Question 1

Following a cyber incident at Rivertown Outfitters that left key production workloads down for almost three weeks, the newly hired CISO requires a control that prevents production Compute Engine virtual machines from obtaining external IP addresses unless an explicit exception is approved. You want a straightforward solution that aligns with Google recommendations and that you can enforce centrally across projects. What should you do?

Question 2

Design a Google Cloud data warehouse for time series telemetry that minimizes scanned data and avoids server management. What should you implement?

Question 3

Your team runs a retail checkout application on Google Kubernetes Engine. Customers report that the checkout component is not responding. You observe that every pod in the checkout deployment crashes and restarts about every 3 seconds. The service writes its logs to standard output. You want to quickly examine the runtime errors that are causing the restarts without disrupting production. What should you do?

Question 4

Which GCP compute services provide automatic scaling and minimal operations for long term application hosting after an initial lift and shift to Compute Engine? (Choose 2)

Question 5

BlueMonk Retail needs to move a 25 TB on premises database export into Cloud Storage and their link to Google Cloud averages 300 Mbps and the team wants to minimize total transfer time and overall cost while following Google recommended best practices for large dataset migration. What should you do?

Question 6

In a Compute Engine managed instance group, how can you apply a new instance template only to future VMs and keep existing instances unchanged? (Choose 2)

Question 7

You are the Cloud Security Administrator at Orion Pixel Labs where teams build games on Google Cloud. The development and quality assurance groups collaborate and need access to each other’s environments, yet you discover they can also access staging and production which raises the risk of accidental outages. One staging environment used for performance tests must copy a subset of production data every 36 hours. How should you restructure the environment to keep production isolated from all other environments while still allowing the required data transfer?

Question 8

Which GCP services provide low latency and durable session storage, durable object storage for user photos and exported VM images, and log archiving with lifecycle tiering after 90 days?

Question 9

FinchPay, a financial technology company, sees sporadic slowdowns when confirming card charges and the payment path crosses multiple microservices on Google Cloud. The engineers believe interservice latency is the cause and they want to isolate exactly which backend services add the extra time during a request. What should they do to identify the services responsible for the delays?

Question 10

Which Google Cloud resource hierarchy enables a central team to enforce organization wide IAM guardrails while each department manages access to its own projects?

Question 11

You are the architect for LumaBooks, an online publisher, and you operate a production service on Cloud Run for Anthos in a GKE cluster. A new release is ready and you want to direct about 20% of real user traffic to it so that you can validate performance and errors before promoting it fully. How should you test the new build with a limited portion of production traffic?

Question 12

Which Google Cloud design provides private low latency hybrid connectivity and prevents overlapping IP ranges with on premises while supporting growth for the next five years?

Question 13

Riverton Analytics plans to automate the rollout of a Compute Engine managed instance group for a latency sensitive service. Each VM requires numerous OS packages and during peak events the group scales from 8 to 160 instances and must make new VMs ready to serve quickly. What should you implement to automate the deployment while keeping instance startup time to a minimum?

Question 14

Which approach minimizes cost for interruptible batch workloads on Google Cloud while ensuring only HIPAA eligible services are used?

Question 15

Your team at a fintech startup is deploying a single second generation Cloud SQL for MySQL instance that stores mission critical payment records. Leadership wants the design to minimize data loss if a regional outage or other catastrophic event occurs. Which features should you enable to reduce potential data loss to the lowest practical level? (Choose 2)

Question 16

Which Compute Engine architecture provides autoscaling, global low latency, and multi-zone high availability for a REST API with spikes around 120 thousand requests per second?

Question 17

Nimbus Outfitters uses BigQuery as its enterprise data warehouse and the datasets are spread across nine Google Cloud projects. Finance requires that every query charge is billed to one central analytics project and that no costs accrue in the projects that store the data. Analysts must be able to read and run queries but must not change or create datasets. How should you assign IAM roles to meet these requirements?

Question 18

Which configuration lets App Engine standard reach an on-prem MySQL over private IP through an existing Cloud VPN?

Question 19

StellarPlay Studios has replatformed parts of its mobile game backend into independent microservices that expose HTTP REST APIs over HTTPS. The company needs to achieve near continuous availability because outages cause user churn and it must keep latency low for a global player base while scaling quickly during traffic spikes. Considering these goals and the nature of the APIs, how should you design the backend on Google Cloud platform?

Question 20

How should you centralize raw logs from all Google Cloud projects and retain them for 10 years in a simple and cost effective way for auditor access?

Question 1

The correct option is Apply the Organization Policy constraint constraints/compute.vmExternalIpAccess at the organization or folder and allow only the explicitly approved VM resource names.

