Practice Test Bank Flashcards

Question

Question 9 ( Single Topic ) You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services. Which session affinity should you choose? A. None B. Client IP C. Client IP and protocol D. Client IP, port and protocol

Answer 1

Answer : B

Answer 2

Answer : D

Answer 3

Answer : A

Answer 4

Answer : C

Answer 5

Answer : B

Answer 6

Answer : BC

Answer 7

Answer : D

Answer 8

Answer : BD

Answer 9

Answer : B

Answer 10

Answer : B

Answer 11

Answer : D

Answer 12

Answer : C

Answer 13

Answer : C

Answer 14

Answer : C

Answer 15

Answer : D

Answer 16

Answer : B

Answer 17

Answer : AE

Answer 18

Answer : D

Answer 19

Answer : C

Answer 20

Answer : D

Answer 21

Answer : BD

Answer 22

Most Voted D

Answer 23

Most Voteda A

Answer 24

D is the answer because HTTP(S) load balancer can direct traffic reaching a single IP to different backends based on the incoming URL. A is not correct because configuring a new load balancer would require a new or different SSL and DNS records which conflicts with the requirements to keep the same SSL and DNS records. B is not correct because it goes against the requirements. The company wants to keep the old API available while new customers and testers try the new API. C is not correct because it is not a requirement to decommission the implementation behind the old API. Moreover, it introduces unnecessary risk in case bugs or incompatibilities are discovered in the new API.

Answer 25

his question could go either way for A or B. But Big Query was designed with this in mind, according to numerous Google presentation and videos. Cloud Datastore is a NoSQL database (https://cloud.google.com/datastore/docs/concepts/overview) Cloud Storage does not have an SQL interface. The previous two sentences eliminate options C and D. So I'd pick "A". IMHO, it should be A only. The reason is that they want to perform analysis on the data and BigQuery excels in that over Cloud SQL. You can run SQL queries in both but I BigQuery has better analytical tools. It can do ad-hoc analysis like Cloud SQL using Cloud Standard SQL and it can do geo-spatial and ML analysis via its Cloud Standard SQL interface.

Answer 26

It's A. AppEngine spins up new containers automatically according to the load. During peak traffic, HTTP requests originated by the same user could be served by different containers. Given that the variable `sessions` is recreated for each container, it might store different data. The problem here is that this Flask app is stateful. The `sessions` variable is the state of this app. And stateful variables in AppEngine / Cloud Run / Cloud Functions are problematic. A solution would be to store the session in some database (e.g. Firestore, Memorystore) and retrieve it from there. This way the app would fetch the session from a single place and would be stateless.

Answer 27

It's A. AppEngine spins up new containers automatically according to the load. During peak traffic, HTTP requests originated by the same user could be served by different containers. Given that the variable `sessions` is recreated for each container, it might store different data. The problem here is that this Flask app is stateful. The `sessions` variable is the state of this app. And stateful variables in AppEngine / Cloud Run / Cloud Functions are problematic. A solution would be to store the session in some database (e.g. Firestore, Memorystore) and retrieve it from there. This way the app would fetch the session from a single place and would be stateless.

Answer 28

A. This is GCP exam. They will always promote their services. Not a third party solution. upvoted 118 times willrof 4 years, 3 months ago Totally Agree. offering Stackdriver Logging is what they want from a GCA. answer is A. upvoted 7 times Ziegler 4 years, 9 months ago Remember that agent is only required for non cloud based resources. The question is saying their cloud based... feel C meets this need

Answer 29

D) and E) are pointless in this context. C) is certainly a good practice. Now between A) and B) A) Blue green deployment is an application release model that gradually transfers user traffic from a previous version of an app or microservice to a nearly identical new release—both of which are running in production. c) In software, a canary process is usually the first instance that receives live production traffic about a new configuration update, either a binary or configuration rollout. The new release only goes to the canary at first. The fact that the canary handles real user traffic is key: if it breaks, real users get affected, so canarying should be the first step in your deployment process, as opposed to the last step in testing in production. " While both green-blue and canary releases are useful, B) suggests "replacing QA" with canary releases - which is not good. QA got the issue down by 80%. Hence A) and C)

Answer 30

I spent all morning researching this question. I just popped over and took the GCP Practice exam on Google's website and guess what... this question was on it word for word, but it had slightly different answers, but not by much here is what I learned. The correct answer is 100% A / D and here is why. On the sample question, the "F" option is gone. "A" is there but slightly reworked, it now says: "Use persistent disks to store the state. Start and stop the VM as needed" which makes much more sense. The practice exam says A and D are correct. Given the wording of this question, if A and B, where there then both would be correct because of the word "persistent" and not because of the flag. The "no-auto-delete" makes A slightly safer than B, but it is the "persistent disk" that makes them right, not the flag. Hope that helps! F is not right because that is a complex way of solving the issue that by choosing Persistent Disk solves it up front. HTH

Answer 31

This is time series data. We also have no idea what kinds of data are being captured so it doesn't appear structurd. A does not seem reasonable because a flat file is not easy to query and analyze. B seems reasonable because this accommodates unstructured data. C seems unreasonable because we have no idea on the structure of the data. D seems unreasonable beacause there is no such Google database type.

Answer 32

"A" and "B" wouldn't turn the VMs on or off, it would jsut prevent traffic. "C" would turn them off if the health check is configured to terminate the VM is it fails. "D" is the start of a pseudo health check without any logic, so it also isn't an answer because it is like "A" and "B". Correct Answer: "C"

Answer 33

A - If client library was not installed, the python scripts won't run - since the question states the script reports "cannot connect" - the client library must have been installed. so it's B or C. B - https://cloud.google.com/bigquery/docs/authorization an access scope is how your client application retrieve access_token with access permission in OAuth when you want to access services via API call - in this case, it is possible that the python script use an API call instead of library, if this is true, then access scope is required. client library requires no access scope (as it does not go through OAuth) C - service account is Google Cloud's best practice So prefer C.

Answer 34

D) and E) are pointless in this context. C) is certainly a good practice. Now between A) and B) A) Blue green deployment is an application release model that gradually transfers user traffic from a previous version of an app or microservice to a nearly identical new release—both of which are running in production. c) In software, a canary process is usually the first instance that receives live production traffic about a new configuration update, either a binary or configuration rollout. The new release only goes to the canary at first. The fact that the canary handles real user traffic is key: if it breaks, real users get affected, so canarying should be the first step in your deployment process, as opposed to the last step in testing in production. " While both green-blue and canary releases are useful, B) suggests "replacing QA" with canary releases - which is not good. QA got the issue down by 80%. Hence A) and C)

Answer 35

The correct answer is B. GCDS tool only copies the usernames, not the passwords. And more over strict security requirements for the passwords. Not allowed to copy them onto Google, I think. Federation technique help resolve this issue. Please correct me if I am wrong. GCDS syncs passwords - Ok but which passwords? Clients need to provide a new password for accessing Google Cloud after GCDS sync. Google recognizes the user because GCDS populated the user list. The user is redirected to a standard Google sign-in screen where they enter their standard username and Google Cloud-specific password. The issue here is the two sets of passwords. Even if a user manually sets them both to the same value, they aren’t managed in a single place. If you need to update your password, you’d have to do that in AD and then again in Google Cloud Identity. In some cases, this approach can allow for better separation between your on-premises environment and Google Cloud, but it’s also one more password to manage for your users.

