Whizlabs, Practice Questions Flashcards

Question

You are working for a company which develops online games. Recently one of their online games started becoming more popular which is deployed on a compute engine. As the traffic is increasing they are struggling to provision additional instances globally for any time of the day. How will you design the architecture which will meet the demand of growing users and maintain the performance globally? A. Use Global Load balancer and Managed Instance Group B. Use Global Load balancer and Unmanaged Instance Group C. Use Regional Load balancer and Managed Instance Group D. Use Regional Load balancer and Unmanaged Instance Group

Answer 1

Answer: A As the game is becoming more popular globally they should use Global load balancer and Managed instance groups deployed in several regions in multiple zones. Using global load balancer will distribute the traffic to the managed instance group which is closer to the user automatically. Enable autoscaling on Managed instance groups to dynamically scale up and down as the traffic increases. Option B is incorrect because unmanaged instance group does not support autoscaling Option C is incorrect because Regional load balancer cannot load balance managed instance group deployed in multiple regions Option D is incorrect because unmanaged instance group does not support autoscaling

Answer 2

Answer: A As they want to run data analytics jobs which will be using Hadoop and spark clusters. Dataproc is a good option because it is a managed service based on Hadoop and spark which is used for ETL workload and data analysis. https://cloud.google.com/dataproc/docs Dataproc clusters can use preemptible VM instances, which will result in huge cost saving https://cloud.google.com/dataproc/docs/concepts/compute/preemptible-vms Option B is incorrect because they want a managed service Option C is incorrect because they want a managed service Option D is incorrect because they want a cost-effective solution so standard compute engine is not a good choice

Answer 3

Answer: A Assign Compute Network Admin role to the Security team at the Organization level. This will grant them Permissions to administer networking resources. The network admin role does not allow the security team to control the compute engine resources. By assigning this role at Organization level the Security team will have access to every project within an organization Assign Compute Instance Admin role to the Development team at a specific project-level i.e. dev project. This will grant the dev-team full access to compute engine resources only and read-only access to networking resources. By assigning this role at a specific project level will grant them access to resources in that particular project only. https://cloud.google.com/compute/docs/access/iam https://cloud.google.com/iam/docs/resource-hierarchy-access-control Option B is incorrect because it will grant dev-team access to all projects under the organization. Option C is incorrect because the Network admin role will not allow dev-team to control compute resources Option D is incorrect because Compute Instance admin role will not allow the Security team to administrate networking resources and Network Admin role will not allow the dev team to administrate compute resources

Answer 4

Answer: A By using Google Cloud Directory Sync you can sync Active directory username with Cloud Identity. In order to sync users and groups, you need to install GCDS agent in you AD servers https://support.google.com/a/answer/106368?hl=en Option B is incorrect because Identity aware proxy lets you manage access to the applications which are running on App Engine, Kubernetes engine and VM’s Option C is incorrect because you can sync Active directory users using GCDS Option D is incorrect because there is no need to move AD servers to compute engine, you can directly install GCDS agent on AD servers

Answer 5

Answer: A Cloud Dataprep is a serverless service that can be used for large dataset cleaning and preparing the data for analysis and reporting. It provides a GUI for cleaning and preparing the data. https://www.youtube.com/watch?v=Q5GuTIgmt98 Option B is incorrect because it is used to run Apache spark and Hadoop clusters Option C is incorrect because dataflow is used for real-time and batch processing of data Option D is incorrect because Datalab is used to visualize data and build machine learning models

Answer 6

Answer: A Cloud DLP is a fully managed service used to de-identify sensitive data like credit card numbers, Phone numbers, and any other PII information stored in text files within cloud storage and Bigquery. After detecting sensitive data the DPL API provides various options like mask the data or delete the data https://cloud.google.com/dlp/docs/deidentify-sensitive-data Option B is incorrect because it is used to detect threats like Burt force attack from logs and reports to Security command center Option C is incorrect because it is used to find any vulnerable library used in your application code Option D is incorrect because it is used to mitigate DDoS attack and provide WAF

Answer 7

Answer: A Cloud HA VPN provides an SLA of 99.99% service availability. https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn2?hl=nl Option B is incorrect because Cloud classic VPN provides 99.9 availability. Option C is used to connect on-premise location to Google’s Point of presence location(PoP) Option D can also work but there will be lots of management work so it is not preferable. GCP has its fully managed service i.e. Cloud HA VPN

Answer 8

Answer: A Cloud SQL is a fully managed service where Google manages all the heavy lifting work like patching, failover, backups and replication. Cloud SQL server instance is the best choice with a high availability option enabled on it. When you enable High Availability(regional) option, if there is an outage, your instance fails over to another zone in the region where your instance is located There are also several licensing options available for Cloud SQL. https://cloud.google.com/sql/docs/sqlserver/high-availability Option B is incorrect because to reduce the management work ahead, we will be using managed service i.e Cloud SQL Option C is incorrect because we need to enable the high availability option while creating Cloud SQL Option D is incorrect because it will not provide high availability and also will not reduce management work

Answer 9

Answer: A Disk performance depends on its size, instance vCPU count and I/o block size In our case, we are already having a large disk size i.e. 1TB which can support 480 Mbps read/write throughput. But as per our machine size i.e. n1-standard-4 (4vcpu), the disk is only limited to 240mbps read/write throughput. We need to increase the CPU count to 8 or above to support desired disk performance. For example, consider a 1,000 GB SSD persistent disk attached to an instance with an N2 machine type and 4 vCPUs. The read limit based solely on the size of the disk is 30,000 IOPS. However, because the instance has 4 vCPUs, the read limit is restricted to 15,000 IOPS." https://cloud.google.com/compute/docs/disks/performance#size_price_performance https://cloud.google.com/compute/docs/disks/performance#machine-type-disk-limits Option B is incorrect because we already have large disk size, the bottleneck was CPU Option C is incorrect because RAM does not limit the disk performance Option D will more degrade the performance. see above URL for comparison

Answer 10

Answer: A GCP performs maintenance activity on compute engine infrastructure which includes. Host kernel upgrades, hardware repair, or upgrade. This activity occurs once every two weeks. You can configure compute engine VM to perform live migration to another host in case of such maintenance activity without downtime. You just need to set instance On host maintenance property to Migrate VM instance and the entire process is handled by GCP on your behalf. You can see compute. instances. migrateOnHostMaintenance operation type performed in Operations Suite (formerly Stackdriver) logging when such activity is carried out. https://cloud.google.com/compute/docs/instances/live-migration https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options Option B is incorrect because it is used when the host machine crashes which holds your VM. If this property is enabled, whenever there is a host machine failure. Your compute engine will be automatically restarted Option C is incorrect because there is no need to perform any kind of operation from your side Option D is incorrect because if the property is set to Terminate VM instance, GCP will terminate your VM when there is a maintenance event.

Answer 11

Answer: A Google Cloud’s Vision API is an AI service provided by GCP to detect objects in an image, detect any explicit content in images, and also can extract text from images. As soon as the image is uploaded to the GCS bucket Cloud Function is invoked which will call Vision API and perform Offensive Image Detection operation. If any offensive image is detected another Cloud function will be called which will make the offensive content Blur using python pillow library and upload it to the same bucket. Option B is incorrect because Cloud ML engine is used to train machine learning models Option C is incorrect because we will need event-based service for such kind of requirement Option D is incorrect because Cloud Tasks is a fully managed service used to manage distributed tasks.

Answer 12

Answer: A HIPAA (Health Insurance Portability and Accountability Act) is regulatory compliance in the U.S which is used to protect the healthCare data collected by websites and application for business purpose in the U.S https://cloud.google.com/security/compliance/hipaa-compliance Option B is incorrect because it is a Payment Card Industry Data Security Standard to protect credit card information collected for business Option C is incorrect because GDPR(General Data Protection Regulation) is regulatory compliance in Europe which is used to protect any personally identifiable information collected for business purpose within the Europe region Option D is incorrect because Option SOX compliance is used for financial auditing purpose

Answer 13

Answer: A Horizontal Pod Autoscaler is used to automatically scale the pods in a deployment based on the CPU utilization or memory utilization Kubectl autoscale command is used to create HorizontalPodAutoscaler kubectl autoscale deployment example-app --max 5--min 2--cpu-percent 60 You can also enable autoscaling on your GKE cluster which can add or remove nodes from node pool based on the demands of your workloads You can use gcloud command to enable autoscaling on your GKE cluster gcloud container clusters update example-cluster --enable-autoscaling \ --min-nodes 2--max-nodes 6--zone compute-zone --node-pool default-pool Option B is incorrect because you need to enable autoscaling on GKE cluster not managed instance group Options C & D is incorrect because deployment is a Kubernetes object which is used to run multiple replicas of your pod and will automatically replace any failed or unresponsive pod

Answer 14

Answer: A Set the default class to Nearline Nearline Storage is the best choice when you want to access objects stored in the bucket once a month After one year as the files stored in the bucket will be accessed only once a year then you should create lifecycle rule to migrate nearline objects to cold line storage https://cloud.google.com/storage/docs/lifecycle Option B & Option C are incorrect because standard storage is used for objects which are accessed very frequently Option D is incorrect because Coldline storage is used for objects which are accessed once a year Note - GCP has launched a new storage class called Archival storage which was Generally available on January 08, 2020. This may reflect in exam https://cloud.google.com/storage/docs/storage-classes

Answer 15

Answer: A To improve the cache hit ratio you should reduce the cache key by removing host and protocol information. This final URL is called a custom cache key For e.g. https://demo.com/test/cloud.jpg and https://demo2.com/test/cloud.jpg have the same image i.e. cloud.jpg but URL is different you can remove protocol and host information from the cache key https://cloud.google.com/cdn/docs/best-practices Option B is incorrect it used to define the time that how long content is cached at PoP location Option C is incorrect because it is used to clear cache entry manually Option D is used to when you have an application where content is frequently updated So you can keep low cache expiration time on cache contents

Answer 16

Answer: B Admin activity logs are automatically collected for most of the services in GCP. For the VM system logs, you need to install a Logging agent in each VM whose logs you want to export to stackdriver logging. As per the compliance requirement, you must retain logs for auditing for that you should create a sink to GCS nearline bucket. These logs will be accessed once a month that’s why the nearline bucket is the best storage option. https://cloud.google.com/logging/docs/agent https://cloud.google.com/logging/docs/audit Option A is incorrect because VM system logs are not automatically collected. You need to install a stackdriver agent to get VM system logs. Option C is incorrect because the audit will happen once a month and for that Coldline storage is not a good option Option D is incorrect because VM system logs are not automatically collected you need to install stackdriver agent to get VM system logs and also coldline is not a right storage option

Answer 17

Answer: B An organization policy is a configuration of restrictions. You can create Organization policy at Organization level which will inherit to all resource under it and with Constraint for Google Cloud Platform - Resource Location Restriction set to the U.S only https://cloud.google.com/resource-manager/docs/organization-policy/overview https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints Option A is incorrect because IAM policy is attached to resources which are used to define access control Option C is incorrect because we want to apply the restriction for all the projects under the organization, not a specific project Option D is incorrect because we can have such kind of restriction using Organization Policy

Answer 18

Answer: B An organization policy is a configuration of restrictions. You can create Organization policy at Organization level which will inherit to all resource under it and with Constraints for Compute Engine service which include Define allowed external IPs for VM instances set to Deny All https://cloud.google.com/resource-manager/docs/organization-policy/overview https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints Option A is incorrect because IAM policy is attached to resources which are used to define access control Option C is incorrect because we want to apply the restriction for all the projects under the organization, not a specific project Option D is incorrect because we can have such kind of restriction using Organization Policy

Answer 19

Answer: B B Is right because Partner Interconnect is good up to 10Gbps and provides SLA also https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview Option A is incorrect because Dedicated interconnect is suitable and cost-effective above 10Gbps Option C is incorrect option because it is not suitable for High-speed connections where latency is a key requirement Option D is incorrect because there is no such service

Answer 20

Answer: B Cloud Bigtable is the best choice when you want to ingest time series data from sensors at low latency. It is a fully managed service used for large NoSQL analytical workloads. https://cloud.google.com/bigtable As they are using RabbitMQ as a messaging service on-premise and want to move to managed service while migration then Pub/Sub is a good choice. Pub-Sub is a fully managed service which provides asynchronous service to service communication mostly used in event-driven architectures https://cloud.google.com/pubsub/docs/overview Option A is incorrect because Datastore is not ideal for where low latency is a key requirement. Option C is incorrect because Bigquery is used for SQL data Option D is incorrect because it is used to run Apache Hadoop and Spark clusters

Answer 21

Answer: B Cloud filestore is a fully managed network-attached storage which uses NFS protocol where multiple Linux instances can mount a common file share over a network. https://cloud.google.com/filestore Option A is incorrect because Cloud storage is object storage and cannot be mounted on compute engines Option C is incorrect because the Relational database is used to store SQL data Option D is incorrect because Cloud datastore is a NoSQL database

Answer 22

Answer: B Cloud IoT core, Pub/Sub, Dataflow, Bigquery, Data studio is the correct option. Cloud IoT Core is a fully managed service which will accept data from sensors and will manage the connection with sensors. After the data arrives at IoT core it is sent to Pub/Sub which will act as an asynchronous message bus and further this real-time data is processed by data flow and stored in Bigquery for analysis as they want to run SQL queries so Bigurey is the best choice. You can use Data studio which will use Bigquery as a source and create dashboards and reports for visualization as per requirement. Option A is incorrect because Dataproc is used to run Hadoop and Spark clusters Option C is incorrect because data prep is used to cleanse and prepare data for analysis and machine learning Option D is incorrect because we want to run SQL queries against the data so BigTable is not the right choice as it is NoSQL database

Answer 23

Answer: B SSL Proxy load balancer is the best choice for non-https traffic and can also handler SSL termination. It is a Global load-balancing Solution Provided by GCP https://cloud.google.com/load-balancing/docs/choosing-load-balancer Option A is incorrect because HTTPS load balancer is used for HTTP traffic Option C is incorrect because the requirement is to terminate the SSL at the load balancing level. TCP proxy does not support SSL termination Option D is incorrect because Internal TCP/UDP load balancer is used to load balancer internal traffic inside a VPC

