Question 1

When creating a new subnet in a custom mode VPC, what must you verify to ensure existing services are not disrupted?

Question 2

Which Google Cloud service provides rapid instance startup and automatic scaling for an HTTP API that may surge from dozens to thousands of requests within 30 seconds?

Question 3

In the App Engine standard environment, what action lets you immediately switch all traffic back to the previously serving version without redeploying?

Question 4

Which Google Cloud service enables a web application to scale automatically in response to unpredictable traffic while minimizing cost?

Question 5

What is the most efficient way to replicate custom IAM roles from a staging project to a production project with minimal effort?

Question 6

How can you ensure that a Compute Engine VM retains the same internal IP address after it is recreated so clients continue to use the same address?

Question 7

How should you stage 5 TB of on-premises files in Google Cloud so that Dataflow SQL can access them?

Question 8

What is the quickest way to grant specific Google Workspace users access to a new Google Cloud project?

Question 9

Which Google Cloud option supports a lift and shift approach for virtual machine workloads and can autoscale when average CPU utilization exceeds 65 percent?

Question 10

On a Dataproc cluster, individual Spark tasks run for about 30 minutes and aggressive scale down is extending run time. What should you configure to reduce cost while preventing task interruption during scale down?

Question 11

Which native Compute Engine feature provides automated boot disk backups every 6 hours, retains them for 45 days, and enables fast restores?

Question 12

Which Google Cloud service offers serverless autoscaling stream processing for 500,000 events per minute, delivers insights within 3 seconds, and uses usage based pricing?

Question 13

A company streams vehicle telemetry every 12 seconds and requires the transformed data to be queryable within three seconds. Which Google Cloud architecture provides real time processing with immediate availability for analysis?

Question 14

In Google Cloud, what is the best practice for granting auditors read-only access to the objects in a specific Cloud Storage bucket?

Question 15

Which Google Cloud service should you use to run approximately 12,000 independent CPU jobs in parallel at night, each lasting about 30 minutes, while lowering cost with disposable capacity?

Question 16

How should you configure Cloud Monitoring to send an alert when CPU utilization on any Compute Engine VM exceeds 90% for 10 minutes?

Question 17

Which Google Cloud approach offers the simplest managed way to schedule batch jobs with variable CPU and memory requirements to run once every 12 hours?

Question 18

You need to ingest continuous time-series data from sensors with very low write latency, retain approximately 8 PB of data, and enable cost-effective analytics. What should you implement?

Question 19

In a shared billing account, which Google Cloud billing configuration sends a notification when any single project’s monthly spend exceeds $800?

Question 20

Which Google Cloud load balancer provides global Anycast termination for non HTTP TLS traffic over TCP to deliver the lowest latency for users worldwide?

Question 1

The correct option is Choose a non overlapping CIDR range for the new subnet.

Subnets within the same VPC network cannot have IP ranges that overlap. Verifying a non overlapping CIDR range ensures the subnet can be created and that existing routing remains predictable for current workloads. In a custom mode VPC you select ranges explicitly, so you must confirm the new primary range and any secondary ranges do not overlap with those of any existing subnets in the network.

Configure Cloud NAT for egress internet access is not something you must verify before adding a subnet. Cloud NAT provides internet egress for instances without external IPs, which is unrelated to preventing disruption caused by overlapping subnet ranges.

Enable Private Google Access on the subnet is optional and controls access to Google APIs from instances without external IPs. It does not affect whether a new subnet will disrupt existing services and it does not address IP range conflicts.

Place the subnet in a different region does not solve the overlap requirement. Subnets are regional, yet their IP ranges must still be unique across the entire VPC, so choosing another region will not prevent conflicts if the CIDR overlaps.

Question 2

The correct option is App Engine Standard environment.

This service is designed for rapid web request handling and it brings up instances very quickly because runtimes are preconfigured and optimized. It automatically scales based on incoming HTTP requests and can surge to many instances within seconds, which is well aligned with a spike from dozens to thousands of requests in a very short time. You can also keep a small number of instances warm with minimum instances to get the fastest possible first byte while still benefiting from automatic scaling.

Cloud Run offers automatic scaling for containers and can scale quickly, yet container image startup and cold starts can add variability without careful tuning of minimum instances and image size. For a requirement that emphasizes the fastest instance startup for an HTTP API without container management, this is not the best fit.

Compute Engine managed instance group with autoscaling relies on virtual machine instances which have longer boot times and the autoscaler responds to metrics that can lag behind sudden traffic surges. This makes it less suitable for a surge that must be absorbed within about 30 seconds.

Cloud Functions can scale automatically on HTTP triggers, however each instance handles a single request by default and cold starts are common during bursts. It is better for event-driven functions than for an HTTP API that needs consistently very fast instance startup during sharp spikes.

Question 3

The correct option is Promote the previous version as default and route all traffic to it.

