Infra, Apps & APIs Flashcards
Infra, Networking, Security, Apps & APIs (134 cards)
1
Q
What are the four overarching managed service options on GCP?
A
IaaS - Compute Engine
PaaS - App Engine
CaaS - Cloud Run
FaaS - Cloud Functions
2
Q
What are the five fundamental attributes of Cloud Services?
A
1) On-demand Self-Service - No human intervention needed to access resources
2) Resource Pooling - Provider shares resources to customers
3) Rapid Elasticity
4) Measured Service - Pay for what we consume
5) Internet-Enabled - Access from Anywhere
3
Q
What are the two primary design principles of cloud native architecting?
A
1) Scalability:
- Ability to handle varying demands
- Reduce cost of under-utilised resources
- Scale up and down without compromising performance
2) Resilience:
- Functions despite failures of individual components
4
Q
What are the three migration methodologies for Google Cloud, and what are their pros and cons?
A
1) Lift and Shift
Pro: No need to rebuild applications or learn cloud skills.
Cons: Ignores cloud-native benefits, applications run without scaling and resilience benefits of cloud-native technologies.
2) Improve and Move
Pro: Introduces automation of scaling and reslience.
Cons: New skills and code management.
3) Rip and Replace
Pro: Remove technical debt
Cons: Requires highest level of time and skill investment.
5
Q
What are the 4 key design implementation choices to achieve a microservice architecture?
A
1) Loosely coupled services.
2) Asynchronous operations.
3) Stateless components.
4) Caching.
6
Q
What is the strangler pattern?
A
A methodology of incrementally replacing components of legacy applications with new services.
Named after the strangler tree.
7
Q
What are the four types of technical testing?
A
1) Unit Testing - Tests individual components of the application.
2) Integration Testing - Tests components grouped together.
3) Performance Testing - Tests the responsiveness of individual components.
4) Load / Endurance Testing - Tests the entire system placed under heavy load.
8
Q
What is Unit Testing and what are its pros and cons?
A
Tests individual components of the application.
Pro: Easy to spot errors and automate.
Con: Does not test external dependencies.
9
Q
What is Integration Testing and what are its pros and cons?
A
Tests components of an application when they are grouped together and reliant on one another.
Pro: Tests external dependencies and can be automated through mocking.
Cons: Can be difficult to understand the root of errors due to the black-box nature of integration.
10
Q
What is the recommended production-grade method for running Cloud Build?
A
Declaratively, by creating a cloudbuild.yaml in your SCR.
11
Q
What are the 3 types of roles you give to a GCP account within a project and what do they provide?
A
Primitive Roles - Applys at Project Level: Owner, Editor, Viewer and Billing Administrator.
Predefined Roles - Applys at GCP service level: Such as write access to Cloud Storage, but only view access to Compute Engine.
Custom Roles - Create your own roles such as “instanceOperator” where you can specify and manage the permissions. They can only be specified at the project level, not folder or org.
12
Q
Explain what blue / green deployment strategy is.
A
Blue-green deployment is a deployment strategy that utilizes two identical environments, a “blue” (aka staging) and a “green” (aka production) environment with different versions of an application or service. Quality assurance and user acceptance testing are typically done within the blue environment that hosts new versions or changes. User traffic is shifted from the green environment to the blue environment once new changes have been tested and accepted within the blue environment.
13
Q
What are the pros and cons of a blue / green deployment strategy?
A
Benefit - Rollback is straight forward, traffic can simply be routed back to the Green environment if the Blue environment sees any issues.
Drawbacks -
1) Cost of running two production-grade environments.
2) Depending on the implementation, shifting all user traffic at once can present risks.
3) In-flight user transactions may be lost when the shift in traffic is made.
14
Q
Explain what canary deployment is.
A
A canary deployment is a deployment strategy that releases an application or service incrementally to a subset of users. All infrastructure in a target environment is updated in small phases (e.g: 2%, 25%, 75%, 100%). A canary release is the lowest risk-prone, compared to all other deployment strategies, because of this control.
15
Q
What is the primary benefit and drawback of canary deployment strategies?
A
Pro: It’s cheaper than a blue-green deployment because it does not require two production environments.
Con:
- Some tests will need to be conducted in production.
- Often need to establish a trusted tester user base to roll out new features to.
16
Q
Which fully managed platform uses a container as its sole deployment artifact?
A
Cloud Run
17
Q
What are some good uses cases for a message bus like Cloud Pub/Sub?
A
Distributing messages between downstream microservices.
18
Q
You wish to direct a small percentage of production traffic to a new version of your application, so that your changes can be tested with live users. What is the name of this deployment pattern?
A
Canary Deployment
19
Q
How should application source code be stored for cloud-native software development?
A
The full codebase, including configuration and deployment files, should be stored in a collaborative source code repository, such as git.
20
Q
What type of testing tests external dependencies and multiple components and is sometimes referred to as a type of “black box” testing?
A
Integration testing
21
Q
You wish to maintain two entirely separate production environments, so that you can work on each one in isolation and then switch all production traffic between them when you are ready to release updates. What is the name of this deployment pattern?
A
Blue/Green Deployments
22
Q
What is the MOST efficient way to grant access to an object in cloud storage to an external user with no Google account?
A
Create a signed URL to grant temporary access to the object.
Signed URLs are a convenient way to embed the necessary authentication information into the URL itself, and to grant time-restricted access to specific objects in file storage.
23
Q
How can you prevent accidental deletion of objects in cloud storage for a minimum period of time?
A
Apply a retention policy to the bucket to prevent the deletion of objects until they have reached a minimum age.
