Question 1

Nimbus Playworks is preparing to launch a new mobile multiplayer title and has rebuilt its backend on Google Compute Engine with a managed NoSQL store to improve global scale and uptime. Before release, the team needs to validate the Android and iOS clients across dozens of OS versions and hundreds of device models while keeping testing costs under control and minimizing operational effort. Which approach should they use to perform broad and efficient device coverage testing across both platforms?

Question 2

Which Google Cloud architecture uses Cloud Load Balancing to stay low cost at about 200 daily requests yet reliably absorbs bursts up to 60,000 for public HTTP APIs and static content?

Question 3

LumaPay is moving over 30 internal applications to Google Cloud and the security operations group requires read only visibility across every resource in the entire organization for audit readiness. You already hold the Organization Administrator role through Resource Manager. Following Google recommended practices, which IAM roles should you grant to the security team?

Question 4

Which business risks should you consider when adopting Google Cloud Deployment Manager for infrastructure automation? (Choose 2)

Question 5

After CedarPeak Data deployed a custom Linux kernel module to its Compute Engine batch worker virtual machines to speed up the overnight jobs, three days later roughly 60% of the workers failed during the nightly run. You need to collect the most relevant evidence so the developers can troubleshoot efficiently. Which actions should you take first? (Choose 3)

Question 6

Two Google Cloud Shared VPC host networks in separate organizations have some overlapping IP ranges such as 10.60.0.0/16, and you need private connectivity only for nonoverlapping subnets with minimal redesign. What should you do?

Question 7

Orchid Outfitters operates a three layer application in a single VPC on Google Cloud. The web, service and database layers scale independently using managed instance groups. Network flows must go from the web layer to the service layer and then from the service layer to the database layer, and there must be no direct traffic from the web layer to the database layer. How should you configure the network to meet these constraints?

Question 8

Which Google Cloud storage option minimizes cost for telemetry that will be rarely accessed for the next 18 months?

Question 9

VerdantCart wants to move a mission critical web application from an on premises facility to Google Cloud and it must continue serving users if an entire region goes offline with automatic traffic failover. How should you design the deployment?

Question 10

How should you migrate Windows Server 2022 Datacenter VMs to Google Cloud so you can keep using existing Microsoft volume licenses in compliance?

Question 11

The compliance team at HarborView Insurance needs to retain Cloud VPN log events for 18 months to meet audit obligations. You must configure Google Cloud so these logs are stored appropriately. What should you do?

Question 12

An organization must validate disaster recovery every 60 days using only Google Cloud. Which approach enables repeatable full stack provisioning in a secondary region with actionable telemetry for each drill?

Question 13

SierraForge Industries is migrating telemetry files from field equipment into Cloud Storage and wants to keep each file for one year while reducing storage costs during that time. What lifecycle configuration should you implement?

Question 14

In BigQuery what approach enables reliable deletion of a single individual’s health records upon request?

Question 15

Your team at example.com is preparing to run a stateful service on Google Cloud that can scale out across multiple virtual machines. Every instance must read and write to the same POSIX file system and during peak periods the service needs to sustain up to 180 MB per second of write throughput. Which approach should you choose to meet these requirements while keeping the design managed and reliable?

Question 16

Which Google Cloud services should you use for high velocity time series ingestion, transactional user profiles and game state, and interactive analytics on 30 TB of historical events?

Question 17

Riverton Media is preparing to switch traffic to a new marketing site on Google Cloud. You created a managed instance group with autoscaling and attached it as a backend to an external HTTP(S) load balancer. After enabling the backend, you observe that the virtual machines are being recreated roughly every 90 seconds. The instances do not have public IP addresses, and you can successfully curl the service from an internal test host. What should you change to ensure the backend is configured correctly?

