their groups, assign the relevant roles to the groups, and then provide the users with each relevant Project Number.

Answer : C

Question 57

You are deploying your application to a Compute Engine virtual machine instance. Your application is

configured to write its log files to disk. You want to view the logs in Stackdriver Logging without changing the

application code.

What should you do?

AInstall the Stackdriver Logging Agent and configure it to send the application logs.

BUse a Stackdriver Logging Library to log directly from the application to Stackdriver Logging.

CProvide the log file folder path in the metadata of the instance to configure it to send the application logs.

DChange the application to log to /var/log so that its logs are automatically sent to Stackdriver Logging.

Answer : A

Question 58

AAssign the Project Editor role.

BAssign the Project Owner role.

CAssign the Cloud SQL Client role.

DAssign the Cloud SQL Editor role.

Answer : C

Question 59

Your application is logging to Stackdriver. You want to get the count of all requests on all /api/alpha/*

endpoints.

What should you do?

AAdd a Stackdriver counter metric for path:/api/alpha/.

BAdd a Stackdriver counter metric for endpoint:/api/alpha/*.

CExport the logs to Cloud Storage and count lines matching /api/alphA.

DExport the logs to Cloud Pub/Sub and count lines matching /api/alphA.

Answer : C

Question 60

Your company's product team has a new requirement based on customer demand to autoscale your stateless and distributed service running in a Google Kubernetes Engine (GKE) duster. You want to find a solution that minimizes changes because this feature will go live in two weeks. What should you do?

ADeploy a Vertical Pod Autoscaler, and scale based on the CPU load.

BDeploy a Vertical Pod Autoscaler, and scale based on a custom metric.

CDeploy a Horizontal Pod Autoscaler, and scale based on the CPU toad.

DDeploy a Horizontal Pod Autoscaler, and scale based on a custom metric.

Answer : C

https://cloud.google.com/kubernetes-engine/docs/concepts/horizontalpodautoscaler

The Horizontal Pod Autoscaler changes the shape of your Kubernetes workload by automatically increasing or decreasing the number of Pods in response to the workload's CPU or memory consumption, or in response to custom metrics reported from within Kubernetes or external metrics from sources outside of your cluster.

Question 61

AChange the application to accept images directly and store them in the database that stores other user information.

BChange the application to create signed URLs for Cloud Storage. Transfer these signed URLs to the client application to upload images to Cloud Storage.

CSet up a web server on GCP to accept user images and create a file store to keep uploaded files. Change the application to retrieve images from the file store.

Answer : B

Question 62

Your security team is auditing all deployed applications running in Google Kubernetes Engine. After completing the audit, your team discovers that some of the applications send traffic within the cluster in clear text. You need to ensure that all application traffic is encrypted as quickly as possible while minimizing changes to your applications and maintaining support from Google. What should you do?

AUse Network Policies to block traffic between applications.

BInstall Istio, enable proxy injection on your application namespace, and then enable mTLS.

CDefine Trusted Network ranges within the application, and configure the applications to allow traffic only from those networks.

DUse an automated process to request SSL Certificates for your applications from Let's Encrypt and add them to your applications.

Answer : D

Question 63

The new version of your containerized application has been tested and is ready to deploy to production on Google Kubernetes Engine. You were not able to fully load-test the new version in pre-production environments, and you need to make sure that it does not have performance problems once deployed. Your deployment must be automated. What should you do?

AUse Cloud Load Balancing to slowly ramp up traffic between versions. Use Cloud Monitoring to look for performance issues.

BDeploy the application via a continuous delivery pipeline using canary deployments. Use Cloud Monitoring to look for performance issues. and ramp up traffic as the metrics support it.

CDeploy the application via a continuous delivery pipeline using blue/green deployments. Use Cloud Monitoring to look for performance issues, and launch fully when the metrics support it.

DDeploy the application using kubectl and set the spec.updateStrategv.type to RollingUpdate. Use Cloud Monitoring to look for performance issues, and run the kubectl rollback command if there are any issues.

Answer : C

https://cloud.google.com/architecture/implementing-deployment-and-testing-strategies-on-gke#perform_a_bluegreen_deployment

Question 64

You want to view the memory usage of your application deployed on Compute Engine. What should you do?

AInstall the Stackdriver Client Library.

BInstall the Stackdriver Monitoring Agent.

CUse the Stackdriver Metrics Explorer.

DUse the Google Cloud Platform Console.

Answer : C

Question 65

You are a developer at a large organization. Your team uses Git for source code management (SCM). You want to ensure that your team follows Google-recommended best practices to manage code to drive higher rates of software delivery. Which SCM process should your team use?

AEach group of developers creates a feature branch from the main branch for their work, commits their changes to their branch, and merges their code into the main branch before each major release.

BEach developer commits their code to the main branch before each product release, conducts testing, and rolls back if integration issues are detected.

CEach group of developers copies the repository, commits their changes to their repository, and merges their code into the main repository before each product release.

DEach developer creates a branch for their own work, commits their changes to their branch, and merges their code into the main branch after peer review.

Answer : D

Question 66

You are developing a single-player mobile game backend that has unpredictable traffic patterns as users interact with the game throughout the day and night. You want to optimize costs by ensuring that you have enough resources to handle requests, but minimize over-provisioning. You also want the system to handle traffic spikes efficiently. Which compute platform should you use?

ACloud Run

BCompute Engine with managed instance groups

CCompute Engine with unmanaged instance groups

DGoogle Kubernetes Engine using cluster autoscaling

Answer : A

Question 67

You work for an organization that manages an online ecommerce website. Your company plans to expand across the world; however, the estore currently serves one specific region. You need to select a SQL database and configure a schema that will scale as your organization grows. You want to create a table that stores all customer transactions and ensure that the customer (CustomerId) and the transaction (TransactionId) are unique. What should you do?

ACreate a Cloud SQL table that has TransactionId and CustomerId configured as primary keys. Use an incremental number for the TransactionId.

BCreate a Cloud SQL table that has TransactionId and CustomerId configured as primary keys. Use a random string (UUID) for the Transactionid.

CCreate a Cloud Spanner table that has TransactionId and CustomerId configured as primary keys. Use a random string (UUID) for the TransactionId.

DCreate a Cloud Spanner table that has TransactionId and CustomerId configured as primary keys. Use an incremental number for the TransactionId.

Answer : C

Question 68

You are developing an application hosted on Google Cloud that uses a MySQL relational database schem

a. The application will have a large volume of reads and writes to the database and will require backups and ongoing capacity planning. Your team does not have time to fully manage the database but can take on small administrative tasks. How should you host the database?

AConfigure Cloud SQL to host the database, and import the schema into Cloud SQL.

BDeploy MySQL from the Google Cloud Marketplace to the database using a client, and import the schema.

CConfigure Bigtable to host the database, and import the data into Bigtable.

DConfigure Cloud Spanner to host the database, and import the schema into Cloud Spanner.

EConfigure Firestore to host the database, and import the data into Firestore.

Answer : A

https://cloud.google.com/spanner/docs/migrating-mysql-to-spanner#migration-process

Cloud SQL: Cloud SQL is a web service that allows you to create, configure, and use relational databases that live in Google's cloud. It is a fully-managed service that maintains, manages, and administers your databases, allowing you to focus on your applications and services.

https://cloud.google.com/sql/docs/mysql Cloud SQL for MySQL is a fully-managed database service that helps you set up, maintain, manage, and administer your MySQL relational databases on Google Cloud Platform.

Question 69

The Dockerfile is as follows:

FROM python:3.7-alpine -

COPY . /app -

WORKDIR /app -

RUN pip install -r requirements.txt

CMD [ "gunicorn", "-w 4", "main:app" ]

You notice that Cloud Build runs are taking longer than expected to complete. You want to decrease the build time. What should you do? (Choose two.)

ASelect a virtual machine (VM) size with higher CPU for Cloud Build runs.

BDeploy a Container Registry on a Compute Engine VM in a VPC, and use it to store the final images.

CCache the Docker image for subsequent builds using the -- cache-from argument in your build config file.

DChange the base image in the Dockerfile to ubuntu:latest, and install Python 3.7 using a package manager utility.

EStore application source code on Cloud Storage, and configure the pipeline to use gsutil to download the source code.

Answer : A, C

https://cloud.google.com/build/docs/optimize-builds/increase-vcpu-for-builds

https://cloud.google.com/build/docs/optimize-builds/speeding-up-builds#using_a_cached_docker_image

Question 70

You are writing a single-page web application with a user-interface that communicates with a third-party API

for content using XMLHttpRequest. The data displayed on the UI by the API results is less critical than other

data displayed on the same web page, so it is acceptable for some requests to not have the API data

displayed in the UI. However, calls made to the API should not delay rendering of other parts of the user

interface. You want your application to perform well when the API response is an error or a timeout.

What should you do?

ASet the asynchronous option for your requests to the API to false and omit the widget displaying the API
results when a timeout or error is encountered.

BSet the asynchronous option for your request to the API to true and omit the widget displaying the API
results when a timeout or error is encountered.

CCatch timeout or error exceptions from the API call and keep trying with exponential backoff until the API
response is successful.

DCatch timeout or error exceptions from the API call and display the error response in the UI widget.

Answer : A

Question 71

ACreate a new Cloud Storage bucket, and mount it via FUSE in the container.

BCreate a new persistent disk, and mount the volume as a shared PersistentVolume.

CCreate a new Filestore instance, and mount the volume as an NFS PersistentVolume.

DCreate a new ConfigMap and volumeMount to store the contents of the configuration file.

Answer : D

https://cloud.google.com/kubernetes-engine/docs/concepts/configmap

ConfigMaps bind non-sensitive configuration artifacts such as configuration files, command-line arguments, and environment variables to your Pod containers and system components at runtime.

Question 72

You are planning to deploy hundreds of microservices in your Google Kubernetes Engine (GKE) cluster. How should you secure communication between the microservices on GKE using a managed service?

AUse global HTTP(S) Load Balancing with managed SSL certificates to protect your services

BDeploy open source Istio in your GKE cluster, and enable mTLS in your Service Mesh

CInstall cert-manager on GKE to automatically renew the SSL certificates.

DInstall Anthos Service Mesh, and enable mTLS in your Service Mesh.

Answer : D

https://cloud.google.com/service-mesh/docs/overview#security_benefits

- Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.

Question 73

Which database should HipLocal use for storing user activity?

ABigQuery

BCloud SQL

CCloud Spanner

DCloud Datastore

Answer : A

Question 74

AUse Cloud Load Balancing to slowly ramp up traffic between versions. Use Cloud Monitoring to look for performance issues.

BDeploy the application via a continuous delivery pipeline using canary deployments. Use Cloud Monitoring to look for performance issues. and ramp up traffic as the metrics support it.

CDeploy the application via a continuous delivery pipeline using blue/green deployments. Use Cloud Monitoring to look for performance issues, and launch fully when the metrics support it.

Answer : C

https://cloud.google.com/architecture/implementing-deployment-and-testing-strategies-on-gke#perform_a_bluegreen_deployment

Question 75

AAdd the users to their projects, assign the relevant roles to the users, and then provide the users with each relevant Project ID.

BAdd the users to their projects, assign the relevant roles to the users, and then provide the users with each relevant Project Number.

CCreate groups, add the users to their groups, assign the relevant roles to the groups, and then provide the users with each relevant Project ID.

DCreate groups, add the users to their groups, assign the relevant roles to the groups, and then provide the users with each relevant Project Number.

Answer : C

Question 76

You have an application in production. It is deployed on Compute Engine virtual machine instances controlled

by a managed instance group. Traffic is routed to the instances via a HTTP(s) load balancer. Your users are

unable to access your application. You want to implement a monitoring technique to alert you when the

application is unavailable.

Which technique should you choose?

ASmoke tests

BStackdriver uptime checks

CCloud Load Balancing - heath checks

DManaged instance group - heath checks

Answer : B

476b8507f59c

Question 77

You are developing an application that will handle requests from end users. You need to secure a Cloud Function called by the application to allow authorized end users to authenticate to the function via the application while restricting access to unauthorized users. You will integrate Google Sign-In as part of the solution and want to follow Google-recommended best practices. What should you do?

ADeploy from a source code repository and grant users the roles/cloudfunctions.viewer role.

BDeploy from a source code repository and grant users the roles/cloudfunctions.invoker role

CDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.admin role

DDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.developer role

Answer : C

Question 78

In order for HipLocal to store application state and meet their stated business requirements, which database service should they migrate to?

ACloud Spanner

BCloud Datastore

CCloud Memorystore as a cache

DSeparate Cloud SQL clusters for each region

Answer : D

Question 79

AGoogle Cloud Armor

BDebugger

CWeb Security Scanner

DError Reporting

Answer : C

https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview

Question 80

Your teammate has asked you to review the code below. Its purpose is to efficiently add a large number of small rows to a BigQuery table.

Which improvement should you suggest your teammate make?

AInclude multiple rows with each request.

BPerform the inserts in parallel by creating multiple threads.

CWrite each row to a Cloud Storage object, then load into BigQuery.

DWrite each row to a Cloud Storage object in parallel, then load into BigQuery.

Answer : B

Question 81

Your existing application keeps user state information in a single MySQL database. This state information is

very user-specific and depends heavily on how long a user has been using an application. The MySQL

database is causing challenges to maintain and enhance the schema for various users.

Which storage option should you choose?

ACloud SQL

BCloud Storage

CCloud Spanner

DCloud Datastore/Firestore

Answer : A

Question 82

You want to view the memory usage of your application deployed on Compute Engine. What should you do?

AInstall the Stackdriver Client Library.

BInstall the Stackdriver Monitoring Agent.

CUse the Stackdriver Metrics Explorer.

DUse the Google Cloud Platform Console.

Answer : C

Question 83

You are running an application on App Engine that you inherited. You want to find out whether the application is using insecure binaries or is vulnerable to XSS attacks. Which service should you use?

ACloud Amor

BStackdriver Debugger

CCloud Security Scanner

DStackdriver Error Reporting

Answer : C

Question 84

You are a developer at a financial institution You use Cloud Shell to interact with Google Cloud services. User data is currently stored on an ephemeral disk however a recently passed regulation mandates that you can no longer store sensitive information on an ephemeral disk. You need to implement a new storage solution for your user data You want to minimize code changes Where should you store your user data'?

AStore user data on a Cloud Shell home disk and log in at least every 120 days to prevent its deletion

BStore user data on a persistent disk in a Compute Engine instance

CStore user data m BigQuery tables

DStore user data in a Cloud Storage bucket

Answer : B

Question 85

You have written a Cloud Function that accesses other Google Cloud resources. You want to secure the environment using the principle of least privilege. What should you do?

ACreate a new service account that has Editor authority to access the resources. The deployer is given permission to get the access token.

BCreate a new service account that has a custom IAM role to access the resources. The deployer is given permission to get the access token.

CCreate a new service account that has Editor authority to access the resources. The deployer is given permission to act as the new service account.

DCreate a new service account that has a custom IAM role to access the resources. The deployer is given permission to act as the new service account.

Answer : D

Question 86

For this question, refer to the HipLocal case study.

HipLocal's application uses Cloud Client Libraries to interact with Google Cloud. HipLocal needs to configure authentication and authorization in the Cloud Client Libraries to implement least privileged access for the application. What should they do?

ACreate an API key. Use the API key to interact with Google Cloud.

BUse the default compute service account to interact with Google Cloud.

CCreate a service account for the application. Export and deploy the private key for the application. Use the service account to interact with Google Cloud.

DCreate a service account for the application and for each Google Cloud API used by the application. Export and deploy the private keys used by the application. Use the service account with one Google Cloud API to interact with Google Cloud.

Answer : A

Question 87

Your team is developing unit tests for Cloud Function code. The code is stored in a Cloud Source Repositories repository. You are responsible for implementing the tests. Only a specific service account has the necessary permissions to deploy the code to Cloud Functions. You want to ensure that the code cannot be deployed without first passing the tests. How should you configure the unit testing process?

AConfigure Cloud Build to deploy the Cloud Function. If the code passes the tests, a deployment approval is sent to you.

BConfigure Cloud Build to deploy the Cloud Function, using the specific service account as the build agent. Run the unit tests after successful deployment.

CConfigure Cloud Build to run the unit tests. If the code passes the tests, the developer deploys the Cloud Function.

DConfigure Cloud Build to run the unit tests, using the specific service account as the build agent. If the code passes the tests, Cloud Build deploys the Cloud Function.

Answer : D

Question 88

You are developing an application that will allow clients to download a file from your website for a specific period of time. How should you design the application to complete this task while following Google-recommended best practices?

AConfigure the application to send the file to the client as an email attachment.

BGenerate and assign a Cloud Storage-signed URL for the file. Make the URL available for the client to download.

CCreate a temporary Cloud Storage bucket with time expiration specified, and give download permissions to the bucket. Copy the file, and send it to the client.

DGenerate the HTTP cookies with time expiration specified. If the time is valid, copy the file from the Cloud Storage bucket, and make the file available for the client to download.

Answer : B

Question 89

AEach group of developers creates a feature branch from the main branch for their work, commits their changes to their branch, and merges their code into the main branch before each major release.

BEach developer commits their code to the main branch before each product release, conducts testing, and rolls back if integration issues are detected.

CEach group of developers copies the repository, commits their changes to their repository, and merges their code into the main repository before each product release.

DEach developer creates a branch for their own work, commits their changes to their branch, and merges their code into the main branch after peer review.

Answer : D

Question 90

You are deploying your application to a Compute Engine virtual machine instance. Your application is

configured to write its log files to disk. You want to view the logs in Stackdriver Logging without changing the

application code.

What should you do?

AInstall the Stackdriver Logging Agent and configure it to send the application logs.

BUse a Stackdriver Logging Library to log directly from the application to Stackdriver Logging.

CProvide the log file folder path in the metadata of the instance to configure it to send the application logs.

DChange the application to log to /var/log so that its logs are automatically sent to Stackdriver Logging.

Answer : A

Question 91

You are developing an application that reads credit card data from a Pub/Sub subscription. You have written code and completed unit testing. You need to test the Pub/Sub integration before deploying to Google Cloud. What should you do?

ACreate a service to publish messages, and deploy the Pub/Sub emulator. Generate random content in the publishing service, and publish to the emulator.

BCreate a service to publish messages to your application. Collect the messages from Pub/Sub in production, and replay them through the publishing service.

CCreate a service to publish messages, and deploy the Pub/Sub emulator. Collect the messages from Pub/Sub in production, and publish them to the emulator.

DCreate a service to publish messages, and deploy the Pub/Sub emulator. Publish a standard set of testing messages from the publishing service to the emulator.

Answer : D

Question 92

You want to create ''fully baked'' or ''golden'' Compute Engine images for your application. You need to bootstrap your application to connect to the appropriate database according to the environment the application is running on (test, staging, production). What should you do?

AEmbed the appropriate database connection string in the image. Create a different image for each environment.

BWhen creating the Compute Engine instance, add a tag with the name of the database to be connected. In your application, query the Compute Engine API to pull the tags for the current instance, and use the tag to construct the appropriate database connection string.

CWhen creating the Compute Engine instance, create a metadata item with a key of ''DATABASE'' and a value for the appropriate database connection string. In your application, read the ''DATABASE'' environment variable, and use the value to connect to the appropriate database.

DWhen creating the Compute Engine instance, create a metadata item with a key of ''DATABASE'' and a value for the appropriate database connection string. In your application, query the metadata server for the ''DATABASE'' value, and use the value to connect to the appropriate database.

Answer : D

Question 93

You want to re-architect a monolithic application so that it follows a microservices model. You want to

accomplish this efficiently while minimizing the impact of this change to the business.

Which approach should you take?

ADeploy the application to Compute Engine and turn on autoscaling.

BReplace the application's features with appropriate microservices in phases.

CRefactor the monolithic application with appropriate microservices in a single effort and deploy it.

DBuild a new application with the appropriate microservices separate from the monolith and replace it when
it is complete.

Answer : C

Question 94

You have a container deployed on Google Kubernetes Engine. The container can sometimes be slow to launch, so you have implemented a liveness probe. You notice that the liveness probe occasionally fails on launch. What should you do?

AAdd a startup probe.

BIncrease the initial delay for the liveness probe.

CIncrease the CPU limit for the container.

DAdd a readiness probe.

Answer : B

https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes

Question 95

You are writing from a Go application to a Cloud Spanner database. You want to optimize your application's performance using Google-recommended best practices. What should you do?

AWrite to Cloud Spanner using Cloud Client Libraries.

BWrite to Cloud Spanner using Google API Client Libraries

CWrite to Cloud Spanner using a custom gRPC client library.

DWrite to Cloud Spanner using a third-party HTTP client library.

Answer : A

https://cloud.google.com/apis/docs/cloud-client-libraries

''Cloud Client Libraries are the recommended option for accessing Cloud APIs programmatically, where available. Cloud Client Libraries use the latest client library models''

https://cloud.google.com/apis/docs/client-libraries-explained

https://cloud.google.com/go/docs/reference

Question 96

You are a developer working with the CI/CD team to troubleshoot a new feature that your team introduced. The CI/CD team used HashiCorp Packer to create a new Compute Engine image from your development branch. The image was successfully built, but is not booting up. You need to investigate the issue with the CI/CD team. What should you do?

ACreate a new feature branch, and ask the build team to rebuild the image.

BShut down the deployed virtual machine, export the disk, and then mount the disk locally to access the boot logs.

CInstall Packer locally, build the Compute Engine image locally, and then run it in your personal Google Cloud project.

DCheck Compute Engine OS logs using the serial port, and check the Cloud Logging logs to confirm access to the serial port.

Answer : D

https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-using-serial-console

Question 97

You migrated some of your applications to Google Cloud. You are using a legacy monitoring platform deployed on-premises for both on-premises and cloud-deployed applications. You discover that your notification system is responding slowly to time-critical problems in the cloud applications. What should you do?

AReplace your monitoring platform with Cloud Monitoring.

BInstall the Cloud Monitoring agent on your Compute Engine instances.

CMigrate some traffic back to your old platform. Perform A/B testing on the two platforms concurrently.

DUse Cloud Logging and Cloud Monitoring to capture logs, monitor, and send alerts. Send them to your existing platform.

Answer : D

Question 98

Your existing application keeps user state information in a single MySQL database. This state information is

very user-specific and depends heavily on how long a user has been using an application. The MySQL

database is causing challenges to maintain and enhance the schema for various users.

Which storage option should you choose?

ACloud SQL

BCloud Storage

CCloud Spanner

DCloud Datastore/Firestore

Answer : A

Question 99

Which service should HipLocal use to enable access to internal apps?