Answer 24

Answer: B StatefulSets are used for stateful applications where you want to persist application data. When you create StatefulSet, replica pods are created in order and each replica pod have its unique id, own PVC and state https://cloud.google.com/kubernetes-engine/docs/concepts/statefulset Option A is incorrect because the pod is the smallest unit of Kubernetes and mostly managed by Kubernetes objects like deployment, replica set, and StatefulSet Option C is incorrect deployments are mostly used for stateless application Option D is incorrect because DaemonSets are used when you want a run a copy of each pod on each node in Kubernetes

Answer 25

Answer: B This type of topology is useful when you want to expose on-premise application API’s to the workload running on Google Cloud without exposing them to internet Please refer to below link for different hybrid and multi-cloud network topologies https://cloud.google.com/solutions/hybrid-and-multi-cloud-network-topologies Option A is incorrect because Meshed topology is used to establish flat network connectivity where every system can communicate with each other Option C is incorrect because Gated egress and ingress topology is used when you have to expose a few API’s from on-premise to cloud and from cloud to on-premise in a secure way Option D is incorrect because it used when you want to expose a few API’s from an application which is running on Google Cloud to On-premise in a secure way

Answer 26

Answer: B Use CMEK using Cloud KMS Customer-managed encryption keys (CMEK) using Cloud KMS lets you create your own encryption keys in Cloud KMS where you can create, rotate, automatically rotate and destroy symmetric encryption keys https://cloud.google.com/storage/docs/encryption/customer-managed-keys Option A is incorrect because default encryption is fully managed by GCP from creating keys to encrypting the data and storing the keys and rotating them Option C is incorrect because CSEK is used when there is a requirement to store the encryption keys on-premise and only supports two services i.e cloud storage compute engine Option D is incorrect because you cannot use a third-party solution for encrypting GCP services

Answer 27

Answer: B when you set a retention policy on the bucket you cannot delete any objects in that bucket for the specified period of time mentioned in a retention policy https://cloud.google.com/storage/docs/using-bucket-lock Option A is incorrect because lifecycle rules are used to move objects between different storage classes Option C is incorrect because it is used to control access management Option D is incorrect because versioning is used to create multiple versions of a single object

Answer 28

Answer: C Option A is incorrect because it is used to share the VPC from the host project to service projects within an organization Option C is correct because VPC peering is always preferred when you want to connect two VPC’s within GCP cloud because the traffic stay’s inside Google’s private network Option D is incorrect because direct peering is a connection between the on-prem network and Google’s edge network

Answer 29

CSEK is a feature in Google Cloud Storage and Google Compute Engine services https://cloud.google.com/security/encryption-at-rest/customer-supplied-encryption-keys Options A, B & D are incorrect because only Cloud Storage and Compute Engine supports CSEK.

Answer 30

Answer: C Shielded VM is an option in a compute engine instance that comes with a set of security controls which helps to protect against rootkits and bootkits. For an application which required hardened OS, Shielded VM is a good option https://cloud.google.com/shielded-vm Option A is incorrect because by enabling encryption on the boot disk will only encrypt the data. It will not protect against rootkits and bootkit Option B is incorrect because this option provides us a dedicated physical server, which is allotted to us only for running compute engine instances Option D is incorrect because Preemptible instances are short-lived instance which can run for max 24 hour and provide huge cost saving as compared to standard instances

Answer 31

Answer: C You can perform penetration testing on your application without informing Google Cloud but you must satisfy all the terms and conditions of Google Cloud https://support.google.com/cloud/answer/6262505?hl=en. Option A is incorrect because there is no need to raise a support ticket to conduct penetration testing on your application Option B is incorrect because you can perform penetration testing on GCP Option D is incorrect because google does not perform penetration testing on your behalf. You can perform yourself without notifying google cloud

Answer 32

Answer: D As TerramEarth will be testing BigQuery initially, they don’t want data older than 15 days You can partition the table based on date and set the default table expiration to 15 days which will automatically delete data older than 15 days providing you the most recent data. https://cloud.google.com/bigquery/docs/best-practices-storage Option B is incorrect because there is no read to write a script, it can be done by the default table expiration feature on BigQuery Option C is incorrect because this is used when you have a table that is not edited for the last 90 Days. After 90 days the storage price drops by 50% which is similar to Nearline storage pricing Option A is incorrect because it will directly set the default table expiration time to 15 days which will delete data older than 15 days. Please refer to https://cloud.google.com/bigquery/docs/managing-tables for more information

Answer 33

Answer: D COPPA is regulatory compliance in the U.S which is related to protecting the privacy of children below 13 age in the U.S https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0 Option A is incorrect because HIPAA is related to protecting the privacy of healthcare data in the U.S Option B is incorrect because it is a Payment Card Industry Data Security Standard to protect credit card information collected for business Option C is incorrect because GDPR(General Data Protection Regulation) is regulatory compliance in Europe which is used to protect any personally identifiable information collected for business purpose within the Europe region

Answer 34

Answer: D For multicloud diagram, you can use Cloud Interconnect by resource Partner Interconnect with solutions such as megaport https://www.megaport.com/services/google-cloud-partner-interconnect/ or Equinix ECX https://cloud.google.com/architecture/connection-google-cloud-vpcs-to-aws-equinix-network-edge Option A is incorrect since HA VPN cannot provide 6 Gbps bandwidth. VPN tunnel can support bandwidth up to 3gbps. Option B also can be used to connect two networks, but we want a managed service. Option C is incorrect because it is used to connect VPCs within Google Cloud.

Answer 35

Answer: D GCP Storage Transfer Service offers Quick transfer of data from online sources like AWS S3 and Azure Blob Storage to Cloud Storage in one simple process. You can also create a schedule in transfer service to sync data on a daily basis https://cloud.google.com/storage-transfer/docs/create-manage-transfer-console#amazon-s3 Option A is incorrect because it is used to Transfer data from on-premise to Google cloud Option B is incorrect because managed GCP service will do most of the work for you. Option C is incorrect because you can use gsutil cmd but as per GCP, Transfer service is the best option that will do all the work in a single process.

Answer 36

Answer: D GDPR(General Data Protection Regulation) is regulatory compliance in Europe which is used to protect any personally identifiable information collected for business purpose within the Europe region Option A is incorrect because SOX compliance is used for financial auditing purpose Option B is incorrect because HIPAA is related to protecting the privacy of healthcare data in U.S Option C is incorrect because COPPA is related to protecting the privacy of children below 13 age in the U.S

Answer 37

Answer: D Kubernetes Engine Option A is incorrect because MountKirk wants a scalable environment so using Single compute engine instance will not fulfill the requirement Option B is incorrect because MountKirk wants a scalable environment so using Single compute engine instance will not fulfill the requirement Option C is incorrect because preemptible VM is not recommended for Production workload

Answer 38

Answer: D PersistentVolumes(PV) is cluster-wide storage which is used to store data. Persistent Volume has a lifecycle independent of any pod that uses the persistent Volume. When we create a persistent Volume in GKE a compute engine persistent disk is created https://kubernetes.io/docs/concepts/storage/persistent-volumes/ Option A is incorrect because it used to expose a Kubernetes service to the public internet Option B is incorrect because deployment is a Kubernetes object which is used to run multiple replicas of your pod and will automatically replace any failed or unresponsive pod Option C incorrect because it used to manage the number pods running in a deployment

Answer 39

Answer: D The team lead is responsible for auditing App engine code in production so he will need only roles/appengine.codeViewer to perform his duties. This role grants read-only access to deployed source code and application configurations. Developers can be granted roles/appengine.deployer which grants them read-only access to all application configuration, settings and allow them to create a new version of the application https://cloud.google.com/appengine/docs/admin-api/access-control#roles Option A is incorrect because it grants Read/Write/Modify permission to team lead and developers will not have permission to create a new version of an application Option B is incorrect because it will grant Read/Write/Modify permission to team lead Option C is incorrect because it will not allow the team lead to read the deployed source code

Answer 40

Answer B As per IAM best practices, you should add staging project’s service account in GCS bucket permission section and grant Storage object viewer role to provide cross account access https://cloud.google.com/dataprep/docs/concepts/gcs-buckets Option A is a possible option but directly using access keys in the compute engine is not a good security practice. Option C is incorrect because assigning the role in IAM section of the project will give access to all buckets in that project, not a particular bucket, this will grant access permissions Option D is incorrect because adding allUsers will make the bucket public and anyone can access it.

Answer 41

Answer C VPC service controls allow you to lock down GCP resources. In VPC service control you can define which projects can call on your GCP APIs allowing you to whitelist the project which you want to grant access to. This can protect sensitive data from attackers or stolen identity The most common use cases for VPC service controls are Mitigate threats such as data exfiltration Isolate parts of the environment by trust level Secure access to multi-tenant services https://cloud.google.com/vpc-service-controls Option A is incorrect because it is used to mitigate DDoS attack and provides WAF Option B is incorrect because it is used to detect threats like Burt force attack from logs and reports to Security command center Option D is incorrect because Cloud DLP is used to detect and de-identify any sensitive information like credit card number or any PII data

Answer 42

Answer: Option A, B, D are the CORRECT choice because, When you apply a customer-managed encryption key to an object, the encryption key is used to encrypt the object, its CRC32C checksum, and its MD5 hash. The remaining metadata for the object, including the object's name, is encrypted using standard server-side keys. This allows you to always read and update metadata, as well as list and delete objects, provided you have permission to do so. https://cloud.google.com/storage/docs/encryption/customer-managed-keys

Answer 43

Answer: Option B is the CORRECT because, creating service accounts for each service with only the permissions required for that service is the best practice, even if the employee leaves the organization other employees can use the service account . Option A is INCORRECT because Service Account is used to give permission to Application or VMs. A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs so that the users aren't directly involved. With Admin access, the employees will be able to create Compute Engine instances which runs the service account, connect to them, and use the service account to start the job. So in nutshell,admin empowers to effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts has access. Option C is INCORRECT because Granting the service account only the minimum set of permissions required to achieve their goal is the best practice. Option D is INCORRECT because Google Managed service accounts are created and owned by Google. These accounts represent different Google services and each account is automatically granted IAM roles to access your GCP project. This service account is designed specifically to run internal Google processes on your behalf and is not listed in the Service Accounts section of GCP Console. More reading at https://cloud.google.com/iam/docs/understanding-service-accounts

Answer 44

Answer: Option B is the CORRECT choice because SSL proxy Loadbalancing supports SSL offloading and it is availability is Global and it handles non-http(s) traffic. Option A is INCORRECT because the traffic is non-http(s). Option C is INCORRECT because TCP proxy can handle non-http(s) traffic but it doesn’t come with SSL offloading feature. Option D is INCORRECT because Network TCP/UDP load balancing is Regional and it doesn’t handle SSL offloading. Google Cloud SSL Proxy Load Balancing terminates user SSL (TLS) connections at the load balancing layer, then balances the connections across your instances using the SSL or TCP protocols. Cloud SSL proxy is intended for non-HTTP(S) traffic.

Answer 45

Answer: Option B, D & E are the CORRECT choices. Option A is INCORRECT because always grant the service account only the minimum set of permissions required to achieve their goal. Option C is INCORRECT because always restrict who can act as service accounts. Users who are Service Account Users for a service account can indirectly access all the resources the service account has access to. Therefore, be cautious when granting the serviceAccountUser role to a user.

Answer 46

Answer: Option C is CORRECT because , VPC Service Controls create a security perimeter around data stored in API-based GCP services such as Google Cloud Storage, BigQuery and Bigtable. This helps mitigate data exfiltration risks stemming from stolen identities, IAM policy misconfigurations, malicious insiders and compromised virtual machines. Option A is INCORRECT because , Shared VPC allows an organization to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. The VPC networks in the host project are called Shared VPC networks. Eligible resources from service projects can use subnets in the Shared VPC network .Here the challenge is to mitigate Data exfiltration and VPC Service Controls is the right choice. Option B is INCORRECT because, Cloud Armor is used for delivering defense at scale against infrastructure and application Distributed Denial of Service (DDoS) attacks using Google’s global infrastructure and security systems. Option D is INCORRECT because , . Resource Manager enables you to programmatically manage these resource containers. Google Cloud Platform provides Resource containers such as Organizations, Folders, and Projects, that allow you to group and hierarchically organize other Cloud Platform resources. This hierarchical organization lets you easily manage common aspects of your resources such as access control and configuration settings. Security benefits of VPC Service Controls VPC Service Controls helps mitigate the following security risks without sacrificing the performance advantages of direct private access to GCP resources: Access from unauthorized networks using stolen credentials: By allowing private access only from authorized VPC networks, VPC Service Controls protects against theft of OAuth credentials or service account credentials. Data exfiltration by malicious insiders or compromised code: VPC Service Controls complements network egress controls by preventing clients within those networks from accessing the resources of Google-managed services outside the perimeter. VPC Service Controls also prevents reading data from or copying data to a resource outside the perimeter using service operations such as copying to a public Cloud Storage bucket using the gsutil cp command or to a permanent external BigQuery table using the bq mk command. The restricted VIPs feature can be used to prevent access from a trusted network to storage services that are not integrated with VPC Service Controls. Public exposure of private data caused by misconfigured Cloud IAM policies: VPC Service Controls provides an additional layer of security by denying access from unauthorized networks, even if the data is exposed by misconfigured Cloud IAM policies. By assigning the Access Context Manager Policy Admin role for Cloud IAM, VPC Service Controls can be configured by a user who is not the Cloud IAM policy administrator. VPC Service Controls is configured for your GCP organization to create a broad, uniform policy that applies consistently to all protected resources within the perimeter. You retain the flexibility to process, transform, and copy data within the perimeter. The security controls automatically apply to all new resources created within a perimeter. Read more about VPC Service Control here : https://cloud.google.com/vpc-service-controls/docs/overview A service perimeter creates a security boundary around GCP resources. You can configure a service perimeter to control communications from virtual machines (VMs) to a GCP service (API), and between GCP services. A service perimeter allows free communication within the perimeter but, by default, blocks all communication across the perimeter. For example: A VM within a Virtual Private Cloud (VPC) network that is part of a service perimeter can read from or write to a Cloud Storage bucket in the same perimeter. However, any attempt to access the bucket from VPC networks that are not inside the perimeter is denied. A copy operation between two Cloud Storage buckets will succeed if both buckets are in the same service perimeter, but will fail if one of the buckets is outside the perimeter. A VM within a VPC network that is part of a service perimeter can privately access any Cloud Storage buckets in the same perimeter. However, the VM will be denied access to Cloud Storage buckets that are outside the perimeter.