24
Q
Your application expects a MySQL database connection to exist on localhost (i.e., running on the same server), but you would rather use Cloud SQL. How can you facilitate this?
A
Use the Cloud SQL proxy.
25
What is the equivilent of a deployment within Kubernetes for Compute Engine?
Managed Instance Groups allow you to spread compute across multiple zones within a region,auto-scaling and auto-healing and from an instance template.
26
What is the recommended way to install the Cloud Logging agent on a Compute Engine instance running Debian or Ubuntu Linux?
Add the logging agent repo and install using the system package manager.
27
What are the two methods for running a startup script on a new Compute Engine instance?
1) Define the startup script metadata when the instance is created containing the script itself.
2) Upload a startup script to Cloud Storage, and add its URI as metadata with the key: startup-script-url.
28
What IAM role is granted to the Compute Engine default service account?
Project Editor
29
You are running a managed instance group of application servers that you need to make available to other applications in Compute Engine. The application servers should only be accessed internally via private IPs from other Compute Engine services.
What two methods of service discovery could you use for this?
1) Create an internal load balancer with the managed instance group as a backend. Configure an internal DNS name in Cloud DNS for the frontend of the load balancer.
2) Nominate a primary application server and store its private IP in project metadata. Have other services query the metadata server to retrieve the primary application server IP.
30
You have created a compute engine instance that will connect to a Cloud SQL instance. Following best practice, you are using a custom service account that only grants the Cloud SQL Client permission. You are also using a startup script stored in Cloud Storage to configure your instance. However, when your instance starts, the script does not seem to run. What could be the problem and how might you fix it?
The service account does not have permission to access the startup script in Cloud Storage. Add the Storage Object Viewer role to the service account and reset the instance.
31
You want to manage a group of stateless web server instances on Compute Engine in a way that would be resilient to the loss of a single GCP zone. What is the best way to achieve this?
Create a regional managed instance group.
32
Your application requires a VM with 10 vCPUs and 64GB of memory, but this isn't a predefined option for a machine type in Compute Engine. What do you do?
Create a custom machine type using the GCP console that matches the exact requirements.
33
Why would you use Cloud Run over Cloud Functions?
1) If you require a runtime-environment not provided by Cloud Functions.
2) If you want to include a persistent file system
3) You can spin up multiple requests per instance with Cloud Run whereas Cloud Functions are one request per instance.
34
You have a workload running in a deployment on GKE, with a replica set of 4 Pods. Your dev team has provided you with an updated container image and asked you to deploy the update. You want to do this in a way that causes minimal service interruption, but you also want to control the overall amount of resources being consumed, so you don't need to add nodes to the cluster. What is the best way to update the deployment?
Ensure deployment is using a rolling update. Kubernetes' default rolling update strategy means that the rollout will pause if more than 25% of new Pods are not healthy, but it will also limit the increased number of Pods in use during the rollout (the surge), to 25%. You can amend this in the deployment.yaml if necessary.
35
Which of the following is the correct explanation of why a Pod would be in a Succeeded or Completed state?
1) All of the containers in a Pod are running and ready to serve.
2) All of the necessary container images have been downloaded and the Pod is getting ready to start.
3) All of the containers in a Pod have terminated in success and will not be restarted.
4) A Pod has been successfully deleted.
3) All of the containers in a Pod have terminated in success and will not be restarted.
36
What is the cause of a CrashLoopBackOff error in GKE?
A container has failed to start successfully and continued to fail on repeated attempts.
37
Your application in GKE needs access to a MySQL database, and your organization has a technical requirement to use managed databases wherever possible. What is the best solution here?
Use Cloud SQL for the database, and use a sidecar container to run the Cloud SQL proxy inside your application's Pod.
38
You have a small piece of code that takes an image and resamples it to a thumbnail version. You want to run this code in your GCP project every time a user uploads a photo with your application, which stores user photos in a Cloud Storage bucket. How could you implement this with managed services in a way that does not interfere with the running of the main application?
Deploy the resampling code as a small API program to Cloud Functions. Configure the function to be triggered whenever a new image is uploaded to the storage bucket.
39
Which open standard specification does Cloud Endpoints and API Gateway require APIs to be defined with?
OpenAPI 2.0
40
What are some best practices for Google Cloud Functions? (Select 3)
a) Use multiple dependencies for your chosen programming language to avoid the risk of missing libraries.
b) Don't start background processes.
c) Use only the dependences that are specifically required by the function.
d) Don't delete temporary files as part of the logic of the function. This is a computing overhead, and the platform automatically clears temporary files.
e) Spawn all processing in the background.
f) Always delete temporary files as part of the logic of the function.
b) Don't start background processes.
c) Use only the dependences that are specifically required by the function.
f) Always delete temporary files as part of the logic of the function.
41
What is the default retention period for user logs stored in the default logs bucket?
30 days, and retention can be configured from 1 day to 10 years.
42
You are developing a backend for a mobile game. The game includes a market place where players can trade items with each other. The details of each trade are written to application logs. You would like to monitor the average price of some items in the game and also create an alert when you suspect an item has been sold for an artificially inflated price. How can you use Operations Suite to help you achieve this in a quick and easy way?
Configure logs-based metrics to track trade prices in Cloud Monitoring. Create an an alerting policy to notify you when a trade price is above a certain threshold.
43
You have several GCP projects containing resources that you would like to monitor with a single dashboard. What is the recommended way to achieve this?
Configure a separate project as a "host" project for a Cloud Monitoring workspace and use it to manage all the other projects.