ACloud VPN

BCloud Armor

CVirtual Private Cloud

DCloud Identity-Aware Proxy

Answer : D

Question 100

You are building a new API. You want to minimize the cost of storing and reduce the latency of serving

images.

Which architecture should you use?

AApp Engine backed by Cloud Storage

BCompute Engine backed by Persistent Disk

CTransfer Appliance backed by Cloud Filestore

DCloud Content Delivery Network (CDN) backed by Cloud Storage

Answer : B

Question 101

ACloud Trace

BCloud Monitoring

CCloud Debugger logpoints

DCloud Debugger snapshots

Answer : C

https://cloud.google.com/debugger/docs/using/logpoints

Logpoints allow you to inject logging into running services without restarting or interfering with the normal function of the service

Question 102

AUse a Vertical Pod Autoscaler to scale the containers, and expose them via a ClusterIP Service.

BUse a Vertical Pod Autoscaler to scale the containers, and expose them via a NodePort Service.

CUse a Horizontal Pod Autoscaler to scale the containers, and expose them via a ClusterIP Service.

DUse a Horizontal Pod Autoscaler to scale the containers, and expose them via a NodePort Service.

Answer : C

https://cloud.google.com/kubernetes-engine/docs/concepts/service

Question 103

You have written a Cloud Function that accesses other Google Cloud resources. You want to secure the environment using the principle of least privilege. What should you do?

ACreate a new service account that has Editor authority to access the resources. The deployer is given permission to get the access token.

BCreate a new service account that has a custom IAM role to access the resources. The deployer is given permission to get the access token.

CCreate a new service account that has Editor authority to access the resources. The deployer is given permission to act as the new service account.

DCreate a new service account that has a custom IAM role to access the resources. The deployer is given permission to act as the new service account.

Answer : D

Question 104

ACloud Run

BCompute Engine with managed instance groups

CCompute Engine with unmanaged instance groups

DGoogle Kubernetes Engine using cluster autoscaling

Answer : A

Question 105

Your company's development teams want to use various open source operating systems in their Docker builds. When images are created in published containers in your company's environment, you need to scan them for Common Vulnerabilities and Exposures (CVEs). The scanning process must not impact software development agility. You want to use managed services where possible. What should you do?

AEnable the Vulnerability scanning setting in the Container Registry.

BCreate a Cloud Function that is triggered on a code check-in and scan the code for CVEs.

CDisallow the use of non-commercially supported base images in your development environment.

DUse Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable version has been used.

Answer : A

https://cloud.google.com/container-analysis/docs/os-overview

Question 106

Your team is creating a serverless web application on Cloud Run. The application needs to access images stored in a private Cloud Storage bucket. You want to give the application Identity and Access Management (IAM) permission to access the images in the bucket, while also securing the services using Google-recommended best practices What should you do?

AEnforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.

BEnforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine
default service account.

CEnforce signed URLs for the desired bucket Create and update the Cloud Run service to use a user -managed service account. Grant the Storage Object Viewer IAM role on the bucket to the service account

DEnforce public access prevention for the desired bucket.
Create and update the Cloud Run service to use a user-managed service account. Grant the Storage Object Viewer IAM role on the bucket to the service account.

Answer : B

Question 107

You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam.serviceAccountTokenCreator Identity and Access Management (IAM) role and the necessary permissions to deploy the resources using Terraform. You want to set up your development environment to deploy the desired resources following Google-recommended best practices. What should you do?

A1) Download the service account's key file in JSON format, and store it locally on your laptop.
2) Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your downloaded key file.

B1) Run the following command from a command line: gcloud config set auth/impersonate_service_account service-account-name@project.iam.gserviceacccount.com.
2) Set the GOOGLE_OAUTH_ACCESS_TOKEN environment variable to the value that is returned by the gcloud auth print-access-token command.

C1) Run the following command from a command line: gcloud auth application-default login.
2) In the browser window that opens, authenticate using your personal credentials.

D1) Store the service account's key file in JSON format in Hashicorp Vault.
2) Integrate Terraform with Vault to retrieve the key file dynamically, and authenticate to Vault using a short-lived access token.

Answer : D

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#file-system

Whenever possible, avoid storing service account keys on a file system. If you can't avoid storing keys on disk, make sure to restrict access to the key file, configure file access auditing, and encrypt the underlying disk.

https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#software-keystore

In situations where using a hardware-based key store isn't viable, use a software-based key store to manage service account keys. Similar to hardware-based options, a software-based key store lets users or applications use service account keys without revealing the private key. Software-based key store solutions can help you control key access in a fine-grained manner and can also ensure that each key access is logged.

Question 108

You have decided to migrate your Compute Engine application to Google Kubernetes Engine. You need to build a container image and push it to Artifact Registry using Cloud Build. What should you do? (Choose two.)

Run gcloud builds submit in the directory that contains the application source code.

Run gcloud run deploy app-name --image gcr.io/$PROJECT_ID/app-name in the directory that contains the application source code.

Run gcloud container images add-tag gcr.io/$PROJECT_ID/app-name gcr.io/$PROJECT_ID/app-name:latest in the directory that contains the application source code.

In the application source directory, create a file named cloudbuild.yaml that contains the following contents:

AOption A

BOption B

COption C

DOption D

EOption E

Answer : A, D

https://cloud.google.com/sdk/gcloud/reference/builds/submit

https://cloud.google.com/artifact-registry/docs/configure-cloud-build

Question 109

Your team is developing an application in Google Cloud that executes with user identities maintained by Cloud Identity. Each of your application's users will have an associated Pub/Sub topic to which messages are published, and a Pub/Sub subscription where the same user will retrieve published messages. You need to ensure that only authorized users can publish and subscribe to their own specific Pub/Sub topic and subscription. What should you do?

ABind the user identity to the pubsub.publisher and pubsub.subscriber roles at the resource level.

BGrant the user identity the pubsub.publisher and pubsub.subscriber roles at the project level.

CGrant the user identity a custom role that contains the pubsub.topics.create and pubsub.subscriptions.create permissions.

DConfigure the application to run as a service account that has the pubsub.publisher and pubsub.subscriber roles.

Answer : C

Question 110

AAssign the Project Editor role.

BAssign the Project Owner role.

CAssign the Cloud SQL Client role.

DAssign the Cloud SQL Editor role.

Answer : C

Question 111

Your team develops services that run on Google Cloud. You want to process messages sent to a Pub/Sub topic, and then store them. Each message must be processed exactly once to avoid duplication of data and any data conflicts. You need to use the cheapest and most simple solution. What should you do?

AProcess the messages with a Dataproc job, and write the output to storage.

BProcess the messages with a Dataflow streaming pipeline using Apache Beam's PubSubIO package, and write the output to storage.

CProcess the messages with a Cloud Function, and write the results to a BigQuery location where you can run a job to deduplicate the data.

DRetrieve the messages with a Dataflow streaming pipeline, store them in Cloud Bigtable, and use another Dataflow streaming pipeline to deduplicate messages.

Answer : B

https://cloud.google.com/dataflow/docs/concepts/streaming-with-cloud-pubsub

Question 112

You are a SaaS provider deploying dedicated blogging software to customers in your Google Kubernetes Engine (GKE) cluster. You want to configure a secure multi-tenant platform to ensure that each customer has access to only their own blog and can't affect the workloads of other customers. What should you do?

AEnable Application-layer Secrets on the GKE cluster to protect the cluster.

BDeploy a namespace per tenant and use Network Policies in each blog deployment.

CUse GKE Audit Logging to identify malicious containers and delete them on discovery.

DBuild a custom image of the blogging software and use Binary Authorization to prevent untrusted image deployments.

Answer : B

Question 113

Your company wants to expand their users outside the United States for their popular application. The

company wants to ensure 99.999% availability of the database for their application and also wants to minimize the read latency for their users across the globe.

Which two actions should they take? (Choose two.)

ACreate a multi-regional Cloud Spanner instance with 'nam-asia-eur1' configuration.

BCreate a multi-regional Cloud Spanner instance with 'nam3' configuration.

CCreate a cluster with at least 3 Spanner nodes.

DCreate a cluster with at least 1 Spanner node.

ECreate a minimum of two Cloud Spanner instances in separate regions with at least one node.

FCreate a Cloud Dataflow pipeline to replicate data across different databases.

Answer : B, F

Question 114

You are porting an existing Apache/MySQL/PHP application stack from a single machine to Google Kubernetes Engine. You need to determine how to containerize the application. Your approach should follow Google-recommended best practices for availability. What should you do?

APackage each component in a separate container. Implement readiness and liveness probes.

BPackage the application in a single container. Use a process management tool to manage each component.

CPackage each component in a separate container. Use a script to orchestrate the launch of the components.

DPackage the application in a single container. Use a bash script as an entrypoint to the container, and then spawn each component as a background job.

Answer : A

https://cloud.google.com/blog/products/containers-kubernetes/7-best-practices-for-building-containers

https://cloud.google.com/architecture/best-practices-for-building-containers

'classic Apache/MySQL/PHP stack: you might be tempted to run all the components in a single container. However, the best practice is to use two or three different containers: one for Apache, one for MySQL, and potentially one for PHP if you are running PHP-FPM.'

Question 115

Your company has a BigQuery data mart that provides analytics information to hundreds of employees. One

user of wants to run jobs without interrupting important workloads. This user isn't concerned about the time it

takes to run these jobs. You want to fulfill this request while minimizing cost to the company and the effort

required on your part.

What should you do?

AAsk the user to run the jobs as batch jobs.

BCreate a separate project for the user to run jobs.

CAdd the user as a job.user role in the existing project.

DAllow the user to run jobs when important workloads are not running.

Answer : B

Question 116

AConfigure the application to check authentication credentials for each HTTP(S) request to the application.

BConfigure Identity-Aware Proxy to allow employees to access the application through its public IP address.

Answer : B

Question 117

AThe folder structure inside the bucket and object paths have changed.

BThe permissions of the service account's predefined role have changed.

CThe service account key has been rotated but not updated on the application server.

DThe Interconnect link from the on-premises data center to Google Cloud is experiencing a temporary outage.

Answer : C

Question 118

Your code is running on Cloud Functions in project

AIt is supposed to write an object in a Cloud Storage
bucket owned by project B. However, the write call is failing with the error '403 Forbidden'.
What should you do to correct the problem?

AGrant your user account the roles/storage.objectCreator role for the Cloud Storage bucket.

BGrant your user account the roles/iam.serviceAccountUser role for the service-PROJECTA@gcf-adminrobot.
iam.gserviceaccount.com service account.

CGrant the service-PROJECTA@gcf-admin-robot.iam.gserviceaccount.com service account the roles/
storage.objectCreator role for the Cloud Storage bucket.

DEnable the Cloud Storage API in project B.

Answer : B

Question 119

AUse the gcloud CLI to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

BEnable Container Analysis, and upload new container images to Artifact Registry. Review the vulnerability results before each deployment.

CEnable Container Analysis, and upload new container images to Artifact Registry. Review the critical vulnerability results before each deployment.

DUse the Container Analysis REST API to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

Answer : D

https://cloud.google.com/container-analysis/docs/automated-scanning-howto

Question 120

You are developing an application that needs to store files belonging to users in Cloud Storage. You want each user to have their own subdirectory in Cloud Storage. When a new user is created, the corresponding empty subdirectory should also be created. What should you do?

ACreate an object with the name of the subdirectory ending with a trailing slash ('/') that is zero bytes in length.

BCreate an object with the name of the subdirectory, and then immediately delete the object within that subdirectory.

CCreate an object with the name of the subdirectory that is zero bytes in length and has WRITER access control list permission.

DCreate an object with the name of the subdirectory that is zero bytes in length. Set the Content-Type metadata to CLOUDSTORAGE_FOLDER.

Answer : A

https://cloud.google.com/storage/docs/folders

If you create an empty folder using the Google Cloud console, Cloud Storage creates a zero-byte object as a placeholder. For example, if you create a folder called folder in a bucket called my-bucket, a zero- byte object called gs://my-bucket/folder/ is created. This placeholder is discoverable by other tools when listing the objects in the bucket, for example when using the gsutil ls command.

Question 121

Your company needs a database solution that stores customer purchase history and meets the following requirements:

Customers can query their purchase immediately after submission.

Purchases can be sorted on a variety of fields.

Distinct record formats can be stored at the same time.

Which storage option satisfies these requirements?

AFirestore in Native mode

BCloud Storage using an object read

CCloud SQL using a SQL SELECT statement

DFirestore in Datastore mode using a global query

Answer : A

Question 122

Your data is stored in Cloud Storage buckets. Fellow developers have reported that data downloaded from Cloud Storage is resulting in slow API performance. You want to research the issue to provide details to the GCP support team. Which command should you run?

Agsutil test --o output.json gs://my-bucket

Bgsutil perfdiag --o output.json gs://my-bucket

Cgcloud compute scp example-instance:~/test-data --o output.json gs://my-bucket

Dgcloud services test --o output.json gs://my-bucket

Answer : B

Question 123

AEnforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.

BEnforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine
default service account.

Answer : B

Question 124

Your company has a data warehouse that keeps your application information in BigQuery. The BigQuery data warehouse keeps 2 PBs of user dat

a. Recently, your company expanded your user base to include EU users and needs to comply with these requirements:

Your company must be able to delete all user account information upon user request.

All EU user data must be stored in a single region specifically for EU users.

Which two actions should you take? (Choose two.)

AUse BigQuery federated queries to query data from Cloud Storage.

BCreate a dataset in the EU region that will keep information about EU users only.

CCreate a Cloud Storage bucket in the EU region to store information for EU users only.

DRe-upload your data using to a Cloud Dataflow pipeline by filtering your user records out.

EUse DML statements in BigQuery to update/delete user records based on their requests.

Answer : C, E

Question 125

You have an application deployed in production. When a new version is deployed, you want to ensure that all production traffic is routed to the new version of your application. You also want to keep the previous version deployed so that you can revert to it if there is an issue with the new version.

Which deployment strategy should you use?

ABlue/green deployment

BCanary deployment

CRolling deployment

DRecreate deployment

Answer : A

Question 126

What should you do?

CConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.

Answer : A

https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers

(https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id).

https://cloud.google.com/armor/docs/security-policy-overview#:~:text=Google%20Cloud%20Armor%20security%20policies%20enable%20you%20to%20allow%20or,Private%20Cloud%20(VPC)%20networks

Question 127

You are load testing your server application. During the first 30 seconds, you observe that a previously inactive

Cloud Storage bucket is now servicing 2000 write requests per second and 7500 read requests per second.

Your application is now receiving intermittent 5xx and 429 HTTP responses from the Cloud Storage JSON API

as the demand escalates. You want to decrease the failed responses from the Cloud Storage API.

What should you do?

ADistribute the uploads across a large number of individual storage buckets.

BUse the XML API instead of the JSON API for interfacing with Cloud Storage.

CPass the HTTP response codes back to clients that are invoking the uploads from your application.

DLimit the upload rate from your application clients so that the dormant bucket's peak request rate is
reached more gradually.

Answer : A

Question 128

You are deploying your applications on Compute Engine. One of your Compute Engine instances failed to launch. What should you do? (Choose two.)

ADetermine whether your file system is corrupted.

BAccess Compute Engine as a different SSH user.

CTroubleshoot firewall rules or routes on an instance.

DCheck whether your instance boot disk is completely full.

ECheck whether network traffic to or from your instance is being dropped.

Answer : A, D

https://cloud.google.com/compute/docs/troubleshooting/vm-startup

Question 129

You manage a microservices application on Google Kubernetes Engine (GKE) using Istio. You secure the communication channels between your microservices by implementing an Istio AuthorizationPolicy, a Kubernetes NetworkPolicy, and mTLS on your GKE cluster. You discover that HTTP requests between two Pods to specific URLs fail, while other requests to other URLs succeed. What is the cause of the connection issue?

AA Kubernetes NetworkPolicy resource is blocking HTTP traffic between the Pods.

BThe Pod initiating the HTTP requests is attempting to connect to the target Pod via an incorrect TCP port.

CThe Authorization Policy of your cluster is blocking HTTP requests for specific paths within your application.

DThe cluster has mTLS configured in permissive mode, but the Pod's sidecar proxy is sending unencrypted traffic in plain text.

Answer : C

Question 130

You are designing an application that uses a microservices architecture. You are planning to deploy the application in the cloud and on-premises. You want to make sure the application can scale up on demand and also use managed services as much as possible. What should you do?

ADeploy open source Istio in a multi-cluster deployment on multiple Google Kubernetes Engine (GKE) clusters managed by Anthos.

BCreate a GKE cluster in each environment with Anthos, and use Cloud Run for Anthos to deploy your application to each cluster.

CInstall a GKE cluster in each environment with Anthos, and use Cloud Build to create a Deployment for your application in each cluster.

DCreate a GKE cluster in the cloud and install open-source Kubernetes on-premises. Use an external load balancer service to distribute traffic across the two environments.

Answer : B

https://cloud.google.com/anthos/run

Integrated with Anthos, Cloud Run for Anthos provides a flexible serverless development platform for hybrid and multicloud environments. Cloud Run for Anthos is Google's managed and fully supported Knative offering, an open source project that enables serverless workloads on Kubernetes.

Question 131

AUse a Vertical Pod Autoscaler to scale the containers, and expose them via a ClusterIP Service.

BUse a Vertical Pod Autoscaler to scale the containers, and expose them via a NodePort Service.

CUse a Horizontal Pod Autoscaler to scale the containers, and expose them via a ClusterIP Service.

DUse a Horizontal Pod Autoscaler to scale the containers, and expose them via a NodePort Service.

Answer : C

https://cloud.google.com/kubernetes-engine/docs/concepts/service

Question 132

You plan to make a simple HTML application available on the internet. This site keeps information about FAQs for your application. The application is static and contains images, HTML, CSS, and Javascript. You want to make this application available on the internet with as few steps as possible.

What should you do?

AUpload your application to Cloud Storage.

BUpload your application to an App Engine environment.

CCreate a Compute Engine instance with Apache web server installed. Configure Apache web server to
host the application.

DContainerize your application first. Deploy this container to Google Kubernetes Engine (GKE) and assign
an external IP address to the GKE pod hosting the application.

Answer : A

Question 133

AUse Migrate for Anthos to migrate the VM to your Google Kubernetes Engine (GKE) cluster as a container.

BExport the VM as a raw disk and import it as an image. Create a Compute Engine instance from the Imported image.

CUse Migrate for Compute Engine to migrate the VM to a Compute Engine instance, and use Cloud Build to convert it to a container.

DUse Jib to build a Docker image from your source code, and upload it to Artifact Registry. Deploy the application in a GKE cluster, and test the application.

Answer : D

https://cloud.google.com/blog/products/application-development/introducing-jib-build-java-docker-images-better

Question 134

AUse the gsutil utility to copy files from within the Docker container at startup, and start the service using an ENTRYPOINT script.

BCreate a PersistentVolumeClaim on the GKE cluster. Access the configuration files from the volume, and start the service using an ENTRYPOINT script.

CUse the COPY statement in the Dockerfile to load the configuration into the container image. Verify that the configuration is available, and start the service using an ENTRYPOINT script.

DAdd a startup script to the GKE instance group to mount the NFS share at node startup. Copy the configuration files into the container, and start the service using an ENTRYPOINT script.

Answer : B

Question 135

You want to migrate an on-premises container running in Knative to Google Cloud. You need to make sure that the migration doesn't affect your application's deployment strategy, and you want to use a fully managed service. Which Google Cloud service should you use to deploy your container?

ACloud Run

BCompute Engine

CGoogle Kubernetes Engine

DApp Engine flexible environment

Answer : A

https://cloud.google.com/blog/products/serverless/knative-based-cloud-run-services-are-ga

Question 136

Which service should HipLocal use to enable access to internal apps?

ACloud VPN

BCloud Armor

CVirtual Private Cloud

DCloud Identity-Aware Proxy

Answer : D

Question 137

Your application is deployed in a Google Kubernetes Engine (GKE) cluster. You want to expose this application publicly behind a Cloud Load Balancing HTTP(S) load balancer. What should you do?

AConfigure a GKE Ingress resource.

BConfigure a GKE Service resource.

CConfigure a GKE Ingress resource with type: LoadBalancer.

DConfigure a GKE Service resource with type: LoadBalancer.

Answer : A

Question 138

You are designing an application that consists of several microservices. Each microservice has its own RESTful API and will be deployed as a separate Kubernetes Service. You want to ensure that the consumers of these APIs aren't impacted when there is a change to your API, and also ensure that third-party systems aren't interrupted when new versions of the API are released. How should you configure the connection to the application following Google-recommended best practices?

AUse an Ingress that uses the API's URL to route requests to the appropriate backend.

BLeverage a Service Discovery system, and connect to the backend specified by the request.

CUse multiple clusters, and use DNS entries to route requests to separate versioned backends.

DCombine multiple versions in the same service, and then specify the API version in the POST request.

Answer : D

Question 139

You are deploying your application to a Compute Engine virtual machine instance. Your application is

configured to write its log files to disk. You want to view the logs in Stackdriver Logging without changing the

application code.

What should you do?

AInstall the Stackdriver Logging Agent and configure it to send the application logs.

BUse a Stackdriver Logging Library to log directly from the application to Stackdriver Logging.

CProvide the log file folder path in the metadata of the instance to configure it to send the application logs.

DChange the application to log to /var/log so that its logs are automatically sent to Stackdriver Logging.

Answer : A

Question 140

Your company has deployed a new API to App Engine Standard environment. During testing, the API is not behaving as expected. You want to monitor the application over time to diagnose the problem within the application code without redeploying the application.

Which tool should you use?

AStackdriver Trace

BStackdriver Monitoring

CStackdriver Debug Snapshots

DStackdriver Debug Logpoints

Answer : B

1ba49e4780e6

Question 141

You are developing an ecommerce web application that uses App Engine standard environment and Memorystore for Redis. When a user logs into the app, the application caches the user's information (e.g., session, name, address, preferences), which is stored for quick retrieval during checkout.

While testing your application in a browser, you get a 502 Bad Gateway error. You have determined that the application is not connecting to Memorystore. What is the reason for this error?

AYour Memorystore for Redis instance was deployed without a public IP address.

BYou configured your Serverless VPC Access connector in a different region than your App Engine instance.

CThe firewall rule allowing a connection between App Engine and Memorystore was removed during an infrastructure update by the DevOps team.

DYou configured your application to use a Serverless VPC Access connector on a different subnet in a different availability zone than your App Engine instance.