Answer 47

Answer: A Option A is CORRECT because Cloud IoT Core can accept data from IoT devices and Cloud Pub/Sub acts as a connector service and sends the data to Cloud Data Flow for transformation. Data Flow transforms the data and sends it to Big Query for analysis. Option B is INCORRECT because Cloud Storage isn’t the right choice for streaming data, using Cloud Pub/Sub is the best choice. Option C is INCORRECT because Cloud IoT Core can stream the data directly to Cloud Pub/Sub .(use Cloud Storage for Batch Upload) Option D is INCORRECT because Dataproc is a fully managed cloud service for running Apache Spark and Apache Hadoop clusters. Sources: https://cloud.google.com/community/tutorials/cloud-iot-rtdp

Answer 48

Answer: B is the CORRECT choice, Cloud Functions is the least no-Ops, then App Engine, then followed by GKE and then Compute Engine with containers and at last Compute Engine.

Answer 49

Answer:A Option A is the Correct choice because , Cloud DLP helps you better understand and manage sensitive data. It provides fast, scalable classification and redaction for sensitive data elements like credit card numbers, names, social security numbers, US and selected international identifier numbers, phone numbers, and GCP credentials . Option B is Incorrect because Cloud Secure Service doesn’t exist in GCP. Option C is incorrect because , VPC Service Controls allow users to define a security perimeter around Google Cloud Platform resources such as Cloud Storage buckets, Bigtable instances, and BigQuery datasets to constrain data within a VPC and help mitigate data exfiltration risk but it doesn’t help in data redaction . Option D is Incorrect because ,Cloud Armour Google Cloud Armor delivers defence at scale against infrastructure and application Distributed Denial of Service (DDoS) attacks using Google’s global infrastructure and security systems but it doesn’t help in data redaction . Read more about it here : https://cloud.google.com/dlp/

Answer 50

C) Option is correct You should store Cloud SQL credentials in Cloud Secret Manager where you can rotate, create versions and can manage access to credentials https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets Option A is incorrect because storing the credentials in the code itself will make it accessible to anyone having access to cloud functions and it will also become difficult to rotate credentials Option B is incorrect because storing the credentials in the environment variable will make it accessible to anyone having access to cloud functions Option D is incorrect because Cloud KMS is used to managing encryption and decryption

Answer 51

C) Option is correct To use customer-supplied encryption keys with Google Cloud Storage while uploading files, you must add the encryption_key option in [GSUtil] section of the boto configuration file. Boto configuration file is the file where you can configure all configurations related to gsutil command line https://cloud.google.com/storage/docs/gsutil/addlhelp/UsingEncryptionKeys Option A is incorrect because you need to add encryption_key option in GSUtil section of boto configuration file there is no such flag while using gsutil commands Option B is incorrect because as per security policy they don’t want to store Keys in Google Cloud. So CMEK is not an option. Option D is incorrect because encryption_key must be added in boto file, not the gcloud configuration

Answer 52

Concert answer B The question describes a topology for Dynamic routing The minimal number of each type of component you need to implement Dynamic routing: 1 Cloud VPN Gateway (Show as VPN in GCP network on left), 1 Peer Gateway (Show as VPN Gateway with BGP in peer network on right), and 1 Cloud Router, displayed in the diagram

Answer 53

Correct Answer - A Option A is CORRECT because Cloud Armor delivers defence at scale against infrastructure and application Distributed Denial of Service (DDoS) attacks using Google’s global infrastructure and security systems. Option B is INCORRECT because, Cloud-Identity Aware Proxy lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls. Option C is INCORRECT because GCP firewalls rules don’t apply for HTTP(S) Load Balancers, while Cloud Armor is delivered at the edge of Google’s network, helping to block attacks close to their source. Option D is INCORRECT IAM policies don’t help in mitigating DDOS attacks. Read more about Cloud Armor: https://cloud.google.com/blog/products/gcp/getting-to-know-cloud-armor-defense-at-scale-for-internet-facing-services

Answer 54

Correct Answer - A Option A is correct because you are performing a one-time (rather than an ongoing series) data transfer from on-premises to Google Cloud Platform for users in a single region (Germany). Using a Region storage bucket will reduce cost and also conform to regulatory requirements Options B, C, and D are incorrect because you should not use a Multi-Region storage bucket for users in a single region (B, D). Also, Storage Transfer Service does not work for data stored on-premises file servers (C, D). Reference GCS Region storage for single location access: https://cloud.google.com/storage/docs/storage-classes Google Cloud transfer appliance: https://cloud.google.com/transfer-appliance/

Answer 55

Correct Answer - A Option A is correct With the help of this command, we can create a service type of LoadBalancer and expose the port on which our application is hosted. https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ Option B is incorrect because the flag --name is not optional and is missing in Option B. Option C is incorrect because it will create a service type of ClusterIP. Option D is incorrect because we need a service type of load balancer that we can expose to the public internet.

Answer 56

Correct Answer - A Option A is correct. BigQuery is the only of these Google products that support an SQL interface and can handle petabyte data.

Answer 57

Correct Answer - A Option A is the correct choice because the client doesn’t want to store the encryption keys on Google Cloud. With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. Option B is incorrect because, even though All objects on Google Storage are encrypted by default, the client is storing sensitive data and hence default encryption isn’t the best option. https://cloud.google.com/security/encryption-at-rest/ Option C is incorrect because giving your Cloud Storage service account access to an encryption key, that the service account encrypts comes under Customer-Managed Encryption Keys, these keys are stored in Google cloud, hence not the correct choice here. Option D is incorrect because, in a customer-managed encryption key, your encryption keys are stored within Cloud KMS. The client doesn’t want to store keys on the Cloud. Reference: https://cloud.google.com/kms/docs/ekm

Answer 58

Correct Answer - A A (Correct answer) - Launch a cluster in each region to preprocess and compress the raw data, then move the data into a regional bucket and use a Cloud Dataproc cluster to finish the job. Since the raw data are saved based on the vehicle's location all over the world, most likely they’ll scatter in many different regions, and eventually they need to move to a centralized location for final processing. Preprocessing raw data and compressing them from each location to reduce the size so to save the between-region data egress cost. Dataproc is a region-specific resource and since you want to run this job on all data and you or your group probably are the only consumers for the data, moving the data into a regional bucket same or closest to the DataProc cluster's region for final analysis is most cost-effective. Use a regional location to help optimize latency, availability, and network bandwidth for data consumers grouped in the same region. Use a multi-regional location when you want to serve content to data consumers that are outside of the Google network and distributed across large geographic areas. Store frequently accessed data, or data that needs to be geo-redundant as Multi-Regional Storage. B - Move all the data into 1 region, then launch a Google Cloud Dataproc cluster to run the job. Since the raw data are save based on the vehicles’ location all over the world, moving them to a centralized region without preprocessing and compressing would incur additional between-region data egress cost C - Launch a cluster in each region to preprocess and compress the raw data, then move the data into a multi-region bucket and use a Dataproc cluster to finish the job. Dataproc is Region-specific resource and since you want to run this job on all data and data consumption occurs in a centralized location, then moving the data into a multi-region bucket for Dataproc cluster jobs is not most cost-effective. Use a multi-regional location when you want to serve content to data consumers that are outside of the Google network and distributed across large geographic areas. · Store frequently accessed data or data that needs to be geo-redundant as Multi-Regional Storage. D - Move all the data into 1 zone, then launch a Cloud Dataproc cluster to run the job. GCS is either Regional or Multi-Regional not Zonal Resources

Answer 59

Correct Answer - A A is correct because this makes sure the VM gets replicated in the new zone. B is incorrect because this takes more steps than A. C is incorrect because this will generate an error because gcloud cannot copy disks. D is incorrect because the original VM will be moved, not replicated. References: https://cloud.google.com/compute/docs/instances/create-start-instance#createsnapshot

Answer 60

Correct Answer - A and B A (Correct Answer) - The blue-green model allows for extensive testing of the application in the green environment before sending traffic to it. Typically, the two environments are identical otherwise which gives the highest level of testing assurance. B (Correct Answer) - Microservices allows for smaller, more incremental rollouts of updates (each microservice can be updated individually) which will reduce the likelihood of an error in each rollout. C is incorrect - Would remove a well proven step from the general release strategy, a canary release platform is not a replacement for QA, it should be additive. D is incorrect - Doesn’t really help the rollout strategy, there is no inherent property of a relational database that makes it more subject to failed releases than any other type of data storage. E is incorrect - Doesn’t really help either since NoSQL databases do not offer anything over relational databases that would help with release quality.

Answer 61

Correct Answer - A What you need is Service Management with capabilities of real-time monitoring, security, and telemetry data collection in a multi-cloud microservices environment. They are called Service Mesh. The most popular product in this category is ISTIO, which collects traffic flows and telemetry data between microservices, enforcing security, with the help of proxies that operate without changes to application code. Traffic Director can help in a global service mesh because it is a fully managed Service Management control plane. With Traffic Director, you can manage on-premise and multi-cloud destinations, too. B is incorrect because Istio on Google Kubernetes Engine is a tool for GKE that offers automated installation and management of Istio Service Mesh. So, only inside GCP. C is incorrect because Apigee is a powerful tool for API Management suitable also for on-premise and multi-cloud environments. But API Management is for managing application APIs and Service Mesh is for managing Service to Service communication, security, Service Levels, and control. Similar services with different scopes. D is incorrect because App Engine Flexible Edition is a PaaS for microservices applications within Google Cloud. For any further detail: https://cloud.google.com/traffic-director/docs/overview Choosing between service management and API management

Answer 62

Correct Answer - B A - you anticipate a “large and undetermined amount of traffic”, so regardless of any provisioned IOPS there is always a risk it will not be enough and potentially high none necessary cost B (Correct answer) - Cloud Pub/Sub for capturing the writes and draining the queue to write to the database. Cloud Pub/Sub brings the scalability, flexibility, and reliability of enterprise message-oriented middleware to the cloud. By providing many-to-many, asynchronous messaging that decouples senders and receivers, it allows for secure and highly available communication between independently written applications. Cloud Pub/Sub delivers low-latency, durable messaging that helps developers quickly integrate systems hosted on the Google Cloud Platform and externally. C - Memcached is for reading not for write D - Install your MySQL database on Compute instance and enable autoscaling. If you roll out your own MySql instance, then you don’t have the advantage from manage Google Cloud SQL. Furthermore, it’ll be complicated and costly to implement a horizontal autoscaling feature even if you can try some sharding and master/slave. So, Answer B is the clear winner.

Answer 63

Correct Answer - B Option A is incorrect. A load balancer with MIG will provide scalability with an inbuilt feature of Live Migration if needed. But it is not as optimized response as compared to a managed service Option B is correct. The requirement is to have a dedicated System. MongoDB Atlas provides the same. MongoDB Atlas provides customers a fully managed service on Google’s globally scalable and reliable infrastructure. Atlas allows you to manage your databases easily with just a few clicks in the UI or an API call, is easy to migrate to, and offers advanced features such as global clusters for low-latency read and write access anywhere in the world. Option C is incorrect. Live migration is not an option but an inbuilt feature provided by Google. Option D is incorrect. A DB Instance, even if NoSQL, cannot scale in a simple way. In case of failover, it is likely to have inconsistencies and loss of services. In addition, local SSD disks are really fast but they persist only until the instance is stopped or deleted. Definitely not according to the requirements. For any further detail, please check the following URLs: https://cloud.google.com/mongodb https://www.mongodb.com/cloud/atlas/

Answer 64

Correct Answer - B Option B is correct because of the requirement to globally scalable transactions—use Cloud Spanner. CPU utilization is the recommended metric for scaling, per Google best practices, see linked below. A is incorrect because you should not use storage utilization as a scaling metric. C, D are incorrect because you should not use Cloud Bigtable for this scenario: The data will be transactional consistent and added from any location in the world. References: Cloud Spanner Monitoring Using Operations Suite (formerly Stackdriver) https://cloud.google.com/spanner/docs/monitoring Best Practices: https://cloud.google.com/spanner/docs/best-practice-list

Answer 65

Correct Answer - B Google Cloud Platform (GCP) legacy networking vs. VPC subnet: Legacy networking Legacy networks have a single RFC 1918 range, which you specify when you create the network. The network is global in scope and spans all cloud regions. In a legacy network, instance IP addresses are not grouped by region or zone. One IP address can appear in one region, and the following IP address can be in a different region. Any given range of IPs can be spread across all regions, and the IP addresses of instances created within a region are not necessarily contiguous. It is not possible to create regional subnets with a legacy network. Legacy networking Example: Subnets and IP ranges Each VPC network consists of one or more useful IP range partitions called subnetworks or subnets. Each subnet is associated with a region. Networks can contain one or more subnets in any given region. Subnets are regional resources. Each subnet must have a primary address range, which is a valid RFC 1918 CIDR block. Subnets in the same network must use unique IP ranges. Subnets in different networks, even in the same project, can re-use the same IP address ranges. VPC network example: subnet3 is defined as 10.2.0.0/16, in the us-east1 region. One VM instance in the us-east1-a zone and a second instance in the us-east1-b zone, each receiving an IP addresses from its available range. Note: Legacy networks are not recommended. Many newer GCP features are not supported in legacy networks. It is still possible to create legacy networks through the gcloud command-line tool and the REST API. It is not possible to create legacy networks using the Google Cloud Platform Console. Reference resources Virtual Private Cloud (VPC) Network Overview https://cloud.google.com/vpc/docs/vpc Google Cloud Platform (GCP) legacy networking vs. VPC subnet https://cloud.google.com/vpc/docs/legacy

Answer 66

Correct Answer - B Since we need to allow egress traffic to Active Directory servers only, we will create an egress rule which has a destination IP range of Active Directory servers and Assign a Low priority number because the lower the number, the higher the priority. The second rule to deny all egress traffic with Higher Priority Number i.e. 1000 https://cloud.google.com/vpc/docs/using-firewalls Option A is incorrect because creating a deny rule for all egress traffic with priority 100 will block all traffic including Active Directory. The lower number takes the first precedence Options C & D are incorrect because there is a requirement to all block outgoing traffic except traffic to the active directory server, so configuring ingress rules will not work.