Question 18

Which Google Cloud solutions let development VMs retain data across reboots and provide ongoing spend visibility without manual reporting? (Choose 2)

Question 19

A travel booking platform at Northstar Tickets processes card payments and wants to reduce the PCI DSS scope to the smallest footprint while keeping the ability to analyze purchase behavior and payment method trends. Which architectural approach should you adopt to satisfy these requirements?

Question 20

How should you configure BigQuery IAM so analysts can run queries in the project and only read data in their country’s dataset?

Question 1

The correct approach is Use Firebase Test Lab to upload the app and run automated and manual tests on a wide range of real and virtual Android and iOS devices.

Firebase Test Lab is a managed testing service that offers broad device coverage for both Android and iOS with real and virtual devices, which fits the need to validate across many OS versions and device models. It supports automated frameworks like Espresso, XCTest and Robo, and it can run tests in parallel across a device matrix to speed feedback while reducing operational effort. Because it is managed and offers virtual devices and transparent pricing, it helps control costs while still letting you scale to hundreds of device and OS combinations.

Set up Android and iOS virtual machines on Google Cloud and install the app for manual and scripted tests is not appropriate because it would be highly manual and would not provide the required breadth of real device and OS coverage. Running iOS simulators requires macOS on Apple hardware, which standard Compute Engine virtual machines do not provide, so it would not meet the cross platform requirement or the goal of minimizing operational effort.

Use Google Kubernetes Engine to run Android and iOS emulators in containers and execute automated UI tests increases complexity and operational overhead without delivering real device coverage. iOS simulators are not supported in typical Linux containers and emulator only testing misses hardware and OEM variances that matter for games, so this does not meet the goal of broad and efficient device coverage across both platforms.

Upload app builds with different configurations to Firebase Hosting and validate behavior from hosted links is incorrect because Firebase Hosting serves web content and does not execute native Android or iOS applications. It does not provide device farms, test orchestration or automated UI testing capabilities.

Question 2

The correct option is Use Cloud CDN for static content, run the APIs on Cloud Run, and use Cloud SQL.

This design keeps steady state costs very low because Cloud Run scales to zero and bills per request, which matches a workload of about 200 daily requests. It also absorbs sudden spikes to tens of thousands of requests because Cloud Run automatically and quickly scales out with high concurrency. Cloud CDN serves static assets from the edge, which offloads traffic from the origin and helps handle large bursts with low latency. Cloud Load Balancing integrates with Cloud Run through serverless network endpoint groups and with Cloud CDN, which provides global anycast entry, fast TLS termination, and resilient distribution during bursts. Cloud SQL is a good fit for a transactional relational backend at this scale and cost profile.

Use Cloud CDN for static content, run the APIs on App Engine Standard, and use Cloud SQL can functionally work, yet it is less cost effective for very low steady traffic with rare large spikes. To avoid cold starts and meet burst needs you often configure minimum instances which adds fixed cost, and its scaling characteristics are not as rapid or cost optimized as Cloud Run for this pattern.

Serve static assets through Cloud CDN, run the APIs on a Compute Engine managed instance group, and use Cloud SQL requires virtual machines to be running even when request volume is low, which raises baseline cost. Instance group scaling also takes longer to add capacity during sudden spikes compared to the near instant scaling of Cloud Run, so this is not the best low cost choice for infrequent large bursts.

Put static files in Cloud Storage, deploy the APIs to a regional GKE Autopilot cluster, and use Cloud Spanner is significantly more expensive and operationally heavier for a workload with only hundreds of daily requests. Spanner is a global, high throughput database with a high minimum cost, and running APIs on GKE Autopilot adds complexity and baseline spend compared to a fully managed serverless platform. This combination does not align with the low cost requirement.

Question 3

The correct option is Organization viewer, Project viewer.

Organization viewer provides read only access to organization level metadata and policies through Resource Manager which gives the security team visibility into the hierarchy and constraints without the ability to change anything. Project viewer grants read only access to project resources so when it is granted at the organization node it inherits down to all folders and projects which provides consistent visibility across every application while still following least privilege.