Answer : A

Question 142

You are developing a marquee stateless web application that will run on Google Cloud. The rate of the incoming user traffic is expected to be unpredictable, with no traffic on some days and large spikes on other days. You need the application to automatically scale up and down, and you need to minimize the cost associated with running the application. What should you do?

ABuild the application in Python with Firestore as the database. Deploy the application to Cloud Run.

BBuild the application in C# with Firestore as the database. Deploy the application to App Engine flexible environment.

CBuild the application in Python with CloudSQL as the database. Deploy the application to App Engine standard environment.

DBuild the application in Python with Firestore as the database. Deploy the application to a Compute Engine managed instance group with autoscaling.

Answer : A

Question 143

Your application is deployed on hundreds of Compute Engine instances in a managed instance group (MIG) in multiple zones. You need to deploy a new instance template to fix a critical vulnerability immediately but must avoid impact to your service. What setting should be made to the MIG after updating the instance template?

ASet the Max Surge to 100%.

BSet the Update mode to Opportunistic.

CSet the Maximum Unavailable to 100%.

DSet the Minimum Wait time to 0 seconds.

Answer : B

https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups#type Alternatively, if an automated update is potentially too disruptive, you can choose to perform an opportunistic update. The MIG applies an opportunistic update only when you manually initiate the update on selected instances or when new instances are created. New instances can be created when you or another service, such as an autoscaler, resizes the MIG. Compute Engine does not actively initiate requests to apply opportunistic updates on existing instances.

Question 144

You have an application deployed in Google Kubernetes Engine (GKE) that reads and processes Pub/Sub messages. Each Pod handles a fixed number of messages per minute. The rate at which messages are published to the Pub/Sub topic varies considerably throughout the day and week, including occasional large batches of messages published at a single moment.

You want to scale your GKE Deployment to be able to process messages in a timely manner. What GKE feature should you use to automatically adapt your workload?

AVertical Pod Autoscaler in Auto mode

BVertical Pod Autoscaler in Recommendation mode

CHorizontal Pod Autoscaler based on an external metric

DHorizontal Pod Autoscaler based on resources utilization

Answer : C

https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

Question 145

Your operations team has asked you to create a script that lists the Cloud Bigtable, Memorystore, and Cloud SQL databases running within a project. The script should allow users to submit a filter expression to limit the results presented. How should you retrieve the data?

AUse the HBase API, Redis API, and MySQL connection to retrieve database lists. Combine the results, and then apply the filter to display the results

BUse the HBase API, Redis API, and MySQL connection to retrieve database lists. Filter the results individually, and then combine them to display the results

CRun gcloud bigtable instances list, gcloud redis instances list, and gcloud sql databases list. Use a filter within the application, and then display the results

DRun gcloud bigtable instances list, gcloud redis instances list, and gcloud sql databases list. Use --filter flag with each command, and then display the results

Answer : D

https://cloud.google.com/sdk/gcloud/reference/topic/filters

Most gcloud commands return a list of resources on success. By default they are pretty-printed on the standard output. The --format=NAME[ATTRIBUTES](PROJECTION) and --filter=EXPRESSION flags along with projections can be used to format and change the default output to a more meaningful result. Use the --format flag to change the default output format of a command. For details run $ gcloud topic formats.

Question 146

You manage an ecommerce application that processes purchases from customers who can subsequently cancel or change those purchases. You discover that order volumes are highly variable and the backend order-processing system can only process one request at a time. You want to ensure seamless performance for customers regardless of usage volume. It is crucial that customers' order update requests are performed in the sequence in which they were generated. What should you do?

ASend the purchase and change requests over WebSockets to the backend.

BSend the purchase and change requests as REST requests to the backend.

CUse a Pub/Sub subscriber in pull mode and use a data store to manage ordering.

DUse a Pub/Sub subscriber in push mode and use a data store to manage ordering.

Answer : C

https://cloud.google.com/pubsub/docs/pull

Question 147

The Dockerfile is as follows:

FROM python:3.7-alpine -

COPY . /app -

WORKDIR /app -

RUN pip install -r requirements.txt

CMD [ "gunicorn", "-w 4", "main:app" ]

You notice that Cloud Build runs are taking longer than expected to complete. You want to decrease the build time. What should you do? (Choose two.)

ASelect a virtual machine (VM) size with higher CPU for Cloud Build runs.

BDeploy a Container Registry on a Compute Engine VM in a VPC, and use it to store the final images.

CCache the Docker image for subsequent builds using the -- cache-from argument in your build config file.

DChange the base image in the Dockerfile to ubuntu:latest, and install Python 3.7 using a package manager utility.

EStore application source code on Cloud Storage, and configure the pipeline to use gsutil to download the source code.

Answer : A, C

https://cloud.google.com/build/docs/optimize-builds/increase-vcpu-for-builds

https://cloud.google.com/build/docs/optimize-builds/speeding-up-builds#using_a_cached_docker_image

Question 148

You are developing an application that will store and access sensitive unstructured data objects in a Cloud Storage bucket. To comply with regulatory requirements, you need to ensure that all data objects are available for at least 7 years after their initial creation. Objects created more than 3 years ago are accessed very infrequently (less than once a year). You need to configure object storage while ensuring that storage cost is optimized. What should you do? (Choose two.)

ASet a retention policy on the bucket with a period of 7 years.

BUse IAM Conditions to provide access to objects 7 years after the object creation date.

CEnable Object Versioning to prevent objects from being accidentally deleted for 7 years after object creation.

DCreate an object lifecycle policy on the bucket that moves objects from Standard Storage to Archive Storage after 3 years.

EImplement a Cloud Function that checks the age of each object in the bucket and moves the objects older than 3 years to a second bucket with the Archive Storage class. Use Cloud Scheduler to trigger the Cloud Function on a daily schedule.

Answer : A, D

https://cloud.google.com/storage/docs/bucket-lock

This page discusses the Bucket Lock feature, which allows you to configure a data retention policy for a Cloud Storage bucket that governs how long objects in the bucket must be retained. The feature also allows you to lock the data retention policy, permanently preventing the policy from being reduced or removed.

https://cloud.google.com/storage/docs/storage-classes#archive

Archive storage is the lowest-cost, highly durable storage service for data archiving, online backup, and disaster recovery. Unlike the 'coldest' storage services offered by other Cloud providers, your data is available within milliseconds, not hours or days.

Archive storage is the best choice for data that you plan to access less than once a year.

Question 149

You configured your Compute Engine instance group to scale automatically according to overall CPU usage. However, your application's response latency increases sharply before the cluster has finished adding up instances. You want to provide a more consistent latency experience for your end users by changing the configuration ot the instance group autoscaler. Which two configuration changes should you make? (Choose two.)

AAdd the label ''AUTOSCALE'' to the instance group template.

BDecrease the cool-down period for instances added to the group.

CIncrease the target CPU usage for the instance group autoscaler.

DDecrease the target CPU usage for the instance group autoscaler.

ERemove the health-check for individual VMs in the instance group.

Answer : A, C

Question 150

You are using Cloud Build for your CI/CD pipeline to complete several tasks, including copying certain files to Compute Engine virtual machines. Your pipeline requires a flat file that is generated in one builder in the pipeline to be accessible by subsequent builders in the same pipeline. How should you store the file so that all the builders in the pipeline can access it?

AStore and retrieve the file contents using Compute Engine instance metadata.

BOutput the file contents to a file in /workspace. Read from the same /workspace file in the subsequent build step.

CUse gsutil to output the file contents to a Cloud Storage object. Read from the same object in the subsequent build step.

DAdd a build argument that runs an HTTP POST via curl to a separate web server to persist the value in one builder. Use an HTTP GET via curl from the subsequent build step to read the value.

Answer : B

https://cloud.google.com/build/docs/build-config-file-schema

Question 151

Your development team has been tasked with maintaining a .NET legacy application. The application incurs occasional changes and was recently updated. Your goal is to ensure that the application provides consistent results while moving through the CI/CD pipeline from environment to environment. You want to minimize the cost of deployment while making sure that external factors and dependencies between hosting environments are not problematic. Containers are not yet approved in your organization. What should you do?

ARewrite the application using .NET Core, and deploy to Cloud Run. Use revisions to separate the environments.

BUse Cloud Build to deploy the application as a new Compute Engine image for each build. Use this image in each environment.

CDeploy the application using MS Web Deploy, and make sure to always use the latest, patched MS Windows Server base image in Compute Engine.

DUse Cloud Build to package the application, and deploy to a Google Kubernetes Engine cluster. Use namespaces to separate the environments.

Answer : B

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud#phase_1_rehost_in_the_cloud

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud

Question 152

You want to re-architect a monolithic application so that it follows a microservices model. You want to

accomplish this efficiently while minimizing the impact of this change to the business.

Which approach should you take?

ADeploy the application to Compute Engine and turn on autoscaling.

BReplace the application's features with appropriate microservices in phases.

CRefactor the monolithic application with appropriate microservices in a single effort and deploy it.

DBuild a new application with the appropriate microservices separate from the monolith and replace it when
it is complete.

Answer : C

Question 153

AUse an Ingress that uses the API's URL to route requests to the appropriate backend.

BLeverage a Service Discovery system, and connect to the backend specified by the request.

CUse multiple clusters, and use DNS entries to route requests to separate versioned backends.

DCombine multiple versions in the same service, and then specify the API version in the POST request.

Answer : D

Question 154

Your website is deployed on Compute Engine. Your marketing team wants to test conversion rates between 3

different website designs.

Which approach should you use?

ADeploy the website on App Engine and use traffic splitting.

BDeploy the website on App Engine as three separate services.

CDeploy the website on Cloud Functions and use traffic splitting.

DDeploy the website on Cloud Functions as three separate functions.

Answer : A

Question 155

You have an application running in App Engine. Your application is instrumented with Stackdriver Trace. The /product-details request reports details about four known unique products at /sku-details as shown below. You want to reduce the time it takes for the request to complete. What should you do?

AIncrease the size of the instance class.

BChange the Persistent Disk type to SSD.

CChange /product-details to perform the requests in parallel.

DStore the /sku-details information in a database, and replace the webservice call with a database query.

Answer : C

Question 156

Your company has created an application that uploads a report to a Cloud Storage bucket. When the report is uploaded to the bucket, you want to publish a message to a Cloud Pub/Sub topic. You want to implement a solution that will take a small amount to effort to implement. What should you do?

AConfigure the Cloud Storage bucket to trigger Cloud Pub/Sub notifications when objects are modified.

BCreate an App Engine application to receive the file; when it is received, publish a message to the Cloud Pub/Sub topic.

CCreate a Cloud Function that is triggered by the Cloud Storage bucket. In the Cloud Function, publish a message to the Cloud Pub/Sub topic.

DCreate an application deployed in a Google Kubernetes Engine cluster to receive the file; when it is received, publish a message to the Cloud Pub/Sub topic.

Answer : C

: https://cloud.google.com/storage/docs/pubsub-notifications

Question 157

You are using Cloud Build build to promote a Docker image to Development, Test, and Production environments. You need to ensure that the same Docker image is deployed to each of these environments. How should you identify the Docker image in your build?

AUse the latest Docker image tag.

BUse a unique Docker image name.

CUse the digest of the Docker image.

DUse a semantic version Docker image tag.

Answer : D

Question 158

Your service adds text to images that it reads from Cloud Storage. During busy times of the year, requests to

Cloud Storage fail with an HTTP 429 "Too Many Requests" status code.

How should you handle this error?

AAdd a cache-control header to the objects.

BRequest a quota increase from the GCP Console.

CRetry the request with a truncated exponential backoff strategy.

DChange the storage class of the Cloud Storage bucket to Multi-regional.

Answer : C

Question 159

What should you do?

CConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.

Answer : A

https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers

(https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id).

https://cloud.google.com/armor/docs/security-policy-overview#:~:text=Google%20Cloud%20Armor%20security%20policies%20enable%20you%20to%20allow%20or,Private%20Cloud%20(VPC)%20networks

Question 160

Your team has created an application that is hosted on a Google Kubernetes Engine (GKE) cluster You need to connect the application to a legacy REST service that is deployed in two GKE clusters in two different regions. You want to connect your application to the legacy service in a way that is resilient and requires the fewest number of steps You also want to be able to run probe-based health checks on the legacy service on a separate port How should you set up the connection?

AUse Traffic Director with a sidecar proxy to connect the application to the service.

BUse a proxyless Traffic Director configuration to connect the application to the service.

CConfigure the legacy service's firewall to allow health checks originating from the proxy.

DConfigure the legacy service's firewall to allow health checks originating from the application.

EConfigure the legacy service's firewall to allow health checks originating from the Traffic Director control plane.

Answer : A, C

https://cloud.google.com/traffic-director/docs/advanced-setup#routing-rule-maps https://cloud.google.com/traffic-director/docs/advanced-setup

A) Using Traffic Director with a sidecar proxy can provide resilience for your application by allowing for failover to the secondary region in the event of an outage. The sidecar proxy can route traffic to the legacy service in either of the two GKE clusters, ensuring high availability. C. Configuring the legacy service's firewall to allow health checks originating from the proxy allows the proxy to periodically check the health of the legacy service and ensure that it is functioning properly. This helps to ensure that traffic is only routed to healthy instances of the legacy service, further improving the resilience of the setup.

Question 161

AEnforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.

BEnforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine
default service account.

Answer : B

Question 162

Your company needs a database solution that stores customer purchase history and meets the following requirements:

Customers can query their purchase immediately after submission.

Purchases can be sorted on a variety of fields.

Distinct record formats can be stored at the same time.

Which storage option satisfies these requirements?

AFirestore in Native mode

BCloud Storage using an object read

CCloud SQL using a SQL SELECT statement

DFirestore in Datastore mode using a global query

Answer : A

Question 163

You have a mixture of packaged and internally developed applications hosted on a Compute Engine instance that is running Linux. These applications write log records as text in local files. You want the logs to be written to Cloud Logging. What should you do?

APipe the content of the files to the Linux Syslog daemon.

BInstall a Google version of fluentd on the Compute Engine instance.

CInstall a Google version of collectd on the Compute Engine instance.

DUsing cron, schedule a job to copy the log files to Cloud Storage once a day.

Answer : B

Question 164

Your application is running in multiple Google Kubernetes Engine clusters. It is managed by a Deployment in each cluster. The Deployment has created multiple replicas of your Pod in each cluster. You want to view the logs sent to stdout for all of the replicas in your Deployment in all clusters. Which command should you use?

Akubectl logs [PARAM]

Bgcloud logging read [PARAM]

Ckubectl exec --it [PARAM] journalctl

Dgcloud compute ssh [PARAM] ---command= ''sudo journalctl''

Answer : D

Question 165

You are developing an application using different microservices that should remain internal to the cluster. You want to be able to configure each microservice with a specific number of replicas. You also want to be able to address a specific microservice from any other microservice in a uniform way, regardless of the number of replicas the microservice scales to. You need to implement this solution on Google Kubernetes Engine. What should you do?

ADeploy each microservice as a Deployment. Expose the Deployment in the cluster using a Service, and use the Service DNS name to address it from other microservices within the cluster.

BDeploy each microservice as a Deployment. Expose the Deployment in the cluster using an Ingress, and use the Ingress IP address to address the Deployment from other microservices within the cluster.

CDeploy each microservice as a Pod. Expose the Pod in the cluster using a Service, and use the Service DNS name to address the microservice from other microservices within the cluster.

DDeploy each microservice as a Pod. Expose the Pod in the cluster using an Ingress, and use the Ingress IP address name to address the Pod from other microservices within the cluster.

Answer : A

Question 166

You work for a web development team at a small startup. Your team is developing a Node.js application using Google Cloud services, including Cloud Storage and Cloud Build. The team uses a Git repository for version control. Your manager calls you over the weekend and instructs you to make an emergency update to one of the company's websites, and you're the only developer available. You need to access Google Cloud to make the update, but you don't have your work laptop. You are not allowed to store source code locally on a non-corporate computer. How should you set up your developer environment?

AUse a text editor and the Git command line to send your source code updates as pull requests from a public computer.

BUse a text editor and the Git command line to send your source code updates as pull requests from a virtual machine running on a public computer.

CUse Cloud Shell and the built-in code editor for development. Send your source code updates as pull requests.

DUse a Cloud Storage bucket to store the source code that you need to edit. Mount the bucket to a public computer as a drive, and use a code editor to update the code. Turn on versioning for the bucket, and point it to the team's Git repository.

Answer : C

https://cloud.google.com/shell/docs

Question 167

AEnable the Vulnerability scanning setting in the Container Registry.

BCreate a Cloud Function that is triggered on a code check-in and scan the code for CVEs.

CDisallow the use of non-commercially supported base images in your development environment.

DUse Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable version has been used.

Answer : A

https://cloud.google.com/container-analysis/docs/os-overview

Question 168

* Zero downtime is incurred

* Testing is fully automated

* Allows for testing before being rolled out to users

* Can quickly rollback if needed

What should you do?

ATrigger a Spinnaker pipeline configured as an A/B test of your new code and, if it is successful, deploy the container to production.

BTrigger a Spinnaker pipeline configured as a canary test of your new code and, if it is successful, deploy the container to production.

CTrigger another Cloud Build job that uses the Kubernetes CLI tools to deploy your new container to your GKE cluster, where you can perform a canary test.

DTrigger another Cloud Build job that uses the Kubernetes CLI tools to deploy your new container to your GKE cluster, where you can perform a shadow test.

Answer : D

Question 169

You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster The application

exposes an HTTP-based health check at /healthz. You want to use this health check endpoint to determine whether traffic should be routed to the pod by the load balancer.

Which code snippet should you include in your Pod configuration?

AOption A

BOption B

COption C

DOption D

Answer : B

For the GKE ingress controller to use your readinessProbes as health checks, the Pods for an Ingress must exist at the time of Ingress creation. If your replicas are scaled to 0, the default health check will apply.

Question 170

AUse Cloud Functions to deploy the microservice.

BUse Cloud Build to create the container, and deploy it on Cloud Run.

CUse Cloud Shell to containerize your microservice. and deploy it on GKE Standard.

DUse Cloud Shell to containerize your microservice. and deploy it on a Container-Optimized OS Compute Engine instance.

Answer : B

Question 171

AAdd the users to their projects, assign the relevant roles to the users, and then provide the users with each relevant Project ID.

BAdd the users to their projects, assign the relevant roles to the users, and then provide the users with each relevant Project Number.

CCreate groups, add the users to their groups, assign the relevant roles to the groups, and then provide the users with each relevant Project ID.

DCreate groups, add the users to their groups, assign the relevant roles to the groups, and then provide the users with each relevant Project Number.

Answer : C

Question 172

AUse the gsutil utility to copy files from within the Docker container at startup, and start the service using an ENTRYPOINT script.

BCreate a PersistentVolumeClaim on the GKE cluster. Access the configuration files from the volume, and start the service using an ENTRYPOINT script.

CUse the COPY statement in the Dockerfile to load the configuration into the container image. Verify that the configuration is available, and start the service using an ENTRYPOINT script.

DAdd a startup script to the GKE instance group to mount the NFS share at node startup. Copy the configuration files into the container, and start the service using an ENTRYPOINT script.

Answer : B

Question 173

Your company is planning to migrate their on-premises Hadoop environment to the cloud. Increasing storage cost and maintenance of data stored in HDFS is a major concern for your company. You also want to make minimal changes to existing data analytics jobs and existing architecture. How should you proceed with the migration?

AMigrate your data stored in Hadoop to BigQuery. Change your jobs to source their information from BigQuery instead of the on-premises Hadoop environment.

BCreate Compute Engine instances with HDD instead of SSD to save costs. Then perform a full migration of your existing environment into the new one in Compute Engine instances.

CCreate a Cloud Dataproc cluster on Google Cloud Platform, and then migrate your Hadoop environment to the new Cloud Dataproc cluster. Move your HDFS data into larger HDD disks to save on storage costs.

DCreate a Cloud Dataproc cluster on Google Cloud Platform, and then migrate your Hadoop code objects to the new cluster. Move your data to Cloud Storage and leverage the Cloud Dataproc connector to run jobs on that data.

Answer : D

Question 174

AStore and retrieve the file contents using Compute Engine instance metadata.

BOutput the file contents to a file in /workspace. Read from the same /workspace file in the subsequent build step.

CUse gsutil to output the file contents to a Cloud Storage object. Read from the same object in the subsequent build step.

DAdd a build argument that runs an HTTP POST via curl to a separate web server to persist the value in one builder. Use an HTTP GET via curl from the subsequent build step to read the value.

Answer : B

https://cloud.google.com/build/docs/build-config-file-schema

Question 175

AManually trigger the build for new releases.

BCreate a build trigger on a Git tag pattern. Use a Git tag convention for new releases.

CCreate a build trigger on a Git branch name pattern. Use a Git branch naming convention for new releases.

DCommit your source code to a second Cloud Source Repositories repository with a second Cloud Build trigger. Use this repository for new releases only.

Answer : C

Question 176

You want to use the Stackdriver Logging Agent to send an application's log file to Stackdriver from a Compute Engine virtual machine instance.

After installing the Stackdriver Logging Agent, what should you do first?

AEnable the Error Reporting API on the project.

BGrant the instance full access to all Cloud APIs.

CConfigure the application log file as a custom source.

DCreate a Stackdriver Logs Export Sink with a filter that matches the application's log entries.

Answer : B

Question 177

Your application stores customers' content in a Cloud Storage bucket, with each object being encrypted with the customer's encryption key. The key for each object in Cloud Storage is entered into your application by the customer. You discover that your application is receiving an HTTP 4xx error when reading the object from Cloud Storage What is a possible cause of this error?

AYou attempted the read operation without the base64-encoded SHA256 hash of the encryption key.

BYou entered the same encryption algorithm specified by the customer when attempting the read operation.

CYou attempted the read operation on the object with the base64-encoded SHA256 hash of the customer's key.

DYou attempted the read operation on the object with the customers base64-encoded key.

Answer : D

Question 178

Which tool should you use?

AStackdriver Trace

BStackdriver Monitoring

CStackdriver Debug Snapshots

DStackdriver Debug Logpoints

Answer : B

1ba49e4780e6

Question 179

AUse the gcloud CLI to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

BEnable Container Analysis, and upload new container images to Artifact Registry. Review the vulnerability results before each deployment.

CEnable Container Analysis, and upload new container images to Artifact Registry. Review the critical vulnerability results before each deployment.

DUse the Container Analysis REST API to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

Answer : D

https://cloud.google.com/container-analysis/docs/automated-scanning-howto

Question 180

ASend the purchase and change requests over WebSockets to the backend.

BSend the purchase and change requests as REST requests to the backend.