Answer 67

Correct Answer - B We can monitor the GCP services using the Operations suite from Google. Though it doesn't provide memory metrics out of the box. We have to install the agent on VM for additional metrics. After configuring the Cloud monitoring you can set up alerting policies in Cloud monitoring to notify the SRE team. Option A is incorrect because Cloud logging is used for logging application logs or any other logs to Cloud logging. Option C is incorrect because the uptime check is used to check the system availability. Option D is incorrect because by default memory metrics are not available on Cloud monitoring.

Answer 68

Correct Answer - C Option A is incorrect because it is used to monitor resource utilization or any custom metric. Option B is incorrect because Cloud trace is used to detect the latency issues in your application. Option C is correct because Cloud profiler is a Google cloud service that helps you to analyze the CPU and memory usage of your functions in the application https://codelabs.developers.google.com/codelabs/cloud-stackdriver-profiler/#0 Option D is incorrect because Cloud logging is a fully managed service which allows you to store, search and analyze logs

Answer 69

Correct Answer - C A is incorrect. Instance Template are immutable so you have to create a new Instance Template and update the Managed Group Definition B is incorrect. It is not advisable to do such a manual operation. It’s cumbersome and prone to errors. C is correct. With managed instance group updater, you may roll out an update automatically based on your specifications: maxSurge is the number of Instances beyond the targetSize of the group maxUnavailable set the number of instances unavailable at any time during the update Minimal action: if the updater has to REPLACE or RESTART the Instances D is incorrect. A canary update is a partial update to a few numbers of instances in the instance group. The requirement was to deploy it in all the VMs in the fastest and safest way For more details, please refer to the URLs below: https://cloud.google.com/compute/docs/instance-groups/ https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups

Answer 70

Correct Answer - C GCP firewall rules are stateful. When a connection is allowed through the firewall in either direction, return traffic matching this connection is also allowed. You cannot configure a firewall rule to deny associated response traffic. Return traffic must match the 5-tuple (source IP, destination IP, source port, destination port, protocol) of the accepted request traffic, but with the source and destination addresses and ports reversed. Options A and D are incorrect. A service account represents an identity associated with an instance. Only one service account can be associated with an instance. So it is the best option in case of strict security constraints. Be careful because you cannot mix and match service accounts and network tags in any firewall rules. Option E is incorrect because it is not necessary to provide different security to various projects. So service accounts are not required for this requirement. For any further detail, please refer to the URLs below: https://cloud.google.com/vpc/docs/using-firewalls https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags https://cloud.google.com/vpc/docs/firewalls#specifications

Answer 71

Correct Answer - C The firewall rule to allow SSH is restricted to the internal VPC Instances can have both Internal and External IP addresses. When connecting to another instance by its external address, you're going out of your internal network to the external Internet and coming back to access the instance by its external address. If traffic is restricted to the local VPC, it will reject this attempt as it is coming from an external source. Reference: https://cloud.google.com/vpc/docs/firewalls#firewall_rules_in

Answer 72

Correct Answer - D Opion A - Write a lifecycle management rule in XML and push it to the bucket with gsutil: you can set lifecycle configuration for an existing bucket with a PUT API call request (NOT the “gsutil lifecycle” command!). You must include an XML document in the request body that contains the lifecycle configuration. https://cloud.google.com/storage/docs/xml-api/put-bucket-lifecycle#request_body_elements B and C can be eliminated. They do the similar thing slightly different: write script listing object and get their timestamps gsutil ls -[l or lr] gs://[BUCKET_NAME]/** If an object's age is older than 90 days, do deleting, then schedule a cron job for the recurring process. However, gsutil ls -l/-lr does not list versioned objects. To list versioned object, need gsutil ls -a. Using this approach, versioned archives won’t be deleted. There is a better, easier, and more consistent way to do this in Answer D D (Correct answer) - Write a lifecycle management rule in JSON and push it to the bucket with gsutil. To enable lifecycle management for a bucket: https://cloud.google.com/storage/docs/managing-lifecycles · Create a .json file with the lifecycle configuration rules you would like to apply (see examples below). · Use the lifecycle set command to apply the configuration gsutil lifecycle set [LIFECYCLE_JSON-CONFIG_FILE] gs://[BUCKET_NAME] The following lifecycle configuration JSON document specifies that all objects in this bucket that are more than 90 days old will be deleted automatically: { “rule”: [ { “action”: {“type”: “Delete”}, “condition”: {“age”: 90} } ] }

Answer 73

Correct Answer A and C Explanation For long-term logs preserving and retention: There are 3 type of sink destinations you can export Logs to: Cloud Storage, Cloud Pub/Sub, BigQuery. Export logs to Cloud Storage via an export sink. Cloud Storage is perfect solution for long-term logs retention. For Sharing: The choice to use IAM or signed URL's depends on if the auditors need a GCP account or need access to a single object or all logs in a bucket. You could either create a GCP account for auditor ACL object access or signed URL's depending on if they need to have a GCP account or not. Answer A is correct. If Auditors have GCP accounts, you can grant them “roles/storage.objectViewer” which can view objects and their metadata. Note the different between “storage.objectViewer” and “Project Viewer” https://cloud.google.com/storage/docs/access-control/iam-roles Cloud Storage IAM Roles Answer C is correct: “A signed URL is associated with a bucket or object and gives time-limited read or write access to that specific resource. Anyone in possession of the URL has the access granted by the URL, regardless of whether they have a Google account.” https://cloud.google.com/storage/docs/access-control/create-signed-urls-program Answer B is incorrect: Project Viewer role is not enough to view Admin Activity logs in Operations Suite (formerly Stackdriver) Logging. “To view the logs, you must have the IAM roles Logging/Private Logs Viewer or Project/Owner”. https://cloud.google.com/logging/docs/audit/#admin-activity Note: the Operations Suite (formerly Stackdriver) Admin activity log retention period is 400 days which meets and exceeds the required once-a-year access. Answer D is incorrect due to this part: “email a list of the logs once per year”

Answer 74

Correct Answer A and D Explanation You can restrict network access on the firewall by network tags and network ranges/subnets. Here is the console screenshot showing the options when you create firewall rules - network tags and network ranges/subnets are highlighted

Answer 75

Correct Answer A and D B - Use the -r option for large transfers. The -R and -r options are synonymous. Causes directories, buckets, and bucket subdirectories to be copied recursively. C - Copy the files in bigger pieces at a time. No applicable to the question requirements D (Correct answer) - Use the -m option for multi-threading on transfers. If you have a large number of files to transfer you might want to use the gsutil -m option, to perform a parallel (multi-threaded/multi-processing) copy: gsutil -m cp -r dir gs://my-bucket A (Correct answer) - Compress and combine files before transferring. Compressing and combining smaller files info fewer larger files is also a best practice for speeding up transfer speeds because it saves network bandwidth and space in Google Cloud Storage gsutil cp -z html -a public-read cattypes.html tabby.jpeg gs://mycats Reference cp - Copy files and objects https://cloud.google.com/storage/docs/gsutil/commands/cp

Answer 76

Correct Answer A and E The order should be Upload log files into Google Cloud Storage and then Load logs into Google BigQuery. E (Correct answer) - Upload log files into Google Cloud Storage Cloud Storage is best solution for Long-term disaster recovery backup. You can do SQL query direct against data in Cloud Storage. It also meets the low risk requirement to prevent potential accidental data loss and modification. A (Correct answer) - Load logs into Google BigQuery - BigQuery is most suitable solution for doing analytics against large amount of data; You can do SQL query direct against data in Cloud Storage. B - Import logs into Google Operations Suite (formerly Stackdriver) - Operations Suite (formerly Stackdriver) is not a suitable solution for Long-term disaster recovery backup C - Insert logs into Google Cloud Bigtable: BigTable is not a suitable solution for Long-term disaster recovery backup D - Load logs into Google Cloud SQL - Cloud SQL is relation database designed for transactional CRUD OLTP processing suitable for data less than 10 TB. Note: Our requirement is "analytics feature" ------------- BigQuery is Google’s Cloud-based data warehousing solution. It targets data in big picture and can query huge volume of data in a short time. As the data is stored in columnar data format, it is much faster in scanning large amounts of data compared with BigTable. BigQuery allows to scale to petabyte and is great enterprise data warehouse for analytics. BigQuery is serverless BigTable is designed in NoSQL architecture, but can still use row-based data format. With data read/write under 10 milliseconds, it is good for applications that have frequent data ingestion. It can be scaleable to hundreds of petabytes and handle millions of operations per second. -----------------------

Answer 77

Correct Answer A Explanation A (Correct Answer) - Deploying a new version without assigning it as the default version will not create downtime for the application. Using traffic splitting allows for easily redirecting a small amount of traffic to the new version and can also be quickly reverted without application downtime B - Deploy the application temporarily and be prepared to pull it back if needed. Deploying the application new version as default requires moving all traffic to the new version. This could impact all users and disable the service during the new version’s live time. C - Warn users that a new app version may have issues and provide a way to contact you if there are problems. We won’t recommend this practice. D - Create a new project with the new app version, then redirect users to the new version. Deploying a second project requires data synchronization and having an external traffic splitting solution to direct traffic to the new application. While this is possible, with Google App Engine, these manual steps are not required.

Answer 78

Correct Answer A Explanation A (Correct answer) - Separate project for each environment, each team only has access to their project. For least privilege and separation of duties, the best practice is to separate both environments into different projects, development or production team gets their own accounts, and each team is assigned to only their projects. The best practices: · You should not use same account for both Development and production environments regardless how do you create projects inside that account for different environments. You should use different account for each environment which associated with different group of users. You should use project to isolate user access to resource not to manage users. · Using a shared VPC allows each team to individually manage their own application resources, while enabling each application to communicate between each other securely over RFC1918 address space. So VPC's isolate resources but not user/service accounts. B, C, and D are incorrect Answer B is the scenario that use same account for both development and production environments attempting to isolate user access with different projects Answer C is the scenario that use same account for both development and production environments with same project attempting to isolate user access with network separation. Answer D is the scenario that use same account for both development and production environments with same project attempting to isolate user access with user group at resource level. You may grant roles to group of users to set policies at organization level, project level, or (in some cases) the resource (e.g., existing Cloud Storage and BigQuery ACL systems as well as and Pub/Sub topics) level. The best practice: Set policies at the Organization level and at the Project level rather than at the resource level. This is because as new resources get added, you may want them to automatically inherit policies from their parent resource. For example, as new Virtual Machines gets added to the project through auto scaling, they automatically inherit the policy on the project. https://cloud.google.com/iam/docs/resource-hierarchy-access-control#best_practices Additional Resources: To recap: IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. IAM policies grant specific role(s) to a user giving the user certain permissions. https://cloud.google.com/resource-manager/docs/access-control-org Using Resource Hierarchy for Access Control https://cloud.google.com/iam/docs/resource-hierarchy-access-control#background

Answer 79

Correct Answer A Explanation A (Correct answer) - Specifying '--no--auto-delete' preserves the disk. This flag is not enabled by default so if not specify, it causes the disk to be auto-deleted. https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-disk-auto-delete B - The default is boot disk automatically delete and no flag needed, also the syntax is incorrect for this type of flags C - if you don’t specify ‘--no-boot-disk-auto-delete’. The default would be boot disk automatically delete Here is the corresponding console setting displaying the default option D - when instance created without this flag: --preemptible, it’ll be standard instance Here is the corresponding console setting in “Availability Policy” when you create instance with --preemptible flag

Answer 80

Correct Answer A Explanation Answers B (Shut down VM), D (Move files to new attached disk), and E (Use snapshot to restore … restart the database service) all have some sorts of downtime, so they can be ruled out. A (Correct answer) - In the Cloud Platform Console, increase the size of the persistent disk and use the resize2fs command in Linux. You can resize persistent disks when your instances require more storage space and attach multiple secondary disks only when you need to separate your data into unique partitions. You can resize disks at any time, regardless of whether the disk is attached to a running instance. You can use console or command line to resize the disk: gcloud compute disks resize [DISK_NAME] --size [DISK_SIZE] After you resize your persistent disk, you must configure the file system on the disk to use the additional disk space. If the disk has a partition table, such as a boot disk, you must grow the partition and resize the file system on that partition. If your persistent disk has only a file system and no partition table, you can just resize the file system. Extend the file system on the disk or the partition to use the added space. If you grew a partition on your disk, specify the partition. If your disk does not have a partition table, specify only the disk ID. The resize2fs is Linux program to resize ext2, ext3, or ext4 file systems. sudo resize2fs /dev/[DEVICE_ID][PARTITION_NUMBER] C - In the Cloud Platform Console, increase the size of the persistent disk and verify the new space is ready to use with the fdisk command in Linux. This answer is incomplete: after indicating size increase in console, to make the new size effective, you have two options: restart the VM or configure (Grow partition if needed and expand partition/file system) in the VM’s operating systems, windows or linux Reference Resources https://cloud.google.com/compute/docs/disks/add-persistent-disk Adding or Resizing Persistent Disks Additional Resource Update: Now you have the option to enable “Automatic storage increase” Instance Settings https://cloud.google.com/sql/docs/mysql/instance-settings#automatic-storage-increase-2ndgen Automatic storage increase If this setting is enabled, your available storage is checked every 30 seconds. If available storage falls below a threshold size, additional storage capacity is automatically added to your instance.