Answer 36

All four options can accomplish what the question asks, in regards to batching and streaming processes. "A" is for Apache Spark and Hadoop, a juggernaut in speed of data processing. "B" is Google's best attempt at TIBCO, Ab Initio, and other processing technology, built explicity for visualizing batch operations and streams without through various labeled circuit boards. "C" and "D" are used within "A" and "B" and would require more work and higher risk. I'd guess Google wants you to select "B"

Answer 37

Key word: This behavior was not reported before the update A - Not Correct as it was working before with same ISP B - New code update caused an issue- why to open support ticket C - I agree with C D - This requires downtime and live prod affected too

Answer 38

A is the correct answer because the question says "with minimum downtime"

Answer 39

Final Decision to go with Option A. I have done PCI DSS Audit for my project and thats the best suited case. 100% sure to use tokenised data instead of actual card number

Answer 40

Google Cloud Bigtable is well-suited for handling high-throughput, low-latency workloads like clickstream data. It is optimized for analytics on time-series and event data at scale, and it supports high write rates, with the capacity to handle thousands of writes per second. This makes it ideal for storing large volumes of clickstream data with bursts, ensuring data is available for analysis by data science and user experience teams. 1. High throughput for clickstream data: Bigtable is a NoSQL database designed for high write throughput, making it ideal for handling the continuous stream of click data with bursts up to 8,500 clicks per second. 2. Scalability: Bigtable is highly scalable, allowing you to handle increasing data volumes as your website portfolio grows. 3. Low latency: Bigtable provides low latency data access, which is important for real-time analysis and reporting on clickstream data. 4. Integration with BigQuery: Bigtable integrates well with BigQuery, enabling your data science team to perform complex analysis and generate insights from the clickstream data.

Answer 41

All four are correct answers. Google has built in cron job schduling with Cloud Schedule, so that would place "D" behind "C" in Google's perspective. Google also has it's own lifecycle management command line prompt gcloud lifecycle so "A" or "B" could be used. JSON is slightly faster than XML because of the "{" verse "" distinguisher, with a Trie tree used for alphanumeric parsing. So between "A" and "B", choose "B". Between "B" and "A", "B" is slightly more efficient from the GCP operator perspective. So choose "B".

Answer 42

Dataproc is a managed Spark and Hadoop service that lets you take advantage of open source data tools for batch processing, querying, streaming, and machine learning. Dataproc automation helps you create clusters quickly, manage them easily, and save money by turning clusters off when you don't need them. With less time and money spent on administration, you can focus on your jobs and your data.

Answer 43

Selected Answer: B 1. Managed Hadoop and Spark: Dataproc is specifically designed for running and managing Apache Spark and Hadoop clusters, which directly addresses your company's needs. 2. Scalability: Dataproc allows you to easily scale your clusters to handle the increasing number and size of jobs. You can add or remove nodes as needed to accommodate the workload. 3. Minimal Operations Work: Dataproc automates cluster creation, configuration, and management, minimizing the operational overhead. This is crucial since you want to reduce operations work. 4. Code Compatibility: Dataproc is compatible with existing Spark and Hadoop code, so you can migrate your jobs with minimal or no code changes.

Answer 44

Selected Answer: B 1. Managed Hadoop and Spark: Dataproc is specifically designed for running and managing Apache Spark and Hadoop clusters, which directly addresses your company's needs. 2. Scalability: Dataproc allows you to easily scale your clusters to handle the increasing number and size of jobs. You can add or remove nodes as needed to accommodate the workload. 3. Minimal Operations Work: Dataproc automates cluster creation, configuration, and management, minimizing the operational overhead. This is crucial since you want to reduce operations work. 4. Code Compatibility: Dataproc is compatible with existing Spark and Hadoop code, so you can migrate your jobs with minimal or no code changes.

Answer 45

Selected Answer: B 1. Managed Hadoop and Spark: Dataproc is specifically designed for running and managing Apache Spark and Hadoop clusters, which directly addresses your company's needs. 2. Scalability: Dataproc allows you to easily scale your clusters to handle the increasing number and size of jobs. You can add or remove nodes as needed to accommodate the workload. 3. Minimal Operations Work: Dataproc automates cluster creation, configuration, and management, minimizing the operational overhead. This is crucial since you want to reduce operations work. 4. Code Compatibility: Dataproc is compatible with existing Spark and Hadoop code, so you can migrate your jobs with minimal or no code changes.

Answer 46

Answer is C because persistent disk performance is based on the total persistent disk capacity attached to an instance and the number of vCPUs that the instance has. Incrementing the persistent disk capacity will increment its throughput and IOPS, which in turn improve the performance of MySQL.

Answer 47

Selected Answer: C Cloud Bigtable is right solution and correct database choice, which provides high throughput, low latency and scalability for time series data such as this case. Selected Answer: C 1. High Write Throughput: Bigtable excels at handling high-volume write operations, which is crucial for your application receiving data from 50,000 sensors sending 10 readings per second. 2. Low Latency: Bigtable offers very low latency for read operations, essential for real-time charting and data visualization. 3. Time-Series Data: Bigtable is well-suited for storing and querying time-series data, like your weather sensor readings with timestamps. 4. Scalability: Bigtable can handle massive amounts of data and scale seamlessly as your application grows.

Answer 48

Selected Answer: C Cloud Bigtable is right solution and correct database choice, which provides high throughput, low latency and scalability for time series data such as this case.

Answer 49

resilience test is not about load, is about terminate resources and service not affected. Think it's B. The best for resilience in to introduce chaos in the infraestructure

Answer 50

C & E: C: Smaller the base image with minimum dependency faster the container will start E: Docker image build uses caching. Docker Instructions sequence matter because application’s dependencies change less frequently than the Python code which will help to reuse the cached layer of dependency and only add new layer for code change for Python Source code. C & E are the correct answers. Kindly refer - https://www.docker.com/blog/intro-guide-to-dockerfile-best-practices/

Answer 51

C & E: C: Smaller the base image with minimum dependency faster the container will start E: Docker image build uses caching. Docker Instructions sequence matter because application’s dependencies change less frequently than the Python code which will help to reuse the cached layer of dependency and only add new layer for code change for Python Source code.