In App Engine Standard you can keep multiple deployed versions for a service and switch traffic between them instantly without redeploying. By making the earlier version the default or by setting traffic splitting to send 100 percent of requests to it you achieve an immediate rollback while keeping the newer version available for future use.

Delete the latest version so traffic reverts automatically is incorrect because you cannot delete a version that is receiving traffic and deletion is not a rollback mechanism. You must move traffic away first which means it does not revert automatically and you also lose the ability to switch back quickly if you remove the version.

Migrate to App Engine Flexible and split traffic to the old release is incorrect because changing environments is unrelated to rollback and would require new deployments and configuration changes. In Standard you simply switch traffic to a previously deployed version to roll back immediately.

Question 4

The correct option is App Engine standard with automatic scaling.

This service automatically adds and removes instances in response to traffic and it can scale to zero when idle. This keeps costs low because you only pay for what you use and you do not manage servers. It is well suited for web apps with bursty and unpredictable traffic because it scales up quickly and scales down efficiently.

Google Kubernetes Engine with node autoscaling is powerful for containerized workloads but you must operate clusters and nodes and you pay for nodes while they are running. This makes it less cost efficient and more operationally heavy for a simple web app that needs hands off autoscaling for unpredictable traffic.

Compute Engine managed instance group with autoscaler can scale virtual machines based on load but you still manage VM images and you are billed for instances while they run. It typically does not offer scale to zero behavior and it introduces more operational overhead than a fully managed platform.

Question 5

The correct option is gcloud iam roles copy with the production project as the destination.

This command is purpose built to replicate a custom IAM role definition from one project to another. It copies the role configuration and permissions from the staging project and creates or updates the same custom role in the production project, which makes it the most direct and minimal effort approach.

Cloud Asset Inventory export and import is not appropriate because Asset Inventory exports snapshots of assets and IAM policies for analysis or auditing, and it does not provide a mechanism to create or replicate custom role definitions across projects.

Export and set the IAM policy between projects only moves policy bindings and requires the referenced roles to already exist. It does not create custom roles, so it cannot replicate the role definitions from staging to production.

Question 6

The correct option is Reserve and assign a static internal IP because reserving a private address in your subnet lets you reattach the same IP to a VM when you recreate it so clients continue to use the same internal address.

With a static internal IP you reserve the address in the VPC subnet so it persists independently of the VM. Ephemeral internal IPs are released when the instance is deleted while a reservation remains available so you can recreate the VM in the same project and subnet and then attach the reserved address. This keeps the internal IP stable across deletion and recreation.

Static external IP address is about the public address and does not control the private internal address that clients on the network use, so it does not meet the requirement.

Internal TCP or UDP load balancer provides a stable internal frontend address that forwards to backends, yet clients would connect to the load balancer IP rather than the VM IP. The question asks to keep the VM internal IP unchanged, therefore this choice does not satisfy the need.

Cloud DNS A record with low TTL only helps clients learn a new address more quickly. It does not keep the IP the same and it also depends on clients using DNS rather than a hard coded address.

Question 7

The correct option is Use gsutil to copy the files to Cloud Storage.

Placing the files in Cloud Storage lets Dataflow SQL and Dataflow jobs access them directly. At 5 TB an online transfer with gsutil is practical and reliable. It supports resumable and parallel composite uploads which helps you maximize throughput over your network and it stages the data in the right place for processing.

Use the bq command line tool to load the files into BigQuery does not stage the original files in Cloud Storage. It would load the data into BigQuery tables which changes the workflow and is unnecessary when the requirement is file access from Cloud Storage for Dataflow SQL.

Use Transfer Appliance to upload the files to Cloud Storage is intended for very large datasets or when network connectivity is insufficient. For 5 TB the setup time and logistics are not justified and an online transfer with gsutil is typically the better choice.

Question 8

The correct option is Grant project IAM roles to their Workspace identities.

This is correct because access to a Google Cloud project is controlled through IAM. By assigning the appropriate roles at the project level to the specific user identities, those users gain the required permissions immediately. You can do this in the IAM page of the project in the console or through gcloud or the IAM API, which makes it the fastest and most direct method for selected users.

Use Google Admin console to add users to the project is incorrect because the Admin console manages users and groups for the organization but it does not grant project permissions. Project access must be managed through IAM on the project itself.

Create a Google Group and wait for automatic access is incorrect because a group alone does not receive any permissions. You must bind roles to the group on the project for members to get access and there is no automatic access without that binding.

Enable Cloud Identity API is incorrect because enabling an API does not grant permissions to a project. The Cloud Identity API is for directory and identity management tasks rather than project level access control.

Question 9

The correct option is Managed instance group on Compute Engine with CPU-based autoscaling. This choice supports lift and shift of virtual machines and lets you set a target average CPU utilization such as 65 percent so the autoscaler adds instances when the group average goes above the target and removes them when it falls below.