CUse a Pub/Sub subscriber in pull mode and use a data store to manage ordering.

DUse a Pub/Sub subscriber in push mode and use a data store to manage ordering.

Answer : C

https://cloud.google.com/pubsub/docs/pull

Question 181

You are developing an internal application that will allow employees to organize community events within your company. You deployed your application on a single Compute Engine instance. Your company uses Google Workspace (formerly G Suite), and you need to ensure that the company employees can authenticate to the application from anywhere. What should you do?

AAdd a public IP address to your instance, and restrict access to the instance using firewall rules. Allow your company's proxy as the only source IP address.

BAdd an HTTP(S) load balancer in front of the instance, and set up Identity-Aware Proxy (IAP). Configure the IAP settings to allow your company domain to access the website.

CSet up a VPN tunnel between your company network and your instance's VPC location on Google Cloud. Configure the required firewall rules and routing information to both the on-premises and Google Cloud networks.

DAdd a public IP address to your instance, and allow traffic from the internet. Generate a random hash, and create a subdomain that includes this hash and points to your instance. Distribute this DNS address to your company's employees.

Answer : B

https://cloud.google.com/blog/topics/developers-practitioners/control-access-your-web-sites-identity-aware-proxy

Question 182

For this question refer to the HipLocal case study.

AMigrate the database to Bigtable and use it to serve all global user traffic.

BMigrate the database to Cloud Spanner and use it to serve all global user traffic.

CMigrate the database to Firestore in Datastore mode and use it to serve all global user traffic.

DMigrate the services to Google Kubernetes Engine and use a load balancer service to better scale the application.

Answer : D

Question 183

ARewrite the application using .NET Core, and deploy to Cloud Run. Use revisions to separate the environments.

BUse Cloud Build to deploy the application as a new Compute Engine image for each build. Use this image in each environment.

CDeploy the application using MS Web Deploy, and make sure to always use the latest, patched MS Windows Server base image in Compute Engine.

DUse Cloud Build to package the application, and deploy to a Google Kubernetes Engine cluster. Use namespaces to separate the environments.

Answer : B

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud#phase_1_rehost_in_the_cloud

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud

Question 184

AEnable the Vulnerability scanning setting in the Container Registry.

BCreate a Cloud Function that is triggered on a code check-in and scan the code for CVEs.

CDisallow the use of non-commercially supported base images in your development environment.

DUse Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable version has been used.

Answer : A

https://cloud.google.com/container-analysis/docs/os-overview

Question 185

You are developing a new application that has the following design requirements:

Creation and changes to the application infrastructure are versioned and auditable.

The application and deployment infrastructure uses Google-managed services as much as possible.

The application runs on a serverless compute platform.

How should you design the application's architecture?

Answer : D

Question 186

You recently deployed your application in Google Kubernetes Engine, and now need to release a new version of your application. You need the ability to instantly roll back to the previous version in case there are issues with the new version. Which deployment model should you use?

APerform a rolling deployment, and test your new application after the deployment is complete.

BPerform A/B testing, and test your application periodically after the new tests are implemented.

CPerform a blue/green deployment, and test your new application after the deployment is. complete.

DPerform a canary deployment, and test your new application periodically after the new version is deployed.

Answer : C

Question 187

AGoogle Cloud Armor

BDebugger

CWeb Security Scanner

DError Reporting

Answer : C

https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview

Question 188

You need to load-test a set of REST API endpoints that are deployed to Cloud Run. The API responds to HTTP POST requests Your load tests must meet the following requirements:

* Load is initiated from multiple parallel threads

* User traffic to the API originates from multiple source IP addresses.

* Load can be scaled up using additional test instances

You want to follow Google-recommended best practices How should you configure the load testing'?

ACreate an image that has cURL installed and configure cURLto run a test plan Deploy the image in a
managed instance group, and run one instance of the image for each VM.

BCreate an image that has cURL installed and configure cURL to run a test plan Deploy the image in an
unmanaged instance group, and run one instance of the image for each VM.

CDeploy a distributed load testing framework on a private Google Kubernetes Engine Cluster Deploy
additional Pods as needed to initiate more traffic and support the number of concurrent users.

DDownload the container image of a distributed load testing framework on Cloud Shell Sequentially start
several instances of the container on Cloud Shell to increase the load on the API.

Answer : C

Question 189

Your company has a BigQuery data mart that provides analytics information to hundreds of employees. One

user of wants to run jobs without interrupting important workloads. This user isn't concerned about the time it

takes to run these jobs. You want to fulfill this request while minimizing cost to the company and the effort

required on your part.

What should you do?

AAsk the user to run the jobs as batch jobs.

BCreate a separate project for the user to run jobs.

CAdd the user as a job.user role in the existing project.

DAllow the user to run jobs when important workloads are not running.

Answer : B

Question 190

For this question, refer to the HipLocal case study.

How should HipLocal increase their API development speed while continuing to provide the QA team with a stable testing environment that meets feature requirements?

AInclude unit tests in their code, and prevent deployments to QA until all tests have a passing status.

BInclude performance tests in their code, and prevent deployments to QA until all tests have a passing status.

CCreate health checks for the QA environment, and redeploy the APIs at a later time if the environment is unhealthy.

DRedeploy the APIs to App Engine using Traffic Splitting. Do not move QA traffic to the new versions if errors are found.

Answer : B

Question 191

You have an HTTP Cloud Function that is called via POST. Each submission's request body has a flat, unnested JSON structure containing numeric and text dat

a. After the Cloud Function completes, the collected data should be immediately available for ongoing and complex analytics by many users in parallel. How should you persist the submissions?

ADirectly persist each POST request's JSON data into Datastore.

BTransform the POST request's JSON data, and stream it into BigQuery.

CTransform the POST request's JSON data, and store it in a regional Cloud SQL cluster.

DPersist each POST request's JSON data as an individual file within Cloud Storage, with the file name containing the request identifier.

Answer : D

Question 192

You are designing a schema for a table that will be moved from MySQL to Cloud Bigtable. The MySQL table is as follows:

How should you design a row key for Cloud Bigtable for this table?

ASet Account_id as a key.

BSet Account_id_Event_timestamp as a key.

CSet Event_timestamp_Account_id as a key.

DSet Event_timestamp as a key.

Answer : C

Question 193

Your development team is using Cloud Build to promote a Node.js application built on App Engine from your staging environment to production. The application relies on several directories of photos stored in a Cloud Storage bucket named webphotos-staging in the staging environment. After the promotion, these photos must be available in a Cloud Storage bucket named webphotos-prod in the production environment. You want to automate the process where possible. What should you do?

Manually copy the photos to webphotos-prod.

Add a startup script in the application's app.yami file to move the photos from webphotos-staging to webphotos-prod.

Add a build step in the cloudbuild.yaml file before the promotion step with the arguments:

AOption A

BOption B

COption C

DOption D

Answer : C

https://cloud.google.com/storage/docs/gsutil/commands/cp

Question 194

Which service should HipLocal use to enable access to internal apps?

ACloud VPN

BCloud Armor

CVirtual Private Cloud

DCloud Identity-Aware Proxy

Answer : D

Question 195

You are developing a JPEG image-resizing API hosted on Google Kubernetes Engine (GKE). Callers of the service will exist within the same GKE cluster. You want clients to be able to get the IP address of the service.

What should you do?

ADefine a GKE Service. Clients should use the name of the A record in Cloud DNS to find the service's
cluster IP address.

BDefine a GKE Service. Clients should use the service name in the URL to connect to the service.

CDefine a GKE Endpoint. Clients should get the endpoint name from the appropriate environment variable in
the client container.

DDefine a GKE Endpoint. Clients should get the endpoint name from Cloud DNS.

Answer : C

Question 196

You have an application controlled by a managed instance group. When you deploy a new version of the application, costs should be minimized and the number of instances should not increase. You want to ensure that, when each new instance is created, the deployment only continues if the new instance is healthy. What should you do?

APerform a rolling-action with maxSurge set to 1, maxUnavailable set to 0.

BPerform a rolling-action with maxSurge set to 0, maxUnavailable set to 1

CPerform a rolling-action with maxHealthy set to 1, maxUnhealthy set to 0.

DPerform a rolling-action with maxHealthy set to 0, maxUnhealthy set to 1.

Answer : A

Question 197

You are building a new API. You want to minimize the cost of storing and reduce the latency of serving

images.

Which architecture should you use?

AApp Engine backed by Cloud Storage

BCompute Engine backed by Persistent Disk

CTransfer Appliance backed by Cloud Filestore

DCloud Content Delivery Network (CDN) backed by Cloud Storage

Answer : B

Question 198

What should you do?

CConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.

Answer : A

https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers

(https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id).

https://cloud.google.com/armor/docs/security-policy-overview#:~:text=Google%20Cloud%20Armor%20security%20policies%20enable%20you%20to%20allow%20or,Private%20Cloud%20(VPC)%20networks

Question 199

You have two tables in an ANSI-SQL compliant database with identical columns that you need to quickly

combine into a single table, removing duplicate rows from the result set.

What should you do?

AUse the JOIN operator in SQL to combine the tables.

BUse nested WITH statements to combine the tables.

CUse the UNION operator in SQL to combine the tables.

DUse the UNION ALL operator in SQL to combine the tables.

Answer : C

Question 200

Your application takes an input from a user and publishes it to the user's contacts. This input is stored in a

table in Cloud Spanner. Your application is more sensitive to latency and less sensitive to consistency.

How should you perform reads from Cloud Spanner for this application?

APerform Read-Only transactions.

BPerform stale reads using single-read methods.

CPerform strong reads using single-read methods.

DPerform stale reads using read-write transactions.

Answer : D

Question 201

HipLocal's.net-based auth service fails under intermittent load.

What should they do?

AUse App Engine for autoscaling.

BUse Cloud Functions for autoscaling.

CUse a Compute Engine cluster for the service.

DUse a dedicated Compute Engine virtual machine instance for the service.

Answer : D

Question 202

You want to notify on-call engineers about a service degradation in production while minimizing development

time.

What should you do?

AUse Cloud Function to monitor resources and raise alerts.

BUse Cloud Pub/Sub to monitor resources and raise alerts.

CUse Stackdriver Error Reporting to capture errors and raise alerts.

DUse Stackdriver Monitoring to monitor resources and raise alerts.

Answer : A

Question 203

You are developing a Java Web Server that needs to interact with Google Cloud services via the Google Cloud API on the user's behalf. Users should be able to authenticate to the Google Cloud API using their Google Cloud identities. Which workflow should you implement in your web application?

A1) When a user arrives at your application, prompt them for their Google username and password.
2) Store an SHA password hash in your application's database along with the user's username.
3) The application authenticates to the Google Cloud API using HTTPs requests with the user's username and password hash in the Authorization request header.

B1) When a user arrives at your application, prompt them for their Google username and password.
2) Forward the user's username and password in an HTTPS request to the Google Cloud authorization server, and request an access token.
3) The Google server validates the user's credentials and returns an access token to the application.
4) The application uses the access token to call the Google Cloud API.

C1) When a user arrives at your application, route them to a Google Cloud consent screen with a list of requested permissions that prompts the user to sign in with SSO to their Google Account.
2) After the user signs in and provides consent, your application receives an authorization code from a Google server.
3) The Google server returns the authorization code to the user, which is stored in the browser's cookies.
4) The user authenticates to the Google Cloud API using the authorization code in the cookie.

D1) When a user arrives at your application, route them to a Google Cloud consent screen with a list of requested permissions that prompts the user to sign in with SSO to their Google Account.
2) After the user signs in and provides consent, your application receives an authorization code from a Google server.
3) The application requests a Google Server to exchange the authorization code with an access token.
4) The Google server responds with the access token that is used by the application to call the Google Cloud API.

Answer : D

https://developers.google.com/identity/protocols/oauth2#webserver

The Google OAuth 2.0 endpoint supports web server applications that use languages and frameworks such as PHP, Java, Python, Ruby, and ASP.NET. The authorization sequence begins when your application redirects a browser to a Google URL; the URL includes query parameters that indicate the type of access being requested. Google handles the user authentication, session selection, and user consent. The result is an authorization code, which the application can exchange for an access token and a refresh token.

Question 204

Users are complaining that your Cloud Run-hosted website responds too slowly during traffic spikes. You want to provide a better user experience during traffic peaks. What should you do?

ARead application configuration and static data from the database on application startup.

BPackage application configuration and static data into the application image during build time.

CPerform as much work as possible in the background after the response has been returned to the user.

DEnsure that timeout exceptions and errors cause the Cloud Run instance to exit quickly so a replacement instance can be started.

Answer : C

Question 205

You work for a financial services company that has a container-first approach. Your team develops microservices applications You have a Cloud Build pipeline that creates a container image, runs regression tests, and publishes the image to Artifact Registry You need to ensure that only containers that have passed the regression tests are deployed to Google Kubernetes Engine (GKE) clusters You have already enabled Binary Authorization on the GKE clusters What should you do next?

ADeploy Voucher Server and Voucher Client Components. After a container image has passed the regression tests, run Voucher Client as a step in the Cloud Build pipeline.

BSet the Pod Security Standard level to Restricted for the relevant namespaces Digitally sign the container
images that have passed the regression tests as a step in the Cloud Build pipeline.

CCreate an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.

DCreate an attestor and a policy Run a vulnerability scan to create an attestation for the container image as a step in the Cloud Build pipeline.

Answer : C

Question 206

AConfigure the Cloud Storage bucket to trigger Cloud Pub/Sub notifications when objects are modified.

BCreate an App Engine application to receive the file; when it is received, publish a message to the Cloud Pub/Sub topic.

CCreate a Cloud Function that is triggered by the Cloud Storage bucket. In the Cloud Function, publish a message to the Cloud Pub/Sub topic.

DCreate an application deployed in a Google Kubernetes Engine cluster to receive the file; when it is received, publish a message to the Cloud Pub/Sub topic.

Answer : C

: https://cloud.google.com/storage/docs/pubsub-notifications

Question 207

AConfigure the application to send the file to the client as an email attachment.

BGenerate and assign a Cloud Storage-signed URL for the file. Make the URL available for the client to download.

CCreate a temporary Cloud Storage bucket with time expiration specified, and give download permissions to the bucket. Copy the file, and send it to the client.

DGenerate the HTTP cookies with time expiration specified. If the time is valid, copy the file from the Cloud Storage bucket, and make the file available for the client to download.

Answer : B

Question 208

AWait 10 minutes, then verify that Trace captures those types of requests automatically.

BWrite a custom script that sends this type of request repeatedly from your dev project.

CUse the Trace API to apply custom attributes to the trace.

DAdd the X-Cloud-Trace-Context header to the request with the appropriate parameters.

Answer : D

https://cloud.google.com/trace/docs/setup#force-trace

Cloud Trace doesn't sample every request. To force a specific request to be traced, add an X-Cloud-Trace-Context header to the request.

Question 209

In order to meet their business requirements, how should HipLocal store their application state?

AUse local SSDs to store state.

BPut a memcache layer in front of MySQL.

CMove the state storage to Cloud Spanner.

DReplace the MySQL instance with Cloud SQL.

Answer : B

Question 210

You want to re-architect a monolithic application so that it follows a microservices model. You want to

accomplish this efficiently while minimizing the impact of this change to the business.

Which approach should you take?

ADeploy the application to Compute Engine and turn on autoscaling.

BReplace the application's features with appropriate microservices in phases.

CRefactor the monolithic application with appropriate microservices in a single effort and deploy it.

DBuild a new application with the appropriate microservices separate from the monolith and replace it when
it is complete.

Answer : C

Question 211

You have two tables in an ANSI-SQL compliant database with identical columns that you need to quickly

combine into a single table, removing duplicate rows from the result set.

What should you do?

AUse the JOIN operator in SQL to combine the tables.

BUse nested WITH statements to combine the tables.

CUse the UNION operator in SQL to combine the tables.

DUse the UNION ALL operator in SQL to combine the tables.

Answer : C

Question 212

You recently developed an application. You need to call the Cloud Storage API from a Compute Engine instance that doesn't have a public IP address. What should you do?

AUse Carrier Peering

BUse VPC Network Peering

CUse Shared VPC networks

DUse Private Google Access

Answer : D

https://cloud.google.com/vpc/docs/private-google-access

Question 213

AStore user data on a Cloud Shell home disk and log in at least every 120 days to prevent its deletion

BStore user data on a persistent disk in a Compute Engine instance

CStore user data m BigQuery tables

DStore user data in a Cloud Storage bucket

Answer : B

Question 214

You have an application running on Google Kubernetes Engine (GKE). The application is currently using a logging library and is outputting to standard output You need to export the logs to Cloud Logging, and you need the logs to include metadata about each request. You want to use the simplest method to accomplish this. What should you do?

AChange your application s logging library to the Cloud Logging library and configure your application to export logs to Cloud Logging

BUpdate your application to output logs in CSV format, and add the necessary metadata to the CSV.

CInstall the Fluent Bit agent on each of your GKE nodes, and have the agent export all logs from /var/ log.

DUpdate your application to output logs in JSON format, and add the necessary metadata to the JSON

Answer : B

Question 215

Your App Engine standard configuration is as follows:

service: production

instance_class: B1

You want to limit the application to 5 instances. Which code snippet should you include in your configuration?

Amanual_scaling:instances: 5min_pending_latency: 30ms

Bmanual_scaling:max_instances: 5idle_timeout: 10m

Cbasic_scaling:instances: 5min_pending_latency: 30ms

Dbasic_scaling:max_instances: 5idle_timeout: 10m

Answer : C

Question 216

You recently deployed a Go application on Google Kubernetes Engine (GKE). The operations team has noticed that the application's CPU usage is high even when there is low production traffic. The operations team has asked you to optimize your application's CPU resource consumption. You want to determine which Go functions consume the largest amount of CPU. What should you do?

ADeploy a Fluent Bit daemonset on the GKE cluster to log data in Cloud Logging. Analyze the logs to get insights into your application code's performance.

BCreate a custom dashboard in Cloud Monitoring to evaluate the CPU performance metrics of your application.

CConnect to your GKE nodes using SSH. Run the top command on the shell to extract the CPU utilization of your application.

DModify your Go application to capture profiling data. Analyze the CPU metrics of your application in flame graphs in Profiler.

Answer : D

https://cloud.google.com/profiler/docs/about-profiler

Cloud Profiler is a statistical, low-overhead profiler that continuously gathers CPU usage and memory-allocation information from your production applications. It attributes that information to the source code that generated it, helping you identify the parts of your application that are consuming the most resources, and otherwise illuminating your applications performance characteristics.

https://cloud.google.com/profiler/docs

Question 217

APlace the unique configuration values in the persistent disk.

BPlace the unique configuration values in a Cloud Bigtable table.

CPlace the unique configuration values in the instance template startup script.

DPlace the unique configuration values in the instance template instance metadata.

Answer : A

Question 218

AGrant the service account BigQuery Data Viewer and BigQuery Job User roles.

BGrant the service account BigQuery Data Editor and BigQuery Data Viewer roles.

CCreate a view in BigQuery from the SQL query and SELECT* from the view in the CLI.

DCreate a new dataset in BigQuery, and copy the source table to the new dataset Query the new dataset and table from the CLI.

Answer : B

Question 219

You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authentication of these services in the cluster following Google-recommended best practices? (Choose two.)

AUse the service account attached to the GKE node.

BEnable Workload Identity in the cluster via the gcloud command-line tool.

CAccess the Google service account keys from a secret management service.

DStore the Google service account keys in a central secret management service.

EUse gcloud to bind the Kubernetes service account and the Google service account using roles/iam.workloadIdentity.

Answer : B, E

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

Question 220

You recently developed a new service on Cloud Run. The new service authenticates using a custom service and then writes transactional information to a Cloud Spanner database. You need to verify that your application can support up to 5,000 read and 1,000 write transactions persecond while identifying any bottlenecks that occur. Your test infrastructure must be able to autoscale. What should you do?

ABuild a test harness to generate requests and deploy it to Cloud Run. Analyze the VPC Flow Logs using Cloud Logging.

BCreate a Google Kubernetes Engine cluster running the Locust or JMeter images to dynamically generate load tests. Analyze the results using Cloud Trace.

CCreate a Cloud Task to generate a test load. Use Cloud Scheduler to run 60,000 Cloud Task transactions perminute for 10minutes. Analyze the results using Cloud Monitoring.

DCreate a Compute Engine instance that uses a LAMP stack image from the Marketplace, and use Apache Bench to generate load tests against the service. Analyze the results using Cloud Trace.

Answer : B

https://cloud.google.com/architecture/distributed-load-testing-using-gke

Question 221

You manage an application that runs in a Compute Engine instance. You also have multiple backend services executing in stand-alone Docker containers running in Compute Engine instances. The Compute Engine instances supporting the backend services are scaled by managed instance groups in multiple regions. You want your calling application to be loosely coupled. You need to be able to invoke distinct service implementations that are chosen based on the value of an HTTP header found in the request. Which Google Cloud feature should you use to invoke the backend services?

ATraffic Director

BService Directory

CAnthos Service Mesh

DInternal HTTP(S) Load Balancing

Answer : D

Question 222

You have an application deployed in Google Kubernetes Engine (GKE). You need to update the application to make authorized requests to Google Cloud managed services. You want this to be a one-time setup, and you need to follow security best practices of auto-rotating your security keys and storing them in an encrypted store. You already created a service account with appropriate access to the Google Cloud service. What should you do next?

AAssign the Google Cloud service account to your GKE Pod using Workload Identity.

BExport the Google Cloud service account, and share it with the Pod as a Kubernetes Secret.

CExport the Google Cloud service account, and embed it in the source code of the application.

DExport the Google Cloud service account, and upload it to HashiCorp Vault to generate a dynamic service account for your application.

Answer : A

https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

Applications running on GKE might need access to Google Cloud APIs such as Compute Engine API, BigQuery Storage API, or Machine Learning APIs.

Workload Identity allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as the IAM service account when accessing Google Cloud APIs. Using Workload Identity allows you to assign distinct, fine-grained identities and authorization for each application in your cluster.

Question 223

AManually trigger the build for new releases.

BCreate a build trigger on a Git tag pattern. Use a Git tag convention for new releases.

CCreate a build trigger on a Git branch name pattern. Use a Git branch naming convention for new releases.

DCommit your source code to a second Cloud Source Repositories repository with a second Cloud Build trigger. Use this repository for new releases only.

Answer : C

Question 224

Your company's development teams want to use Cloud Build in their projects to build and push Docker images

to Container Registry. The operations team requires all Docker images to be published to a centralized,

securely managed Docker registry that the operations team manages.

What should you do?