Answer 52

C. Increase the load on your test and staging environments. As you have pointed out in "Question Statement", I do not see C covering "deployment procedures". Test and Staging environment is more on testing, but not about deployment procedure to production. So, the only option that cover test and deployment is D. (Yes, kind of unacceptable to have the users to do "testing", but we make it "ok" by calling it "canary deployment")

Answer 53

D. Instrument your application with Stackdriver Trace in order to break down the request latencies at each microservice Stackdriver Trace is a distributed tracing system that allows you to understand the relationships between requests and the various microservices that they touch as they pass through your application. By instrumenting your application with Stackdriver Trace, you can get a detailed breakdown of the latencies at each microservice, which can help you identify which service is taking the longest in those cases where a small number of API requests take a very long time. Setting timeouts on your application or sending custom metrics to Stackdriver Monitoring may not provide the level of detail that you need to identify the specific service that is causing the latency issues. Looking for insights in Stackdriver Monitoring may also not provide the necessary level of detail, as it may not show the individual latencies at each microservice.

Answer 54

Answer is D upvoted 100 times Jos 5 years, 3 months ago Yep, +1 for D upvoted 20 times Eroc Highly Voted 5 years, 4 months ago @chiar, I agree the question i s not clear. In GCP larger instances have larger number of CPUs, Memory and come with their own private network. So increases the instance size would help prevent the need for failover during high traffic times. However, routinely scheduled failovers would allow the team to test the failover when it is not requried. This would make sure it is working when it is required.

Answer 55

D Correct A and C can be quickly ruled out because none of them is solution for the requirements "retained for 5 years" Between B and D, the different is where to store, BigQuery or Cloud Storage. Since the main concern is extended storing period, D (Correct Answer) is better choice, and the "retained for 5 years for future analysis" further qualifies it, for example, using Coldline storage class. With regards of BigQuery, while it is also a low-cost storage, but the main purpose is for analysis. Also, logs stored in Cloud Storage is easy to transport to BigQuery or do query directly against the files saved in Cloud Storage if and whenever needed.

Answer 56

Let's go with option elimination A. Google Cloud Dedicated Interconnect >> Secured, fast connection, hence the choice. This will allow private connection from GCP to the data centre with a fast connection. Cost is not mentioned in the requirement to eliminate this option. B. Google Cloud VPN connected to the data centre network >> We have to think about data flowing on the internet and the requirement talks about private connect. Also not sure how well you connect VPN with Data Center until you use the hybrid option. https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview hence eliminate C. A NAT and TLS translation gateway installed on-premises >>This is a VM option to reach outside won't for this requirement hence eliminate D. A Google Compute Engine instance with a VPN server installed connected to the data centre network >>This is a slow option hence eliminate

Answer 57

B. https://cloud.google.com/iam/docs/roles-audit-logging#scenario_external_auditors

Answer 58

C Google Secret Management was designed explicitly for this purpose.

Answer 59

Google Compute Engine

Answer 60

Google Kubernetes Engine

Answer 61

To provide messaging services for real-time analytics and event-driven architectures.

Answer 62

NoSQL document database

Answer 63

To provide a private network for resources in Google Cloud.

Answer 64

AI Platform

Answer 65

Identity and Access Management

Answer 66

To distribute incoming traffic across multiple resources.

Answer 67

Google Kubernetes Engine

Answer 68

To process and analyze large data sets in real-time.

Answer 69

To provide visibility into the performance and availability of applications.

Answer 70

Google Cloud Functions

Answer 71

A specific geographical location where resources are hosted.

Answer 72

Google Cloud Storage

Answer 73

To run Apache Spark and Apache Hadoop clusters.

Answer 74

Google Cloud Dataflow

Answer 75

To automate the execution of tasks on a scheduled basis.

Answer 76

To provide security and risk management for Google Cloud resources.

Answer 77

✅ Answer: B. Configure Stackdriver Monitoring for all Projects, and export to BigQuery Explanation: Stackdriver (now Cloud Monitoring) has limited retention periods, which are not sufficient for a 5-year requirement. BigQuery provides scalable and cost-effective long-term storage while allowing efficient querying and analysis of historical data.

Answer 78

✅ Answer: A. Google Cloud Dedicated Interconnect Explanation: Dedicated Interconnect provides private, high-bandwidth, low-latency connectivity between on-premises and GCP, making it the best option for frequent large updates. Cloud VPN (option B) is a more affordable but lower-bandwidth alternative, which might not be sufficient for a 4TB database with large updates.

Answer 79

✅ Answer: B. Enable Logging export to Google BigQuery and use ACLs and views to scope the data shared with the auditor Explanation: BigQuery allows efficient querying and analysis of logs. Using ACLs and views, you can restrict access to only necessary data for auditors. This is the most efficient way to streamline IAM policy audits without manual intervention.

Answer 80

✅ Answer: C. In a secret management system Explanation: Secret management systems (such as Google Secret Manager) provide a secure, centralized, and access-controlled way to store sensitive data. Storing credentials in source code (A) is highly insecure. Environment variables (B) can be leaked through logs. Config files with ACLs (D) provide some security but are not ideal for dynamic secret management.

Answer 81

✅ Answer: B. Cloud Deployment Manager APIs could be deprecated in the future & C. Cloud Deployment Manager is unfamiliar to the company's engineers Explanation: (B) APIs can be deprecated, which could impact long-term maintenance and require migration efforts later. (C) If engineers are unfamiliar with Cloud Deployment Manager, there will be a learning curve, which could slow adoption and increase training costs. Other options: (A) Python usage is not a risk—many engineers are familiar with it. (D) Requiring a Google APIs service account is standard practice in cloud automation. (E) Any deployment tool can delete resources, but proper IAM policies and safeguards mitigate this risk. (F) While Cloud Deployment Manager is limited to Google Cloud, this is not necessarily a business risk unless multi-cloud support is required.

Answer 82

✅ Answer: A. Google Kubernetes Engine, Jenkins, and Helm Explanation: Google Kubernetes Engine (GKE) provides scalability, portability, and support for segregated application stacks. Jenkins supports continuous software delivery. Helm allows for dynamic application deployment using templated configurations. Cloud Load Balancing is useful for traffic routing but is not enough on its own to meet all the requirements.

Answer 83

✅ Answer: C. Create a shutdown script and use it as the value for a new metadata entry with the key shutdown-script in the Cloud Platform Console when you create the new virtual machine instance Explanation: Preemptible instances are terminated without warning, but Google Compute Engine (GCE) provides a short grace period for shutdown scripts to execute. The correct method is to use the shutdown-script metadata key, which is automatically triggered before termination.

Answer 84

✅ Answer: D. Add tags to each tier and set up firewall rules to allow the desired traffic flow Explanation: Firewall rules are the best way to enforce network segmentation and security while ensuring proper traffic flow. Tags allow the application of specific rules per tier to allow only the necessary communication (e.g., Web → API, API → Database).