Organization administrator, Project browser is incorrect because Organization administrator is a powerful administrative role that allows modifying IAM and resources which violates the read only requirement. Project browser only lists and gets metadata and does not provide broad read access to resource data which is often needed for audits.

Security Center admin, Project viewer is incorrect because Security Command Center admin is an administrative role and it only covers Security Command Center resources. It neither limits the team to read only actions nor guarantees visibility across all Google Cloud services.

Organization viewer, Project owner is incorrect because Project owner grants full control of projects including write and IAM changes which is not appropriate for an audit focused read only use case.

Question 4

The correct options are Template errors can delete critical resources and Cloud Deployment Manager manages only Google Cloud resources.

Template errors can delete critical resources is a real business risk because updates reconcile the live environment to what your configuration and templates declare. If a template removes or renames a resource or applies an unintended change then an update can delete or recreate production resources. You can mitigate this with previews and careful review but the risk remains if changes are pushed without safeguards.

Cloud Deployment Manager manages only Google Cloud resources is also a business risk because it limits you to Google Cloud resource types. This creates vendor lock in for your infrastructure automation and prevents you from using the same toolchain to orchestrate on premises or other cloud providers.

Requires Cloud Build to run deployments is incorrect because Deployment Manager runs through the API and gcloud and it does not require Cloud Build. You can optionally integrate it into Cloud Build pipelines but that is a choice rather than a requirement.

Must use a Google APIs service account is incorrect because you can deploy using your user credentials or a suitable service account with the necessary IAM roles. Google managed service agents may operate behind the scenes for specific services yet you are not forced to adopt a particular Google APIs service account as a business prerequisite.

Question 5

The correct options are Use Cloud Logging to filter for kernel and module logs from the affected instances, Connect to the VM serial console with gcloud or the Google Cloud console to observe kernel and boot logs, and Narrow the time window in Cloud Logging and Cloud Monitoring to the failure period and examine batch VM metrics.

Use Cloud Logging to filter for kernel and module logs from the affected instances gives developers immediate visibility into errors emitted by the custom kernel module and the Linux kernel. Filtering by instance identifiers and keywords related to kernel, module loading, crashes, or taints focuses the results on what changed and when. This surfaces stack traces, oops messages, and module load or unload failures that directly explain why workers failed.

Connect to the VM serial console with gcloud or the Google Cloud console to observe kernel and boot logs is crucial when VMs become unreachable or reboot during failures. The serial port captures early boot messages and kernel panics that may not reach system logs on disk, so it preserves decisive evidence even if the VM hung or crashed mid run.

Narrow the time window in Cloud Logging and Cloud Monitoring to the failure period and examine batch VM metrics helps correlate log events with system behavior such as restarts, CPU spikes, memory exhaustion, or disk errors. Constraining the time range reduces noise and makes patterns across many workers visible so you can confirm scope and timing of the regression introduced by the kernel module.

Check the activity log for live migration events on the failed instances is not a first action because live migration is designed to be transparent and is unlikely to explain widespread module related kernel failures. Even if live migration occurred it would not provide the kernel level detail needed to debug a custom module issue.

Review the Compute Engine audit activity log through the API or the console focuses on administrative and access operations rather than guest OS behavior. Audit logs do not capture kernel panics or module crashes, so they are not the most relevant starting point for this incident.

Enable Cloud Trace for the batch application and collect traces during the next window targets application latency and request flows rather than OS or kernel events. It would not help diagnose the current failures and it introduces delay since it only gathers data in future runs.

Question 6

The correct option is HA VPN with Cloud Router advertising only nonoverlapping prefixes. This approach provides private connectivity between the two VPC networks while letting you control which prefixes are exchanged so only nonoverlapping subnets are learned on each side and you avoid conflicts with minimal redesign.