Answer : A

Question 225

Run gcloud builds submit in the directory that contains the application source code.

Run gcloud run deploy app-name --image gcr.io/$PROJECT_ID/app-name in the directory that contains the application source code.

Run gcloud container images add-tag gcr.io/$PROJECT_ID/app-name gcr.io/$PROJECT_ID/app-name:latest in the directory that contains the application source code.

In the application source directory, create a file named cloudbuild.yaml that contains the following contents:

AOption A

BOption B

COption C

DOption D

EOption E

Answer : A, D

https://cloud.google.com/sdk/gcloud/reference/builds/submit

https://cloud.google.com/artifact-registry/docs/configure-cloud-build

Question 226

Which deployment strategy should you use?

ABlue/green deployment

BCanary deployment

CRolling deployment

DRecreate deployment

Answer : A

Question 227

You have an application in production. It is deployed on Compute Engine virtual machine instances controlled

by a managed instance group. Traffic is routed to the instances via a HTTP(s) load balancer. Your users are

unable to access your application. You want to implement a monitoring technique to alert you when the

application is unavailable.

Which technique should you choose?

ASmoke tests

BStackdriver uptime checks

CCloud Load Balancing - heath checks

DManaged instance group - heath checks

Answer : B

476b8507f59c

Question 228

What should you do?

ADefine a GKE Service. Clients should use the name of the A record in Cloud DNS to find the service's
cluster IP address.

BDefine a GKE Service. Clients should use the service name in the URL to connect to the service.

CDefine a GKE Endpoint. Clients should get the endpoint name from the appropriate environment variable in
the client container.

DDefine a GKE Endpoint. Clients should get the endpoint name from Cloud DNS.

Answer : C

Question 229

AAdd a startup probe.

BIncrease the initial delay for the liveness probe.

CIncrease the CPU limit for the container.

DAdd a readiness probe.

Answer : B

https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes

Question 230

ACreate an object with the name of the subdirectory ending with a trailing slash ('/') that is zero bytes in length.

BCreate an object with the name of the subdirectory, and then immediately delete the object within that subdirectory.

CCreate an object with the name of the subdirectory that is zero bytes in length and has WRITER access control list permission.

DCreate an object with the name of the subdirectory that is zero bytes in length. Set the Content-Type metadata to CLOUDSTORAGE_FOLDER.

Answer : A

https://cloud.google.com/storage/docs/folders

Question 231

You are responsible for deploying a new API. That API will have three different URL paths:

* https://yourcompany.com/students

* https://yourcompany.com/teachers

* https://yourcompany.com/classes

You need to configure each API URL path to invoke a different function in your code. What should you do?

ACreate one Cloud Function as a backend service exposed using an HTTPS load balancer.

BCreate three Cloud Functions exposed directly.

CCreate one Cloud Function exposed directly.

DCreate three Cloud Functions as three backend services exposed using an HTTPS load balancer.

Answer : D

https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-serverless

Question 232

AUse Cloud Functions to deploy the microservice.

BUse Cloud Build to create the container, and deploy it on Cloud Run.

CUse Cloud Shell to containerize your microservice. and deploy it on GKE Standard.

DUse Cloud Shell to containerize your microservice. and deploy it on a Container-Optimized OS Compute Engine instance.

Answer : B

Question 233

Your application performs well when tested locally, but it runs significantly slower when you deploy it to App Engine standard environment. You want to diagnose the problem. What should you do?

AFile a ticket with Cloud Support indicating that the application performs faster locally.

BUse Stackdriver Debugger Snapshots to look at a point-in-time execution of the application.

CUse Stackdriver Trace to determine which functions within the application have higher latency.

DAdd logging commands to the application and use Stackdriver Logging to check where the latency problem occurs.

Answer : D

Question 234

AUse an Ingress that uses the API's URL to route requests to the appropriate backend.

BLeverage a Service Discovery system, and connect to the backend specified by the request.

CUse multiple clusters, and use DNS entries to route requests to separate versioned backends.

DCombine multiple versions in the same service, and then specify the API version in the POST request.

Answer : D

Question 235

You are building a new API. You want to minimize the cost of storing and reduce the latency of serving

images.

Which architecture should you use?

AApp Engine backed by Cloud Storage

BCompute Engine backed by Persistent Disk

CTransfer Appliance backed by Cloud Filestore

DCloud Content Delivery Network (CDN) backed by Cloud Storage

Answer : B

Question 236

Before promoting your new application code to production, you want to conduct testing across a variety of different users. Although this plan is risky, you want to test the new version of the application with production users and you want to control which users are forwarded to the new version of the application based on their operating system. If bugs are discovered in the new version, you want to roll back the newly deployed version of the application as quickly as possible.

What should you do?

ADeploy your application on Cloud Run. Use traffic splitting to direct a subset of user traffic to the new version based on the revision tag.

BDeploy your application on Google Kubernetes Engine with Anthos Service Mesh. Use traffic splitting to direct a subset of user traffic to the new version based on the user-agent header.

CDeploy your application on App Engine. Use traffic splitting to direct a subset of user traffic to the new version based on the IP address.

DDeploy your application on Compute Engine. Use Traffic Director to direct a subset of user traffic to the new version based on predefined weights.

Answer : B

Question 237

You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster. Your application

can scale horizontally, and each instance of your application needs to have a stable network identity and its

own persistent disk.

Which GKE object should you use?

ADeployment

BStatefulSet

CReplicaSet

DReplicaController

Answer : B

Question 238

For this question, refer to the HipLocal case study.

HipLocal is expanding into new locations. They must capture additional data each time the application is launched in a new European country. This is causing delays in the development process due to constant schema changes and a lack of environments for conducting testing on the application changes. How should they resolve the issue while meeting the business requirements?

ACreate new Cloud SQL instances in Europe and North America for testing and deployment. Provide developers with local MySQL instances to conduct testing on the application changes.

BMigrate data to Bigtable. Instruct the development teams to use the Cloud SDK to emulate a local Bigtable development environment.

CMove from Cloud SQL to MySQL hosted on Compute Engine. Replicate hosts across regions in the Americas and Europe. Provide developers with local MySQL instances to conduct testing on the application changes.

DMigrate data to Firestore in Native mode and set up instan

Answer : B

Question 239

HipLocal has connected their Hadoop infrastructure to GCP using Cloud Interconnect in order to query data stored on persistent disks.

Which IP strategy should they use?

ACreate manual subnets.

BCreate an auto mode subnet.

CCreate multiple peered VPCs.

DProvision a single instance for NAT.

Answer : A

Question 240

Your team develops services that run on Google Cloud. You need to build a data processing service and will use Cloud Functions. The data to be processed by the function is sensitive. You need to ensure that invocations can only happen from authorized services and follow Google-recommended best practices for securing functions. What should you do?

AEnable Identity-Aware Proxy in your project. Secure function access using its permissions.

BCreate a service account with the Cloud Functions Viewer role. Use that service account to invoke the function.

CCreate a service account with the Cloud Functions Invoker role. Use that service account to invoke the function.

DCreate an OAuth 2.0 client ID for your calling service in the same project as the function you want to secure. Use those credentials to invoke the function.

Answer : C

Question 241

Your application is deployed in a Google Kubernetes Engine (GKE) cluster. When a new version of your application is released, your CI/CD tool updates the spec.template.spec.containers[0].image value to reference the Docker image of your new application version. When the Deployment object applies the change, you want to deploy at least 1 replica of the new version and maintain the previous replicas until the new replica is healthy.

Which change should you make to the GKE Deployment object shown below?

ASet the Deployment strategy to RollingUpdate with maxSurge set to 0, maxUnavailable set to 1.

BSet the Deployment strategy to RollingUpdate with maxSurge set to 1, maxUnavailable set to 0.

CSet the Deployment strategy to Recreate with maxSurge set to 0, maxUnavailable set to 1.

DSet the Deployment strategy to Recreate with maxSurge set to 1, maxUnavailable set to 0.

Answer : D

Question 242

ADeploy open source Istio in a multi-cluster deployment on multiple Google Kubernetes Engine (GKE) clusters managed by Anthos.

BCreate a GKE cluster in each environment with Anthos, and use Cloud Run for Anthos to deploy your application to each cluster.

CInstall a GKE cluster in each environment with Anthos, and use Cloud Build to create a Deployment for your application in each cluster.

DCreate a GKE cluster in the cloud and install open-source Kubernetes on-premises. Use an external load balancer service to distribute traffic across the two environments.

Answer : B

https://cloud.google.com/anthos/run

Question 243

You are planning to deploy hundreds of microservices in your Google Kubernetes Engine (GKE) cluster. How should you secure communication between the microservices on GKE using a managed service?

AUse global HTTP(S) Load Balancing with managed SSL certificates to protect your services

BDeploy open source Istio in your GKE cluster, and enable mTLS in your Service Mesh

CInstall cert-manager on GKE to automatically renew the SSL certificates.

DInstall Anthos Service Mesh, and enable mTLS in your Service Mesh.

Answer : D

https://cloud.google.com/service-mesh/docs/overview#security_benefits

- Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.

Question 244

AManually trigger the build for new releases.

BCreate a build trigger on a Git tag pattern. Use a Git tag convention for new releases.

CCreate a build trigger on a Git branch name pattern. Use a Git branch naming convention for new releases.

DCommit your source code to a second Cloud Source Repositories repository with a second Cloud Build trigger. Use this repository for new releases only.

Answer : C

Question 245

You need to migrate an internal file upload API with an enforced 500-MB file size limit to App Engine.

What should you do?

AUse FTP to upload files.

BUse CPanel to upload files.

CUse signed URLs to upload files.

DChange the API to be a multipart file upload API.

Answer : C

Question 246

AAdd a public IP address to your instance, and restrict access to the instance using firewall rules. Allow your company's proxy as the only source IP address.

BAdd an HTTP(S) load balancer in front of the instance, and set up Identity-Aware Proxy (IAP). Configure the IAP settings to allow your company domain to access the website.

Answer : B

https://cloud.google.com/blog/topics/developers-practitioners/control-access-your-web-sites-identity-aware-proxy

Question 247

You are deploying your application to a Compute Engine virtual machine instance with the Stackdriver

Monitoring Agent installed. Your application is a unix process on the instance. You want to be alerted if the unix process has not run for at least 5 minutes. You are not able to change the application to generate metrics or logs.

Which alert condition should you configure?

AUptime check

BProcess health

CMetric absence

DMetric threshold

Answer : B

Question 248

You want to use the Stackdriver Logging Agent to send an application's log file to Stackdriver from a Compute Engine virtual machine instance.

After installing the Stackdriver Logging Agent, what should you do first?

AEnable the Error Reporting API on the project.

BGrant the instance full access to all Cloud APIs.

CConfigure the application log file as a custom source.

DCreate a Stackdriver Logs Export Sink with a filter that matches the application's log entries.

Answer : B

Question 249

ADeploy from a source code repository and grant users the roles/cloudfunctions.viewer role.

BDeploy from a source code repository and grant users the roles/cloudfunctions.invoker role

CDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.admin role

DDeploy from your local machine using gcloud and grant users the roles/cloudfunctions.developer role

Answer : C

Question 250

You are designing a deployment technique for your new applications on Google Cloud. As part of your deployment planning, you want to use live traffic to gather performance metrics for both new and existing applications. You need to test against the full production load prior to launch. What should you do?

AUse canary deployment

BUse blue/green deployment

CUse rolling updates deployment

DUse A/B testing with traffic mirroring during deployment

Answer : A

Question 251

Answer : D

https://developers.google.com/identity/protocols/oauth2#webserver

Question 252

AUse the gcloud CLI to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

BEnable Container Analysis, and upload new container images to Artifact Registry. Review the vulnerability results before each deployment.

CEnable Container Analysis, and upload new container images to Artifact Registry. Review the critical vulnerability results before each deployment.

DUse the Container Analysis REST API to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

Answer : D

https://cloud.google.com/container-analysis/docs/automated-scanning-howto

Question 253

You have an application in production. It is deployed on Compute Engine virtual machine instances controlled

by a managed instance group. Traffic is routed to the instances via a HTTP(s) load balancer. Your users are

unable to access your application. You want to implement a monitoring technique to alert you when the

application is unavailable.

Which technique should you choose?

ASmoke tests

BStackdriver uptime checks

CCloud Load Balancing - heath checks

DManaged instance group - heath checks

Answer : B

476b8507f59c

Question 254

You are writing from a Go application to a Cloud Spanner database. You want to optimize your application's performance using Google-recommended best practices. What should you do?

AWrite to Cloud Spanner using Cloud Client Libraries.

BWrite to Cloud Spanner using Google API Client Libraries

CWrite to Cloud Spanner using a custom gRPC client library.

DWrite to Cloud Spanner using a third-party HTTP client library.

Answer : A

https://cloud.google.com/apis/docs/cloud-client-libraries

''Cloud Client Libraries are the recommended option for accessing Cloud APIs programmatically, where available. Cloud Client Libraries use the latest client library models''

https://cloud.google.com/apis/docs/client-libraries-explained

https://cloud.google.com/go/docs/reference

Question 255

You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster. Your application

can scale horizontally, and each instance of your application needs to have a stable network identity and its

own persistent disk.

Which GKE object should you use?

ADeployment

BStatefulSet

CReplicaSet

DReplicaController

Answer : B

Question 256

What should you do?

CConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.

Answer : A

https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers

(https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id).

https://cloud.google.com/armor/docs/security-policy-overview#:~:text=Google%20Cloud%20Armor%20security%20policies%20enable%20you%20to%20allow%20or,Private%20Cloud%20(VPC)%20networks

Question 257

APackage each component in a separate container. Implement readiness and liveness probes.

BPackage the application in a single container. Use a process management tool to manage each component.

CPackage each component in a separate container. Use a script to orchestrate the launch of the components.

DPackage the application in a single container. Use a bash script as an entrypoint to the container, and then spawn each component as a background job.

Answer : A

https://cloud.google.com/blog/products/containers-kubernetes/7-best-practices-for-building-containers

https://cloud.google.com/architecture/best-practices-for-building-containers

Question 258

You want to view the memory usage of your application deployed on Compute Engine. What should you do?

AInstall the Stackdriver Client Library.

BInstall the Stackdriver Monitoring Agent.

CUse the Stackdriver Metrics Explorer.

DUse the Google Cloud Platform Console.

Answer : C

Question 259

You are developing an ecommerce application that stores customer, order, and inventory data as relational tables inside Cloud Spanner. During a recent load test, you discover that Spanner performance is not scaling linearly as expected. Which of the following is the cause?

AThe use of 64-bit numeric types for 32-bit numbers.

BThe use of the STRING data type for arbitrary-precision values.

CThe use of Version 1 UUIDs as primary keys that increase monotonically.

DThe use of LIKE instead of STARTS_WITH keyword for parameterized SQL queries.

Answer : C

Question 260

You are writing a Compute Engine hosted application in project A that needs to securely authenticate to a Cloud Pub/Sub topic in project B.

What should you do?

AConfigure the instances with a service account owned by project B. Add the service account as a Cloud Pub/Sub publisher to project A.

BConfigure the instances with a service account owned by project A. Add the service account as a publisher on the topic.

CConfigure Application Default Credentials to use the private key of a service account owned by project B. Add the service account as a Cloud Pub/Sub publisher to project A.

DConfigure Application Default Credentials to use the private key of a service account owned by project A. Add the service account as a publisher on the topic

Answer : B

https://cloud.google.com/pubsub/docs/access-control

'For example, suppose a service account in Cloud Project A wants to publish messages to a topic in Cloud Project B. You could accomplish this by granting the service account Edit permission in Cloud Project B'

Question 261

You are planning to migrate a MySQL database to the managed Cloud SQL database for Google Cloud. You have Compute Engine virtual machine instances that will connect with this Cloud SQL instance. You do not want to whitelist IPs for the Compute Engine instances to be able to access Cloud SQL.

What should you do?

AEnable private IP for the Cloud SQL instance.

BWhitelist a project to access Cloud SQL, and add Compute Engine instances in the whitelisted project.

CCreate a role in Cloud SQL that allows access to the database from external instances, and assign the
Compute Engine instances to that role.

DCreate a CloudSQL instance on one project. Create Compute engine instances in a different project.
Create a VPN between these two projects to allow internal access to CloudSQL.

Answer : C

Question 262

For this question, refer to the HipLocal case study.

How should HipLocal redesign their architecture to ensure that the application scales to support a large increase in users?

AUse Google Kubernetes Engine (GKE) to run the application as a microservice. Run the MySQL database on a dedicated GKE node.

BUse multiple Compute Engine instances to run MySQL to store state information. Use a Google Cloud-managed load balancer to distribute the load between instances. Use managed instance groups for scaling.

CUse Memorystore to store session information and CloudSQL to store state information. Use a Google Cloud-managed load balancer to distribute the load between instances. Use managed instance groups for scaling.

DUse a Cloud Storage bucket to serve the application as a static website, and use another Cloud Storage bucket to store user state information.

Answer : D

Question 263

Which service should HipLocal use for their public APIs?

ACloud Armor

BCloud Functions

CCloud Endpoints

DShielded Virtual Machines

Answer : D

Question 264

ADeploy a Fluent Bit daemonset on the GKE cluster to log data in Cloud Logging. Analyze the logs to get insights into your application code's performance.

BCreate a custom dashboard in Cloud Monitoring to evaluate the CPU performance metrics of your application.

CConnect to your GKE nodes using SSH. Run the top command on the shell to extract the CPU utilization of your application.

DModify your Go application to capture profiling data. Analyze the CPU metrics of your application in flame graphs in Profiler.

Answer : D

https://cloud.google.com/profiler/docs/about-profiler

https://cloud.google.com/profiler/docs

Question 265

You are building a new API. You want to minimize the cost of storing and reduce the latency of serving

images.

Which architecture should you use?

AApp Engine backed by Cloud Storage

BCompute Engine backed by Persistent Disk

CTransfer Appliance backed by Cloud Filestore

DCloud Content Delivery Network (CDN) backed by Cloud Storage

Answer : B

Question 266

You are designing an application that will subscribe to and receive messages from a single Pub/Sub topic and insert corresponding rows into a database. Your application runs on Linux and leverages preemptible virtual machines to reduce costs. You need to create a shutdown script that will initiate a graceful shutdown. What should you do?

AWrite a shutdown script that uses inter-process signals to notify the application process to disconnect from the database.

BWrite a shutdown script that broadcasts a message to all signed-in users that the Compute Engine instance is going down and instructs them to save current work and sign out.

CWrite a shutdown script that writes a file in a location that is being polled by the application once every five minutes. After the file is read, the application disconnects from the database.

DWrite a shutdown script that publishes a message to the Pub/Sub topic announcing that a shutdown is in progress. After the application reads the message, it disconnects from the database.

Answer : D

Question 267

Your company has a new security initiative that requires all data stored in Google Cloud to be encrypted by customer-managed encryption keys. You plan to use Cloud Key Management Service (KMS) to configure access to the keys. You need to follow the "separation of duties" principle and Google-recommended best practices. What should you do? (Choose two.)

AProvision Cloud KMS in its own project.

BDo not assign an owner to the Cloud KMS project.

CProvision Cloud KMS in the project where the keys are being used.

DGrant the roles/cloudkms.admin role to the owner of the project where the keys from Cloud KMS are being used.

EGrant an owner role for the Cloud KMS project to a different user than the owner of the project where the keys from Cloud KMS are being used.

Answer : A, B

https://cloud.google.com/kms/docs/separation-of-duties#using_separate_project

Question 268

You are developing an application that will be launched on Compute Engine instances into multiple distinct projects, each corresponding to the environments in your software development process (development, QA, staging, and production). The instances in each project have the same application code but a different configuration. During deployment, each instance should receive the application's configuration based on the environment it serves. You want to minimize the number of steps to configure this flow.

What should you do?

AWhen creating your instances, configure a startup script using the gcloud command to determine the project name that indicates the correct environment.

BIn each project, configure a metadata key ''environment'' whose value is the environment it serves. Use your deployment tool to query the instance metadata and configure the application based on the ''environment'' value.

CDeploy your chosen deployment tool on an instance in each project. Use a deployment job to retrieve the appropriate configuration file from your version control system, and apply the configuration when deploying the application on each instance.

DDuring each instance launch, configure an instance custom-metadata key named ''environment'' whose value is the environment the instance serves. Use your deployment tool to query the instance metadata, and configure the application based on the ''environment'' value.

Answer : B

Question 269

You are responsible for deploying a new API. That API will have three different URL paths:

* https://yourcompany.com/students

* https://yourcompany.com/teachers

* https://yourcompany.com/classes

You need to configure each API URL path to invoke a different function in your code. What should you do?

ACreate one Cloud Function as a backend service exposed using an HTTPS load balancer.

BCreate three Cloud Functions exposed directly.

CCreate one Cloud Function exposed directly.

DCreate three Cloud Functions as three backend services exposed using an HTTPS load balancer.

Answer : D

https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-serverless

Question 270

You are creating and running containers across different projects in Google Cloud. The application you are developing needs to access Google Cloud services from within Google Kubernetes Engine (GKE).

What should you do?

AAssign a Google service account to the GKE nodes.

BUse a Google service account to run the Pod with Workload Identity.

CStore the Google service account credentials as a Kubernetes Secret.

DUse a Google service account with GKE role-based access control (RBAC).

Answer : B

https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

Question 271

Which database should HipLocal use for storing user activity?

ABigQuery

BCloud SQL

CCloud Spanner

DCloud Datastore

Answer : A

Question 272

ACreate a new feature branch, and ask the build team to rebuild the image.

BShut down the deployed virtual machine, export the disk, and then mount the disk locally to access the boot logs.

CInstall Packer locally, build the Compute Engine image locally, and then run it in your personal Google Cloud project.

DCheck Compute Engine OS logs using the serial port, and check the Cloud Logging logs to confirm access to the serial port.

Answer : D

https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-using-serial-console

Question 273

ABuild the application in Python with Firestore as the database. Deploy the application to Cloud Run.

BBuild the application in C# with Firestore as the database. Deploy the application to App Engine flexible environment.

CBuild the application in Python with CloudSQL as the database. Deploy the application to App Engine standard environment.

DBuild the application in Python with Firestore as the database. Deploy the application to a Compute Engine managed instance group with autoscaling.

Answer : A

Question 274

Manually copy the photos to webphotos-prod.

Add a startup script in the application's app.yami file to move the photos from webphotos-staging to webphotos-prod.

Add a build step in the cloudbuild.yaml file before the promotion step with the arguments:

AOption A

BOption B

COption C

DOption D

Answer : C

https://cloud.google.com/storage/docs/gsutil/commands/cp

Question 275

ACreate a user-managed service account with a custom Identity and Access Management (IAM) role.