Answer 85

✅ Answers: A. Use Stackdriver Logging to search for the module log entries, C. Use gcloud or Cloud Console to connect to the serial console and observe the logs, E. Adjust the Google Stackdriver timeline to match the failure time, and observe the batch server metrics Explanation: Stackdriver Logging (A) helps identify errors in system logs related to the kernel module. The serial console (C) is useful for diagnosing boot issues or crashes caused by kernel modifications. Stackdriver Metrics (E) can reveal any performance issues, CPU spikes, or memory leaks after the module was installed. Other options: (B) GCE Activity logs do not provide detailed Linux kernel logs. (D) Live migration would not cause failures if properly configured. (F) Running a debug VM locally is impractical and does not provide a cloud-native solution.

Answer 86

✅ Answers: A. Load logs into Google BigQuery, E. Upload log files into Google Cloud Storage Explanation: Google Cloud Storage (E) is ideal for low-cost, long-term archival and disaster recovery. BigQuery (A) enables efficient analytics on large datasets, making it ideal for log analysis. Other options: (B) Cloud SQL is for relational databases and is not designed for large-scale log analysis. (C) Stackdriver is useful for monitoring but not designed for long-term storage. (D) Bigtable is useful for high-throughput operations but is not the best choice for archiving logs.

Answer 87

To provide a suite of cloud computing services that run on the same infrastructure that Google uses internally.

Answer 88

Google Compute Engine

Answer 89

Scalability, flexibility, and cost-effectiveness.

Answer 90

Google Cloud Endpoints

Answer 91

A serverless data warehouse that enables fast SQL queries and interactive analysis of large datasets.

Answer 92

Google Cloud Storage

Answer 93

To manage and orchestrate containerized applications using Kubernetes.

Answer 94

Google Cloud AI Platform

Answer 95

highly reliable and low-latency

Answer 96

Pay-as-you-go

Answer 97

Google Cloud Functions

Answer 98

To manage access to resources by defining who (identity) has what access (roles) to which resources.

Answer 99

To enable real-time messaging between applications.

Answer 100

Google Compute Engine

Answer 101

To help discover, classify, and protect sensitive data.

Answer 102

Google Cloud Deployment Manager

Answer 103

Improved performance and reduced latency for users worldwide.

Answer 104

Google Cloud Dataflow

Answer 105

NoSQL document database

Answer 106

Load balancing

Answer 107

✅ Answer: B. Use a multi-region deployment with a global load balancer and managed services Explanation: Multi-region deployment ensures availability even during regional failures. Global load balancing allows traffic to be automatically routed to available regions. Managed services (e.g., Cloud Run, GKE, or App Engine) reduce operational overhead and improve scalability. Option A lacks regional redundancy. Option C is limited to one region and does not handle regional failures. Option D requires manual intervention, which is not ideal for a mission-critical system.

Answer 108

✅ Answers: A. Enable CMEK for data storage, B. Use Cloud Key Management Service (KMS) to generate and control encryption keys Explanation: CMEK (A) ensures that only your organization controls encryption keys, meeting compliance requirements. Cloud KMS (B) provides centralized key management, supporting encryption at rest and in transit. Option C (Cloud SQL multi-region) conflicts with the geographic restriction. Option D (GCS with custom encryption) helps with security but does not explicitly address regional restrictions. Option E (Cloud Spanner) stores data globally, which violates the geographic compliance requirement.

Answer 109

✅ Answer: B. Cloud Spanner with multi-region deployment Explanation: Cloud Spanner is the only Google Cloud database that provides strong consistency (ACID transactions) and high availability. Multi-region deployment ensures low latency and failover protection. Option A (Cloud SQL) has replication, but read replicas do not support strong consistency. Option C (BigQuery) is for batch analytics, not real-time transactions. Option D (Firestore) is a NoSQL database and does not guarantee ACID transactions.

Answer 110

✅ Answer: B. Deploy the new application on Google Cloud and switch traffic gradually using a blue/green deployment strategy Explanation: Blue/Green deployments allow gradual traffic shifting, minimizing risk and enabling rollback if needed. Option A (Lift-and-shift) does not support rollback and can result in downtime. Option C (Migrating all data first) risks long downtime and customer impact. Option D (Cloud VPN) is useful for hybrid connections but does not solve deployment risks.

Answer 111

✅ Answer: B. Dataflow + Cloud Pub/Sub Explanation: Cloud Pub/Sub handles event ingestion and message distribution at scale. Dataflow is designed for real-time stream processing with exactly-once processing and auto-scaling. Option A (Cloud Functions) is serverless but not optimized for large-scale streaming. Option C (Data Fusion + BigQuery) is more suitable for batch ETL pipelines. Option D (Dataproc + Cloud Storage) is better for batch processing, not real-time streaming.

Answer 112

✅ Answer: B. Business requirements define organizational needs, while technical requirements describe how cloud solutions fulfill them. Explanation: Business requirements are high-level objectives (e.g., cost reduction, scalability, security compliance). Technical requirements define the cloud solutions that meet those business goals (e.g., using Cloud Spanner for scalability or CMEK for security compliance). Option A is incorrect because business requirements do not focus on technical features—they set the strategic goals. Option C is incorrect because business and technical requirements are interconnected. Option D is incorrect because both requirements must be balanced.

Answer 113

✅ Answers: B. Deploy applications in multiple Google Cloud regions for high availability, C. Store customer data in Cloud Storage with multi-region replication Explanation: Objective 1 (Cost Reduction) → Using cost-effective storage like Cloud Storage aligns with this. Objective 2 (High Availability) → Multi-region deployment ensures 99.99% uptime. Objective 3 (Compliance) → Cloud Storage supports compliance with regulatory frameworks. Option A (Preemptible VMs) is cost-effective but not reliable for a financial system. Option D (Single-region deployment) does not meet high availability needs. Option E (Disabling encryption) violates security compliance requirements.

Answer 114

✅ Answer: B. Use Cloud SQL instead, as it is cheaper and supports replication, even if availability is slightly lower. Explanation: Cloud Spanner provides high availability but is expensive. Cloud SQL (with read replicas) provides a balance between cost and availability. Option A (Cloud Spanner) meets technical needs but ignores cost concerns. Option C (On-premises database) does not modernize the platform as intended. Option D (Cloud Storage) is not a database solution and would cause performance issues.

Answer 115

✅ Answers: A. Cloud KMS (Key Management Service), C. IAM (Identity and Access Management) Explanation: Cloud KMS ensures HIPAA-compliant encryption of patient data. IAM allows role-based access control to enforce security policies. Option B (Cloud Armor) protects against DDoS attacks but does not handle data access controls. Option D (Firebase) is not designed for HIPAA-compliant healthcare records. Option E (Cloud CDN) speeds up content delivery but does not handle compliance or security.