This works because Cloud Router supports custom advertisements so you can advertise only the specific IP ranges that you want the other side to learn. When each side advertises only the nonoverlapping subnets, routing remains private and reachable for those ranges while overlapping ranges are never imported. This setup is supported for VPC to VPC connectivity across projects and even across organizations, and it requires no IP renumbering.

Private Service Connect with internal load balancers is for publishing and consuming specific services privately rather than providing general purpose network connectivity between arbitrary subnets. It is not intended to create broad bidirectional connectivity between two VPC networks, so it does not meet the requirement.

VPC Network Peering with custom route exchange does not support overlapping IP ranges and it has no route filtering to selectively block conflicting subnets. Overlapping prefixes cause conflicts and the routes are not imported, therefore it cannot satisfy the requirement.

Dedicated Interconnect with custom route advertisements is designed for private connectivity between on premises networks and Google Cloud. Using it to connect two VPC networks in different organizations would require additional infrastructure and complexity, which is not minimal redesign and is unnecessary for this use case.

Question 7

The correct option is Apply network tags to each layer and create VPC firewall rules that allow web to service and service to database while preventing web to database.

This configuration uses firewall rules as the enforcement point for lateral traffic inside a VPC. You assign distinct tags to the instances in each managed instance group through their instance templates, then create an ingress allow rule that targets the service tier with a source tag that identifies the web tier. You also create an allow rule that targets the database tier with a source tag that identifies the service tier. To ensure there is no direct web to database path, add an explicit deny from the web tag to the database target with a higher priority than any broader allows, or rely on the absence of an allow so the implied deny blocks it.

This works because VPC routing is destination based and does not enforce hop by hop traversal. Firewall rules define which sources can reach which targets, and tags make it easy to select entire tiers in managed instance groups with consistent policy.

Place each layer in separate subnetworks within the VPC is insufficient on its own because subnet boundaries do not block traffic. Traffic can flow between subnets in the same VPC whenever firewall rules allow it, so you still need explicit rules to constrain which tiers can talk.

Configure Cloud Router with custom dynamic routes and use route priorities to force traffic to traverse the service tier does not meet the requirement because Cloud Router exchanges routes with peer networks using BGP and does not control instance to instance traffic inside a VPC. Route priority cannot force traffic to take a middle hop between tiers.

Add tags to each layer and create custom routes to allow only the desired paths is incorrect because VPC routes are destination based and cannot express policies that depend on both source and destination. Custom routes cannot prevent a directly reachable destination from being used, so they cannot reliably enforce tier by tier traversal. You need firewall rules for that control.

Question 8

The correct option is Compress telemetry every 30 minutes and store snapshots in Cloud Storage Coldline.

Coldline is designed for data that is accessed very infrequently and kept for months to years, which aligns with telemetry that will be rarely accessed over 18 months. It offers lower storage cost than classes intended for more frequent access while still providing immediate access when needed. The minimum storage duration for Coldline is reasonable for long lived telemetry and its retrieval and operation costs are appropriate when access is rare, which makes total cost lower than options optimized for more frequent reads.

Stream telemetry to BigQuery partitions with long term storage pricing is not optimal for cost minimization of rarely accessed raw telemetry because BigQuery is an analytics warehouse and not a low cost archival store. Streaming inserts and query based access add ongoing costs and BigQuery long term storage still tends to be more expensive than Google Cloud Storage archival classes for large volumes kept primarily for retention.

Compress telemetry every 30 minutes and store snapshots in Cloud Storage Nearline targets data accessed roughly once a month, which is more frequent than this workload requires. Its storage price is higher than Coldline, so it does not minimize cost for data that will be accessed only rarely over 18 months.

Compress telemetry every 30 minutes and store snapshots in Cloud Storage Archive is optimized for data accessed less than once per year and for long term preservation. For telemetry that may still need occasional investigation within the 18 month window, the higher retrieval and operation costs can outweigh the storage savings compared with Coldline, so it is not the best balance for minimizing total cost in this scenario.