Answer 81

Correct Answer A Explanation Deleting a snapshot: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots When you delete a snapshot, Compute Engine immediately marks the snapshot as DELETED in the system. If the snapshot has no dependent snapshots, it is deleted outright. However, if the snapshot does have dependent snapshots: 1) Any data that is required for restoring other snapshots is moved into the next snapshot, increasing its size. 2) Any data that is not required for restoring other snapshots is deleted. This lowers the total size of all your snapshots. 3) The next snapshot no longer references the snapshot marked for deletion, and instead references the snapshot before it. Because subsequent snapshots might require information stored in a previous snapshot, keep in mind that deleting a snapshot does not necessarily delete all the data on the snapshot. As mentioned in the first bullet above, if any data on a snapshot that is marked for deletion is needed for restoring subsequent snapshots, that data is moved into the next corresponding snapshot. To definitively delete data from your snapshots, you should delete all snapshots. The diagram below illustrates the process described above:

Answer 82

Correct Answer A Explanation Individual VM's in a managed instance group should be treated as disposable entities and should not be individually backed up. Using the rolling update feature in your managed instance group allows you to use alternate managed instance templates for managing different versions of your application. https://cloud.google.com/compute/docs/instance-groups/updating-managed-instance-groups

Answer 83

Correct Answer A A (Correct answer) - Create a scalable environment in GCP for simulating production load. With this disposable and repeatable testing resources, you can do load test whenever needed. Shutdown or stop the services or simplify delete and recreate it based on the test plans, to keep the cost low. It meets the requirements “create a thorough testing process for new versions of the backend before they are released to the public” and” testing environment to scale in an economical way”. Doing thorough testing on production infrastructure is risky to other running application, not feasible, not scale in economical way. B - Build stress tests into each component of your application using resources internal to GCP to simulate load. This is not scale nor economical and too complicated to implement. C - Use the existing infrastructure to test the GCP-based backend at scale. At first glance, reuse exiting environments so it’ll be scalable, economical, and in the real situation. If we read the case study again, we know that Mountkirk games is a popular game platform targeting to global users with very high traffic and heavy load. Doing a load test on the production is no longer an option, nor is it necessarily a scale in an economical way if you mix the production and testing load. Comparing to the solution creating disposable and reputable testing environment simulating production load and execute test plans on demanding, Answer A is the winner. D - Create a set of static environments in GCP to test different levels of load - for example, high, medium, and low. This is nor scale nor economical

Answer 84

Correct Answer A A (Correct answer) - In a secret management system Applications often require access to small pieces of sensitive data at build or run time. These pieces of data are often referred to as secrets. Secrets are similar in concept to configuration files, but are generally more sensitive, as they may grant access to additional data, such as user data. https://cloud.google.com/kms/docs/secret-management B - In the source code: This is exactly again the best practice “Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials.” (see below the best practice #1) C - In an environment variable - you use environment variable to point to the location where the secrets (credentials) are stored other than store the secrete directly (see below the best practice #1 D - In a configuration file that has restricted access through ACLs - Secrets are similar to but generally more sensitive than configuration and also, ACLs may not enough for the secrete management. Here is example for Storing secrets https://cloud.google.com/kms/docs/store-secrets Additional Resource https://cloud.google.com/docs/authentication/production#providing_credentials_to_your_application Best practices for managing credentials Credentials provide access to sensitive data. The following practices help protect access to these resources: 1) Do not embed secrets related to authentication in source code, such as API keys, OAuth tokens, and service account credentials. You can use an environment variable pointing to credentials outside of the application's source code, such as Cloud Key Management Service. 2) Do use different credentials in different contexts, such as in testing and production environments. 3) Do transfer credentials only over HTTPS to prevent a third party from intercepting your credentials. Never transfer in clear text or as part of the URL. 4) Never embed long-lived credentials into your client-side app. For example, do not embed service account credentials into a mobile app. Client-side apps can be examined, and credentials can easily be found and used by a third party. Do revoke a token if you no longer need it.

Answer 85

Correct Answer A A (Correct Answer) - Since the data is accessed frequently within the first 30 days, using Standard Google Cloud Storage will enable the most cost-effective solution for storing and accessing the data. For videos older than 30 days, Google Cloud Coldline Storage offers the most cost-effective solution since it won’t be accessed. B - While Google Cloud Coldline storage is cost-effective for long-term video storage, Google Cloud Nearline Storage would not be an effective solution for the first 30 days as the data is expected to be accessed frequently. C - While Google Cloud Regional Storage is the most cost-effective solution for the first 30 days, Google Cloud Nearline Storage is not cost effective for long-term storage. D - While Google Cloud Regional Storage is the most cost-effective solution for the first 30 days, storing the data on Google Cloud Persistent Disk would not be cost-effective for long term storage.

Answer 86

Correct answer A A (Correct answer) - You must create a new node pool in the same cluster and migrate the workload to the new pool. You cannot change the machine type for an individual node pool after creation. You need to create a new pool and migrate your workload over. Here are the steps for “Migrating workloads to different machine types” https://cloud.google.com/kubernetes-engine/docs/tutorials/migrating-node-pool B - gcloud container clusters update mycluster --machine-type n1-standard-4 updates cluster settings for an existing container cluster. You can use this command to specify --max-nodes --min-nodes for autoscaling purpose not for changing machines type https://cloud.google.com/sdk/gcloud/reference/container/clusters/update C - This action is not possible. It’s possible to migrate workloads running on a Kubernetes Engine cluster to a new set of nodes without incurring downtime for your application. See “Migrate the workloads” https://cloud.google.com/kubernetes-engine/docs/tutorials/migrating-node-pool#step_4_migrate_the_workloads D - gcloud container clusters resize mycluster --machine-type n1-standard-4. Resizes an existing cluster for running containers not for changing machine type https://cloud.google.com/sdk/gcloud/reference/container/clusters/resize

Answer 87

Correct answer A A is correct because this resizes the cluster to the desired number of nodes. B is not correct because you need to use gcloud, not kubectl. C is not correct because you should not manually manage the MIG behind a cluster. D is not correct because you should not manually manage the MIG behind a cluster.

Answer 88

Correct Answer A Avoid using sequential filenames such as timestamp-based filenames if you are uploading many files in parallel. Because files with sequential names are stored consecutively, they are likely to hit the same backend server, meaning that throughput will be constrained. In order to achieve optimal throughput, you can add the hash of the sequence number as part of the filename to make it non-sequential https://cloud.google.com/storage/docs/best-practices Answer A (Correct) - since it uses “Name files with a random prefix pattern.” Answer C , B, and D are incorrect since they use either “Name files with serverName-EventSequence” Or “Name files with serverName-Timestamp” which will cause the files unevenly distributed in the backend. For example, a specific server may generate much more events than other, or at certain time period the system may generate much more events than other period…

Answer 89

Correct answer A To both minimize costs (don't want extra disks) and minimize downtime (cannot freeze database). Backing up just the database to another disk using a cron job is the preferred answer. It is also possible to backup the database to a Cloud Storage bucket instead of a disk, which would be cheaper for the same amount of storage. B and D all have some sort of Database downtime due to the snapshot. Answer C would be hard to implement and use doubled resources. You’ll also lost the data consistency if you don’t freeze the primary database when you take snapshot on secondary database. Overall, it’s not worthwhile for your efforts for this task when you have better solution like answer A.

Answer 90

Correct Answer B and C Explanation B and C (Correct answers) - A managed instance group can auto scale and use a custom Linux distribution. An HTTP load balancer serves web traffic and is a global load balancer (single load balancer for all GCP regions worldwide). A - App Engine would support autoscaling but does not use custom Linux distributions. D - A Network Load Balancer might be used in conjunction with an HTTP Load Balancer for backend functions but is not the required component in this scenario.

Answer 91

Correct Answer B and D Cloud Spanner acts as an SQL database that is horizontally scalable for cross-region support and can host large datasets. Cloud Storage supports multi-regional buckets for high performance from different regions.

Answer 92

Correct answer B and D B is correct if one zone fails you still have 100% desired capacity in another zone C is incorrect because it won't be able to handle the full load since, it's unmanaged group and won't auto scale accordingly. D is correct since you have at least total 150% desired capacity spread over 3 zones, each zone has 50% capacity. You’ll have 100% desired capacity in two zones if any single zone failed at given time. Reference Resources https://cloud.google.com/compute/docs/instance-groups/distributing-instances-with-regional-instance-groups If you are creating a regional managed instance group in a region with at least three zones, Google recommends overprovisioning your instance group by at least 50%.

Answer 93

Correct Answer B Answer B meet all of the 3 requirements: Cloud Pub/Sub is a simple, reliable, scalable foundation for stream analytics and event-driven computing systems. As part of Google Cloud’s stream analytics solution, the service ingests event streams and delivers them to Cloud Dataflow for processing and BigQuery for analysis as a data warehousing solution. Relying on the Cloud Pub/Sub service for delivery of event data frees you to focus on transforming your business and data systems with applications such as: · check Real-time personalization in gaming · check Fast reporting, targeting and optimization in advertising and media · check Processing device data for healthcare, manufacturing, oil and gas, and logistics · check Syndicating market-related data streams for financial services Also, Use Cloud Dataflow as a convenient integration point to bring predictive analytics to fraud detection, real-time personalization and similar use cases by adding TensorFlow-based Cloud Machine Learning models and APIs to your data processing pipelines. https://cloud.google.com/ml-engine/ BigQuery provides a flexible, powerful foundation for Machine Learning and Artificial Intelligence. BigQuery provides integration with CloudML Engine and TensorFlow to train powerful models on structured data. Moreover, BigQuery’s ability to transform and analyze data helps you get your data in shape for Machine Learning. https://cloud.google.com/bigquery/ Other solutions may work one way or other but only the combination of theses 3 components integrate well in data ingestion, collection, and real-time analysis, and data mining in a highly durable, elastic, and parallel manner. A - Cloud storage is not suitable for this kind of real-time streaming data collection; Dataproc is GCP’s BigData Hadoop/Spark that can do ETL and analysis, but DataFlow provides a simple unified programming model for ETL and analysis in both real-time and batch. C - Cloud SQL is mainly for OLTP (Transactional, CRUD) not for OLAP (On-line Analytical Processing, Data Warehouse). It does not have the scalability, elasticity, and parallel to absorb this amount of Data in real-time. Instead, BigQuery integrates well with DataFlow and can absorb both streaming and batch data from it. D - Bigtable is one of the possible Data sink for DataFlow and have the capability to absorb this amount of real time data but it lacks the Data mining features like BigQuery. Further Explanation Pub/Sub is a kind of ‘shock absorber', allowing asynchronous messaging between large numbers of devices. Cloud Dataflow acts as your data processing pipeline for ETL functions on both streaming and batch data. BigQuery is a data warehouse, able to run analysis on petabytes of data using SQL queries. Below is a reference architect Google recommending for similar scenario in Real-time streaming data collection and analysis https://cloud.google.com/solutions/mobile/mobile-gaming-analysis-telemetry Real-time processing of events from game clients and game servers Data Transformation with Cloud Dataflow - Dataflow acts as your data processing pipeline for ETL functions on both streaming and batch data.

Answer 94

Correct Answer B Explanation A - Set timeouts on your application so that you can fail requests faster - This won’t be able to tell you directly where the bottleneck is. B (Correct Answer) - Instrument your application with Operations Suite (formerly Stackdriver) Trace to break down the request latencies at each microservice. This is exactly Operations Suite (formerly Stackdriver) Trace comes to play. C - Send custom metrics for each of your requests to Operations Suite (formerly Stackdriver) Monitoring - without knowing where the bottleneck is beforehand, it’s not easy, if not impossible, to setup custom metrics to capture the latency causes. Besides, the question itself is about to find where the latency/bottleneck exists. D - Use Operations Suite (formerly Stackdriver) Monitoring to look for insights that show when your API latencies are high - this could tell you when the API call latency reaching to certain threshold/criteria but can hardly tell where the root causes is without additional setup and analysis. Reference Resources Operations Suite (formerly Stackdriver) Trace can help you answer the following questions: https://cloud.google.com/trace/docs/overview · How long does it take my application to handle a given request? · Why is it taking my application so long to handle a request? · Why do some of my requests take longer than others? · What is the overall latency of requests to my application? · Has latency for my application increased or decreased over time? · What can I do to reduce application latency? “As micro-services become more popular, the cross-application tracing provided by Operations Suite (formerly Stackdriver) Trace becomes essential in pinpointing the root cause of latency issues.”

Answer 95

Correct Answer B A - Deploy changes to a small subset of users before rolling out to production. This is the practice in Canary deployment. The bug slip into production may be caused by the discrepancy between test/staging and production environments or testing data. With Canary deployment or Canary test, you have the ability to test code with live data at any time, you increase the chance discovering the bug earlier and reduced the risk bring the bug into production with minimums impact and down time by rolling back quickly. But the canary deployment will not able to test the performance bugs in the environment. B (Correct Answer) - Increase the load on your test and staging environments. Increase the load in your test and staging environment will help to discover the bugs revolving around the performance issue. C and D - Deploy smaller or fewer changes to production. Although those are generally good agile practices for cloud native microservice, they don’t address the issues to adjust your test and deployment procedures to discover the bugs before in production. The Bug can still slip into production no matter how small how often you test the changes in same environment and same set of test data in same procedures.

Answer 96

Correct Answer B A - Opex and capex allocation is part of answers; GCP adoption would not cause significant LAN changes. B (Correct Answer) - Capacity planning, TCO calculations, Opex and Capex allocation - those are all in the scopes concerned. From the case study, it can conclude that Management (CXO) all concern rapid provision of resources (infrastructure) for growing as well as cost management, such as Cost optimization in Infrastructure, trade up front capital expenditures (Capex) for ongoing operating expenditures (Opex), and Total cost of ownership (TCO) C - Capacity planning, utilization measurement, data center expansion - their data center would be shrinking instead of expanding if increasing Google Cloud Platform adoption. D - Data Center expansion, TCO calculations, utilization measurement - “Data Center expansion” is wrong choice; “utilization measurement” is not necessary a significant change caused by GCP adoption; Also, this answer is not as complete as Answer B Additional Resource Please read TerramEarth case study carefully to draw and extract your conclusions applicable to this questions and answers.

Answer 97

Correct answer B A is not correct because this will just give you the spend but will not alert you when you approach the limit. B Is correct because a budget alert will warn you when you reach the limits set. C Is not correct because those budgets are only on App Engine, not other GCP resources. Furthermore, this makes subsequent requests fail, rather than alert you in time so you can mitigate appropriately. D is not correct because if you exceed the budget, you will still be billed for it. Furthermore, there is no alerting when you hit that limit by GCP. Reference AppEngine Spending Limit https://cloud.google.com/appengine/pricing#spending_limit Set Budgets and Alerts https://cloud.google.com/billing/docs/how-to/budgets

Answer 98

Correct Answer B Answer B gives the security team read only access to everything your company produces, anything else gives them the ability to, accidentally or otherwise, change things, a violation to the principle of least privilege.