BCreate a user-managed service account with the Storage Admin Identity and Access Management (IAM) role.

CCreate a user-managed service account with the Project Editor Identity and Access Management (IAM) role.

DUse the default service account linked to the Cloud Run revision in production.

Answer : A

https://cloud.google.com/iam/docs/understanding-roles#storage.admin

Question 276

AUse a text editor and the Git command line to send your source code updates as pull requests from a public computer.

BUse a text editor and the Git command line to send your source code updates as pull requests from a virtual machine running on a public computer.

CUse Cloud Shell and the built-in code editor for development. Send your source code updates as pull requests.

Answer : C

https://cloud.google.com/shell/docs

Question 277

AUse Cloud Load Balancing to slowly ramp up traffic between versions. Use Cloud Monitoring to look for performance issues.

BDeploy the application via a continuous delivery pipeline using canary deployments. Use Cloud Monitoring to look for performance issues. and ramp up traffic as the metrics support it.

CDeploy the application via a continuous delivery pipeline using blue/green deployments. Use Cloud Monitoring to look for performance issues, and launch fully when the metrics support it.

Answer : C

https://cloud.google.com/architecture/implementing-deployment-and-testing-strategies-on-gke#perform_a_bluegreen_deployment

Question 278

AConfigure the Cloud Storage bucket to trigger Cloud Pub/Sub notifications when objects are modified.

BCreate an App Engine application to receive the file; when it is received, publish a message to the Cloud Pub/Sub topic.

CCreate a Cloud Function that is triggered by the Cloud Storage bucket. In the Cloud Function, publish a message to the Cloud Pub/Sub topic.

DCreate an application deployed in a Google Kubernetes Engine cluster to receive the file; when it is received, publish a message to the Cloud Pub/Sub topic.

Answer : C

: https://cloud.google.com/storage/docs/pubsub-notifications

Question 279

ARewrite the application using .NET Core, and deploy to Cloud Run. Use revisions to separate the environments.

BUse Cloud Build to deploy the application as a new Compute Engine image for each build. Use this image in each environment.

CDeploy the application using MS Web Deploy, and make sure to always use the latest, patched MS Windows Server base image in Compute Engine.

DUse Cloud Build to package the application, and deploy to a Google Kubernetes Engine cluster. Use namespaces to separate the environments.

Answer : B

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud#phase_1_rehost_in_the_cloud

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud

Question 280

You recently developed a new application. You want to deploy the application on Cloud Run without a Dockerfile. Your organization requires that all container images are pushed to a centrally managed container repository. How should you build your container using Google Cloud services? (Choose two.)

APush your source code to Artifact Registry.

BSubmit a Cloud Build job to push the image.

CUse the pack build command with pack CLI.

DInclude the --source flag with the gcloud run deploy CLI command.

EInclude the --platform=kubernetes flag with the gcloud run deploy CLI command.

Answer : A, C

https://cloud.google.com/run/docs/deploying#images

https://cloud.google.com/blog/products/containers-kubernetes/google-cloud-now-supports-buildpacks

Question 281

ACreate a service to publish messages, and deploy the Pub/Sub emulator. Generate random content in the publishing service, and publish to the emulator.

BCreate a service to publish messages to your application. Collect the messages from Pub/Sub in production, and replay them through the publishing service.

CCreate a service to publish messages, and deploy the Pub/Sub emulator. Collect the messages from Pub/Sub in production, and publish them to the emulator.

DCreate a service to publish messages, and deploy the Pub/Sub emulator. Publish a standard set of testing messages from the publishing service to the emulator.

Answer : D

Question 282

ACloud Run

BCompute Engine

CGoogle Kubernetes Engine

DApp Engine flexible environment

Answer : A

https://cloud.google.com/blog/products/serverless/knative-based-cloud-run-services-are-ga

Question 283

AThe folder structure inside the bucket and object paths have changed.

BThe permissions of the service account's predefined role have changed.

CThe service account key has been rotated but not updated on the application server.

DThe Interconnect link from the on-premises data center to Google Cloud is experiencing a temporary outage.

Answer : C

Question 284

AAdd a public IP address to your instance, and restrict access to the instance using firewall rules. Allow your company's proxy as the only source IP address.

BAdd an HTTP(S) load balancer in front of the instance, and set up Identity-Aware Proxy (IAP). Configure the IAP settings to allow your company domain to access the website.

Answer : B

https://cloud.google.com/blog/topics/developers-practitioners/control-access-your-web-sites-identity-aware-proxy

Question 285

ATraffic Director

BService Directory

CAnthos Service Mesh

DInternal HTTP(S) Load Balancing

Answer : D

Question 286

While testing your application in a browser, you get a 502 Bad Gateway error. You have determined that the application is not connecting to Memorystore. What is the reason for this error?

AYour Memorystore for Redis instance was deployed without a public IP address.

BYou configured your Serverless VPC Access connector in a different region than your App Engine instance.

CThe firewall rule allowing a connection between App Engine and Memorystore was removed during an infrastructure update by the DevOps team.

DYou configured your application to use a Serverless VPC Access connector on a different subnet in a different availability zone than your App Engine instance.

Answer : A

Question 287

Your team develops services that run on Google Kubernetes Engine. Your team's code is stored in Cloud Source Repositories. You need to quickly identify bugs in the code before it is deployed to production. You want to invest in automation to improve developer feedback and make the process as efficient as possible. What should you do?

AUse Spinnaker to automate building container images from code based on Git tags.

BUse Cloud Build to automate building container images from code based on Git tags.

CUse Spinnaker to automate deploying container images to the production environment.

DUse Cloud Build to automate building container images from code based on forked versions.

Answer : A

Question 288

You want to notify on-call engineers about a service degradation in production while minimizing development

time.

What should you do?

AUse Cloud Function to monitor resources and raise alerts.

BUse Cloud Pub/Sub to monitor resources and raise alerts.

CUse Stackdriver Error Reporting to capture errors and raise alerts.

DUse Stackdriver Monitoring to monitor resources and raise alerts.

Answer : A

Question 289

You have written a Cloud Function that accesses other Google Cloud resources. You want to secure the environment using the principle of least privilege. What should you do?

ACreate a new service account that has Editor authority to access the resources. The deployer is given permission to get the access token.

BCreate a new service account that has a custom IAM role to access the resources. The deployer is given permission to get the access token.

CCreate a new service account that has Editor authority to access the resources. The deployer is given permission to act as the new service account.

DCreate a new service account that has a custom IAM role to access the resources. The deployer is given permission to act as the new service account.

Answer : D

Question 290

AEnforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.

BEnforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine
default service account.

Answer : B

Question 291

You are deploying your application to a Compute Engine virtual machine instance with the Stackdriver

Which alert condition should you configure?

AUptime check

BProcess health

CMetric absence

DMetric threshold

Answer : B

Question 292

You are deploying your application to a Compute Engine virtual machine instance. Your application is

configured to write its log files to disk. You want to view the logs in Stackdriver Logging without changing the

application code.

What should you do?

AInstall the Stackdriver Logging Agent and configure it to send the application logs.

BUse a Stackdriver Logging Library to log directly from the application to Stackdriver Logging.

CProvide the log file folder path in the metadata of the instance to configure it to send the application logs.

DChange the application to log to /var/log so that its logs are automatically sent to Stackdriver Logging.

Answer : A

Question 293

What should you do?

ADeploy your application on Cloud Run. Use traffic splitting to direct a subset of user traffic to the new version based on the revision tag.

BDeploy your application on Google Kubernetes Engine with Anthos Service Mesh. Use traffic splitting to direct a subset of user traffic to the new version based on the user-agent header.

CDeploy your application on App Engine. Use traffic splitting to direct a subset of user traffic to the new version based on the IP address.

DDeploy your application on Compute Engine. Use Traffic Director to direct a subset of user traffic to the new version based on predefined weights.

Answer : B

Question 294

In order for HipLocal to store application state and meet their stated business requirements, which database service should they migrate to?

ACloud Spanner

BCloud Datastore

CCloud Memorystore as a cache

DSeparate Cloud SQL clusters for each region

Answer : D

Question 295

AUse the gcloud CLI to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

BEnable Container Analysis, and upload new container images to Artifact Registry. Review the vulnerability results before each deployment.

CEnable Container Analysis, and upload new container images to Artifact Registry. Review the critical vulnerability results before each deployment.

DUse the Container Analysis REST API to call Container Analysis to scan new container images. Review the vulnerability results before each deployment.

Answer : D

https://cloud.google.com/container-analysis/docs/automated-scanning-howto

Question 296

You have two tables in an ANSI-SQL compliant database with identical columns that you need to quickly

combine into a single table, removing duplicate rows from the result set.

What should you do?

AUse the JOIN operator in SQL to combine the tables.

BUse nested WITH statements to combine the tables.

CUse the UNION operator in SQL to combine the tables.

DUse the UNION ALL operator in SQL to combine the tables.

Answer : C

Question 297

AYou attempted the read operation without the base64-encoded SHA256 hash of the encryption key.

BYou entered the same encryption algorithm specified by the customer when attempting the read operation.

CYou attempted the read operation on the object with the base64-encoded SHA256 hash of the customer's key.

DYou attempted the read operation on the object with the customers base64-encoded key.

Answer : D

Question 298

AStore and retrieve the file contents using Compute Engine instance metadata.

BOutput the file contents to a file in /workspace. Read from the same /workspace file in the subsequent build step.

CUse gsutil to output the file contents to a Cloud Storage object. Read from the same object in the subsequent build step.

DAdd a build argument that runs an HTTP POST via curl to a separate web server to persist the value in one builder. Use an HTTP GET via curl from the subsequent build step to read the value.

Answer : B

https://cloud.google.com/build/docs/build-config-file-schema

Question 299

ADeploy Voucher Server and Voucher Client Components. After a container image has passed the regression tests, run Voucher Client as a step in the Cloud Build pipeline.

BSet the Pod Security Standard level to Restricted for the relevant namespaces Digitally sign the container
images that have passed the regression tests as a step in the Cloud Build pipeline.

CCreate an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.

DCreate an attestor and a policy Run a vulnerability scan to create an attestation for the container image as a step in the Cloud Build pipeline.

Answer : C

Question 300

Your company has a BigQuery dataset named "Master" that keeps information about employee travel and

expenses. This information is organized by employee department. That means employees should only be able

to view information for their department. You want to apply a security framework to enforce this requirement

with the minimum number of steps.

What should you do?

ACreate a separate dataset for each department. Create a view with an appropriate WHERE clause to
select records from a particular dataset for the specific department. Authorize this view to access records
from your Master dataset. Give employees the permission to this department-specific dataset.

BCreate a separate dataset for each department. Create a data pipeline for each department to copy
appropriate information from the Master dataset to the specific dataset for the department. Give employees
the permission to this department-specific dataset.

CCreate a dataset named Master dataset. Create a separate view for each department in the Master
dataset. Give employees access to the specific view for their department.

DCreate a dataset named Master dataset. Create a separate table for each department in the Master
dataset. Give employees access to the specific table for their department.

Answer : B

Question 301

You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster The application

exposes an HTTP-based health check at /healthz. You want to use this health check endpoint to determine whether traffic should be routed to the pod by the load balancer.

Which code snippet should you include in your Pod configuration?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 302

You are a developer working on an internal application for payroll processing. You are building a component of the application that allows an employee to submit a timesheet, which then initiates several steps:

* An email is sent to the employee and manager, notifying them that the timesheet was submitted.

* A timesheet is sent to payroll processing for the vendor's API.

* A timesheet is sent to the data warehouse for headcount planning.

These steps are not dependent on each other and can be completed in any order. New steps are being considered and will be implemented by different development teams. Each development team will implement the error handling specific to their step. What should you do?

ADeploy a Cloud Function for each step that calls the corresponding downstream system to complete the required action.

BCreate a Pub/Sub topic for each step. Create a subscription for each downstream development team to subscribe to their step's topic.

CCreate a Pub/Sub topic for timesheet submissions. Create a subscription for each downstream development team to subscribe to the topic.

DCreate a timesheet microservice deployed to Google Kubernetes Engine. The microservice calls each downstream step and waits for a successful response before calling the next step.

Answer : C

Question 303

You recently developed an application. You need to call the Cloud Storage API from a Compute Engine instance that doesn't have a public IP address. What should you do?

AUse Carrier Peering

BUse VPC Network Peering

CUse Shared VPC networks

DUse Private Google Access

Answer : D

https://cloud.google.com/vpc/docs/private-google-access

Question 304

AUse Network Policies to block traffic between applications.

BInstall Istio, enable proxy injection on your application namespace, and then enable mTLS.

CDefine Trusted Network ranges within the application, and configure the applications to allow traffic only from those networks.

DUse an automated process to request SSL Certificates for your applications from Let's Encrypt and add them to your applications.

Answer : D

Question 305

AUse Spinnaker to automate building container images from code based on Git tags.

BUse Cloud Build to automate building container images from code based on Git tags.

CUse Spinnaker to automate deploying container images to the production environment.

DUse Cloud Build to automate building container images from code based on forked versions.

Answer : A

Question 306

You are developing an application hosted on Google Cloud that uses a MySQL relational database schem

AConfigure Cloud SQL to host the database, and import the schema into Cloud SQL.

BDeploy MySQL from the Google Cloud Marketplace to the database using a client, and import the schema.

CConfigure Bigtable to host the database, and import the data into Bigtable.

DConfigure Cloud Spanner to host the database, and import the schema into Cloud Spanner.

EConfigure Firestore to host the database, and import the data into Firestore.

Answer : A

https://cloud.google.com/spanner/docs/migrating-mysql-to-spanner#migration-process

Question 307

You have an HTTP Cloud Function that is called via POST. Each submission's request body has a flat, unnested JSON structure containing numeric and text dat

a. After the Cloud Function completes, the collected data should be immediately available for ongoing and complex analytics by many users in parallel. How should you persist the submissions?

ADirectly persist each POST request's JSON data into Datastore.

BTransform the POST request's JSON data, and stream it into BigQuery.

CTransform the POST request's JSON data, and store it in a regional Cloud SQL cluster.

DPersist each POST request's JSON data as an individual file within Cloud Storage, with the file name containing the request identifier.

Answer : D

Question 308

Answer : D

https://developers.google.com/identity/protocols/oauth2#webserver

Question 309

You are evaluating developer tools to help drive Google Kubernetes Engine adoption and integration with your development environment, which includes VS Code and IntelliJ. What should you do?

AUse Cloud Code to develop applications.

BUse the Cloud Shell integrated Code Editor to edit code and configuration files.

CUse a Cloud Notebook instance to ingest and process data and deploy models.

DUse Cloud Shell to manage your infrastructure and applications from the command line.

Answer : A

Question 310

APerform a rolling-action with maxSurge set to 1, maxUnavailable set to 0.

BPerform a rolling-action with maxSurge set to 0, maxUnavailable set to 1

CPerform a rolling-action with maxHealthy set to 1, maxUnhealthy set to 0.

DPerform a rolling-action with maxHealthy set to 0, maxUnhealthy set to 1.

Answer : A

Question 311

AStore and retrieve the file contents using Compute Engine instance metadata.

BOutput the file contents to a file in /workspace. Read from the same /workspace file in the subsequent build step.

CUse gsutil to output the file contents to a Cloud Storage object. Read from the same object in the subsequent build step.

DAdd a build argument that runs an HTTP POST via curl to a separate web server to persist the value in one builder. Use an HTTP GET via curl from the subsequent build step to read the value.

Answer : B

https://cloud.google.com/build/docs/build-config-file-schema

Question 312

You are designing a schema for a table that will be moved from MySQL to Cloud Bigtable. The MySQL table is as follows:

How should you design a row key for Cloud Bigtable for this table?

ASet Account_id as a key.

BSet Account_id_Event_timestamp as a key.

CSet Event_timestamp_Account_id as a key.

DSet Event_timestamp as a key.

Answer : C

Question 313

Your company has a BigQuery dataset named "Master" that keeps information about employee travel and

expenses. This information is organized by employee department. That means employees should only be able

to view information for their department. You want to apply a security framework to enforce this requirement

with the minimum number of steps.

What should you do?

CCreate a dataset named Master dataset. Create a separate view for each department in the Master
dataset. Give employees access to the specific view for their department.

DCreate a dataset named Master dataset. Create a separate table for each department in the Master
dataset. Give employees access to the specific table for their department.

Answer : B

Question 314

You are running a containerized application on Google Kubernetes Engine. Your container images are stored in Container Registry. Your team uses CI/CD practices. You need to prevent the deployment of containers with known critical vulnerabilities. What should you do?

A* Use Web Security Scanner to automatically crawl your application
* Review your application logs for scan results, and provide an attestation that the container is free of known critical vulnerabilities
* Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed

B* Use Web Security Scanner to automatically crawl your application
* Review the scan results in the scan details page in the Cloud Console, and provide an attestation that the container is free of known critical vulnerabilities
* Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed

C* Enable the Container Scanning API to perform vulnerability scanning
* Review vulnerability reporting in Container Registry in the Cloud Console, and provide an attestation that the container is free of known critical vulnerabilities
* Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed

D* Enable the Container Scanning API to perform vulnerability scanning
* Programmatically review vulnerability reporting through the Container Scanning API, and provide an attestation that the container is free of known critical vulnerabilities
* Use Binary Authorization to implement a policy that forces the attestation to be provided before the container is deployed

Answer : D

https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis

https://cloud.google.com/container-analysis/docs/os-overview

Question 315

ADeploy a Fluent Bit daemonset on the GKE cluster to log data in Cloud Logging. Analyze the logs to get insights into your application code's performance.

BCreate a custom dashboard in Cloud Monitoring to evaluate the CPU performance metrics of your application.

CConnect to your GKE nodes using SSH. Run the top command on the shell to extract the CPU utilization of your application.

DModify your Go application to capture profiling data. Analyze the CPU metrics of your application in flame graphs in Profiler.

Answer : D

https://cloud.google.com/profiler/docs/about-profiler

https://cloud.google.com/profiler/docs

Question 316

Your company needs a database solution that stores customer purchase history and meets the following requirements:

Customers can query their purchase immediately after submission.

Purchases can be sorted on a variety of fields.

Distinct record formats can be stored at the same time.

Which storage option satisfies these requirements?

AFirestore in Native mode

BCloud Storage using an object read

CCloud SQL using a SQL SELECT statement

DFirestore in Datastore mode using a global query

Answer : A

Question 317

Agsutil test --o output.json gs://my-bucket

Bgsutil perfdiag --o output.json gs://my-bucket

Cgcloud compute scp example-instance:~/test-data --o output.json gs://my-bucket

Dgcloud services test --o output.json gs://my-bucket

Answer : B

Question 318

Your application requires service accounts to be authenticated to GCP products via credentials stored on its host Compute Engine virtual machine instances. You want to distribute these credentials to the host instances as securely as possible. What should you do?

AUse HTTP signed URLs to securely provide access to the required resources.

BUse the instance's service account Application Default Credentials to authenticate to the required resources.

CGenerate a P12 file from the GCP Console after the instance is deployed, and copy the credentials to the host instance before starting the application.

DCommit the credential JSON file into your application's source repository, and have your CI/CD process package it with the software that is deployed to the instance.

Answer : B

Question 319

Your team is developing an ecommerce platform for your company. Users will log in to the website and add items to their shopping cart. Users will be automatically logged out after 30minutes of inactivity. When users log back in, their shopping cart should be saved. How should you store users' session and shopping cart information while following Google-recommended best practices?

AStore the session information in Pub/Sub, and store the shopping cart information in Cloud SQL.

BStore the shopping cart information in a file on Cloud Storage where the filename is the SESSION ID.

CStore the session and shopping cart information in a MySQL database running on multiple Compute Engine instances.

DStore the session information in Memorystore for Redis or Memorystore for Memcached, and store the shopping cart information in Firestore.

Answer : D

Question 320

AAdd a public IP address to your instance, and restrict access to the instance using firewall rules. Allow your company's proxy as the only source IP address.

BAdd an HTTP(S) load balancer in front of the instance, and set up Identity-Aware Proxy (IAP). Configure the IAP settings to allow your company domain to access the website.

Answer : B

https://cloud.google.com/blog/topics/developers-practitioners/control-access-your-web-sites-identity-aware-proxy

Question 321

ARewrite the application using .NET Core, and deploy to Cloud Run. Use revisions to separate the environments.

BUse Cloud Build to deploy the application as a new Compute Engine image for each build. Use this image in each environment.

CDeploy the application using MS Web Deploy, and make sure to always use the latest, patched MS Windows Server base image in Compute Engine.

DUse Cloud Build to package the application, and deploy to a Google Kubernetes Engine cluster. Use namespaces to separate the environments.

Answer : B

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud#phase_1_rehost_in_the_cloud

https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud

Question 322

AUse the gsutil utility to copy files from within the Docker container at startup, and start the service using an ENTRYPOINT script.

BCreate a PersistentVolumeClaim on the GKE cluster. Access the configuration files from the volume, and start the service using an ENTRYPOINT script.

CUse the COPY statement in the Dockerfile to load the configuration into the container image. Verify that the configuration is available, and start the service using an ENTRYPOINT script.

DAdd a startup script to the GKE instance group to mount the NFS share at node startup. Copy the configuration files into the container, and start the service using an ENTRYPOINT script.

Answer : B

Question 323

Your team is developing a new application using a PostgreSQL database and Cloud Run. You are responsible for ensuring that all traffic is kept private on Google Cloud. You want to use managed services and follow Google-recommended best practices. What should you do?

A1. Enable Cloud SQL and Cloud Run in the same project.
2. Configure a private IP address for Cloud SQL. Enable private services access.
3. Create a Serverless VPC Access connector.
4. Configure Cloud Run to use the connector to connect to Cloud SQL.

B1. Install PostgreSQL on a Compute Engine virtual machine (VM), and enable Cloud Run in the same project.
2. Configure a private IP address for the VM. Enable private services access.
3. Create a Serverless VPC Access connector.
4. Configure Cloud Run to use the connector to connect to the VM hosting PostgreSQL.

C1. Use Cloud SQL and Cloud Run in different projects.
2. Configure a private IP address for Cloud SQL. Enable private services access.
3. Create a Serverless VPC Access connector.
4. Set up a VPN connection between the two projects. Configure Cloud Run to use the connector to connect to Cloud SQL.