44
You would like to use BigQuery to analyse logs that are collected by Cloud Logging. What is the easiest way to enable this?
Configure BigQuery as a custom sink for logs.
45
What is the default retention period for audit security logs on GCP?
400 days, and it cannot be changed.
46
You have deployed an app to App Engine, which seems to be mostly working. Occasionally the application returns an HTTP 500 Internal Server error. It generates lots of logs per request, so you are having difficulty tracking down the problem. Which Operations Suite tool could you most easily use to help you?
Cloud Error Reporting
47
You have deployed an internal tool to App Engine, and you wish to grant access to other members of your team. You all work remotely, and there is no VPN configuration for your organization. However, everyone has a Google Workspace identity. What is the easiest way to handle authentication for your app?
Use Cloud Identity Aware Proxy and grant the IAP-secured Web App User role to users who should be permitted to access the app.
48
Which managed GCP service crawls an App Engine, Compute Engine, or GKE application URL to identify security vulnerabilities?
Web Security Scanner
49
You need to store a series of API keys inside your GCP project, ideally using a managed service. Which is the best option?
Cloud Secret Manager
50
Your organization works in a regulated industry where you must be able to guarantee the safety and location of data. You are storing sensitive information in Cloud Storage. Which options will help you ensure that data remains in a specific region and is not moved? (Select 2)
A) Multi-region storage buckets
B) Firewall rules
C) Regional storage buckets
D) VPC Service Perimeter
C) Regional storage buckets - Using the regional storage class will allow you to choose a region for data to be stored.
D) VPC Service Perimeter - A VPC service perimeter can guarantee that data will not leave a defined boundary inside a project.
51
Your organization has two separate product teams that develop their own services in isolation. Each team requires a way to develop their application and deploy it to separate development, staging, and production environments. What is the best way to set this up in the GCP hierarchy?
Use a single GCP organization, and create folders for each of the product teams. Within each folder, create separate projects for development, staging, and production environments.
52
You are storing billing reports in a storage bucket and need to grant read-only access to your finance team. What is the best way to set this up?
Add the members of the finance team to a group, and grant the group the Storage Object Viewer role on the bucket containing the reports.
53
Your development team uses GitHub to manage their code. You need to perform debugging tasks to resolve an error that was recently reported by the QA team. What should you do?
Set up Cloud Debugger, create a snapshot, and set log points.
54
You have written a Cloud Function in Node.js with source code stored in a Git repository. You want any committed changes to the source to be automatically tested. You write a Cloud Build configuration that pushes the source to a uniquely named Cloud Function, then calls the function as a test, and then deletes the Cloud Function as cleanup. You discover that if the test fails, the Cloud Function is not deleted. What should you do?
A. Change the order of the steps to delete the Cloud Function before performing the test, which can indicate a result failure.
B. Include a waitFor option in the configuration for the Cloud Function deletion that identifies the test step as a required preceding step.
C. Have the test write its results to a file and return 0. Add a final step after the Cloud Function deletion that checks whether the file contains the expected results.
D. Have the test set its outcome in an environment variable called result and return 0. Add a final step after the Cloud Function deletion that checks whether the result contains the expected results.
C is correct. There is a persistent file system that is shared between steps in a Cloud Build. We change the story to be:
1. Deploy the Cloud Function.
2. Save the results of calling the Cloud Function to a file.
3. Delete the Cloud Function.
4. Test the content of the file.
Since step 2 can now never fail, step 3 is executed and step 4 defines the outcome of the build as a whole.
55
You have deployed a web application in a Google Kubernetes Engine (GKE) cluster. You are reviewing the Cloud Monitoring metrics and find that your cluster’s CPU load fluctuates throughout the day. To maximize performance while minimizing cost, you want the number of replicas to automatically adjust. What should you do?
A. Modify the managed instance group (MIG) to enable Autoscaling to configure max and min amount of nodes based on CPU load.
B. Enable Cluster Autoscaler on the GKE cluster, and configure the Horizontal Pod Autoscaler (HPA) to autoscale the workload based on CPU load.
C. Enable Cluster Autoscaler on the GKE cluster, and configure the HPA to autoscale the workloads based on a custom metric.
D. Modify the MIG to enable Autoscaling to configure max and min amount of nodes based on CPU load, and configure the Vertical Pod Autoscaler (VPA) to scale workloads based on CPU load.
B. Enable Cluster Autoscaler on the GKE cluster, and configure the Horizontal Pod Autoscaler (HPA) to autoscale the workload based on CPU load.
56
Your organization develops and tests multiple applications on Compute Engine virtual machine instances across 3 environments; Test, Staging, and Production. The separate development teams for each application require minimal access to Production but broad access in Test and Staging. You need to design the Resource Manager structure to support your organization in following least-privilege best practices. What should you do?
A. Create one project per environment per application. Assign the application team members an IAM role at the project level.
B. Create one project per environment. Assign the application team members an Identity Access Management (IAM) role at the project level.
C. Create one project per environment. Group each application team member into a Google Group. Assign the application team’s Google Group an IAM role at the project level.
D. Create one project per environment per application. Group each application team member into a Google Group. Assign the application team’s Google Group an IAM role at the project level.
D is correct because a project provides good isolation for each application team, and managing membership via a group is easier to maintain over time.
57
Your application that is deployed in the App Engine standard environment receives a large amount of traffic. You are concerned that deploying changes to the application could affect all users negatively. You want to avoid full-scale load testing due to cost concerns, but you still want to deploy new features as quickly as possible. Which approach should you take?
Use App Engine traffic splitting to have a smaller part of the users test out new features, and slowly adjust traffic splitting until all users get the new features. Traffic splitting allows real user testing without impacting all users and reduces load testing costs.