Answer 99

Correct Answer B Answer B meet all of the 3 requirements: Cloud Pub/Sub is a simple, reliable, scalable foundation for stream analytics and event-driven computing systems. As part of Google Cloud’s stream analytics solution, the service ingests event streams and delivers them to Cloud Dataflow for processing and BigQuery for analysis as a data warehousing solution. Relying on the Cloud Pub/Sub service for delivery of event data frees you to focus on transforming your business and data systems with applications such as: · check Real-time personalization in gaming · check Fast reporting, targeting and optimization in advertising and media · check Processing device data for healthcare, manufacturing, oil and gas, and logistics · check Syndicating market-related data streams for financial services Other solutions may work one way or other but only the combination of theses 3 components integrate well in data ingestion, collection, and real-time analysis, and data mining in a highly durable, elastic, and parallel manner. A - Cloud storage is not suitable for this kind of real-time streaming data collection; Dataproc is GCP’s BigData Hadoop/Spark that can do ETL and analysis, but DataFlow provide simple unified programming model for ETL and analysis in bot Realtime and batch and integrate well with PubSub. C - Cloud SQL is mainly for OLTP (Transactional, CRUD) not for OLAP (On-line Analytical Processing, Data Warehouse). It does not have the scalability, elasticity, and parallel to absorb this amount of Data in real time. Instead BigQuery integrate well with DataFlow and can absorb both steaming and batch data from it. D - Bigtable is one of the possible Data sink for DataFlow and have the capability to absorb this amount of real time data but it lacks the Data mining features like BigQuery. Further Explanation Pub/Sub is kind of ‘shock absorber', allowing asynchronous messaging between large numbers of devices. Cloud Dataflow acts as your data processing pipeline for ETL functions on both streaming and batch data. BigQuery is a data warehouse, able to run analysis on petabytes of data using SQL queries. Below is a reference architect Google recommending for similar scenario in Real-time streaming data collection and analysis https://cloud.google.com/solutions/mobile/mobile-gaming-analysis-telemetry Real-time processing of events from game clients and game servers Data Transformation with Cloud Dataflow - Dataflow acts as your data processing pipeline for ETL functions on both streaming and batch data.

Answer 100

Correct answer B B (Correct Answer) - B is correct because it uses the principle of least privilege for IAM roles; use the Billing Administrator IAM role for that job function. A, C, and D are not correct because is it a Google best practice to use pre-defined IAM roles when they exist and match your business scenario; see the link below. Reference IAM for Billing: https://cloud.google.com/iam/docs/job-functions/billing

Answer 101

Correct Answer B B (Correct Answer) - Configure Shared VPC and add each project as a service of the Shared VPC project. Using a shared VPC allows each team to individually manage their own application resources, while enabling each application to communicate between each other securely over RFC1918 address space. The following example illustrates a simple Shared VPC scenario: Instead of a VPC being within a single project, Shared VPC allows the VPC to exist in multiple projects: - Instance/Applications in Service Project A can communicate with Instance/Applications in Service Project B. - Neither Instance/Applications in Project A or Project B can communicate with the Standalone Project (Bottom) - Of course, within the Standalone Project, Instance 1 can commutate with Instance 2 normally. A - Deploy each service into a single project within the same VPC. Deploying services into a single project results in every team accessing and managing the same project resources. This is difficult to manage and control as the number of teams involved increases. C - Configure each service to communicate with the others over HTTPS protocol. HTTPS is a valid option; however, this answer does not address the need to ensure management of individual projects. D - Configure a global load balancer for each project and communicate between each service using the global load balancer IP addresses The global load balancer uses a public IP address, and therefore it does not conform to the requirement of communication over RFC1918 address space.

Answer 102

Correct Answer B B (Correct answer) - Create synthetic random user input, replay synthetic load until autoscale logic is triggered on at least one layer, and introduce "chaos" to the system by terminating random resources on both zones. Ideally, the test environment should always resemble production in term of infrastructure and workload but it’s not always realistic. For example, testing data with full user population is not available, or test environment at production level is not ready. In the question scenario, you can test in pre-production with a synthetic workload from existing users which simulates a production workload and introduce "chaos" to simulate one zone failure to test the availability for the SLA. This enables you to decouple deployment from release, get real user feedback, test for bugs, and assess infrastructure performance. Answers A, C, and D either incorrect or incomplete in workload simulation for testing users’ generation, or zone (s) failure simulation for availability SLA. Additional Resources Provisioning a regional managed instance group in two zones: https://cloud.google.com/compute/docs/instance-groups/distributing-instances-with-regional-instance-groups#provisioning_a_regional_managed_instance_group_in_two_zones

Answer 103

Correct Answer B: B (Correct Answer). The command to resize an existing GKE node pool is: gcloud container clusters resize NAME (--num-nodes=NUM_NODES | --size=NUM_NODES) [--async] [--node-pool=NODE_POOL] [--region=REGION | --zone=ZONE , -z ZONE] [GCLOUD_WIDE_FLAG …] Option B is correct as you have to use --num-nodes flag. Option A uses a wrong flag "--max-nodes" Option C is describing a situation for changing machine type Option D “gcloud container clusters update”. This updates cluster settings for an existing container cluster. You can use this command to specify --max-nodes --min-nodes for autoscaling purpose. Also “--num-nodes” is a wrong flag option for this command. https://cloud.google.com/sdk/gcloud/reference/container/clusters/update Reference gcloud container clusters resize - resizes an existing cluster for running containers https://cloud.google.com/sdk/gcloud/reference/container/clusters/resize

Answer 104

Correct Answer C and D Explanation J2EE is Java, which can run on App Engine. He can also configure his application to run on a managed instance group for scaling, as long as he configures a data storage backend for the group as well.

Answer 105

Correct Answer C Explanation A - You ISP normally won’t help in this level. Also, the problem most likely is caused by recent update. The good approach is to rollback first and then investigate later. Similarly, this also apply to answer B. To investigate this kind of issue, use Operations Suite (formerly Stackdriver) Trace and logging to diagnose the bottleneck C and D have something in common for both “use Operations Suite (formerly Stackdriver) Trace and logging”, either in test/dev or in production environment and “Roll back to an earlier known good release”. At this moment, only the “earlier known good release” version starts receiving traffic. The difference lines between C’s “to diagnose the problem in a development/test/staging environment.” and D’s “then push the release again at a quieter period to investigate”. If you want to debug in production environments, “then push the release again at a quieter period to investigate” is not necessary - you can simply switch “default” version or split the traffic between the “earlier known good release” version and the new problem version. Essentially D’s “then push the release again at a quieter period to investigate” disqualifies itself as good answer - the default would be the new pushed version (the one with problem) starts receiving traffic “at a quieter period”, and the slow loading users may not present. But with answer C in development/test/staging environment, you can arbitrarily load those suffering users if you know them or simulate production load to reveal the problem users and then do further investigation. So, C is the correct answer: First, rollback to “the earlier known good release” and then use the test/dev/staging envs to investigate. Additional Resource https://cloud.google.com/appengine/docs/flexible/python/testing-and-deploying-your-app Testing and Deploying your Application

Answer 106

Correct Answer C Explanation B and D can be quickly ruled out because none of them is solution for the requirements “retained for 5 years” Between A and C, the different is where to store, BigQuery or Cloud Storage. Since the main concern is extended storing period, C (Correct Answer) is better choice, and the “retained for 5 years for future analysis” further qualifies it, for example, using Archive storage class. With regards of BigQuery, while it is also a low-cost storage, but the main purpose is for analysis. Also, logs stored in Cloud Storage is easy to transport to BigQuery or do query directly against the files saved in Cloud Storage if and whenever needed. Additional Resource Overview of storage classes, price, and use cases https://cloud.google.com/storage/docs/storage-classes. Why export logs? https://cloud.google.com/logging/docs/export/ Operations Suite (formerly Stackdriver) Quotas and Limits for Monitoring https://cloud.google.com/monitoring/quotas The BigQuery pricing. https://cloud.google.com/bigquery/pricing

Answer 107

Correct Answer C Explanation C (Correct answer) - Cloud Pub/Sub, Cloud Dataflow, BigQuery Cloud Pub/Sub is a simple, reliable, scalable foundation for stream analytics and event-driven computing systems. As part of Google Cloud’s stream analytics solution, the service ingests event streams and delivers them to Cloud Dataflow for processing and BigQuery for analysis as a data warehousing solution. Relying on the Cloud Pub/Sub service for delivery of event data frees you to focus on transforming your business and data systems with applications such as: · check Real-time personalization in gaming · check Fast reporting, targeting and optimization in advertising and media · check Processing device data for healthcare, manufacturing, oil and gas, and logistics · check Syndicating market-related data streams for financial services Also, Use Cloud Dataflow as a convenient integration point to bring predictive analytics to fraud detection, real-time personalization and similar use cases by adding TensorFlow-based Cloud Machine Learning models and APIs to your data processing pipelines. https://cloud.google.com/ml-engine/ BigQuery provides a flexible, powerful foundation for Machine Learning and Artificial Intelligence. BigQuery provides integration with CloudML Engine and TensorFlow to train powerful models on structured data. Moreover, BigQuery’s ability to transform and analyze data helps you get your data in shape for Machine Learning. https://cloud.google.com/bigquery/ Other solutions may work one way or other but only the combination of theses 3 components integrate well in data ingestion, collection, and real-time analysis, and data mining in a highly durable, elastic, and parallel manner. A - Wrong order. You don’t normally ingest IoT data directly to DataFlow C - DataProc is GCP version of Apache Hadoop/Spark. Although it has the SQL-like Hive, it does not provide SQL interface as sophisticated as BigQuery does. D - App Engine is compute resources. It is not designed to ingest IoT data like PubSub. Also. It’s rare use case App Engine ingests data to DataFlow directly. Below two pictures illustrate the typical toles played by DataFlow and PubSub Dataflow PubSub

Answer 108

Correct Answer C Explanation You can use gsutil rsync to keep two locations in sync. Here are the rules of thumb when deciding whether to use gsutil or Storage Transfer Service: · When transferring data one time or have to do it rarely, use gsutil. · When transferring data continuously for long periods of time, use Storage Transfer Service. Otherwise, evaluate both tools with respect to your specific scenario. Since, here the requirement is to keep both the bucket in sync all the time it's preferable to use Storage Transfer Service.

Answer 109

Correct Answer C A - Google BigQuery: A scalable, fully-managed Enterprise Data Warehouse (EDW) with SQL and fast response times. It is for analytics and OLAP workload, though it also provides storage capacity and price similar to GCS and it cannot stand for this amount (50000 X 10 per second) of data streaming ingestion in real-time. B - Google Cloud Storage: A scalable, fully-managed, highly reliable, and cost-efficient object / blob store. It cannot stand for this amount of data streaming ingestion rate in real-time C (Correct answer) - Google Cloud Bigtable: A scalable, fully-managed NoSQL wide-column database that is suitable for both real-time access and analytics workloads. https://cloud.google.com/storage-options/ Bigtable is Good for · Low-latency read/write access · High-throughput analytics · Native time series support For the following common work load IoT, finance, adtech Personalization, recommendations Monitoring Geospatial datasets Graphs D - Google Cloud SQL: A fully-managed MySQL and PostgreSQL relational database service for Structured data and OLTP workloads. It also won’t stand for this type of high ingesting rate in real time

Answer 110

Correct Answer C A - Google Cloud Dataproc to run Apache Hadoop jobs to process each test Apache Hadoop runs Java not C++; If the questions meant to use Hadoop to manage and process the test, it’s overkill and also needs significant changes to the testing infrastructure to integrate with Dataproc. B - Google App Engine with Google Operations Suite (formerly Stackdriver) for logging App Engine did not natively support C++, also it’s probably hard to port their “runs tests throughout each day on Linux virtual machines” to App Engine “while changing the tests as little as possible”; Operations Suite (formerly Stackdriver) logging won’t help porting the test to GCP, either. Between C and D, the main difference is managed or unmanaged instance group Unmanaged instance groups are groups of dissimilar instances that you can arbitrarily add and remove from the group. Unmanaged instance groups do not offer autoscaling, rolling update support, or the use of instance templates so Google recommends creating managed instance groups whenever possible. Use unmanaged instance groups only if you need to apply load balancing to your pre-existing configurations or to groups of dissimilar instances. https://cloud.google.com/compute/docs/instance-groups/ From the question, there is no such requirement for unmanaged instance group and not mention that dissimilar Linux machine types are required. In addition, judging from what they suffered “The full test suite takes several hours to complete, running on a limited number of on-premises servers”, it seems they simply need more computation power - bigger and/or more instances for the testing. So the managed instance group with autoscaling is preferred.

Answer 111

Correct Answer C A - Google cloud Datastore. Doesn’t meet this requirement “It must be stored for future analysis by your data science and user experience teams.” Google Cloud Datastore is a NoSQL document database built for automatic scaling, high performance, and ease of application development and integrating well with App Engine. Datastore: A scalable, fully-managed NoSQL document database for your web and mobile applications. Good for: Semi-structured application data Hierarchical data Durable key-value data Workload: User profiles Product catalogs Game state B - Google Cloud SQL. Cloud SQL is mainly for OLTP (Transactional, CRUD) not for taking and storing streaming data. It does not have the scalability and elasticity to absorb this amount of data in real time. C (Correct Answer) - Google Cloud Bigtable. The reason is that data is in IoT nature and it will be used for analytics. Bigtable: A scalable, fully-managed NoSQL wide-column database that is suitable for both real-time access and analytics workloads. Bigtable is ideal for very large NoSQL datasets and is useful for high-speed transactions and analysis. It integrates well with ML. Dataproc, and analytics Good for Low-latency read/write access High-throughput analytics Native time series support Work load IoT, finance, adtech Personalization, recommendations Monitoring Geospatial datasets Graphs Although both Datastore and Bigtable are NoSQL databases, Bigtable is able to support over a petabyte of data and is useful for high speed analytics as well, whereas Datastore is not. D - Google Cloud Storage. GCS is ideally for Object storage purpose although it has pretty good scalability. It’s not suitable for IoT kind of spiky streaming data. Its buckets initially support roughly 1000 writes per second and then scale as needed. As the request rate for a given bucket grows, Cloud Storage automatically increases the IO capacity for that bucket by distributing the request load across multiple servers. Especially considering the click stream rate of 6,000 clicks per minute, with bursts of up to 8,500 clicks per second, the way GCS handle and absorb this kind high and low data stream by scale up and down make it not suitable for this task.