D1. Install PostgreSQL on a Compute Engine VM, and enable Cloud Run in different projects.
2. Configure a private IP address for the VM. Enable private services access.
3. Create a Serverless VPC Access connector.
4. Set up a VPN connection between the two projects. Configure Cloud Run to use the connector to access the VM hosting PostgreSQL

Answer : A

https://cloud.google.com/sql/docs/postgres/connect-run#private-ip

Question 324

Your application performs well when tested locally, but it runs significantly slower when you deploy it to App Engine standard environment. You want to diagnose the problem. What should you do?

AFile a ticket with Cloud Support indicating that the application performs faster locally.

BUse Stackdriver Debugger Snapshots to look at a point-in-time execution of the application.

CUse Stackdriver Trace to determine which functions within the application have higher latency.

DAdd logging commands to the application and use Stackdriver Logging to check where the latency problem occurs.

Answer : D

Question 325

Answer : D

https://developers.google.com/identity/protocols/oauth2#webserver

Question 326

ACreate a service to publish messages, and deploy the Pub/Sub emulator. Generate random content in the publishing service, and publish to the emulator.

BCreate a service to publish messages to your application. Collect the messages from Pub/Sub in production, and replay them through the publishing service.

CCreate a service to publish messages, and deploy the Pub/Sub emulator. Collect the messages from Pub/Sub in production, and publish them to the emulator.

DCreate a service to publish messages, and deploy the Pub/Sub emulator. Publish a standard set of testing messages from the publishing service to the emulator.

Answer : D

Question 327

You want to re-architect a monolithic application so that it follows a microservices model. You want to

accomplish this efficiently while minimizing the impact of this change to the business.

Which approach should you take?

ADeploy the application to Compute Engine and turn on autoscaling.

BReplace the application's features with appropriate microservices in phases.

CRefactor the monolithic application with appropriate microservices in a single effort and deploy it.

DBuild a new application with the appropriate microservices separate from the monolith and replace it when
it is complete.

Answer : C

Question 328

You are creating and running containers across different projects in Google Cloud. The application you are developing needs to access Google Cloud services from within Google Kubernetes Engine (GKE).

What should you do?

AAssign a Google service account to the GKE nodes.

BUse a Google service account to run the Pod with Workload Identity.

CStore the Google service account credentials as a Kubernetes Secret.

DUse a Google service account with GKE role-based access control (RBAC).

Answer : B

https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

Question 329

AReplace your monitoring platform with Cloud Monitoring.

BInstall the Cloud Monitoring agent on your Compute Engine instances.

CMigrate some traffic back to your old platform. Perform A/B testing on the two platforms concurrently.

DUse Cloud Logging and Cloud Monitoring to capture logs, monitor, and send alerts. Send them to your existing platform.

Answer : D

Question 330

What should you do?

CConfigure Cloud Armor Security Policies to restrict access to only corporate IP address ranges. Verify the provided JSON Web Token within the application.

Answer : A

https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers

(https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id).

https://cloud.google.com/armor/docs/security-policy-overview#:~:text=Google%20Cloud%20Armor%20security%20policies%20enable%20you%20to%20allow%20or,Private%20Cloud%20(VPC)%20networks

Question 331

AConfigure the application to check authentication credentials for each HTTP(S) request to the application.

BConfigure Identity-Aware Proxy to allow employees to access the application through its public IP address.

Answer : B

Question 332

Run gcloud builds submit in the directory that contains the application source code.

Run gcloud run deploy app-name --image gcr.io/$PROJECT_ID/app-name in the directory that contains the application source code.

Run gcloud container images add-tag gcr.io/$PROJECT_ID/app-name gcr.io/$PROJECT_ID/app-name:latest in the directory that contains the application source code.

In the application source directory, create a file named cloudbuild.yaml that contains the following contents:

AOption A

BOption B

COption C

DOption D

EOption E

Answer : A, D

https://cloud.google.com/sdk/gcloud/reference/builds/submit

https://cloud.google.com/artifact-registry/docs/configure-cloud-build

Question 333

For this question, refer to the HipLocal case study.

ACreate new Cloud SQL instances in Europe and North America for testing and deployment. Provide developers with local MySQL instances to conduct testing on the application changes.

BMigrate data to Bigtable. Instruct the development teams to use the Cloud SDK to emulate a local Bigtable development environment.

DMigrate data to Firestore in Native mode and set up instan

Answer : B

Question 334

APerform a rolling-action with maxSurge set to 1, maxUnavailable set to 0.

BPerform a rolling-action with maxSurge set to 0, maxUnavailable set to 1

CPerform a rolling-action with maxHealthy set to 1, maxUnhealthy set to 0.

DPerform a rolling-action with maxHealthy set to 0, maxUnhealthy set to 1.

Answer : A

Question 335

The Dockerfile is as follows:

FROM python:3.7-alpine -

COPY . /app -

WORKDIR /app -

RUN pip install -r requirements.txt

CMD [ "gunicorn", "-w 4", "main:app" ]

You notice that Cloud Build runs are taking longer than expected to complete. You want to decrease the build time. What should you do? (Choose two.)

ASelect a virtual machine (VM) size with higher CPU for Cloud Build runs.

BDeploy a Container Registry on a Compute Engine VM in a VPC, and use it to store the final images.

CCache the Docker image for subsequent builds using the -- cache-from argument in your build config file.

DChange the base image in the Dockerfile to ubuntu:latest, and install Python 3.7 using a package manager utility.

EStore application source code on Cloud Storage, and configure the pipeline to use gsutil to download the source code.

Answer : A, C

https://cloud.google.com/build/docs/optimize-builds/increase-vcpu-for-builds

https://cloud.google.com/build/docs/optimize-builds/speeding-up-builds#using_a_cached_docker_image

Question 336

Which service should HipLocal use to enable access to internal apps?

ACloud VPN

BCloud Armor

CVirtual Private Cloud

DCloud Identity-Aware Proxy

Answer : D

Question 337

APush your source code to Artifact Registry.

BSubmit a Cloud Build job to push the image.

CUse the pack build command with pack CLI.

DInclude the --source flag with the gcloud run deploy CLI command.

EInclude the --platform=kubernetes flag with the gcloud run deploy CLI command.

Answer : A, C

https://cloud.google.com/run/docs/deploying#images

https://cloud.google.com/blog/products/containers-kubernetes/google-cloud-now-supports-buildpacks

Question 338

ACreate an object with the name of the subdirectory ending with a trailing slash ('/') that is zero bytes in length.

BCreate an object with the name of the subdirectory, and then immediately delete the object within that subdirectory.

CCreate an object with the name of the subdirectory that is zero bytes in length and has WRITER access control list permission.

DCreate an object with the name of the subdirectory that is zero bytes in length. Set the Content-Type metadata to CLOUDSTORAGE_FOLDER.

Answer : A

https://cloud.google.com/storage/docs/folders

Question 339

APackage each component in a separate container. Implement readiness and liveness probes.

BPackage the application in a single container. Use a process management tool to manage each component.

CPackage each component in a separate container. Use a script to orchestrate the launch of the components.

DPackage the application in a single container. Use a bash script as an entrypoint to the container, and then spawn each component as a background job.

Answer : A

https://cloud.google.com/blog/products/containers-kubernetes/7-best-practices-for-building-containers

https://cloud.google.com/architecture/best-practices-for-building-containers

Question 340

* An email is sent to the employee and manager, notifying them that the timesheet was submitted.

* A timesheet is sent to payroll processing for the vendor's API.

* A timesheet is sent to the data warehouse for headcount planning.

ADeploy a Cloud Function for each step that calls the corresponding downstream system to complete the required action.

BCreate a Pub/Sub topic for each step. Create a subscription for each downstream development team to subscribe to their step's topic.

CCreate a Pub/Sub topic for timesheet submissions. Create a subscription for each downstream development team to subscribe to the topic.

DCreate a timesheet microservice deployed to Google Kubernetes Engine. The microservice calls each downstream step and waits for a successful response before calling the next step.

Answer : C

Question 341

A1) App Engine
2) Pub/Sub
3) BigQuery
4) Firestore

B1) Dataflow
2) Pub/Sub
3) Firestore
4) BigQuery

C1) Pub/Sub
2) Dataflow
3) BigQuery
4) Firestore

D1) Pub/Sub
2) Dataflow
3) Firestore
4) BigQuery

Answer : D

Question 342

AEach group of developers creates a feature branch from the main branch for their work, commits their changes to their branch, and merges their code into the main branch before each major release.

BEach developer commits their code to the main branch before each product release, conducts testing, and rolls back if integration issues are detected.

CEach group of developers copies the repository, commits their changes to their repository, and merges their code into the main repository before each product release.

DEach developer creates a branch for their own work, commits their changes to their branch, and merges their code into the main branch after peer review.

Answer : D

Question 343

AEmbed the appropriate database connection string in the image. Create a different image for each environment.

Answer : D

Question 344

You are evaluating developer tools to help drive Google Kubernetes Engine adoption and integration with your development environment, which includes VS Code and IntelliJ. What should you do?

AUse Cloud Code to develop applications.

BUse the Cloud Shell integrated Code Editor to edit code and configuration files.

CUse a Cloud Notebook instance to ingest and process data and deploy models.

DUse Cloud Shell to manage your infrastructure and applications from the command line.

Answer : A

Question 345

You have deployed an HTTP(s) Load Balancer with the gcloud commands shown below.

Health checks to port 80 on the Compute Engine virtual machine instance are failing and no traffic is sent to your instances. You want to resolve the problem.

Which commands should you run?

Agcloud compute instances add-access-config ${NAME}-backend-instance-1

Bgcloud compute instances add-tags ${NAME}-backend-instance-1 --tags http-server

Cgcloud compute firewall-rules create allow-lb --network load-balancer --allow
tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

Dgcloud compute firewall-rules create allow-lb --network load-balancer --allow
tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

Answer : C

Question 346

Your application is running on Compute Engine and is showing sustained failures for a small number of requests. You have narrowed the cause down to a single Compute Engine instance, but the instance is unresponsive to SSH. What should you do next?

AReboot the machine.

BEnable and check the serial port output.

CDelete the machine and create a new one.

DTake a snapshot of the disk and attach it to a new machine.

Answer : A

Question 347

HipLocal wants to reduce the number of on-call engineers and eliminate manual scaling.

Which two services should they choose? (Choose two.)

AUse Google App Engine services.

BUse serverless Google Cloud Functions.

CUse Knative to build and deploy serverless applications.

DUse Google Kubernetes Engine for automated deployments.

EUse a large Google Compute Engine cluster for deployments.

Answer : B, C

Question 348

You are planning to deploy hundreds of microservices in your Google Kubernetes Engine (GKE) cluster. How should you secure communication between the microservices on GKE using a managed service?

AUse global HTTP(S) Load Balancing with managed SSL certificates to protect your services

BDeploy open source Istio in your GKE cluster, and enable mTLS in your Service Mesh

CInstall cert-manager on GKE to automatically renew the SSL certificates.

DInstall Anthos Service Mesh, and enable mTLS in your Service Mesh.

Answer : D

https://cloud.google.com/service-mesh/docs/overview#security_benefits

- Ensures encryption in transit. Using mTLS for authentication also ensures that all TCP communications are encrypted in transit.

Question 349

Your service adds text to images that it reads from Cloud Storage. During busy times of the year, requests to

Cloud Storage fail with an HTTP 429 "Too Many Requests" status code.

How should you handle this error?

AAdd a cache-control header to the objects.

BRequest a quota increase from the GCP Console.

CRetry the request with a truncated exponential backoff strategy.

DChange the storage class of the Cloud Storage bucket to Multi-regional.

Answer : C

Question 350

AEnable Identity-Aware Proxy in your project. Secure function access using its permissions.

BCreate a service account with the Cloud Functions Viewer role. Use that service account to invoke the function.

CCreate a service account with the Cloud Functions Invoker role. Use that service account to invoke the function.

DCreate an OAuth 2.0 client ID for your calling service in the same project as the function you want to secure. Use those credentials to invoke the function.

Answer : C

Question 351

Users are complaining that your Cloud Run-hosted website responds too slowly during traffic spikes. You want to provide a better user experience during traffic peaks. What should you do?

ARead application configuration and static data from the database on application startup.

BPackage application configuration and static data into the application image during build time.

CPerform as much work as possible in the background after the response has been returned to the user.

DEnsure that timeout exceptions and errors cause the Cloud Run instance to exit quickly so a replacement instance can be started.

Answer : C

Question 352

You are developing an application that consists of several microservices running in a Google Kubernetes Engine cluster. One microservice needs to connect to a third-party database running on-premises. You need to store credentials to the database and ensure that these credentials can be rotated while following security best practices. What should you do?

AStore the credentials in a sidecar container proxy, and use it to connect to the third-party database.

BConfigure a service mesh to allow or restrict traffic from the Pods in your microservice to the database.

CStore the credentials in an encrypted volume mount, and associate a Persistent Volume Claim with the client Pod.

DStore the credentials as a Kubernetes Secret, and use the Cloud Key Management Service plugin to handle encryption and decryption.

Answer : D

https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets

By default, Google Kubernetes Engine (GKE) encrypts customer content stored at rest, including Secrets. GKE handles and manages this default encryption for you without any additional action on your part.

Application-layer secrets encryption provides an additional layer of security for sensitive data, such as Secrets, stored in etcd. Using this functionality, you can use a key managed with Cloud KMS to encrypt data at the application layer. This encryption protects against attackers who gain access to an offline copy of etcd.

Question 353

You made a typo in a low-level Linux configuration file that prevents your Compute Engine instance from booting to a normal run level. You just created the Compute Engine instance today and have done no other maintenance on it, other than tweaking files. How should you correct this error?

ADownload the file using scp, change the file, and then upload the modified version

BConfigure and log in to the Compute Engine instance through SSH, and change the file

CConfigure and log in to the Compute Engine instance through the serial port, and change the file

DConfigure and log in to the Compute Engine instance using a remote desktop client, and change the file

Answer : C

https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-using-serial-console

Question 354

You are developing an application hosted on Google Cloud that uses a MySQL relational database schem

AConfigure Cloud SQL to host the database, and import the schema into Cloud SQL.

BDeploy MySQL from the Google Cloud Marketplace to the database using a client, and import the schema.

CConfigure Bigtable to host the database, and import the data into Bigtable.

DConfigure Cloud Spanner to host the database, and import the schema into Cloud Spanner.

EConfigure Firestore to host the database, and import the data into Firestore.

Answer : A

https://cloud.google.com/spanner/docs/migrating-mysql-to-spanner#migration-process

Question 355

ACloud Run

BCompute Engine

CGoogle Kubernetes Engine

DApp Engine flexible environment

Answer : A

https://cloud.google.com/blog/products/serverless/knative-based-cloud-run-services-are-ga

Question 356

AGrant the service account BigQuery Data Viewer and BigQuery Job User roles.

BGrant the service account BigQuery Data Editor and BigQuery Data Viewer roles.

CCreate a view in BigQuery from the SQL query and SELECT* from the view in the CLI.

DCreate a new dataset in BigQuery, and copy the source table to the new dataset Query the new dataset and table from the CLI.

Answer : B

Question 357

AThe use of 64-bit numeric types for 32-bit numbers.

BThe use of the STRING data type for arbitrary-precision values.

CThe use of Version 1 UUIDs as primary keys that increase monotonically.

DThe use of LIKE instead of STARTS_WITH keyword for parameterized SQL queries.

Answer : C

Question 358

AStore the session information in Pub/Sub, and store the shopping cart information in Cloud SQL.

BStore the shopping cart information in a file on Cloud Storage where the filename is the SESSION ID.

CStore the session and shopping cart information in a MySQL database running on multiple Compute Engine instances.

DStore the session information in Memorystore for Redis or Memorystore for Memcached, and store the shopping cart information in Firestore.

Answer : D

Question 359

ABuild the application in Python with Firestore as the database. Deploy the application to Cloud Run.

BBuild the application in C# with Firestore as the database. Deploy the application to App Engine flexible environment.

CBuild the application in Python with CloudSQL as the database. Deploy the application to App Engine standard environment.

DBuild the application in Python with Firestore as the database. Deploy the application to a Compute Engine managed instance group with autoscaling.

Answer : A

Question 360

You are developing a web application that will be accessible over both HTTP and HTTPS and will run on Compute Engine instances. On occasion, you will need to SSH from your remote laptop into one of the Compute Engine instances to conduct maintenance on the app. How should you configure the instances while following Google-recommended best practices?

ASet up a backend with Compute Engine web server instances with a private IP address behind a TCP proxy load balancer.

BConfigure the firewall rules to allow all ingress traffic to connect to the Compute Engine web servers, with each server having a unique external IP address.

CConfigure Cloud Identity-Aware Proxy API for SSH access. Then configure the Compute Engine servers with private IP addresses behind an HTTP(s) load balancer for the application web traffic.

DSet up a backend with Compute Engine web server instances with a private IP address behind an HTTP(S) load balancer. Set up a bastion host with a public IP address and open firewall ports. Connect to the web instances using the bastion host.

Answer : C

https://cloud.google.com/solutions/connecting-securely#storing_host_keys_by_enabling_guest_attributes

Question 361

You need to redesign the ingestion of audit events from your authentication service to allow it to handle a large increase in traffic. Currently, the audit service and the authentication system run in the same Compute Engine virtual machine. You plan to use the following Google Cloud tools in the new architecture:

Multiple Compute Engine machines, each running an instance of the authentication service

Multiple Compute Engine machines, each running an instance of the audit service

Pub/Sub to send the events from the authentication services.

How should you set up the topics and subscriptions to ensure that the system can handle a large volume of messages and can scale efficiently?

ACreate one Pub/Sub topic. Create one pull subscription to allow the audit services to share the messages.

BCreate one Pub/Sub topic. Create one pull subscription per audit service instance to allow the services to share the messages.

CCreate one Pub/Sub topic. Create one push subscription with the endpoint pointing to a load balancer in front of the audit services.

DCreate one Pub/Sub topic per authentication service. Create one pull subscription per topic to be used by one audit service.

ECreate one Pub/Sub topic per authentication service. Create one push subscription per topic, with the endpoint pointing to one audit service.

Answer : A

https://cloud.google.com/pubsub/docs/subscriber 'Multiple subscribers can make pull calls to the same 'shared' subscription. Each subscriber will receive a subset of the messages.'

Question 362

Your company wants to expand their users outside the United States for their popular application. The

company wants to ensure 99.999% availability of the database for their application and also wants to minimize the read latency for their users across the globe.

Which two actions should they take? (Choose two.)

ACreate a multi-regional Cloud Spanner instance with 'nam-asia-eur1' configuration.

BCreate a multi-regional Cloud Spanner instance with 'nam3' configuration.

CCreate a cluster with at least 3 Spanner nodes.

DCreate a cluster with at least 1 Spanner node.

ECreate a minimum of two Cloud Spanner instances in separate regions with at least one node.

FCreate a Cloud Dataflow pipeline to replicate data across different databases.

Answer : B, F

Question 363

AUse Cloud Functions to deploy the microservice.

BUse Cloud Build to create the container, and deploy it on Cloud Run.

CUse Cloud Shell to containerize your microservice. and deploy it on GKE Standard.

DUse Cloud Shell to containerize your microservice. and deploy it on a Container-Optimized OS Compute Engine instance.

Answer : B

Question 364

You have deployed an HTTP(s) Load Balancer with the gcloud commands shown below.

Health checks to port 80 on the Compute Engine virtual machine instance are failing and no traffic is sent to your instances. You want to resolve the problem.

Which commands should you run?

Agcloud compute instances add-access-config ${NAME}-backend-instance-1

Bgcloud compute instances add-tags ${NAME}-backend-instance-1 --tags http-server

Cgcloud compute firewall-rules create allow-lb --network load-balancer --allow
tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

Dgcloud compute firewall-rules create allow-lb --network load-balancer --allow
tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

Answer : C

Question 365

Your application is deployed in a Google Kubernetes Engine (GKE) cluster. You want to expose this application publicly behind a Cloud Load Balancing HTTP(S) load balancer. What should you do?

AConfigure a GKE Ingress resource.

BConfigure a GKE Service resource.

CConfigure a GKE Ingress resource with type: LoadBalancer.

DConfigure a GKE Service resource with type: LoadBalancer.

Answer : A

Question 366

You are deploying your applications on Compute Engine. One of your Compute Engine instances failed to launch. What should you do? (Choose two.)

ADetermine whether your file system is corrupted.

BAccess Compute Engine as a different SSH user.

CTroubleshoot firewall rules or routes on an instance.

DCheck whether your instance boot disk is completely full.

ECheck whether network traffic to or from your instance is being dropped.

Answer : A, D

https://cloud.google.com/compute/docs/troubleshooting/vm-startup

Question 367

AEmbed the appropriate database connection string in the image. Create a different image for each environment.

Answer : D

Question 368

ADeploy each microservice as a Deployment. Expose the Deployment in the cluster using a Service, and use the Service DNS name to address it from other microservices within the cluster.

BDeploy each microservice as a Deployment. Expose the Deployment in the cluster using an Ingress, and use the Ingress IP address to address the Deployment from other microservices within the cluster.

CDeploy each microservice as a Pod. Expose the Pod in the cluster using a Service, and use the Service DNS name to address the microservice from other microservices within the cluster.

DDeploy each microservice as a Pod. Expose the Pod in the cluster using an Ingress, and use the Ingress IP address name to address the Pod from other microservices within the cluster.

Answer : A

Question 369

AEnable the Vulnerability scanning setting in the Container Registry.

BCreate a Cloud Function that is triggered on a code check-in and scan the code for CVEs.

CDisallow the use of non-commercially supported base images in your development environment.

DUse Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable version has been used.

Answer : A

https://cloud.google.com/container-analysis/docs/os-overview

Question 370

You are developing an application that will allow users to read and post comments on news articles. You want to configure your application to store and display user-submitted comments using Firestore. How should you design the schema to support an unknown number of comments and articles?

AStore each comment in a subcollection of the article.

BAdd each comment to an array property on the article.

CStore each comment in a document, and add the comment's key to an array property on the article.

DStore each comment in a document, and add the comment's key to an array property on the user profile.

Answer : D

Question 371

ACreate a collection for the rooms. For each room, create a document that lists the contents of the messages

BCreate a collection for the rooms. For each room, create a collection that contains a document for each message

CCreate a collection for the rooms. For each room, create a document that contains a collection for documents, each of which contains a message.

Answer : C

https://firebase.google.com/docs/firestore/data-model#hierarchical-data

Question 372

What should you do?

ADeploy your application on Cloud Run. Use traffic splitting to direct a subset of user traffic to the new version based on the revision tag.

BDeploy your application on Google Kubernetes Engine with Anthos Service Mesh. Use traffic splitting to direct a subset of user traffic to the new version based on the user-agent header.