58
Your website is deployed on Compute Engine. Your marketing team wants to test conversion rates between 3 different website designs. You are not able to make changes to your application code. What should you do?
Deploy website on App Engine and use traffic splitting.
59
You have an application that accepts inputs from users. The application needs to kick off different background tasks based on these inputs. You want to allow for automated asynchronous execution of these tasks as soon as input is submitted by the user. Which product should you use?
You would choose Cloud Tasks over Cloud Pub/Sub as Pub/Sub is only a messaging service.
60
You have deployed your website in a managed instance group. The managed instance group is configured to have a size of three instances and to perform an HTTP health check on port 80. When the managed instance group is created, three instances are created and started. When you connect to the instance using SSH, you confirm that the website is running and available on port 80. However, the managed instance group is re-creating the instances when they fail verification. What should you do?
A. Change the type to an unmanaged instance group.
B. Disable autoscaling on the managed instance group.
C. Increase the initial delay timeout to ensure that the instance is created.
D. Check the firewall rules and ensure that the probes can access the instance.
D. is correct because the instance has been created and the website is being served, but the health check is failing verification.
61
Your application starts on the virtual machine (VM) as a systemd service. Your application outputs its log information to stdout. You want to review the application logs. What should you do?
A. Review the application logs from the Compute Engine VM instance activity logs in Cloud Logging.
B. Review the application logs from the Compute Engine VM instance data access logs in Cloud Logging.
C. Install Cloud Logging Agent. Review the application logs from the Compute Engine VM instance syslog logs in Cloud Logging.
D. Install Cloud Logging Agent. Review the application logs from the Compute Engine VM instance system event logs in Cloud Logging.
C is correct: a service running in systemd that outputs to stdout will have logs in syslog and will be scraped by the logging agent.
62
You are writing an API endpoint to process orders from a web application and save the data into a Firestore collection. During application testing, you notice that when your application encounters an HTTP 5xx server error from the Firestore API, it catches this error and returns an HTTP 200 OK response code to the client, but does not store the data within Firestore. You want the consumers of your API endpoint to know that the write request was unsuccessful. What should you do?
Return a 500-class response. This clearly communicates to clients that the API call was unsuccessful, and the client can re-submit independently.
63
Why might a GCP customer use resources in several zones or regions?
1) Improved fault tolerance
2) Bring applications closer to users
3) Zones within a region still have fast network connectivity among them.
64
What is Cloud CDN?
Automatically caches "cacheable" content from web applications such as images, videos and js / css files.
65
What are the primary 2 reasons for choosing Apigee over API Gateway / Cloud Endpoints?
If you have services / backends that are outside of GCP, you can only use Apigee.
If you want to billing and analytics on a customer facing API, Apigee is a better alternative.
66
What is the key difference between "Container Analysis API On-Demand Vulnerability Scanning" and "Container Analysis API Automatic Vulnerability Scanning"?
Automatic vulnerability scanning will provide notes on vulnerabilities detected in containers uploaded to Artifact Registry, but the information must be acted on manually, so this won't stop any developers deploying insecure containers.
Integrating on-demand vulnerability scanning into your Cloud Build pipeline will allow you to block a build or deployment if a container image has vulnerabilities matching a predefined severity.
67
How does oAuth 2.0 work?
"Open Authentication" requires three players: the end user, the application (API), and the resource (service provider that has stored your privileged credentials). The transaction begins once the user expresses intent to access the API.
1) Application asks permission: The application or the API asks for authorization from the resource by providing the user’s verified identity as proof.
2) Application requests Access Token: After the authorization has been authenticated, the resource grants an Access Token to the API, without having to divulge usernames or passwords.
3) Application accesses resource: Tokens come with access permission for the API. These permissions are called scopes and each token will have an authorized scope for every API. The application gets access to the resource only to the extent the scope allows.
Think of this like a hotel. You are the application requesting permission, you prove your identity before getting given your hotel key card...which is your Access/Bearer Token as it only grants you access to the room you have permission to access and the hotel room is the resource.
68
What is the purpose of Kubernetes RBAC?
Offers control over lower-level kubernetes resources within the cluster supplementing the control provided directly by cloud IAM which allows you to control access at the gke and cluster level.
69
What is Workload Identity?
A workload identity pool allows you to organise and manage external identity providers, including Cloud IAM.
70
What is the difference between Cloud Logging, Cloud Error Reporting and Cloud Trace?
Cloud logging lets you view logs from your applications and filter and search on them.
Cloud Error Reporting tracks and groups the errors in your cloud applicaitions and notifies you when new errors are detected.
Cloud Trace sample's the latency of applications and allows you to drill down into multi-tiered request procedures.
71
Describe how Cloud Debugger works?
Connects your applications production data to the respective source code repository so you can inspect the state of the app without having to add logging statements.
Allows you to set watchpoints of application state during code execution. In many ways, it's like an IDE, allowing you to insert snapshots and log points into production code.
72
What's the difference between a snapshot and a log point in Cloud Debugger?
Snapshot - Captures the state of your application variables and call stack in production at a specific line location.
Log Point - Every time any instance executes code at the logpoint location, Cloud Debugger logs a message.
73
You are helping your organization move some applications to the cloud. Your HR department relies on a legacy application that runs on a single Windows server. It is due to be replaced in the next two years but for now just needs to be moved out of your private datacenter. What is the best migration target for this server?