Answer 112

Correct answer C A is not correct because groups are recommended over individual assignments. B is not correct because this command is to create roles, not to assign them. C is correct because Google recommends to use groups where possible. D is not correct because this command is to create roles, not to assign them. Reference gcloud iam https://cloud.google.com/sdk/gcloud/reference/iam/

Answer 113

Correct answer C A Is not correct because the Load Balancer will just load balance access to the uploaded image itself, and not create or autoscale VMs based on that image. B Is not correct because while the App Engine can scale as a proxy, all requests will still end up on the same Compute Engine instance, which needs to scale itself. C is correct because a managed instance group can use an instance template to scale based on HTTP traffic. D is not correct because unmanaged instance groups do not offer autoscaling. Reference Managed instance groups and autoscaling https://cloud.google.com/compute/docs/instance-groups/#managed_instance_groups_and_autoscaling Exporting an Image https://cloud.google.com/compute/docs/images/export-image Adding a Cloud Storage Bucket to Content-based Load Balancing https://cloud.google.com/compute/docs/load-balancing/http/adding-a-backend-bucket-to-content-based-load-balancing

Answer 114

Correct answer C C (Correct Answer) - C is correct because you will need to access your backup data monthly to test your disaster recovery process, so you should use a Nearline bucket; also, because you will be performing ongoing, regular data transfers, so you should use the storage transfer service. A, B, and D are not correct because you should not use Coldline if you want to access the files monthly (B, D) and you should not use Transfer Appliance for repeated data transfers (A, B). Reference GCS Nearline for once-per-month access https://cloud.google.com/storage/docs/storage-classes#nearline Storage Transfer Service Documentation https://cloud.google.com/storage-transfer/docs/

Answer 115

Correct Answer C C (Correct answer) - Digitally sign each timestamp and log entry and store the signature. Answer A, B, and D don’t have any added value to verify the authenticity of your logs. Besides, Logs are mostly suitable for exporting to Cloud storage, BigQuery, and PubSub. SQL database is not the best way to be exported to nor store log data. Simplified Explanation To verify the authenticity of your logs if they are tampered with or forged, you can use a certain algorithm to generate digest by hashing each timestamp or log entry and then digitally sign the digest with a private key to generate a signature. Anybody with your public key can verify that signature to confirm that it was made with your private key and they can tell if the timestamp or log entry was modified. You can put the signature files into a folder separate from the log files. This separation enables you to enforce granular security policies. Ref URL: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging

Answer 116

Correct Answer C C (correct answer) - Ensure that a firewall rule exists to allow load balancer health checks to reach the instances in the instance group. HTTP health check probes are sent from the IP ranges depending on LB types used. These are IP address ranges that the load balancer uses to connect to backend instances. You must create firewall rules that allows traffic from those ranges to reach your instances For Network load balancing When a health check is used with Network load balancing, the health check probes come from addresses in the ranges 209.85.152.0/22, 209.85.204.0/22, and 35.191.0.0/16. For HTTP(S). SSL proxy. TCP proxy, and Internal load balancing When a health check is used with HTTP(S), SSL proxy, TCP proxy, or Internal load balancing, the health check probes come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. A - Ensure that a firewall rule exists to allow source traffic on HTTP/HTTPS to reach the load balancer. Firewall controls access at instance level, not load balancer. Must allow load balancer traffic to connect backend instance allowing health check B - Create a tag on each instance with the name of the load balancer. Configure a firewall rule with the name of the load balancer as the source and the instance tag as the destination. At this moment it is not possible to set firewall rules over the GCE Load Balancers. You need to create firewall rules that at subnet or instances level allowing specific health check IP ranges (See Answer A above), not the LB tags, to connect to all your load balanced instances. D - Assign a public IP to each instance and configure a firewall rule to allow the load balancer to reach the instance public IP. This is not mandatory since your LB could be Internal load balancing so instances’ external IPs may be removed

Answer 117

Correct Answer C C (Correct Answer) - The access pattern fits Nearline storage class requirements and Nearline is a more cost-effective storage approach than Multi-Regional. The object lifecycle management policy to delete data is correct versus changing the storage class to Coldline. A and B - For the requirement: “accessed approximately once a month” A and B can be quickly eliminated due to the incorrect Multi-Regional storage class vs Nearline storage class D - Need deleting them, not changing the storage class to Coldline.

Answer 118

Correct Answer C C (Correct Answer) - The HTTP(S) load balancer in GCP handles websocket traffic natively. Backends that use WebSocket to communicate with clients can use the HTTP(S) load balancer as a front end, for scale and availability. A - There is no compelling reason to move away from websockets as part of a move to GCP. B - This may be a good exercise anyway, but it doesn’t really have any bearing on the GCP migration. D - There is no compelling reason to move away from websockets as part of a move to GCP.

Answer 119

Correct answer C mb is to make the bucket. Nearline buckets are for once per month access. Coldline buckets require only accessing once per 90 days and would incur additional charges for greater access. Further Explanation Synopsis gsutil mb [-c class] [-l location] [-p proj_id] url... If you don't specify a -c option, the bucket is created with the default storage class Standard Storage, which is equivalent to Multi-Regional Storage or Regional Storage, depending on whether the bucket was created in a multi-regional location or regional location, respectively. If you don't specify a -l option, the bucket is created in the default location (US). -l option can be any multi-regional or regional location. Reference mb - Make buckets: https://cloud.google.com/storage/docs/gsutil/commands/mb

Answer 120

Correct Answer D Option D - Configure a VPN connection to GCP to allow SSH access to the cloud VMs. The questions tell that the "blocking" happens on GCP, especially in production environments. That means that there are firewall rules preventing access from public IPs on port 22. Therefore, using a VPN and configuring a firewall that allows TCP connections from RFC1918 on port 22, would work best. In this case, answer D is better. Option B - SSH access will not allow access if Port 22 is blocked. Options A and C are possible options that might require more setup than worthwhile for the needs.

Answer 121

Correct Answer D D (Correct answer) - Have the vehicle’s computer compress the data in hourly snapshots, a Store it in a GCS Coldline bucket. This is the Lowest cost for storage for infrequent access that meets the requirement (“next year …”). There is no good reason to use nearline instead of low-cost storage Coldline for one-year-after access. A - Have the vehicle’s computer compresses the data in hourly snapshots and store it in a Google Cloud Storage (GCS) Nearline bucket. Nearline does not fit the usage pattern described in the question. Nearline fits this usage pattern: For example, if you want to continuously add files to cloud storage, and plan to access those files once a month for analysis, nearline storage is a great choice B and C can be eliminated for this reason “Push the telemetry data in real-time to a streaming dataflow job …” since vehicles are unconnected Reference Resource Comparison of storage classes https://cloud.google.com/storage/docs/storage-classes

Answer 122

Correct Answer D Explanation App Engine Standard environment intend to · Language: Python, Java, Node.js, PHP, and Go · Experiences sudden and extreme spikes of traffic which require immediate scaling. · Instance startup time in seconds Reference Choosing an App Engine Environment https://cloud.google.com/appengine/docs/the-appengine-environments

Answer 123

Correct answer D Explanation Based on their current batch upload model, the direct equivalent would be to use Cloud Storage for storing files, Dataflow for their ETL processing, and BigQuery for their data warehouse needs. Below illustrates the solution concept. TerramEarth's Existing Technical Environment One Possible GCP solution for batch upload flow

Answer 124

Correct Answer D Explanation D (Correct answer) - among the available answers, D is the closest solution to meet the isolate and inter-access requirements. In this example, you’ll create one Host project for Developer and Tester and another Host project for staging, and the third one for production. Staging and Production environments can access resources as per the cross accessible Service Accounts created for just the required needs. B - This is incomplete and not the best solution. Network isolation is for separation of resources communication, the project is for IAM resource access control. If the question meant putting resources in different networks but in the same project, it’s not enough to separate developer from access Stage/Product unless access policy is set at each specific resource level which is not only against the best practice but also hard to manage especially if you consider Mountkirk Games is not a small shop. Answer C is incorrect for the same or similar reasons. Answer A indeed enables the isolation but sharing staging and Production in the same project might have some cross access of the resources by human error. On the other hand, if the quest meant Developer and tester are in the same group called Development (based on “What should you do to isolate development environments from staging and production?”), D could be an answer since it isolates the development from staging and production, though no inter-project access issues addressed. Overall, judging from Mountkirk Games application, environments, and company size, most likely they’ll have separated Development and Testing while they do share access to some resources such as access testing data as well as computing resources. So, Answer option D is closer to the requirements

Answer 125

Correct answer D Explanation Pub/Sub is kind of ‘shock absorber', allowing asynchronous messaging between large numbers of devices. Cloud Dataflow acts as your data processing pipeline for ETL functions on both streaming and batch data. BigQuery is a data warehouse, able to run analysis on petabytes of data using SQL queries. Below is a reference architect Google recommending for similar scenario in Real-time streaming data collection and analysis https://cloud.google.com/solutions/mobile/mobile-gaming-analysis-telemetry Real-time processing of events from game clients and game servers Data Transformation with Cloud Dataflow - Dataflow acts as your data processing pipeline for ETL functions on both streaming and batch data.

Answer 126

Correct Answer D A - Configure a new load balancer for the new version of the API. Then you’ll have two load balancers: new and old one. This would break the API contract and also need to configure SSL and DNS for new load balancer B - Reconfigure old clients to use a new endpoint for the new API. This would break the contract between client and API and also can no longer reach to old API. C - Have the old API forward traffic to the new API based on the path. This is against the design principle and best practice for webservices API. API should not play this role - API should not know how to route client requests. In fact, API even shouldn’t have knowledge about client at all. D (Correct answer) - Use separate backend pools for each API path behind the load balancer. This solution meets both requirements: continue servicing old and new API and keep the same SSL and DNS records Further Explanation HTTP(S) Load Balancing configuration and it backend service: A configured backend service contains one or more backends. Here is demonstrating configuration for the concept similar to the question scenarios: you just need to configure URL mapping pointing to the new and old APIs which are hosted in corresponding backends - this implementation meets all the requirement: No contract breaking; clients continue to access new and old API without reconfigure SSL and DNS References Setting Up HTTP(S) Load Balancing https://cloud.google.com/compute/docs/load-balancing/http/ Backend service components: https://cloud.google.com/compute/docs/load-balancing/http/backend-service Creating Content-Based Load Balancing https://cloud.google.com/load-balancing/docs/https/content-based-example

Answer 127

Correct answer D A and B are not correct because this will make the application temporarily unavailable to users. C is not correct because to roll back, you’ll need to redeploy the previous deployment because the app was overwritten with the same version number. Therefore this takes longer than a rollback using method D. D is correct because this makes sure there is no downtime and you can roll back the fastest. Reference Migrating and Splitting Traffic https://cloud.google.com/appengine/docs/admin-api/migrating-splitting-traffic

Answer 128

Correct Answer D D (Correct Answer) - Deploying a new version without assigning it as the default version will not create downtime for the application. Using traffic splitting allows for easily redirecting a small amount of traffic to the new version and can also be quickly reverted without application downtime. A - Deploying the application version as default requires moving all traffic to the new version. This could impact all users and disable the service. B - Deploying a second project requires data synchronization and having an external traffic splitting solution to direct traffic to the new application. While this is possible, with Google App Engine, these manual steps are not required. C - App Engine services are intended for hosting different service logic. Using different services would require manual configuration of the consumers of services to be aware of the deployment process and manage from the consumer side who is accessing which service.

Answer 129

Correct Answer D D (Correct Answer) - Since you know that there is a burst of log lines you can set up a metric that identifies those lines. Operations Suite (formerly Stackdriver) will also allow you to set up a text, email or messaging alert that can notify promptly when the error is detected so you can hop onto the system to debug. A - Logging into an individual machine may not see the specific performance problem as multiple machines may be in the configuration and reducing the chances of interacting with an intermittent performance problem. B - Error reporting won’t necessarily catch the log lines unless they are stack traces in the proper format. Additionally, just because there is a pattern doesn’t mean you will know exactly when and where to log in to debug. C - Trace may tell you where time is being spent but won’t let you know in on the exact host that the problem is occurring on because you generally only send samples of traces. There is also no alerting on traces to notify exactly when the problem is happening. Additional Resource https://cloud.google.com/logging/docs/logs-based-metrics/

Answer 130

Correct Answer D D (Correct answer) - Use Google App Engine to serve the website and Google Cloud Datastore to store user data - This solution meets all the requirements and has all the element of App Engine features App Engine Standard environment intend to · Multiple Languages supported; · Experiences sudden and extreme spikes of traffic which require immediate scaling; · Instance startup time in seconds Google Cloud Datastore is a NoSQL document database built for automatic scaling, high performance, and ease of application development and integrating well with AppEngine Datastore: A scalable, fully-managed NoSQL document database for your web and mobile applications. Good for: Semi-structured application data Hierarchical data Durable key-value data Workload: User profiles Product catalogs Game state The combination of App Engine and DataStore make answer D a clear choice. A - Use a single compute Engine virtual machine (VM) to host a web server, backed by Google Cloud SQL - Not as good as App Engine solution for “minimize direct operation management” and single VM may not scalable enough to handle the traffic spikes from 100 to 500,000 click throughs per day. B - Use a Google Container Engine cluster to serve the website and store data to persistent disk - Slightly better than A but still not as good as App Engine solution for “minimize direct operation management”. Also store huge amount of user information and preferences data to disk is improper in term of programming model, efficiency, cost, and scalability C - Use a managed instance group to serve the website and Google Cloud Bigtable to store user data - this would overkill for this kind of simple application in term of programming model, efficiency, and cost. It deviates further from the requirements “to minimize direct operation management.” Additional Resource Choosing an App Engine Environment https://cloud.google.com/appengine/docs/the-appengine-environments Build highly scalable applications on a fully managed serverless platform https://cloud.google.com/appengine/ Cloud Datastore Overview, What it's good for: https://cloud.google.com/appengine/docs/standard/python/datastore/

Answer 131

Correct Answer D D is Correct answer - Federate authentication via SAML 2.0 to the existing Identity Provider. This meets both “minimal user disruption” and “strict security team requirements for storing passwords” User's passwords are stored on-premise, authentication happens on premise, there is no user disruption, on successful authentication, access token is shared to access application or GCP services. Option A - Use G Suite Password Sync to replicate passwords into Google - This is a violation against “strict security team requirements for storing passwords” https://support.google.com/a/answer/2611859?hl=en Option B - Ask users to set their Google password to match their corporate password - this violate “minimal user disruption” and “strict security team requirements for storing passwords” Option C - Provision users in Google using the Google Cloud Directory Sync tool. With google cloud directory sync, only the SHA-1 and MD5 unsalted passwords gets synced from source. Plus this may break the strict password requirement. Your credential details are now stored at 2 places.