Answer 116

✅ Answer: B. Use Vertex AI with auto-scaling and managed infrastructure Explanation: Vertex AI provides high-performance ML with auto-scaling while reducing operational costs. Option A (Compute Engine with GPUs) provides performance but requires manual scaling, increasing complexity. Option C (Cloud Functions) is not suitable for ML workloads. Option D (Cloud SQL + local ML) does not provide cloud-based scalability. Key Takeaways Business requirements define strategic goals (e.g., cost reduction, security, scalability). Technical requirements define cloud solutions that fulfill those goals (e.g., using Cloud SQL for cost-effective scalability). Cloud architects must balance performance, availability, security, and cost to meet both business and technical needs.

Answer 117

Answers: A. Google Kubernetes Engine (GKE), E. BigQuery Explanation: Objective 1 (Cost Reduction) → GKE optimizes cost with auto-scaling. Objective 2 (Real-Time Analytics) → BigQuery is designed for fast, scalable analytics. Objective 3 (High Availability) → GKE ensures application availability. Objective 4 (Compliance & Security) → GKE supports security best practices. Option B (Cloud Storage Nearline) is for archival storage, not real-time data. Option C (Cloud Spanner) is great for availability but may be too expensive. Option D (Preemptible VMs) is not ideal for mission-critical workloads.

Answer 118

✅ Answer: B. Use Cloud Storage Multi-Regional for new videos and Cloud Storage Coldline for archived content Explanation: Cloud Storage Multi-Regional provides fast delivery and scalability. Cloud Storage Coldline reduces costs for older content. Option A (Cloud SQL + CDN) is incorrect because Cloud SQL is not a storage solution for video. Option C (Bigtable + Pub/Sub) is incorrect because Bigtable is not optimized for video storage. Option D (Dataproc) is incorrect because Dataproc is for processing, not storage and delivery.

Answer 119

✅ Answer: C. Google Kubernetes Engine (GKE) with private networking and Cloud Load Balancing Explanation: GKE with private networking provides secure transactions. Cloud Load Balancing ensures fast and scalable response times. Option A (Cloud Run + Cloud SQL) lacks enterprise security controls. Option B (App Engine + IAP) is good for security but less scalable than GKE. Option D (Preemptible VMs) is not suitable for a financial application that needs stability.

Answer 120

Answers: A. Use preemptible VMs for non-critical workloads, C. Implement autoscaling Explanation: Preemptible VMs reduce compute costs for batch jobs. Autoscaling optimizes resource allocation and minimizes costs. Option B (Single region) reduces costs but lowers availability. Option D (Cloud Spanner) is powerful but expensive for small workloads. Option E (Cloud Storage Coldline) is good for archival storage, but not for active workloads.

Answer 121

✅ Answer: C. De-identify the data with the Cloud Data Loss Prevention (DLP) API Explanation: Cloud DLP is a Google-managed service that scans and de-identifies PII and PCI before storage. Option A (SHA-256 hashing) does not remove sensitive data—it just makes it non-reversible (but still exists). Option B (Elliptic Curve Encryption) encrypts data but does not remove PII. Option D (Regex-based redaction) is error-prone and hard to maintain compared to Cloud DLP.

Answer 122

✅ Answer: A. ~/bin Explanation: Cloud Shell sessions reset after a period of inactivity. However, the home directory (~/bin) persists across sessions. Option B (Cloud Storage) is persistent but not in the execution path. Option C (/google/scripts) is read-only. Option D (/usr/local/bin) requires root access, which Cloud Shell does not provide.

Answer 123

✅ Answer: A. Create a VPC and connect it to your on-premises data center using Dedicated Interconnect. Explanation: Dedicated Interconnect provides private, high-speed (up to 100 Gbps) connections between on-premises and Google Cloud VPCs. Option B (Cloud VPN) is limited to 3 Gbps per tunnel (even with multiple tunnels, it won't reach 20 Gbps). Options C & D (Cloud CDN) are for caching web content, not private connections.

Answer 124

✅ Answer: B. Utilize free tier and sustained use discounts. Provide training to the team about service cost management. Explanation: Google Free Tier provides limited free usage of GCP services. Sustained Use Discounts (SUDs) automatically lower costs for long-running workloads. Training employees on cost management is critical for long-term efficiency. Option C & D (Committed Use Discounts, CUDs) require long-term commitments, which are not ideal for an unpredictable startup.

Answer 125

✅ Answer: D. Use Jenkins to monitor tags in the repository. Deploy staging tags to a staging environment for testing. After testing, tag the repository for production and deploy that to the production environment. DExplanation: Jenkins automates CI/CD workflows, ensuring code changes go through staging before production. Option A (Spinnaker Red/Black Deployments) ensures safe rollbacks, but it does not explicitly test before production. Option B (Spinnaker Testing in Production) violates best practices by skipping a staging phase. Option C (Jenkins with 10% rollout) is useful for gradual releases but does not explicitly test before deployment.

Answer 126

✅ Answer: C. Disable the health check for the instance group. Add his SSH key to the project-wide SSH Keys. Explanation: The health check is likely causing restarts because it detects the instances as unhealthy and forces recreation. Disabling the health check temporarily allows instances to remain running for debugging. Adding an SSH key to the project-wide SSH keys ensures your colleague can access all instances. Option A (Project Viewer role) does not grant SSH access. Option B (Rolling Restart) would not fix the root cause. Option D (Disable Autoscaling) is unnecessary—autoscaling is already disabled.

Answer 127

✅ Answer: C. GKE and GCP provide the tools you need to build a PCI DSS-compliant environment. Explanation: Google Cloud itself is PCI DSS-compliant, but it is your responsibility to configure GKE properly to meet PCI DSS requirements. Option A (Only App Engine is PCI-certified) is false—multiple GCP services can be used for PCI DSS. Option B (GKE is considered shared hosting and non-compliant) is incorrect—GKE supports PCI DSS compliance when properly configured. Option D (All GCP services are PCI-compliant by default) is false—compliance depends on your architecture.

Answer 128

✅ Answer: B. Upload your files into Cloud Storage. Use Cloud Dataprep to explore and clean your data. Explanation: Cloud Dataprep is a Google-recommended tool for exploring, cleaning, and transforming data using machine learning-based anomaly detection. Option A (Cloud Datalab + Cloud Storage) is not ideal because Cloud Datalab is a Jupyter-based notebook tool for exploratory analysis, not data cleansing. Option C & D (Connecting on-premises directly to Dataprep or Datalab) are unnecessary overhead—first upload data to Cloud Storage.

Answer 129

✅ Answer: C. The effective policy is the union of the policy set at the node and policies inherited from its ancestors. Explanation: IAM policies in GCP inherit permissions from higher levels (Organization → Folder → Project → Resource). The effective IAM policy is a combination (union) of the policies applied at that level and inherited policies. Option A (Only the node’s policy matters) is false—inherited policies apply too. Option B (Restricted by ancestors) is misleading—permissions accumulate, not restrict. Option D (Intersection of policies) is false—permissions do not "cancel out"—they add up.