This control provides a centrally enforced guardrail that denies external IP assignment by default across all targeted projects. It supports a narrow allowlist so you can approve only specific instances when there is a justified exception. It aligns with recommended practices because it is simple to roll out at the organization or folder level and is auditable and reversible.

Use VPC Service Controls to place production projects in a service perimeter and block access to the public internet is incorrect because VPC Service Controls protect access to Google managed APIs and services rather than controlling generic internet egress or the ability for VM interfaces to obtain external IP addresses.

Replace default internet gateway routes with Cloud NAT so that all production subnets use private egress only is incorrect because Cloud NAT enables outbound connectivity for instances without external IPs and does not stop users from assigning external IPs to instances. It also does not replace the default internet gateway route and therefore does not meet the requirement to prevent external IP allocation.

Build two custom VPC networks so that one hosts approved instances with a default route and the other hosts all remaining instances without a default route is incorrect because this design is operationally complex and easy to bypass and it does not centrally prevent the assignment of external IPs. It lacks a policy based approval mechanism and does not scale well across projects.

Question 2

The correct choice is BigQuery with date partitioned telemetry. It meets the requirement to minimize scanned data for time series analytics and it removes server management through a fully managed serverless warehouse.

With BigQuery you can partition tables by ingestion time or by a timestamp column so queries automatically prune partitions and scan only the relevant dates. Partition filters and optional clustering on device or metric fields further reduce bytes processed and improve performance while you pay only for the data scanned. The service is serverless so capacity provisioning and maintenance are handled by Google.

Query external files with BigQuery external tables does not minimize scanned data for analytical workloads because queries read data from external storage and often cannot benefit from native partition pruning and columnar storage. Performance and cost control are better with native partitioned tables for this use case.

Cloud Bigtable is a NoSQL key value database for low latency operational access rather than a SQL analytics warehouse for telemetry. It also requires instance sizing and node management which does not satisfy the requirement to avoid server management.

AlloyDB for PostgreSQL targets transactional and mixed workloads on managed PostgreSQL and it is not a columnar analytics warehouse. You must manage instances and storage settings and large scans are not minimized the way they are with partitioned analytical storage.

Question 3

Inspect the affected GKE container logs in Cloud Logging using the workload and container filters is correct.

This option is best because the application writes to standard output and GKE automatically collects container stdout and stderr to the centralized logging backend. You can scope by workload and container in the logs interface to focus on the checkout deployment and view the exact error messages that occur before each crash. This approach requires no interaction with running pods and it continues to capture messages even as the pods restart every few seconds.

Review the Cloud Logging entries for each Compute Engine VM that is acting as a GKE node is incorrect because node level logs are noisy and focus on system and kubelet activity. Application stdout from containers is organized under Kubernetes resources, so looking at VM entries is slower and makes it easy to miss the container errors you need.

Use Cloud Trace to inspect latency traces for the checkout service is incorrect because Trace is for distributed request latency and requires instrumentation. It does not surface crash stack traces or the stderr and stdout messages that explain why the pods are restarting.

Use kubectl to exec into one pod and tail the application logs from inside the container is incorrect because the pods are restarting every few seconds which makes an interactive session unreliable. It also touches production containers and provides no aggregated history across restarts, so it is slower and less reliable than using centralized logs.

Question 4

The correct options are Google Kubernetes Engine and Google App Engine Standard.

Google Kubernetes Engine offers a managed Kubernetes control plane with automatic scaling for nodes and pods and it can run in Autopilot mode where Google manages the cluster infrastructure. This reduces day to day operations while still providing robust scaling and reliability for long term application hosting after an initial lift and shift to Compute Engine.

Google App Engine Standard is a fully managed application platform where you deploy code and the platform handles provisioning, autoscaling, patching and health. It requires minimal operations and is well suited for stable long running services once the workload has been migrated.

Managed instance groups can autoscale virtual machine instances and integrate with load balancing, yet you still manage operating systems, images, startup logic and many lifecycle tasks. This makes them more operationally heavy than managed application platforms for long term hosting.

Google Dataproc is designed for data processing with Spark and Hadoop and its autoscaling focuses on batch or ephemeral clusters. It is not intended for always on application hosting.

Question 5

The correct option is Order Transfer Appliance and ingest the export by shipping the device to Google.

At 300 Mbps, moving 25 TB over the network would take roughly a week or more when you include protocol overhead and potential retries. Transfer Appliance is built for large one time migrations over limited bandwidth since you copy locally and ship the device to Google which shortens wall clock time and improves reliability. It can also reduce operational disruption because the corporate link is not saturated for days.