This option uses a Compute Engine managed instance group with an autoscaler policy that targets average CPU utilization. You can migrate existing virtual machines into an instance template and use the group to scale out when demand increases and scale in when demand subsides. This aligns directly with the requirement to trigger scaling at an average CPU threshold of 65 percent.

GKE cluster with Horizontal Pod Autoscaler is designed for containerized workloads and it scales pods not virtual machines. It does not provide a direct lift and shift path for existing virtual machines.

Compute Engine managed instance group with a fixed schedule changes capacity based on time windows. It does not respond to real time CPU metrics so it cannot satisfy a requirement that scales when average CPU exceeds 65 percent.

App Engine flexible environment with automatic scaling is a platform for applications rather than virtual machines and its scaling is based on request driven signals and instance behavior. It is not intended for lift and shift of virtual machines nor for CPU threshold based scaling of Compute Engine instances.

Question 10

The correct option is Configure a graceful decommission timeout longer than 30 minutes.

This setting tells Dataproc to drain workers during scale down and to wait for running Spark tasks to finish rather than killing them. Because your tasks take about 30 minutes, choosing a timeout slightly above that duration prevents task aborts and retries that prolong jobs. You still save cost because workers are removed once tasks complete and the cluster can safely shrink without disrupting work.

With autoscaling, graceful decommissioning coordinates with YARN so executors wind down cleanly during shrink events. This directly addresses aggressive scale down causing interruptions, and it achieves the balance the question asks for by combining cost reduction with uninterrupted task completion.

Reduce the scale down factor in the autoscaling policy is not sufficient because it only slows or limits how quickly workers are removed. It does not guarantee that running tasks are allowed to finish, so tasks can still be interrupted and retried.

Migrate the batch training pipeline to Dataflow changes the platform rather than solving the configuration problem at hand. It requires significant rework and is unnecessary when Dataproc can avoid task interruption through graceful decommissioning.

Enable preemptible secondary workers lowers cost but increases the likelihood of interruption because preemptible VMs can be reclaimed at any time. That conflicts with the requirement to avoid task interruption during scale down.

Question 11

The correct option is Persistent disk snapshot schedule with retention.

This feature is native to Compute Engine and automates snapshots of persistent boot disks on a fixed cadence such as every six hours. You can define a retention policy such as forty five days and the platform automatically deletes older snapshots to honor that policy. Restores are fast because you can create a new disk directly from a snapshot and attach it to a virtual machine or replace the boot disk with minimal steps.

It is configured through a resource policy that you attach to one or more disks. The platform handles scheduling and lifecycle management which provides predictable backups and simple recovery without custom code.

Cloud Functions with custom images is not a native disk backup feature for Compute Engine. It would require custom code and additional services to orchestrate schedules and retention which adds complexity and does not provide built in snapshot lifecycle management.

Cron job with gcloud is a do it yourself approach that relies on scripts or an external scheduler. It is not a built in Compute Engine capability and it requires you to manage timing, failures and retention cleanup on your own.

Instance templates and custom images are intended for consistent VM creation and golden image management rather than periodic disk backups. They do not provide automated schedules or retention for boot disk backups and they are not optimized for fast incremental restores.

Question 12

The correct option is Dataflow streaming pipelines.

It is a fully managed serverless stream processing service that automatically scales to handle very high throughput and is built to deliver low latency results. Properly designed streaming pipelines can achieve end to end processing under three seconds. Pricing is usage based because you pay for the resources consumed and for streaming capabilities rather than for idle capacity.

The service runs Apache Beam pipelines which gives you event time windowing, triggers, watermarks, exactly once processing and backpressure handling. The managed Streaming Engine offloads state and shuffle so workers can scale efficiently and maintain consistent throughput during spikes.

Cloud Pub/Sub is an event ingestion and delivery service and not a processing engine. It does not perform transformations, aggregations or windowed analytics and cannot by itself provide insights within three seconds.

Dataproc runs Spark and Hadoop on clusters and is not serverless. You must provision and scale clusters which adds operational overhead and latency, and it does not naturally meet near real time streaming and insight requirements in a usage based manner.

Cloud Run is a serverless container platform with request driven autoscaling and usage based pricing, yet it is not a native stream processing service. It lacks built in event time processing, windowing and watermark management, so you would need to implement and operate those features yourself which makes it a poor fit for this requirement.

Question 13

The correct option is Pub/Sub with Dataflow streaming to BigQuery because it provides end to end streaming ingestion, transformation, and delivery into BigQuery so the data becomes queryable within a few seconds and meets the three second freshness requirement.

Pub/Sub can ingest messages every twelve seconds from vehicles and Dataflow streaming can transform events continuously with low processing latency. The BigQuery streaming sink writes to BigQuery using streaming inserts which places new rows in the streaming buffer and makes them available for query almost immediately. This design is built for real time analytics so it can reliably achieve second level availability for transformed data.