Answer 130

✅ Answer: C. Use an IP range on Google Cloud that does not overlap with the range you use on-premises. Explanation: GCP VPCs must have non-overlapping IP ranges to avoid routing conflicts with on-premises networks. Option A (Same IP range as on-prem) will cause routing conflicts. Option B & D (Using secondary overlapping ranges) still cause conflicts in routing tables.

Answer 131

Standard Storage: There is no minimum storage duration. This is designed for frequently accessed data. Nearline Storage: Minimum storage duration is 30 days. This is intended for data accessed less frequently, typically once a month or less. Coldline Storage: Minimum storage duration is 90 days. This is for data accessed infrequently, ideally once a quarter or less. Key points to understand: These minimum durations mean that even if you delete your data before the specified time, you'll still be charged for that minimum duration. These storage classes are designed for different access frequencies, with trade-offs between storage cost and retrieval cost.

Answer 132

Feedback: A. Correct! VPC Peering allows for shared networking between organizations. B. Incorrect. Carrier Peering lets you connect to Google’s public infrastructure when you can’t satisfy the peering requirements yourself. C. Incorrect. Because the partner is in a different organization, you can’t use a Shared VPC. D. Incorrect. If both subnets use the same IP address range, there could be IP address conflicts and issues with routing. Where to look: https://cloud.google.com/vpc/docs/vpc-peering Content mapping: ● Architecting with Google Compute Engine (ILT) ○ M8 Interconnecting Networks ● Elastic Google Cloud Infrastructure: Scaling and Automation (On-demand) ○ M1 Interconnecting Networks Summary: Use VPC Network Peering to configure private communication between VPC networks in different organizations. You can use it for different projects within the same organization, but that’s less common. Make sure that there aren't overlapping IP address ranges. Shared VPC only works within the same organization, so that’s an important piece of information you can use to help determine which solution is more appropriate.

Answer 133

D This is specific, and you can reasonably expect to meet this KPI. Don't use word low, need specific numbers.

Answer 134

Cymbal Direct’s on-premises network cannot meet the requirements for peering. Use Carrier peering Carrier Peering: This method uses a service provider to obtain enterprise-grade network services that connect your infrastructure to Google, allowing access to Google Workspace applications. Cloud Interconnect: This offers two options: Dedicated Interconnect: Provides a direct physical connection between your on-premises network and the Google network. Partner Interconnect: Provides connectivity between your on-premises and VPC networks through a supported service provider. Direct Peering: Enables you to establish a direct peering connection between your business network and Google's edge network and exchange high-throughput cloud traffic.

Answer 135

D Feedback: A. Incorrect. Default mode networks create subnets for you automatically in each zone and could allow people to accidentally provision resources in other regions. B. Incorrect. Auto mode networks create subnets for you automatically in each zone and could allow people to accidentally provision resources in other regions. C. Correct! Custom networks give you full control. D. Incorrect. Subnets are regional, not zonal. Where to look: https://cloud.google.com/vpc/docs/vpc Content mapping: ● Architecting with Google Compute Engine (ILT) ○ M2 Virtual Networks ● Essential Google Cloud Infrastructure: Foundation (On-demand) ○ M2 Virtual Networks Summary: A custom mode VPC network does not automatically create subnets. This type of network provides you with complete control over its subnets and IP address ranges. You decide which subnets to create, in regions you choose, and which IP address ranges you use for subnets, but only if they fall within the RFC 1918 address space. RFC 1918 Class B uses the 172.16.x.x address space. Default networks are created when you set up a new project but are a form of auto mode VPC network, and thus do not give you the ability to specify where your subnets are created. Subnets that use default IP address ranges are created automatically in all regions.

Answer 136

C A. Incorrect. Dataprep is used to normalize data before processing, if necessary. Coldline could be used, but Nearline is probably a better fit because the data could be accessed every month. Coldline has a higher cost for data access than Nearline, which makes it a poor choice for data accessed “every month or two.” B. Correct! Dataflow is a fully managed service that can be used to process both streams and batches of data. Nearline is a good fit because the data could be accessed every month. C. Incorrect. BigQuery is Google Cloud's serverless data warehousing tool tool, which is not used for processing real-time data. Standard could be used but is not the most cost-effective solution. Nearline would be more cost-effective, because the data is only accessed once per month at most. Standard storage has a lower access cost, but has higher storage costs, so it’s a better fit for frequently accessed data which will not be retained for long periods of time. D. Incorrect. BigQuery is Google Cloud's serverless data warehousing tool, which is not used for processing real-time data. Where to look: https://cloud.google.com/architecture/data-lifecycle-cloud-platform?hl=en#process_an d_analyze https://www.clearblade.com/iot-core

Answer 137

A Feedback: A. Incorrect. Firestore does not meet the requirements for consistent low latency, scaling throughput seamlessly, and petabyte-scaling data. B. Correct! Bigtable is ideal for IoT, gives consistently sub-10ms latency, and can be used at a petabyte scale. C. Incorrect. Firestore does not meet the requirements for consistent low latency, scaling throughput seamlessly, and petabyte-scale. D. Incorrect. BigQuery is used for Enterprise data warehouse and building reports and extracting insights. Bigtable meets the requirements for consistent low latency, scaling throughput seamlessly, and petabyte-scale. Where to look: https://cloud.google.com/bigtable/ Content mapping: ● Architecting with Google Compute Engine (ILT) ○ M5 Storage and Database Services ● Essential Google Cloud Infrastructure: Core Services (On-demand) ○ M2 Storage and Database Services Summary: Bigtable is often used as a solution when working with IoT and analytics because it's very good at storing heavy read/write data and scaling while maintaining linear performance. Bigtable is the basis for several Google products because it scales into the petabyte range.

Answer 138

Feedback: A. Incorrect. A Deployment represents multiple identical Pods. A Deployment is used to ensure that Pods are available, but it does not attempt to maintain state. Containers are considered disposable. The kubectl command can be used from gcloud to create or modify deployments defined in a YAML file or manifest. B. Incorrect. A container must be run within a pod. Cloud Build is used to build a container image using either a YAML file or a Dockerfile. The container can then be run in Kubernetes by referencing that image. C. Correct! A StatefulSet represents a group of persistent Pods. The YAML file will define a PersistentVolumeClaim (PVC) that allows for an application to retain state. A StatefulSet is commonly used with applications like databases. D. incorrect. A Pod is the smallest unit of Deployment and contains one or more containers. A Pod doesn’t define how many containers must be running, so they’re generally managed by the Deployment or StatefulSet. Where to look: https://cloud.google.com/kubernetes-engine/docs/concepts/pod Content mapping: Getting Started with Google Kubernetes Engine, M3 Summary: As a Cloud Architect, you need to understand the relationships between a Deployment, Container, StatefulSet, and Pod. A Container must run in an environment, and that environment is the Pod. A Deployment is multiple instances of a Pod, and a StatefulSet ensures that the Pods will persist when state information must be retained. Most containers externalize state so that they can be destroyed and/recreated on demand. A StatefulSet ensures the containers persist so they can maintain state. Although as a Professional Cloud Architect it generally won’t be your responsibility to manage Kubernetes, you should be familiar with the basic Kubernetes commands and concepts.