Question 9

The correct option is Place the application in two Compute Engine managed instance groups in two different regions within one project and use a global external HTTP(S) Load Balancer to fail over between the groups.

This design delivers regional resilience because each region runs its own managed instance group and the global external HTTP(S) Load Balancer presents a single anycast IP to users. The load balancer continuously health checks the backends and automatically shifts traffic to the healthy region when a region becomes unavailable. Managed instance groups add autohealing and autoscaling so the application maintains capacity and replaces failed virtual machines without manual action.

Keeping both instance groups in one project keeps configuration, identity and access, logging, and troubleshooting straightforward. The global external HTTP(S) Load Balancer natively supports multi region backends within a single project which is the simplest way to meet the requirement for automatic cross region failover.

Run the application on a single Compute Engine VM and attach an external HTTP(S) Load Balancer to handle failover between instances is incorrect because a single virtual machine in one region cannot survive a regional outage and an external HTTP(S) Load Balancer needs multiple healthy backends to fail over to. This setup offers neither regional redundancy nor managed recovery.

Place the application in two Compute Engine managed instance groups in different regions that live in different projects and configure a global HTTP(S) Load Balancer to shift traffic between them is unnecessary for the goal. While cross project backends can be made to work with additional features, it adds complexity without improving availability for this scenario and the simpler same project design already meets the requirement.

Launch two standalone Compute Engine VMs in separate regions within one project and set up an HTTP(S) Load Balancer to route traffic from one VM to the other when needed is incorrect because standalone instances do not provide autohealing or autoscaling and the load balancer distributes traffic to backends rather than forwarding from one virtual machine to another. This design is brittle and does not ensure reliable failover.

Question 10

The correct option is Import as Windows 2022 Datacenter BYOL and use Sole Tenant Node.

This approach lets you bring your existing Microsoft volume licenses while staying compliant because Windows Server BYOL on Google Cloud requires running on dedicated hosts. Using BYOL with Windows Server is supported only when the VMs are placed on dedicated capacity, which is provided by sole tenant nodes. You import the Windows Server 2022 Datacenter image as BYOL and schedule the VMs onto dedicated nodes so your licenses remain isolated and auditable according to Microsoft terms.

Compute Engine Windows image is incorrect because Google provided images are license included and you would pay for the Windows license through Google Cloud rather than reusing your existing licenses.

Migrate to Virtual Machines with license included images is incorrect because license included choices bundle the Windows Server license and do not allow you to apply your existing volume licenses.

Import disk and run on shared tenancy is incorrect because BYOL for Windows Server is not permitted on shared tenancy and must run on dedicated hosts to meet Microsoft licensing requirements.

Question 11

The correct option is Create a Cloud Logging sink with a filter for Cloud VPN entries and export them to a Cloud Storage bucket for long term retention.

This approach uses a log sink to route only Cloud VPN log entries so you retain precisely what auditors need. Exporting to Cloud Storage gives durable and cost effective storage. You can set a bucket retention policy to 18 months which prevents early deletion and meets the compliance requirement. This also avoids the default retention limits of Cloud Logging so the logs remain available for the full audit window.

Build a Cloud Logging dashboard that shows Cloud VPN metrics for the past 18 months is incorrect because dashboards visualize data and do not store it. They cannot extend log retention and cannot guarantee that raw log entries are kept for 18 months.

Configure a Cloud Logging export that publishes matching entries to Pub/Sub is incorrect because Pub/Sub is a messaging service and not an archival store. Message retention is limited to days and without an additional storage destination it cannot satisfy an 18 month retention requirement.

Enable firewall rule logging on the Compute Engine rules that handle VPN traffic is incorrect because firewall logs record allow and deny decisions for firewall rules rather than Cloud VPN tunnel events. Enabling this does not address the need to retain Cloud VPN logs for 18 months.