Use gcloud storage cp to copy the files from the data center to a Cloud Storage bucket depends entirely on the 300 Mbps link so the transfer would take many days and would require you to manage retries and throughput tuning. This does not minimize time for a 25 TB migration.

Configure Storage Transfer Service with an on premises agent to move the export into Cloud Storage gives managed scheduling and checksumming, yet it still uses the same constrained link so total duration would be similar. This service is better when you have recurring transfers over sufficient bandwidth rather than a one time bulk move at this size and speed.

Build a Cloud Dataflow job that reads directly from the source database and writes to Cloud Storage is not appropriate here because you already have an export and this approach adds development and run cost without solving the bandwidth bottleneck.

Question 6

The correct options are Use OPPORTUNISTIC updates and let autoscaling add instances and Use OPPORTUNISTIC updates and manually resize the group.

With OPPORTUNISTIC updates, the managed instance group accepts the new instance template but does not proactively restart or recreate existing virtual machines. If you let autoscaling add instances, each newly created instance uses the new template while existing instances remain unchanged, which achieves the goal without disruption.

You can achieve the same outcome by combining OPPORTUNISTIC updates with manually resize the group. Increasing the target size creates new instances from the updated template while leaving the current instances intact. You can later scale in to retire older instances on your own schedule.

Set PROACTIVE rollout with RECREATE is incorrect because a proactive rollout triggers replacement of existing instances so the new template is applied to current machines, which changes them.

Create a new managed instance group and shift traffic with a load balancer is unnecessary for this scenario and changes the architecture rather than using the update policy to apply the template only to future instances within the same group.

Question 7

The correct option is Create one project for development and test together and create separate projects for staging and production. This keeps production isolated with its own project boundary while allowing development and test to collaborate in a shared project. You can still enable a controlled cross project data flow from production to staging on the required 36 hour schedule.

Projects are the primary isolation boundary for IAM, policy, quotas, and network scope in Google Cloud. By putting staging and production in their own projects you prevent broad access overlap and you reduce the risk of accidental outages in production. Grant a dedicated service account in staging narrowly scoped read access to only the specific datasets or buckets in production that need to be copied. Schedule the transfer every 36 hours using Cloud Scheduler to trigger a job such as Storage Transfer Service or a Dataflow pipeline so the movement is one way and least privilege.

Place development and test resources in a single VPC and place staging and production resources in a different VPC is incorrect because VPCs are network boundaries and do not enforce administrative or IAM isolation. It also groups staging with production which violates the requirement to keep production isolated from all other environments.

Keep all environments in one project and enforce a VPC Service Controls perimeter around production data is incorrect because VPC Service Controls focuses on reducing data exfiltration for supported services and does not replace project level isolation or protect compute resources. Keeping everything in one project keeps IAM and quotas coupled and increases the chance of accidental access to production.

Deploy development and test workloads to one subnet and deploy staging and production workloads to another subnet is incorrect because subnets are not security or administrative boundaries for IAM. It also places staging with production which does not meet the isolation requirement.

Question 8

The correct option is Memcache with Cloud Datastore for sessions and Cloud Storage with lifecycle for logs, photos and exported VM images.

This combination satisfies all requirements. Memcache provides very low latency access for session data while Cloud Datastore supplies durable storage so sessions can be recovered and shared across instances. For user photos, exported VM images and log archiving, Cloud Storage is the right durable object store and it supports lifecycle management so objects can automatically transition to a colder tier after 90 days. Note that Cloud Datastore is now Firestore in Datastore mode and App Engine Memcache is a legacy feature, so newer answers may reference Memorystore plus Firestore to describe a similar pattern for low latency with durable backing.

Local SSD for sessions and Cloud Storage with lifecycle for logs, photos and exported VM images is incorrect because Local SSD is ephemeral and attached to a single VM which means data can be lost on VM stop or host events and it is not a shared or durable session store.

Memorystore for Redis for sessions and Persistent Disk SSD for exported VM images and Cloud Storage for logs and photos is incorrect because Persistent Disk is block storage and does not provide object storage features or lifecycle policies for exported images, which are typically stored in Cloud Storage. In addition, Memorystore for Redis does not provide durable persistence for session data.

Memorystore for Memcached for sessions and Cloud Storage with lifecycle for logs, photos and exported VM images is incorrect because Memcached is an in memory cache without durability, so it cannot meet the requirement for durable session storage by itself.

Question 9

The correct option is Instrument the application with Cloud Trace and view distributed traces to see end to end latency across calls.