CDeploy your application on App Engine. Use traffic splitting to direct a subset of user traffic to the new version based on the IP address.

DDeploy your application on Compute Engine. Use Traffic Director to direct a subset of user traffic to the new version based on predefined weights.

Answer : B

Question 373

AEach group of developers creates a feature branch from the main branch for their work, commits their changes to their branch, and merges their code into the main branch before each major release.

BEach developer commits their code to the main branch before each product release, conducts testing, and rolls back if integration issues are detected.

CEach group of developers copies the repository, commits their changes to their repository, and merges their code into the main repository before each product release.

DEach developer creates a branch for their own work, commits their changes to their branch, and merges their code into the main branch after peer review.

Answer : D

Question 374

Which deployment strategy should you use?

ABlue/green deployment

BCanary deployment

CRolling deployment

DRecreate deployment

Answer : A

Question 375

Answer : B

Question 376

You need to deploy a new European version of a website hosted on Google Kubernetes Engine. The current and new websites must be accessed via the same HTTP(S) load balancer's external IP address, but have different domain names. What should you do?

ADefine a new Ingress resource with a host rule matching the new domain

BModify the existing Ingress resource with a host rule matching the new domain

CCreate a new Service of type LoadBalancer specifying the existing IP address as the loadBalancerIP

DGenerate a new Ingress resource and specify the existing IP address as the kubernetes.io/ingress.global-static-ip-name annotation value

Answer : B

https://kubernetes.io/docs/concepts/services-networking/ingress/#name-based-virtual-hosting Name-based virtual hosts support routing HTTP traffic to multiple host names at the same IP address.

Question 377

A1) App Engine
2) Pub/Sub
3) BigQuery
4) Firestore

B1) Dataflow
2) Pub/Sub
3) Firestore
4) BigQuery

C1) Pub/Sub
2) Dataflow
3) BigQuery
4) Firestore

D1) Pub/Sub
2) Dataflow
3) Firestore
4) BigQuery

Answer : D

Question 378

ACreate a user-managed service account with a custom Identity and Access Management (IAM) role.

BCreate a user-managed service account with the Storage Admin Identity and Access Management (IAM) role.

CCreate a user-managed service account with the Project Editor Identity and Access Management (IAM) role.

DUse the default service account linked to the Cloud Run revision in production.

Answer : A

https://cloud.google.com/iam/docs/understanding-roles#storage.admin

Question 379

You want to re-architect a monolithic application so that it follows a microservices model. You want to

accomplish this efficiently while minimizing the impact of this change to the business.

Which approach should you take?

ADeploy the application to Compute Engine and turn on autoscaling.

BReplace the application's features with appropriate microservices in phases.

CRefactor the monolithic application with appropriate microservices in a single effort and deploy it.

DBuild a new application with the appropriate microservices separate from the monolith and replace it when
it is complete.

Answer : C

Question 380

* An email is sent to the employee and manager, notifying them that the timesheet was submitted.

* A timesheet is sent to payroll processing for the vendor's API.

* A timesheet is sent to the data warehouse for headcount planning.

ADeploy a Cloud Function for each step that calls the corresponding downstream system to complete the required action.

BCreate a Pub/Sub topic for each step. Create a subscription for each downstream development team to subscribe to their step's topic.

CCreate a Pub/Sub topic for timesheet submissions. Create a subscription for each downstream development team to subscribe to the topic.

DCreate a timesheet microservice deployed to Google Kubernetes Engine. The microservice calls each downstream step and waits for a successful response before calling the next step.

Answer : C

Question 381

ASend the purchase and change requests over WebSockets to the backend.

BSend the purchase and change requests as REST requests to the backend.

CUse a Pub/Sub subscriber in pull mode and use a data store to manage ordering.

DUse a Pub/Sub subscriber in push mode and use a data store to manage ordering.

Answer : C

https://cloud.google.com/pubsub/docs/pull

Question 382

HipLocal wants to reduce the number of on-call engineers and eliminate manual scaling.

Which two services should they choose? (Choose two.)

AUse Google App Engine services.

BUse serverless Google Cloud Functions.

CUse Knative to build and deploy serverless applications.

DUse Google Kubernetes Engine for automated deployments.

EUse a large Google Compute Engine cluster for deployments.

Answer : B, C

Question 383

APackage each component in a separate container. Implement readiness and liveness probes.

BPackage the application in a single container. Use a process management tool to manage each component.

CPackage each component in a separate container. Use a script to orchestrate the launch of the components.

DPackage the application in a single container. Use a bash script as an entrypoint to the container, and then spawn each component as a background job.

Answer : A

https://cloud.google.com/blog/products/containers-kubernetes/7-best-practices-for-building-containers

https://cloud.google.com/architecture/best-practices-for-building-containers

Question 384

You have an application deployed in production. When a new version is deployed, some issues don't arise until the application receives traffic from users in production. You want to reduce both the impact and the number of users affected.

Which deployment strategy should you use?

ABlue/green deployment

BCanary deployment

CRolling deployment

DRecreate deployment

Answer : A

Question 385

You need to load-test a set of REST API endpoints that are deployed to Cloud Run. The API responds to HTTP POST requests Your load tests must meet the following requirements:

* Load is initiated from multiple parallel threads

* User traffic to the API originates from multiple source IP addresses.

* Load can be scaled up using additional test instances

You want to follow Google-recommended best practices How should you configure the load testing'?

ACreate an image that has cURL installed and configure cURLto run a test plan Deploy the image in a
managed instance group, and run one instance of the image for each VM.

BCreate an image that has cURL installed and configure cURL to run a test plan Deploy the image in an
unmanaged instance group, and run one instance of the image for each VM.

CDeploy a distributed load testing framework on a private Google Kubernetes Engine Cluster Deploy
additional Pods as needed to initiate more traffic and support the number of concurrent users.

DDownload the container image of a distributed load testing framework on Cloud Shell Sequentially start
several instances of the container on Cloud Shell to increase the load on the API.

Answer : C

Question 386

Your application performs well when tested locally, but it runs significantly slower when you deploy it to App Engine standard environment. You want to diagnose the problem. What should you do?

AFile a ticket with Cloud Support indicating that the application performs faster locally.

BUse Stackdriver Debugger Snapshots to look at a point-in-time execution of the application.

CUse Stackdriver Trace to determine which functions within the application have higher latency.

DAdd logging commands to the application and use Stackdriver Logging to check where the latency problem occurs.

Answer : D

Question 387

You are using the Cloud Client Library to upload an image in your application to Cloud Storage. Users of the application report that occasionally the upload does not complete and the client library reports an HTTP 504 Gateway Timeout error. You want to make the application more resilient to errors. What changes to the application should you make?

AWrite an exponential backoff process around the client library call.

BWrite a one-second wait time backoff process around the client library call.

CDesign a retry button in the application and ask users to click if the error occurs.

DCreate a queue for the object and inform the users that the application will try again in 10 minutes.

Answer : A

Question 388

Your teammate has asked you to review the code below. Its purpose is to efficiently add a large number of small rows to a BigQuery table.

Which improvement should you suggest your teammate make?

AInclude multiple rows with each request.

BPerform the inserts in parallel by creating multiple threads.

CWrite each row to a Cloud Storage object, then load into BigQuery.

DWrite each row to a Cloud Storage object in parallel, then load into BigQuery.

Answer : B

Question 389

AConfigure the application to check authentication credentials for each HTTP(S) request to the application.

BConfigure Identity-Aware Proxy to allow employees to access the application through its public IP address.

Answer : B

Question 390

AA Kubernetes NetworkPolicy resource is blocking HTTP traffic between the Pods.

BThe Pod initiating the HTTP requests is attempting to connect to the target Pod via an incorrect TCP port.

CThe Authorization Policy of your cluster is blocking HTTP requests for specific paths within your application.

DThe cluster has mTLS configured in permissive mode, but the Pod's sidecar proxy is sending unencrypted traffic in plain text.

Answer : C

Question 391

ACreate a new feature branch, and ask the build team to rebuild the image.

BShut down the deployed virtual machine, export the disk, and then mount the disk locally to access the boot logs.

CInstall Packer locally, build the Compute Engine image locally, and then run it in your personal Google Cloud project.

DCheck Compute Engine OS logs using the serial port, and check the Cloud Logging logs to confirm access to the serial port.

Answer : D

https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-using-serial-console

Question 392

Answer : A

https://cloud.google.com/sql/docs/postgres/connect-run#private-ip

Question 393

Manually copy the photos to webphotos-prod.

Add a startup script in the application's app.yami file to move the photos from webphotos-staging to webphotos-prod.

Add a build step in the cloudbuild.yaml file before the promotion step with the arguments:

AOption A

BOption B

COption C

DOption D

Answer : C

https://cloud.google.com/storage/docs/gsutil/commands/cp

Question 394

You developed a JavaScript web application that needs to access Google Drive's API and obtain permission from users to store files in their Google Drives. You need to select an authorization approach for your application. What should you do?

ACreate an API key.

BCreate a SAML token.

CCreate a service account.

DCreate an OAuth Client ID.

Answer : D

Question 395

ADeploy each microservice as a Deployment. Expose the Deployment in the cluster using a Service, and use the Service DNS name to address it from other microservices within the cluster.

BDeploy each microservice as a Deployment. Expose the Deployment in the cluster using an Ingress, and use the Ingress IP address to address the Deployment from other microservices within the cluster.

CDeploy each microservice as a Pod. Expose the Pod in the cluster using a Service, and use the Service DNS name to address the microservice from other microservices within the cluster.

DDeploy each microservice as a Pod. Expose the Pod in the cluster using an Ingress, and use the Ingress IP address name to address the Pod from other microservices within the cluster.

Answer : A

Question 396

AManually trigger the build for new releases.

BCreate a build trigger on a Git tag pattern. Use a Git tag convention for new releases.

CCreate a build trigger on a Git branch name pattern. Use a Git branch naming convention for new releases.

DCommit your source code to a second Cloud Source Repositories repository with a second Cloud Build trigger. Use this repository for new releases only.

Answer : C

Question 397

Your company's corporate policy states that there must be a copyright comment at the very beginning of all source files. You want to write a custom step in Cloud Build that is triggered by each source commit. You need the trigger to validate that the source contains a copyright and add one for subsequent steps if not there. What should you do?

ABuild a new Docker container that examines the files in /workspace and then checks and adds a copyright for each source file. Changed files are explicitly committed back to the source repository.

BBuild a new Docker container that examines the files in /workspace and then checks and adds a copyright for each source file. Changed files do not need to be committed back to the source repository.

CBuild a new Docker container that examines the files in a Cloud Storage bucket and then checks and adds a copyright for each source file. Changed files are written back to the Cloud Storage bucket.

DBuild a new Docker container that examines the files in a Cloud Storage bucket and then checks and adds a copyright for each source file. Changed files are explicitly committed back to the source repository.

Answer : A

https://cloud.google.com/build/docs/configuring-builds/pass-data-between-steps#passing_data_using_workspaces

To pass data between build steps, store the assets produced by the build step in /workspace and these assets will be available to any subsequent build steps.

Question 398

ADeploy a Vertical Pod Autoscaler, and scale based on the CPU load.

BDeploy a Vertical Pod Autoscaler, and scale based on a custom metric.

CDeploy a Horizontal Pod Autoscaler, and scale based on the CPU toad.

DDeploy a Horizontal Pod Autoscaler, and scale based on a custom metric.

Answer : C

https://cloud.google.com/kubernetes-engine/docs/concepts/horizontalpodautoscaler

Question 399

AEnforce signed URLs for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine default service account.

BEnforce public access prevention for the desired bucket. Grant the Storage Object Viewer IAM role on the bucket to the Compute Engine
default service account.

Answer : B

Question 400

Answer : D

https://developers.google.com/identity/protocols/oauth2#webserver

Question 401

Your API backend is running on multiple cloud providers. You want to generate reports for the network latency of your API.

Which two steps should you take? (Choose two.)

AUse Zipkin collector to gather data.

BUse Fluentd agent to gather data.

CUse Stackdriver Trace to generate reports.

DUse Stackdriver Debugger to generate report.

EUse Stackdriver Profiler to generate report.

Answer : A, C

https://cloud.google.com/trace/docs/zipkin

'receive traces from Zipkin clients and forward those traces to Cloud Trace for analysis.'

https://cloud.google.com/trace/docs/quickstart#analysis_reports_window

Question 402

AStore the session information in Pub/Sub, and store the shopping cart information in Cloud SQL.

BStore the shopping cart information in a file on Cloud Storage where the filename is the SESSION ID.

CStore the session and shopping cart information in a MySQL database running on multiple Compute Engine instances.

DStore the session information in Memorystore for Redis or Memorystore for Memcached, and store the shopping cart information in Firestore.

Answer : D

Question 403

ASet the Max Surge to 100%.

BSet the Update mode to Opportunistic.

CSet the Maximum Unavailable to 100%.

DSet the Minimum Wait time to 0 seconds.

Answer : B

Question 404

AConfigure Cloud Build to deploy the Cloud Function. If the code passes the tests, a deployment approval is sent to you.

BConfigure Cloud Build to deploy the Cloud Function, using the specific service account as the build agent. Run the unit tests after successful deployment.

CConfigure Cloud Build to run the unit tests. If the code passes the tests, the developer deploys the Cloud Function.

DConfigure Cloud Build to run the unit tests, using the specific service account as the build agent. If the code passes the tests, Cloud Build deploys the Cloud Function.

Answer : D

Question 405

AStore each comment in a subcollection of the article.

BAdd each comment to an array property on the article.

CStore each comment in a document, and add the comment's key to an array property on the article.

DStore each comment in a document, and add the comment's key to an array property on the user profile.

Answer : D

Question 406

What should you do?

ADefine a GKE Service. Clients should use the name of the A record in Cloud DNS to find the service's
cluster IP address.

BDefine a GKE Service. Clients should use the service name in the URL to connect to the service.

CDefine a GKE Endpoint. Clients should get the endpoint name from the appropriate environment variable in
the client container.

DDefine a GKE Endpoint. Clients should get the endpoint name from Cloud DNS.

Answer : C

Question 407

AUse a text editor and the Git command line to send your source code updates as pull requests from a public computer.

BUse a text editor and the Git command line to send your source code updates as pull requests from a virtual machine running on a public computer.

CUse Cloud Shell and the built-in code editor for development. Send your source code updates as pull requests.

Answer : C

https://cloud.google.com/shell/docs

Question 408

Answer : B

Question 409

Your App Engine standard configuration is as follows:

service: production

instance_class: B1

You want to limit the application to 5 instances. Which code snippet should you include in your configuration?

Amanual_scaling:instances: 5min_pending_latency: 30ms

Bmanual_scaling:max_instances: 5idle_timeout: 10m

Cbasic_scaling:instances: 5min_pending_latency: 30ms

Dbasic_scaling:max_instances: 5idle_timeout: 10m

Answer : C

Question 410

ACreate an object with the name of the subdirectory ending with a trailing slash ('/') that is zero bytes in length.

BCreate an object with the name of the subdirectory, and then immediately delete the object within that subdirectory.

CCreate an object with the name of the subdirectory that is zero bytes in length and has WRITER access control list permission.

DCreate an object with the name of the subdirectory that is zero bytes in length. Set the Content-Type metadata to CLOUDSTORAGE_FOLDER.

Answer : A

https://cloud.google.com/storage/docs/folders

Question 411

You are developing an online gaming platform as a microservices application on Google Kubernetes Engine (GKE). Users on social media are complaining about long loading times for certain URL requests to the application. You need to investigate performance bottlenecks in the application and identify which HTTP requests have a significantly high latency span in user requests. What should you do9

AUpdate your microservices lo log HTTP request methods and URL paths to STDOUT Use the logs router to send container logs to Cloud Logging. Create fillers in Cloud Logging to evaluate the latency of user requests across different methods and URL paths.

BInstall tcpdiimp on your GKE nodes. Run tcpdunm-- to capture network traffic over an extended period of time to collect data. Analyze the
data files using Wireshark to determine the cause of high latency

CInstrument your microservices by installing the Open Telemetry tracing package. Update your application code to send traces to Trace for inspection and analysis. Create an analysis report on Trace to analyze user requests

DConfigure GKE workload metrics using kubect1. Select all Pods to send their metrics to Cloud Monitoring. Create a custom dashboard of application metrics in Cloud Monitoring to determine performance bottlenecks of your GKE cluster.

Answer : D

Question 412

AChange the application to accept images directly and store them in the database that stores other user information.

BChange the application to create signed URLs for Cloud Storage. Transfer these signed URLs to the client application to upload images to Cloud Storage.

CSet up a web server on GCP to accept user images and create a file store to keep uploaded files. Change the application to retrieve images from the file store.

Answer : B

Question 413

ACreate an API key.

BCreate a SAML token.

CCreate a service account.

DCreate an OAuth Client ID.

Answer : D

Question 414

What should you do?

AWhen creating your instances, configure a startup script using the gcloud command to determine the project name that indicates the correct environment.

Answer : B

Question 415

ALeave the original Cloud Function as-is and deploy a second Cloud Function with the new API. Use a load balancer to distribute calls between the versions.

BLeave the original Cloud Function as-is and deploy a second Cloud Function that includes only the changed API. Calls are automatically routed to the correct function.

CLeave the original Cloud Function as-is and deploy a second Cloud Function with the new API. Use Cloud Endpoints to provide an API gateway that exposes a versioned API.

DRe-deploy the Cloud Function after making code changes to support the new API. Requests for both versions of the API are fulfilled based on a version identifier included in the call.

Answer : D

Question 416

AUse Traffic Director with a sidecar proxy to connect the application to the service.

BUse a proxyless Traffic Director configuration to connect the application to the service.

CConfigure the legacy service's firewall to allow health checks originating from the proxy.

DConfigure the legacy service's firewall to allow health checks originating from the application.

EConfigure the legacy service's firewall to allow health checks originating from the Traffic Director control plane.

Answer : A, C

https://cloud.google.com/traffic-director/docs/advanced-setup#routing-rule-maps https://cloud.google.com/traffic-director/docs/advanced-setup

Question 417

HipLocal's.net-based auth service fails under intermittent load.

What should they do?

AUse App Engine for autoscaling.

BUse Cloud Functions for autoscaling.

CUse a Compute Engine cluster for the service.

DUse a dedicated Compute Engine virtual machine instance for the service.

Answer : D

Question 418

You are using Cloud Run to host a web application. You need to securely obtain the application project ID and region where the application is running and display this information to users. You want to use the most performant approach. What should you do?

AUse HTTP requests to query the available metadata server at the http://metadata.google.internal/ endpoint with the Metadata-Flavor: Google header.

BIn the Google Cloud console, navigate to the Project Dashboard and gather configuration details. Navigate to the Cloud Run ''Variables & Secrets'' tab, and add the desired environment variables in Key:Value format.

CIn the Google Cloud console, navigate to the Project Dashboard and gather configuration details. Write the application configuration information to Cloud Run's in-memory container filesystem.

DMake an API call to the Cloud Asset Inventory API from the application and format the request to include instance metadata.

Answer : B

Question 419

AUse the HBase API, Redis API, and MySQL connection to retrieve database lists. Combine the results, and then apply the filter to display the results

BUse the HBase API, Redis API, and MySQL connection to retrieve database lists. Filter the results individually, and then combine them to display the results

CRun gcloud bigtable instances list, gcloud redis instances list, and gcloud sql databases list. Use a filter within the application, and then display the results

DRun gcloud bigtable instances list, gcloud redis instances list, and gcloud sql databases list. Use --filter flag with each command, and then display the results

Answer : D

https://cloud.google.com/sdk/gcloud/reference/topic/filters

Question 420

For this question, refer to the HipLocal case study.

ACreate new Cloud SQL instances in Europe and North America for testing and deployment. Provide developers with local MySQL instances to conduct testing on the application changes.

BMigrate data to Bigtable. Instruct the development teams to use the Cloud SDK to emulate a local Bigtable development environment.

DMigrate data to Firestore in Native mode and set up instan

Answer : B

Question 421

Your application is deployed in a Google Kubernetes Engine (GKE) cluster. You want to expose this application publicly behind a Cloud Load Balancing HTTP(S) load balancer. What should you do?

AConfigure a GKE Ingress resource.

BConfigure a GKE Service resource.

CConfigure a GKE Ingress resource with type: LoadBalancer.

DConfigure a GKE Service resource with type: LoadBalancer.

Answer : A

Question 422

You are designing a schema for a Cloud Spanner customer database. You want to store a phone number array field in a customer table. You also want to allow users to search customers by phone number. How should you design this schema?

ACreate a table named Customers. Add an Array field in a table that will hold phone numbers for the customer.

BCreate a table named Customers. Create a table named Phones. Add a CustomerId field in the Phones table to find the CustomerId from a phone number.

CCreate a table named Customers. Add an Array field in a table that will hold phone numbers for the customer. Create a secondary index on the Array field.

DCreate a table named Customers as a parent table. Create a table named Phones, and interleave this table into the Customer table. Create an index on the phone number field in the Phones table.

Answer : C

Question 423

You are using Cloud Build to build and test application source code stored in Cloud Source Repositories. The

build process requires a build tool not available in the Cloud Build environment.

What should you do?

ADownload the binary from the internet during the build process.

BBuild a custom cloud builder image and reference the image in your build steps.

CInclude the binary in your Cloud Source Repositories repository and reference it in your build scripts.

DAsk to have the binary added to the Cloud Build environment by filing a feature request against the Cloud
Build public Issue Tracker.

Answer : B

Question 424

AThe use of 64-bit numeric types for 32-bit numbers.

BThe use of the STRING data type for arbitrary-precision values.

CThe use of Version 1 UUIDs as primary keys that increase monotonically.

DThe use of LIKE instead of STARTS_WITH keyword for parameterized SQL queries.

Answer : C

Question 425

Answer : D

https://developers.google.com/identity/protocols/oauth2#webserver

Question 426

ACreate a user-managed service account with a custom Identity and Access Management (IAM) role.

BCreate a user-managed service account with the Storage Admin Identity and Access Management (IAM) role.

CCreate a user-managed service account with the Project Editor Identity and Access Management (IAM) role.

DUse the default service account linked to the Cloud Run revision in production.

Answer : A

https://cloud.google.com/iam/docs/understanding-roles#storage.admin

Question 427

Your teammate has asked you to review the code below, which is adding a credit to an account balance in Cloud Datastore. Which improvement should you suggest your teammate make?

AGet the entity with an ancestor query.

BGet and put the entity in a transaction.

CUse a strongly consistent transactional database.

DDon't return the account entity from the function.

Answer : A