Compute Engine
74
Your organization contains multiple product teams that are working on their own microservice applications in isolation, ready to deploy to the cloud. Each application should have a reliable way of communicating with other applications once deployed. While designing the cloud infrastructure, what advice can you offer the product teams to achieve this? (Select 2)
A. Use REST APIs that conform to an API contract
B. Use a message bus middleware service, like Cloud Pub/Sub
C. Store messages that are destined for other applications in a relational database
D. Make HTTP calls with increased error checking to allow for discrepancies
Correct Answer: A
Microservices can expose a REST API for communication. The API design should conform to a contract, so that dependent microservices all understand how to talk to each other even if individual microservices are updated.
Correct Answer: B
Messaging middleware like Cloud Pub/Sub can provide even greater flexibility and scalability for communication between microservices.
75
Your organization works in a regulated industry where you must be able to guarantee the safety and location of data. You are storing sensitive information in Cloud Storage. Which options will help you ensure that data remains in a specific region and is not moved?
A. Regional storage buckets
B. VPC service perimeter
C. Firewall rules
D. Subnets
Correct Answer: A
Using the regional storage class will allow you to choose a region for data to be stored.
Correct Answer: B
A VPC service perimeter can guarantee that data will not leave a defined boundary inside a project.
76
Your organization contains multiple product teams who each deploy their applications within their own GCP projects. Applications must communicate with each other within the same VPC. However, application teams should not be allowed to control or administer VPC settings. How can you set this up?
Create a host project to control VPC networks, and share them with application teams using Shared VPC. This will allow the application teams to run their apps on the same VPC network, without giving them any control of the network.
77
You have created a simple web API that runs in Cloud Functions. To make the API available to the public, you would like to integrate authentication from Auth0. Which is the easiest way to do this?
Cloud API Gateway will provide a managed serverless API layer that can integrate with Auth0.
If you then wish to enable billing and analytics, Apigee will become the more viable option.
78
You are managing a team of developers who will be deploying apps to Kubernetes Engine. You need to be able to restrict specific users to deploying to a certain namespace only, that is within a GKE cluster. How can you set this up?
Using RBAC, create a Kubernetes Role with the necessary permissions within the appropriate namespace and assign it to the user.
Cloud IAM can be used to manage permissions to GKE and Cluster level, however RBAC is used for individual Kubernetes resources, such as namespaces.
79
You are running a website for a famous photographer in Compute Engine using autoscaling Managed Instance Groups (MIGs) and the Cloud Load Balancer. When your customer takes a photo that goes viral, load to the site increases dramatically and more instances are spun up, as per design. However this costs more as you are running more instances. What change could you make to reduce costs?
Enable Cloud CDN.
The Cloud CDN will cache content on Google Front End (GFE), which will reduce overall load on the MIG.
80
Your organization has just completed a large deployment to Kubernetes Engine with multiple interconnected microservices. However, after two separate reviews it has been found that you need to add two important operational features: secure communication and observability of latency between microservices. What is the quickest and easiest way to set this up?
Install Istio service mesh - The Istio service mesh will add a sidecar container to all deployed Pods to instantly provide secure mTLS communication, as well as latency observability between microservices.
81
Your CSO is concerned that developers in your organization's application teams may be using insecure container images that may expose vulnerabilities when deployed. What GCP service can you leverage to help stop this happening?
Container Analysis API On-Demand Vulnerability Scanning
Why?
Integrating on-demand vulnerability scanning into your Cloud Build pipeline will allow you to block a build or deployment if a container image has vulnerabilities matching a predefined severity.
82
An application team in your organization has developed a cloud-native app, and they have configured a deployment pipeline using Cloud Build, Container Registry, and Cloud Run. However, they set up their GCP project and the supporting resources (storage buckets, database, etc.) manually using the web UI. They now need to create separate GCP projects for staging and production environments. They want to reduce repetition and improve parity between environments. What approach should they use to do this?
Use Infrastructure-as-Code (IAC) such as Terraform or Deployment Manager to create GCP environments.
83
You are creating an application and need to choose a database. Your application stores records about customers, products, purchases, prices, and locations. You believe that queries will often require looking at many of these types of data at once and combining them to produce a result. What sort of database should you choose?
A. In-memory database
B. Time-series database
C. Non-relational database
D. Relational database
D Relational database
84
A development team in your organization is deploying their application by manually building Docker images, pushing them to Container Registry, and then creating a new Cloud Run service revision using the GCP console UI. What could you recommend to help them make this process more efficient?
Use Cloud Build to automate building the image, storing it in Container Registry, and updating the Cloud Run service.
85
You are managing an application that is deployed to a Managed Instance Group (MIG) of Compute Engine VMs. When the group scales up, new instances in the group run a startup script that updates their packages and installs the required software before they are ready to serve. This means that autoscaling events normally take 10-20 minutes before the group can respond to the new demand in traffic. How could you speed this up?
A
Create a Compute Engine custom image using the latest version of the software. Apply only the security updates on the instance when it first runs.
B
Create a pipeline that creates a new Compute Engine custom image every week with the latest security updates, plus the latest version of the software. Use the custom image in the MIG.
C
Do not apply security patches, only install the application on first boot.
D
Create a Compute Engine custom image with the latest security updates. Apply only the application software installation when it first runs.
Correct Answer: B
This solution is the best of both worlds, as it will keep an up to date image that will boot in the quickest time possible. It will also allow you to test for compatibility with updates as part of the pipeline.
86
You want to run a public Cloud Run service that should be able to trigger a private HTTP cloud function. The function will access a private database. What is the most secure way to configure this?
A
Create a single custom service account for the identity of the Cloud Run service and the Cloud Run function. Grant only the permissions required for both services to work.