This approach gives you distributed tracing that stitches together spans across all microservice hops on a single request. By propagating context across service boundaries, each hop is timed and visualized on a timeline so you can see exactly where latency accumulates. You can drill into spans for RPCs and HTTP calls to find the slow backend or dependency and quantify its contribution to total request time.

Enable Cloud Logging for every backend service and search the logs for error patterns is not sufficient for pinpointing cross service latency. Logs are valuable for diagnostics and errors, yet they do not automatically correlate an entire request path across services or provide precise per hop timing without full tracing instrumentation.

Turn on Cloud Profiler across the services to analyze CPU and memory usage focuses on code level resource usage inside a process. Profiler helps find hot methods and memory issues, but it does not show network or interservice latency along a distributed call path.

Place an external HTTP(S) Load Balancer in front of the services to distribute requests evenly does not address latency within a multi hop service chain. Load balancing can improve availability and distribution but it does not provide visibility into which downstream service adds delay.

Question 10

The correct option is Single Organization with per-department Folders and delegated IAM.

This structure lets a central team apply organization wide guardrails using Organization level IAM and Organization Policy while delegating day to day access control to department administrators at the Folder level. IAM policies inherit from Organization to Folder to Project which allows the central team to set baseline constraints and audit requirements while each department manages access to its own projects within its folder.

This approach balances centralized governance with decentralized ownership. It supports clear separation of duties and simplifies compliance because guardrails are enforced at the highest level while local teams retain autonomy for their resources.

Single Organization with one shared Folder and central IAM is incorrect because it concentrates all control in a single folder and central team which prevents departments from independently managing access to their projects. It does not provide the delegated administration the question requires.

Multiple Organizations per department is incorrect because creating separate organizations fragments governance and prevents consistent organization wide policies and IAM guardrails. Centralized auditing and policy enforcement become difficult and cross organization controls are limited.

Question 11

The correct option is Deploy the new version as a revision within the existing Cloud Run service and use traffic splitting to route a small percentage to that revision.

This approach uses Cloud Run revisions and weighted traffic routing so you can send about twenty percent of production requests to the new revision while keeping the remainder on the stable one. You can adjust the percentages up or down and then quickly roll forward or roll back based on results, which is the intended canary pattern for Cloud Run and works the same on Cloud Run for Anthos.

Create a parallel Cloud Run service for the new build and place an external HTTPS load balancer in front to weight traffic across both services is unnecessary and adds complexity because Cloud Run already provides built in weighted routing between revisions within a single service. Managing two separate services behind a load balancer complicates deployment and rollback without providing benefits for this scenario.

Configure Traffic Director with a new service entry that targets the new version and set a small weighting to route a fraction of requests is not the recommended method for Cloud Run canary releases. Cloud Run handles revision level traffic splitting natively, and introducing Traffic Director for this purpose adds control plane overhead and does not align with the simple per revision routing model built into the platform.

Set up a Cloud Build trigger on a feature branch and pass a substitution variable named TRAFFIC_PERCENT to control how much traffic goes to the new version is incorrect because Cloud Build manages builds and automation rather than live traffic routing. There is no built in traffic control through such a substitution and traffic allocation must be configured on the Cloud Run service itself.

Question 12

The correct option is Custom VPC with unique CIDRs and Dedicated Interconnect. This design gives private low latency hybrid connectivity and avoids overlapping IP ranges with on premises while allowing ample room to scale for the next five years.

A custom VPC lets you select your own RFC 1918 ranges so you can align with enterprise IP address management and ensure that Google Cloud subnets do not overlap with existing on premises networks. Choosing unique CIDRs up front supports clean growth as you add projects, regions, and services over time.

Dedicated Interconnect delivers private physical connectivity that bypasses the public internet, which provides consistent low latency and high throughput with an SLA. You can scale capacity and reach by adding circuits and VLAN attachments, which supports sustained growth without redesigning the network.

Default VPC with HA VPN is not a good fit because the default network is auto mode with many precreated subnets that use fixed ranges that can conflict with your on premises space. HA VPN rides over the public internet, so latency and jitter are less predictable than a private interconnect.

Auto mode VPC with Cloud Interconnect does provide private connectivity, but auto mode preallocates regional subnets from a predefined block, which can lead to overlap or inefficient address use. Meeting the requirement to prevent overlap and plan multi year growth calls for custom subnet design rather than auto mode.

Question 13

Recent Posts

3 min

Planning For A Financial Revival In 2025...

3 min

Drowning In Debt? How To Manage On A Dwindling Budget...

Trending

12 min

A Complete Guide to Meta Ads Attribution...

5 min

Proposed Changes To Phone Services For Social Security Benef...