Answer 139

A Correct! Custom instances are a good way to optimize costs. You don’t have to pay for resources you don’t need. A. Incorrect. An e2-standard-8 instance will have the appropriate amount of memory. However, this instance type will have more CPU than necessary and incur additional unnecessary costs. B. Incorrect. An e2-standard-8 instance will have the appropriate amount of memory. However, this instance type will have more CPU than necessary and incur additional unnecessary costs. Although preemptible instances can save substantial money, they are not appropriate for instances that need to store persistent data locally. C. Correct! Custom instances are a good way to optimize costs. You don’t have to pay for resources you don’t need. D. Incorrect. Although preemptible instances can save substantial money, they are not appropriate for instances that need to store persistent data locally. Where to look: https://cloud.google.com/compute/docs/instances/changing-machine-type-of-stoppedinstance Content mapping: ● Architecting with Google Compute Engine (ILT) ○ M3 Virtual Machines ● Essential Google Cloud Infrastructure: Foundation (On-demand) ○ M3 Virtual Machines Cost is often a factor when architecting a solution, and you can use tools to optimize your spending in Google Cloud. Use the pricing calculator to calculate the cost of resources, and check for recommendations in the console for over-sized instances. Use preemptible and committed-use instances where appropriate. Remember that the standard instance sizes are based on what makes sense for most general purpose applications, but your environment may differ. You can use custom instances to make sure you only pay for the resources you need.

Answer 140

Feedback: A. Correct. You must initially create a GKE cluster. Then you can use Migrate to Containers (Migrate for Anthos) to set up the cluster and import the VMs. B. Incorrect. Migrate to Containers (Migrate for Anthos) uses containers in GKE to migrate the VMs; It does not use Compute Engine instances. C. Cloud Build lets you build Docker-compatible containers, but you can’t use it to automate the importing of VMs. D. Incorrect. Use Migrate for Compute Engine to import VMs and create Compute Engine instances. You can't use Migrate for Compute Engine to create containers. Where to look: https://cloud.google.com/migrate/containers Content mapping: ● Getting Started with Google Kubernetes Engine (ILT and On-demand) ○ M3 Kubernetes Architecture Summary: Migrate for Anthos is a very powerful tool that can be used to import VMs to GKE. It automates the configuration of a GKE cluster and the importing of the VMs. Migrate for Compute Engine is also a useful tool, but instead converts VMs to Compute Engine instances. Creating a migration plan involves many considerations. Remember, the diagnostic question we just reviewed only covers one scenario. Here are some links to resources that can help you get started learning about migration plans. You’ll find this list in your workbook. https://cloud.google.com/migrate/containers https://cloud.google.com/resources/cloud-migration-checklist https://cloud.google.com/products/cloud-migration https://cloud.google.com/solutions/application-migration https://cloud.google.com/architecture/migration

Answer 141

Feedback: A. Incorrect. Version control allows for change control. Backing services allow for flexibility in design, not concurrency. B. Incorrect. Concurrency will help, but dependencies refer to declaring and isolating code dependencies. C. Incorrect. Backing services allow for flexibility in design, but not concurrency. Dependencies refer to declaring and isolating code dependencies. D. Correct! Treating each app as one or more stateless processes means externalizing state to a separate database service. This allows for more concurrent processing. Where to look: https://cloud.google.com/architecture/twelve-factor-app-development-on-gcp Content mapping: ● Architecting with Google Cloud: Design and Process (ILT) ○ M2 Microservice Design and Architecture ● Reliable Google Cloud Infrastructure: Design and Process (On-demand) ○ M2 Microservice Design and Architecture Summary: Containers are a common and standard tool used to isolate processes. Using “12 factor” application development best practices can be a useful check when designing or redesigning applications. Following best practices such as the 12 factors allows for process isolation by externalizing state. This approach lets you use GKE to automatically scale instances based on CPU load.

Answer 142

Feedback: A. Incorrect. Cloud VPN lets a VPN appliance establish a tunnel, but it is not the type of VPN users run directly on their systems. B. Correct! Enabling VPC Service Controls lets you define a network perimeter. VPC Flow Logs lets you log network-level communication to Compute Engine instances. C. Incorrect. IAP secures an application by restricting access to valid, authorized accounts. In this scenario, the intention is to restrict access based on where the request is coming from. D. Incorrect. Enabling VPC Service Controls lets you define a network perimeter. You also need to enable VPC Flow Logs. If you do not enable it, the network traffic flows will not be logged. Where to look: https://cloud.google.com/vpc/docs/flow-logs https://cloud.google.com/vpc-service-controls/ Content mapping: NA Summary: Using VPC Service Controls to enable a network perimeter lets you restrict access to services behind a private endpoint. You can restrict access to specific network ranges. Although Identity-Aware Proxy (IAP) provides secure access for valid accounts, the network perimeter determines where they can access from. Google Cloud Observability is useful for viewing logs. To enable logging of network traffic, you must first enable VPC Flow Logs.

Answer 143

Feedback: A. Incorrect. You should use a managed instance group to scale based on demand. B. Incorrect. Go is supported in the App Engine standard environment, so there is no need to use the App Engine flexible environment. You should use a managed instance group to scale based on demand. C. Incorrect. The traffic is already encrypted, so there's no need to offload SSL to the proxy. Additionally, SSL Proxy Load Balancing does not preserve the client's IP address. D. Correct! Using App Engine allows for dynamic scaling based on demand, as does a managed instance group. Using an external network load balancer preserves the client's IP address. Where to look: https://cloud.google.com/load-balancing/docs/choosing-load-balancer Content mapping: ●Summary: Networking and load balancing are key topics for a Professional Cloud Architect. The services you use in one environment can and will differ, but there will always be networking. To take advantage of working in a cloud environment, you need to be able to distribute traffic across multiple resources. You need to understand what options are available for load balancing and how to choose between them. Whenever you're distributing traffic across multiple resources, you're scaling horizontally. You will probably want to be able to horizontally scale dynamically, so nderstanding managed instance groups is also critical. There are several serverless options in Google Cloud; you should be familiar with all of them

Answer 144

Feedback: A. Correct! This takes a lazy deletion approach and allows support or administrators to restore data later if necessary. B. Incorrect. This doesn’t achieve the goal of ensuring that the customer service team has access to the account information. C. Incorrect. Support agents wouldn’t be able to complete this solution, and it would require excessive work by administrators. D. Incorrect. This will probably introduce human error and would require excessive work. Where to look: https://cloud.google.com/storage/docs/lifecycle Summary: If information might be needed in the future, or if a user might have deleted it by mistake, it's a good idea not to immediately delete it. Instead, take a "lazy deletion" approach and allow for the user to restore the data or for support/administrators to do it if necessary. How you implement lazy deletion will depend on what kind of storage solution you are using and the information lifecycle related to the data. No matter which method you choose, think ahead to what will happen when and if you need to restore data as you architect a solution. Lazy deletion can be especially useful when you are dealing with compliance or regulatory environments where data must be retained for specific periods of time

Answer 145

Feedback: A. Incorrect. Unit tests can’t be run unless the code has been checked in for testing. B. Incorrect. The source code repository must exist to check code in and do any subsequent steps. C. Correct! Each step is dependent on the previous step. These are in the right order. D. Incorrect. The source code repository must exist to check code in and do any subsequent steps. Where to look: https://cloud.google.com/build/docs/ Summary: This sequence of steps represents a simple pipeline and could be substantially more complex, depending on the required tasks. To check in code, you must have a source code repository. Next, developers check in the code. Unit tests can be run todetermine whether the build should execute. If all tests pass, the Docker image is then built and finally deployed.