B
Create a custom service account for the Cloud Function. Grant only the permissions required to the function for it to work. Make the Cloud Run service allow unauthenticated invocations to make it public.
C
Create a custom service account for the Cloud Function. Grant only the permissions required to the function for it to work. Do not allow unauthenticated invocations for the Cloud Run service.
D
Create separate custom service accounts for the Cloud Run service and the Cloud Function. Grant only the permissions required to the function for it to work. Grant the Cloud Run account only the permission to trigger the cloud function. Make the Cloud Run service allow unauthenticated invocations to make it public.
Correct Answer: D
This solution follows the security principle of least privilege. The public facing service only has permission to invoke the function and cannot access any other resources in your GCP project if it is compromised.
87
You have been asked to deploy PostgreSQL to Kubernetes to provide a database for your organization's app. The containerized PostgreSQL workload is stateful and requires a persistent disk for each Pod. In addition, the first Pod that comes up will assume it is the master of the database cluster, with subsequent Pods assuming a replica role. What is the correct object to use to create this workload in Kubernetes?
StatefulSet
88
As your development team moves towards cloud-native app design, what methods would you recommend getting software deployed to a Compute Engine VM? (Select all that apply)
A
Bootstrapping installation using a startup script
B
Using a configuration management tool like Ansible
C
Using SSH to connect to an instance to install packages
D
Using a custom machine image to deploy a pre-installed application
A, B and D
89
You have created a stateless web application that you will deploy to Compute Engine. You need to ensure that it can autoscale based on demand, and that it is resilient to the loss of a single GCP zone. What is the best way to achieve this?
Create a regional managed instance group.
This not only automates the creation of the instances for you, but distributes them across multiple zones in a region for high availability.
90
Your organization is running an application in Google Kubernetes Engine. The new version of the app contains a major change that can only be tested with production traffic. You would like to perform a safe deployment that allows testing on production traffic while minimizing the risk for the majority of users. How can you achieve this?
A) Create a new deployment for a canary release. Ensure that each deployment has labels that identify it as either "production" or "canary". Update the Service selector to point to the canary deployment for roughly 2.4 hours of the day, providing it with the 10% of production traffic required for testing.
B) Create a new deployment for a canary release. Ensure that the old and new deployments share the same label for the application name. Make sure the size of the canary deployment is appropriate (e.g., 10% the size of the current deployment). Use a Service with a selector that routes traffic to Pods based on the application label.
C) Create a traffic split across multiple backends using the Cloud Load Balancer to point 10% of traffic at the new release.
D) Update 10% of the Pods within the deployment to the new version of the application.
Correct Answer: B
Why?
As both deployments share the same label, traffic from the Service could route to either deployment, but through deployment sizing you will route roughly 10% of traffic to the canary deployment as per the requirement.
91
You are creating a startup script to run on a fleet of Compute Engine instance. The script will configure the instance based on its location and desired purpose (e.g., frontend, backend, etc.). Using GCP services, what is the easiest and most simple form of service discovery that the script can use to identify what to do with an instance?
A) Store instance locations and profiles in Cloud Firestore.
B) Store instance locations and profiles in Cloud SQL.
C) Compile a list of instances and profiles in CSV format and store it in Cloud Storage. Retrieve the data from Cloud Storage at startup.
D) Use the GCE Metadata server to retrieve instance location and tags.
Correct Answer: D
Simple service discovery can be managed using just the metadata server. Tags, location and other data can be retrieved at startup time by the script.
92
Your application needs to register new users and send them a welcome email. You use a third-party service, which simply accepts an HTTP request, to send emails, but occasionally the requests take up to a minute to be accepted or they time out. How can you utilize GCP services to help you reduce the impact on users of using this service?
Cloud Tasks queues are perfect for queuing tasks that can be completed asynchronously without blocking the current user activity. Failed attempts will be retried automatically.
93
You are designing the infrastructure for a new ecommerce application. It is important that logs from every part of the application are available for your data analytics team to query using standard SQL syntax. The solution you choose must scale as your application grows. What is the best way to set this up?
Use Cloud Logging for your application and configure BigQuery as a sink.
94
You are monitoring an application that handles queues of tasks for an internal system. You have configured a custom logs-based metric to alert you whenever a queue has over 100 uncompleted tasks. Sometimes, however, a queue can have no tasks for a length of time, which usually means some other part of the system has gone wrong. How can you also use Cloud Monitoring to alert you of this situation?
95
Which of the following actions require you to stop a Compute Engine instance? (Select 2)
A Creating a snapshot of a persistent disk
B Migrating to a different VPC
C Resizing a persistent disk
D Changing a machine type
B and D
96
You are trying to scale up a deployment in Kubernetes Engine, but your Pods are not being scheduled. You can see an error regarding "insufficient CPU". What could be causing this problem? (Select all that apply)
A) There are currently no more instances that can be scheduled by Compute Engine for your cluster.
B) The Pod has been scheduled but keeps crashing because it is using too much CPU.
C) Pods cannot be scheduled because all of the available CPU of the available nodes has already been consumed.
D) Pods cannot be scheduled because they are requesting more CPU than is currently available.
C and D
97
You have updated an existing deployment in Google Kubernetes Engine with a new version of your application, but Pods in the new ReplicaSet are failing to start, reporting an error of ImagePullErr. What could be the cause of this error?
The updated container image is not available.
98
Your monitoring dashboard is showing you that 10% of requests are responding with a significant delay. However, each request has to traverse several application layers and you are not sure which layer may be causing the most latency. What is the best way to troubleshoot this?