Write to Bigtable and query with BigQuery federation is not suitable for strict low latency analytics after transformation because federated queries over this source introduce additional latency and have feature limitations. It does not support the same real time transformation path as a streaming pipeline and it is less likely to meet a three second freshness target for transformed data.

Store telemetry in Cloud Storage and schedule Dataflow to load to BigQuery is a batch pattern that depends on file creation and scheduled jobs which introduces minutes of delay. It cannot provide transformed data that is queryable within three seconds of arrival.

Question 14

The correct option is Use Storage Object Viewer on the bucket. This grants auditors read only access to object data in just that bucket using IAM while keeping the scope narrow and aligned with least privilege.

Applying a bucket level IAM binding lets auditors list objects and read their contents while preventing writes, deletes, or bucket configuration changes. This approach is the recommended pattern for Cloud Storage because you centralize and scale access control with IAM rather than managing permissions per object.

Use signed URLs for each object is not appropriate for ongoing audit access because signed URLs are temporary and created per object. This introduces significant operational overhead and does not provide straightforward object listing or centralized control.

Grant Viewer on the project violates least privilege by giving broad read access across many services in the project. It also does not grant the specific Cloud Storage object read permissions that auditors need.

Set object level ACLs is discouraged because best practice is to use IAM with uniform bucket level access enabled. ACLs are difficult to manage at scale and when uniform bucket level access is on then object ACLs are ignored.

Question 15

The correct option is Compute Engine Spot VMs.

Compute Engine Spot VMs provide very low cost disposable capacity and are ideal for large numbers of short lived independent batch tasks. They can scale to thousands of instances at night through instance templates and managed instance groups and the workload can tolerate interruptions because jobs are only thirty minutes and independent. You can use retries or checkpointing to handle preemptions which makes Compute Engine Spot VMs the most cost effective choice for this scenario.

Dataflow focuses on data processing pipelines with Apache Beam and is excellent for ETL streaming and batch transformations. It is not intended for running arbitrary CPU bound tasks and you do not gain the spot pricing benefits that Compute Engine Spot VMs provide for disposable compute swarms.

Google Kubernetes Engine can run batch jobs by using Kubernetes Jobs and node autoscaling, yet it introduces cluster setup and management overhead and you would still need to choose node types and manage quotas. It does not directly answer the goal of the lowest cost disposable capacity as simply as using Compute Engine Spot VMs.

Cloud Run is optimized for request driven stateless services and while Cloud Run jobs exist for batch, there is no spot pricing and there are execution and concurrency constraints. Meeting 12,000 simultaneous thirty minute CPU jobs at night at the lowest cost is better accomplished with Compute Engine Spot VMs.

Question 16

The correct option is Create a metric threshold policy on compute.googleapis.com/instance/cpu/utilization for above 90% over 10 minutes.

This policy uses the CPU utilization metric which represents normalized CPU usage as a fraction where 1.0 is 100 percent. You set a threshold greater than 0.9 and a duration of 10 minutes so the alert fires only when the condition is sustained. Configure the resource type for Compute Engine VM instances and let the policy evaluate each time series so it triggers when any VM crosses the threshold for the specified period.

Configure an uptime check and alerting policy for the instances is incorrect because uptime checks measure availability of endpoints or services rather than internal VM metrics such as CPU.

Create an anomaly detection policy on CPU utilization is incorrect because the requirement is a fixed threshold of 90 percent for a set duration rather than detecting deviations from a learned baseline.

Set a metric threshold on compute.googleapis.com/instance/cpu/usage_time for 10 minutes is incorrect because usage_time measures CPU seconds consumed during the sampling period and varies with core count and interval length. It is not a percentage and does not map cleanly to a 90 percent threshold.

Question 17

The correct option is Cloud Scheduler and Pub/Sub invoking Cloud Functions.

This is the simplest fully managed way to run a timed batch job every 12 hours because Cloud Scheduler provides straightforward cron-style scheduling and publishes a message to Pub/Sub and a subscribed Cloud Function runs the batch logic. It is easy to configure and you do not manage servers or clusters.

Cloud Functions offers configurable memory with proportional CPU which allows you to match varying resource needs for each run and you can tune execution characteristics in its second generation. Using Pub/Sub to decouple the trigger from the worker keeps the solution reliable and fully managed while remaining simple to operate.

Google Kubernetes Engine CronJob can schedule containers on a timer but it requires operating a GKE cluster which adds setup and ongoing maintenance. This is not the simplest managed approach for a basic twice-daily batch job.

Workflows is designed to orchestrate steps across services rather than execute batch code directly. It is not a standalone scheduler and still depends on another compute service to run your job so it is not the most straightforward choice for this requirement.