Answer 146

A. Incorrect. Changing from a virtual machine–based application deployment to a container-based deployment will probably likely require refactoring. B. Incorrect. Changing from a virtual machine–based application deployment to Cloud Run will probably require refactoring. C. Incorrect. This approach would allow you to leverage Google Cloud’s load balancers, but would not be deploying to Google Cloud. D. Correct! Terraform lets you manage how you deploy and manage a variety of services in Google Cloud, such as Compute Engine. Where to look: https://cloud.google.com/docs/terraform/ Summary: Although all of these are good ways to deploy, or expose, an application to Google Cloud, Cloud Run, and GKE will probably require some refactoring to the application. The hybrid network approach will make the application available via the load balancer, but will not deploy it to Google Cloud. Because the application is already a virtual machine, migrating to Compute Engine with Terraform will use a lift-and-shift approach.

Answer 147

Feedback: A. Correct! Terraform lets you automate and manage resources in multiple clouds. B. Incorrect. Automation using scripts adds unnecessary complexity and does not have the same benefits of modern infrastructure automation tooling. C. Incorrect. GKE is Google’s managed Kubernetes service. Deployments accomplish many of these goals, but only for within Kubernetes. GKE is only available in Google Cloud, not other clouds. D. Incorrect. Docker (or Docker-compatible) containers make deploying code much easier, but do not manage or orchestrate the process themselves. This is what a tool like Kubernetes is for. Summary: Terraform is one of the most used infrastructure automation tools and has good support for multiple cloud providers.

Answer 148

A. Incorrect. If clients know extensive information about backend services, backend systems would be difficult to change or replace. REST APIs are protocol-agnostic, and HTTP(S) is the most common protocol for external APIs. B. Incorrect. If an API is not loosely coupled, it can become an issue for maintenance, with large, complicated monolithic applications. REST APIs are protocol-agnostic, and HTTP(S) is the most common protocol for external APIs. C. Correct! Loose coupling has several benefits, including maintainability, versioning, and reduced complexity. Clients not knowing the backend systems means that these systems can be more easily replaced or modified, and HTTP(S) is the most common protocol used for external REST APIs. D. Incorrect. If an API is not loosely coupled, it can become an issue for maintenance, with large, complicated monolithic applications. REST APIs are protocol-agnostic, and HTTP(S) is the most common protocol for external APIs. Summary: An API is effectively a contract between the API provider and the clients using it. As long as the client makes a request that is valid according to the API’s specification, the request will be fulfilled. This is referred to as a loose coupling or a black box approach. A microservice-based architecture means that many independent parts (the microservices) can change. The client shouldn’t need to know about the different parts. When making updates, you need to make sure that your changes don’t break older versions of the API specification in use by a client. One way is through a concept called a versioned contract. This common approach specifies which version the client wants to access as part of your API. Follow the OpenAPI standard to help ensure loose coupling and versioned contracts. Atlassian and Pact offer tools to test API contracts. Although most modern APIs, especially those designed for external use, use HTTP(S) as the transport protocol, that’s not a requirement. Many internal APIs at Google use gRPC, but that isn’t a requirement. Most modern APIs decouple the transport protocol from the API.

Answer 149

Feedback: A. Incorrect. Labels are often confused with network tags. Tags are used with firewall rules, and labels are used for billing. Secure boot and vTPM protect the OS from being compromised. B. Incorrect. Labels are often confused with network tags. Tags are used with firewall rules, and labels are used for billing. All Compute Engine instances have an associated service account. Creating an account specifically for an instance or type of instance with limited abilities instead of the default account could be a good approach to the principle of least privilege. C. Correct! You can use network tags with firewall rules to automatically associate instances when they are created. Secure boot and vTPM protect the OS from being compromised. D. Incorrect. All Compute Engine instances have an associated service account. Creating an account specifically for an instance or type of instance with limited abilities instead of the default account could be a good approach to the principle of least privilege. Where to look: https://cloud.google.com/compute/docs/instances/create-start-instance Summary: You can do many things to make a Compute Engine instance more secure; the options mentioned are just a few of them. Remember that network tags are used for determining firewall rules, and labels are used for categorization and insight (such as tracking spending). Secure boot and vTPM allow for validating the operating system at boot time and are supported by several operating systems, but not all.

Answer 150

A. Incorrect. A deployment specifies the number of pods, not a pod itself, and setting the number to six means running additional instances when you don’t need them. B. Incorrect. Managing your deployments as code has a lot of benefits, but setting the number to six means running additional instances when you don’t need them. C. Incorrect. A deployment specifies the number of pods, not a pod itself. D. Correct! This will allow Kubernetes to scale the number of pods automatically, based on a condition like CPU load or requests per second. Where to look: https://cloud.google.com/kubernetes-engine/docs/how-to/scaling-apps#autoscaling-deployments Summary: As with a Compute Engine managed instance group, you can either specify a fixednumber of instances or have GKE autoscale them for you. Autoscaling is generally going to be more efficient because unnecessary pods will not be running when they're not needed.

Answer 151

Feedback: A. Correct! This is the right order of operations. B. Incorrect. The external global HTTP(S) load balancer must exist to provide the multicast IP address, and then route the request through the target proxy. C. Incorrect. The SSL Proxy is not for HTTP(S) traffic. The question specifically states a web-based application. D. Incorrect. The SSL Proxy is not for HTTP(S) traffic. The question specifically states a web-based application. Where to look: https://cloud.google.com/load-balancing/docs/load-balancing-overview Summary: A request coming from the internet is processed by the HTTP(S) proxy. A URL map is then compared to the request to route it to the appropriate backend service. For example, you could have two backend services: one for serving video and one for service audio. The URL ending in “/audio” could be mapped to the backend serving audio, and the URL ending in “/video” could be mapped to the backend serving video. Each backend service could have multiple backends, such as instance groups in different regions. The backend the traffic is sent to is determined by health, capacity, and geographic location.

Practice Test Bank Flashcards

(196 cards)