Cloud Trace
99
You are managing an application that is deployed as a Managed Instance Group (MIG) in Compute Engine. It is set to autoscale when demand increases, but the application take some time to start so there is a delay before an autoscaling event can accommodate the extra demand in traffic. You believe that you could trigger the autoscaling earlier based the number of a type of event recorded in your application logs, rather than using a simple CPU metric. How can you set this up?
A logs-based counter metric counts the number of log entries that contain a specific message. You can then use this logs-based metric to configure autoscaling.
100
Please describe the differences between Cloud Tasks and Cloud Pub Sub and when is the best time to use both?
Pub/Sub supports implicit invocation: a publisher implicitly causes the subscribers to execute by publishing an event.
By contrast, Cloud Tasks is aimed at explicit invocation where the publisher retains full control of execution. In particular, a publisher specifies an endpoint where each message is to be delivered and when it needs to be delivered.
Overall Cloud Tasks are appropriate for use cases where a task producer needs to defer or control the execution timing of a specific webhook or remote procedure call. Pub/Sub is optimal for more general event data ingestion and distribution patterns where some degree of control over execution can be sacrificed.
101
What is an SRE?
What happens when you ask a software engineer to design an operations team
102
What is the name of Google's internal version of kubernetes?
Borg
103
What is the structural conflict that SRE attempts to resolve, and what mechanism do we use to resolve it?
Pace of Innovation vs Product Stability
We resolve it through the introduction of an error budget.
Error budgets observe that a reliability target of 100% is counter productive, as users do not see the benefit between 99.999% and 100%. So the 0.001% is the error budget.
This makes outages something that the product and ops teams expect and budget for...rather than fear.
104
You have a service running on Compute Engine virtual machine instances behind a global load balancer. You need to ensure that when the instance fails, it is recovered. What should you do?
Set up health checks in the managed instance group configuration.
105
You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster. The application exposes an HTTP-based health check at /healthz. You want to use this health check endpoint to determine whether traffic should be routed to the pod by the load balancer.
Which code snippet should you include in your Pod configuration?
A) livenessProbe
B) Liveness
C) readinessProbe
D) readiness
E) LoadbalancerHealthCheck
F) healthCheck
C) readinessProbe
106
You are developing a JPEG image-resizing API hosted on Google Kubernetes Engine (GKE). Callers of the service will exist within the same GKE cluster. You want clients to be able to get the IP address of the service.
What should you do?
Define a GKE Service. Clients should use the name of the A record in Cloud DNS to find the service's cluster IP address.
107
Your service adds text to images that it reads from Cloud Storage. During busy times of the year, requests to Cloud Storage fail with an HTTP 429 "Too Many
Requests" status code.
How should you handle this error?
Retry the request with a truncated exponential backoff strategy.
108
Your application is controlled by a managed instance group. You want to share a large read-only data set between all the instances in the managed instance group. You want to ensure that each instance can start quickly and can access the data set via its filesystem with very low latency. You also want to minimize the total cost of the solution.
What should you do?
Move the data to a Compute Engine persistent disk, and attach the disk in read-only mode to multiple Compute Engine virtual machine instances.
109
Your existing application keeps user state information in a single MySQL database. This state information is very user-specific and depends heavily on how long a user has been using an application. The MySQL database is causing challenges to maintain and enhance the schema for various users.
What recommendation do you have?
Migrate to Cloud Firestore in order to reduce maintenance of the schema.
110
You are building a new API. You want to minimize the cost of storing and reduce the latency of serving images.
Which architecture should you use?
Cloud Content Delivery Network (CDN) backed by Cloud Storage
111
Your company's development teams want to use Cloud Build in their projects to build and push Docker images to Container Registry. The operations team requires all Docker images to be published to a centralized, securely managed Docker registry that the operations team manages.
What should you do?
Create a separate project for the operations team that has Container Registry configured. Assign appropriate permissions to the Cloud Build service account in each developer team's project to allow access to the operation team's registry.
112
You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster. Your application can scale horizontally, and each instance of your application needs to have a stable network identity and its own persistent disk.
Which GKE object should you use?
StatefulSet
113
You are using Cloud Build to build a Docker image. You need to modify the build to execute unit and run integration tests. When there is a failure, you want the build history to clearly display the stage at which the build failed.
What should you do?
Create a Cloud Build build config file with separate cloud builder steps to compile and execute unit and integration tests.
114
You are using Cloud Build to create a new Docker image on each source code commit to a Cloud Source Repositories repository. Your application is built on every commit to the master branch. You want to release specific commits made to the master branch in an automated method.
What should you do?
Create a build trigger on a Git tag pattern. Use a Git tag convention for new releases.
115
What is the difference between blackbox monitoring and whitebox monitoring?
White Box Monitoring - This type of monitoring mainly refers to the monitoring the internal states of the applications running on your system. Mainly this type of monitoring involves exposing metrics that are specific to your application like total number of http requests received / latency etc.
Black Box Monitoring - This type of monitoring mainly refers to the monitoring state of services in the system. Using this type of monitoring we ensure things like status of the application being alive or dead , cpu / disk usage etc.
116
What is the difference between SLI's, SLO's and SLA's?
SLI - Service Level Indicators
SLO - A certain metric that you want to measure
SLA - A group of SLO's that have consequences if you don't satisfy them
117
You’ve been tasked with evaluating Cloud Pub/Sub. What features do you include in your report? (Choose all that apply.)
A) Both push and pull delivery options.
B) Connections to Google Cloud services exclusively.
C) One-to-many, many-to-one, and many-to-many delivery possibilities.
D) HIPAA-compliant service.
A, C and D
118
You have an autoscaled managed instance group that is set to scale based on CPU utilization of 60%. There are currently 3 instances in the instance group. You're connected to one of the instances and notice that the CPU usage is a 70%. However, the instance group isn't starting up another instance. What's the most likely reason?
The average CPU for the entire instance group is below 60%.
The autoscaler averages the CPU usage of the entire group. so one instance could be higher than the usage threshold.
119
You need to find a way to connect your on-premises network with Cloud VPC. Which Google Cloud service offers the lowest latency and RFC 1918 communication?
Cloud Interconnect
120
You are running an autoscaling Managed Instance Group (MIG) in Compute Engine. The instances themselves conduct simulations that are fed to it from a scheduling application. This scheduling application has a simple API and also provides service discovery. When instances scale down, the scheduling applications needs to know that they are no longer available to receive simulation jobs. What is the easiest way to configure this?
Provide a local shutdown script as part of the Instance Template that contacts the scheduling API.
121
You are creating a complex design for your GCP project with numerous applications that exist within different trust boundaries. Network traffic must be restricted to specific applications and ports and should not be allowed to leave a specific trust boundary across the network. Which GCP services will help you achieve this?
(Select All)
A) Network tags
B) Firewall rules
C) Cloud Interconnect
D) VPC networks
E) Shared VPC
A, B and D
122
You want to run a workload in GKE that should have access to a private Cloud Run service. Permission to access the Cloud Run service has been granted to a custom service account. Ideally, you don't want to alter the container running in GKE. Which of the following is the best approach to take?
A) Get JSON credentials for the service account and create an environment variable in the Pod manifest to store them.
B) Create a Kubernetes service account to run the workload in GKE. Use Workload Identity to map the Kubernetes service account to the GCP service account.
C) Get JSON credentials for the service account and include them in the container that is deployed to GKE.
D) Get JSON credentials for the service account and store them as a Secret object in Kubernetes. Mount the Secret object in the Pod alongside the container in GKE to access the credentials.
B) Create a Kubernetes service account to run the workload in GKE. Use Workload Identity to map the Kubernetes service account to the GCP service account.
123
You are running a backend service in Kubernetes Engine that is required to communicate with the Cloud Vision API. In order for this to work, you must authenticate with the API. What options do you have for setting this up securely?
(Select 2)
A) Create a custom service account for the backend app, use workload identity in GKE, and have the app retrieve a valid JWT token from the metadata server to use as a bearer token in its request to the Cloud Vision API.
B) Create an API key in the GCP project, Use a Secret object in Kubernetes to assign the key as an environment variable for the backend app to use when making requests to the Cloud Vision API
C) Create a custom service account for the backend app and generate a JSON key. Copy the JSON key into the container image used to deploy the backend app. Send the JSON key in the header when making requests to the Cloud Vision API.
D) Create a custom service account for the backend app and generate a JSON key. Copy the JSON key into the container image used to deploy the backend app. Use gcloud inside the container to activate the service account using the key.
A and B
124
What are the differences vetween a VPC network and subnets within GCP?
1) Subnets are regional resources, as opposed to VPC networks which are global resources.
2) Each subnet defines a range of IP addresses. VPC networks do not have any IP address ranges associated to them.
125
How would you go about connecting VPC networks securely within a hybrid environment?
Cloud VPN or Cloud Interconnect.
126
What is the difference between Shared VPC and VPC Peering?
VPC Peering - Establishes a relationship between 2 VPC's in different projects so they can exchange traffic.
Shared VPC - Enables the full capabilities of IAM across multiple VPC's in multiple projects to control who and what can interact with resources within another peered VPC.
127
What are the benefits of Terraform?
1) Automation of multi-cloud environments.
2) Reduced development costs - Reduced time and errors in provisioning infrastructure and less repeatability in provisioning infrastructure.
3) Collaborative infrastructure management - Easy integration with SCR's for enhanced version control and collaboration.
4) No need to write additional documentation - The tf files become the documentation.
128
What are providers within Terraform?
A plugin that allows us to talk and authenticate to a specific set of APIs.
129
What does the Terraform Plan command do?
Dry run of the code so you can see all the changes that will take place, demonstating what new instances will be created, changed or destroyed prior to implementing the change. Allows you to reduce the risk of breaking your production environment.
130
What does the Terraform Apply command do?
Checks for changes between the deployed environment and the configuration within the declarative tf file and implement changes on any resources that have a change in configuration.
131
How would you go about terminating all resources using Terraform?
in cli, run "terraform destroy"
132
What does the terraform.tfstate file contain?
The latest applied state of the tf files, so it can be used to compare to previous deployed versions to identify where changes have been made.
133
What are the 4 benefits of gRPC over REST API's?
1) Lightweight messages. Depending on the type of call, gRPC-specific messages can be up to 30 percent smaller in size than JSON messages.
2) High performance. By different evaluations, gRPC is 5, 7, and even 8 times faster than REST+JSON communication.
3) Built-in code generation. gRPC has automated code generation in different programming languages including Java, C++, Python, Go, Dart, Objective-C, Ruby, and more.
4) More connection options. While REST focuses on request-response architecture, gRPC provides support for data streaming with event-driven architectures: server-side streaming, client-side streaming, and bidirectional streaming.
134
What is the primary use case for gRPC and what are some of the features that support this use case?
You would use gRPC in envy where:
1) Real-time communication services where you deal with streaming calls
2) In multi-language environments
3) For internal APIs where you don’t have to force technology choices on clients
Therefore, Microservices are the best use case for gRPC.