Answer 132

Correct Answer D In this case, the preemptible VM's are not part of the problem. Likely, the cause is that the health check for the instance group is not receiving a success reply from the VM's, causing it to recreate the VM's over and over. This is due to either the health check not being correctly configured or the firewall for the instance group not allowing traffic from the load balancer/health check.

Answer 133

Correct Answer D The 3 characters: 1000 rooms; a sensor that reports its status every second; the data includes only a sensor ID and several different discrete items are a clear indication for a BigTable (a NoSQL database) usage pattern. Google Cloud Bigtable: A scalable, fully-managed NoSQL wide-column database that is suitable for both real-time access and analytics workloads. https://cloud.google.com/storage-options/ Bigtable is Good for: · Low-latency read/write access · High-throughput analytics · Native time series support For the following common workload: IoT, finance, adtech Personalization, recommendations Monitoring Geospatial datasets Graphs Bigtable single value in each row is indexed; Cloud Bigtable tables are sparse; if a cell does not contain any data, it does not take up any space, which satisfies for storing this type of data: “the data includes only a sensor ID and several different discrete items” Reference: Overview of Cloud Bigtable https://cloud.google.com/bigtable/docs/overview

Answer 134

Correct Answer E All of other answers are either not applicable or not specified by the question scenarios. The following console screenshot show the effect to IO performance by changing memory or disk - it’s self-explained (please enlarge to see the details). Answer E is a clear straightforward winner over answer C as well as others. Increase disk size to 500GB take significant effect on IO performance than original configuration and higher memory configuration. Taking IOPS for read as example, all instances are configure with 8vCPU: 80G DISK/30G MEM = 2400 IOPS; 500G DISK/30G MEM = 15000 IOPS; 80G Disk/52G MEM=2400 IOPS And here is how to dynamically resize disk: https://cloud.google.com/compute/docs/disks/add-persistent-disk Adding or Resizing Persistent Disks

Answer 135

Correct Answer is D With formatted json, it’ll be easy to understand without lots of knowledge about Storage lifecycle syntax. It says (note the line number in [ ]): [1] Create lifecycle [2] rule to take [5] action of [6] delete [8] if the object is [9] 30 days old and [10] the version isLive: false (non-current version) [12] And [14] take action of [15] SetStorageClass to [16] COLDLINE [18] if the object is [19] 365 days old and [20] if its StorageClass matches [21] MULTI-REGIONAL The Correct Answer is D: Delete all the versions that are not current and 30 days old. Move the remaining current versions to Coldline after 365 days. Note: Here there are 2 rules 1st rule has 2 condition a. isLive: false => this means object should be declared as non-current verison b. age 30: 30 days old Then action will run "action":{ "type": "Delete"}, In another way: In this question there are 2 rules Rule 1 is with 2 condition a. 30 days b. isLive: false if these 2 condition meets: the object will be have action. i.e. delete Here IsLive means object need to be tagged as non-current which means versioning is enabled for that bucket. Rule 2 also have 2 condition a. 365 days b. MatchesStorageClass: Multi-Regional This means if Object is in Multi-Regional for over 365 days then the action will trigger Move the object to StorageClass:ColdLine Hence our suggested answer option D is correct. For a deep dive, please find time to study at https://cloud.google.com/solutions/data-lifecycle-cloud-platform

Answer 136

Correct Answer: Option B Option B is CORRECT Dataflow is a good choice if data has no implementation with Spark or Hadoop and does not run on clusters, instead, it is based on parallel data processing. As such data is split processed on multiple microprocessors to reduce processing time. Option A is INCORRECT. Dataprep uses Dataflow/ BigQuery under the hood, enabling to process structured or unstructured datasets of any size with the ease of clicks. Dataprep optimizes the job execution leveraging Trifacta’s in-memory processing engine for small datasets, BigQuery SQL pushdown (ELT) when the data is already in BigQuery/Dataflow by parallel data processing framework for large distributed datasets. Dataprep uses predefined models to clean the data, which is not valid in this scenario. Option C is INCORRECT because Dataproc is designed to run on clusters which makes it compatible with Apache Hadoop, hive, and spark. It is significantly faster at creating clusters and can autoscale clusters without interruption of the running jobs. Option D is INCORRECT because Cloud Bigtable is Google's NoSQL Big Data database service, it is not used to clean data.

Answer 137

Correct Answer: A A - Create a firewall rule to allow traffic from resources with specific network tags, then assign the specific machines in subnet-a the same tags. Network tags allow more granular access based on individually tagged instances - Instances by target tags: The firewall rule is applicable only to VMs if they have a matching network tag. It allows specific VMs in the subnet-a to reach the VMs in subnet-b. B - Relocate the subnet-a machines to a different subnet and give the new subnet the needed access. This would give the entire subnet access which is against the requirements: allow traffic from specific virtual machines in 'subnet-a' network access to machines in 'subnet-b' without giving the entirety of subnet-a access. C - Create a rule to deny all traffic to the entire subnet, then create a second rule with higher priority giving access to tagged VM's in subnet-a. Every custom VPC by default has a firewall rule that denies network traffic between subnet. D - You can only grant firewall access to an entire subnet and not individual VM's inside.

Answer 138

Correct answer: A Option A is correct because this is the way to set up an autoscaling Kubernetes cluster. Option B is incorrect because you should not manage the scaling of Kubernetes through the MIG. Option C is incorrect because a UMIG cannot scale based on a load balancer and this is not the correct way to set up Kubernetes. Option D is incorrect because Kubernetes will not create additional instances when deployed on Compute Engine. Reference: Kubernetes Engine's cluster Autoscaler https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-autoscaler

Answer 139

Correct Answer: A Option A is correct. Running queries based on month-for-date partitioned tables is an efficient and cost-optimized solution. Option B is incorrect. While Bigtable can provide low latency for a high volume of reads and writes but it isn’t a requirement here. Option C is incorrect. One of the requirements is the solution to be cost-effective, and loading the data from Cloud Storage to Bigquery and running queries on Bigquery is a cost-optimized but not a viable and performance-optimized solution. Option D is incorrect. Cloud Spanner is a transactional database, the requirement suggests a data warehouse service. Reference : Introduction to partitioned tables | BigQuery | Google Cloud

Answer 140

Correct Answer: A (see Mountkirk Games case study for details or below for briefing summary) For requirements: Process incoming data on the fly, directly from the game servers - Cloud Dataflow (for both stream and batch), hence we can eliminate C and D since they don’t have DataFlow Option C is incorrect - Container Engine, Cloud Pub/Sub, and Cloud SQL Option D is incorrect - Cloud Pub/Sub, Compute Engine, Cloud Storage, and Cloud Dataproc For requirements: Allow SQL queries to access at least 10 TB of historical data - BigQuery, hence we can eliminate B and E since they don’t have BigQuery Option B is incorrect - Cloud SQL, Cloud Storage, Cloud Pub/Sub, and Cloud Dataflow Option E is incorrect - Cloud Dataproc, Cloud Pub/Sub, Cloud SQL, and Cloud Dataflow The only correct answer left is A, which meets all of their requirements Option A is correct - Cloud Dataflow, Cloud Storage, Cloud Pub/Sub, and BigQuery Below is a reference architect Google recommends for a similar scenario in data collection and analysis https://cloud.google.com/solutions/mobile/mobile-gaming-analysis-telemetry Building a Mobile Gaming Analytics Platform - a Reference Architecture Mountkirk Games real-time analytics platform Solution Concept: Mountkirk Games is building a new game, which they expect to be very popular. They plan to deploy the game’s backend on Google Compute Engine so they can capture streaming metrics, run intensive analytics, take advantage of its autoscaling server environment and integrate with a managed NoSQL database.

Answer 141

Correct Answer: A A is correct. Cloud Composer is a fully managed workflow service that can author, schedule, and monitor pipelines that span across clouds and on-premises data centers. B is wrong. Cloud Interconnect gives fast (10/100Gb) connections to your Google VPC. It is too expensive to connect the fields’ offices in this way. C is wrong. Appengine is a PaaS, so you have to prepare a program for that. It is not simple at all. D is wrong. Cloud Build is a service that builds tour code on GCP for deploy; any kind of code. A Cloud Composer task, when started with automated commands, uses Cloud Identity-Aware Proxy for security, controls processing, and manage storage with Cloud Storage bucket. In this way, it is possible in a simple, standard, and safe way to automate all the processes. Once the files are correctly stored, a triggered procedure can start the new and integrated procedures. For more details, please refer to the URLs below: https://cloud.google.com/composer/ https://cloud.google.com/composer/docs/concepts/cloud-storage

Answer 142

Correct Answer: A A is correct. Cloud Dataflow is the only product that can process streaming and batch data at the same time. In addition, there are ready to use Templates, useful for streaming data transformation. Look at this link for any further detail: https://github.com/GoogleCloudPlatform/DataflowTemplates Cloud Bigtable provides a massively scalable NoSQL database suitable for low-latency and high-throughput workloads. B is wrong. Cloud Dataproc is a service for running Apache Spark and Apache Hadoop clusters. It is not completely serveless and has limited support for streaming data. Cloud Storage is an object storage solution that allows worldwide storage and retrieval of any amount of data at any time. It is not a Database. C is wrong. Cloud Functions is a serverless execution environment for building and connecting cloud services. You write simple, single-purpose functions that are attached to events released from your cloud infrastructure and services. Also, in this case, there is no direct support for streaming data. In any case, you have to write all your code. Cloud Spanner is a powerful, mission-critical, scalable relational database service, built to support transactions, strong consistency, and high availability across regions and continents. It doesn’t have the required speed of Bigtable. D is wrong. Data Catalog is a fully managed and scalable metadata management service that helps to discover, manage, and understand all their data in Google Cloud. So, it performs a completely different task. The same goes for Cloud Datalab which is a visual tool created to explore, analyze, transform, and visualize data already stored somewhere and build machine-learning models on Google Cloud Platform. E is wrong. Cloud Dataprep is a tool for cleaning and preparing structured and unstructured data for analysis. Cloud Data Fusion is a fully managed, cloud-native data integration service that helps users efficiently build and manage ETL/ELT data pipelines. With a graphical interface and a broad open-source library of preconfigured connectors and transformations, Data Fusion shifts an organization's focus away from code and integration to insights and action. The problem, even in this case, is that there is no direct support for streaming data. For any further detail, please visit the following URLs: https://cloud.google.com/dataflow/docs/ https://github.com/GoogleCloudPlatform/DataflowTemplates https://cloud.google.com/bigtable/docs/

Answer 143

Correct Answer: A and B To list the services the current project has enabled for consumption, run: gcloud services list -enabled also --enabled is the default when you don’t use any flag. The services that are enabled when you create a project are BigQuery API, Google Cloud APIs, Operations Suite (formerly Stackdriver) Logging API, Operations Suite (formerly Stackdriver) Monitoring API, Datastore API, Service Management API, Service Usage API, Cloud SQL API, Cloud Storage JSON API & Cloud Storage API. Option C is incorrect because, it lists the services the current project can enable for consumption, run: .”gcloud services list --available “. Also Compute Engine API isn’t enabled when you create a project, once you click on Compute Engine in the console, it gets enabled. Option D is incorrect because --upservices is a fictitious flag and it doesn’t exist. References: https://cloud.google.com/sdk/gcloud/reference/services/list

Answer 144

Correct Answer: A and C Explanation: C (Correct answer) - Export audit logs to Cloud Storage via an export sink. Cloud Storage is the perfect solution for long-term logs storage. There is 3 type of sink destinations you can export Operations Suite (formerly Stackdriver) Logs to Cloud Storage, Cloud Pub/Sub, BigQuery. While you could export to BigQuery for low-cost storage, BigQuery is mainly and best for analysis not for long-term storage. Besides, whenever you need to do analysis with BigQuery, you can always easily export the logs from GCS to BigQuery or do queries directly against data in the GCS bucket. A (Correct answer) - You could either create a GCP account for auditor ACL object access or a signed URL depending on if they need to have a GCP account or not. Since the requirement is to “allow access for external auditors to view”, hence signed URL is the right choice B - Does not meet the “for long-term access” requirement. D - It works but for the “for long-term access” storage consideration, Cloud Storage is a better choice over BigQuery. References: https://cloud.google.com/logging/docs/export/ Generate a signed URL to the Stackdriver export destination for auditors to access.

Answer 145

Correct Answer: A and D A (Correct answer) - it’s generally considered as a good practice to leverage source code security analyzers integrated with your CI/CD pipeline. D (Correct Answer) - Run a vulnerability security scanner as part of your continuous-integration /continuous-delivery (CI/CD) pipeline - it’s generally considered as a good practice to do Security scanning of the application and infrastructure as part of the CI/CD pipeline. B - Ensure you have stubs to unit test all interfaces between components - this is just one of the specific approaches to unit testing your code, not for security error detection. C and E - The process is not required for an agile practice and it would slow down not speed up the release. Also, those do not specifically have added value for security error detection.

Answer 146

Correct Answer: A Answer B, C, and D can be simply ruled out since none of the business requirements are public-facing (see TerramEarth case study for details or below for briefing summary). Also, the frameworks mentioned are too specific. A (Correct answer) - Use Google App Engine with Google Cloud Endpoints. Focus on an API for dealers and partners. Google Cloud Endpoints is a distributed API Management system comprising services, runtimes, and tools. Cloud Endpoints is configured using the OpenAPI Specification (formerly Swagger Specification), which provides management, monitoring, and authentication, to help you create, share, maintain, and secure your APIs. E - Use Google Container Engine with a Tomcat container with the Swagger (Open API Specification) framework. Focus on an API for dealers and partners. Google Cloud Endpoints is OpenAPI Specification (formerly Swagger Specification) based API management to help you create, share, maintain, and secure your APIs. Cloud Endpoints is designed to allow developers to easily choose the language and framework they want for their backend. Tomcat container is just one of the supported containers which primarily provide Java Runtime. TerramEarth Business Requirements Predict and detect vehicle malfunction and rapidly ship parts to dealerships for just-in-time repair where possible. Decrease cloud operational costs and adapt to seasonality. Increase speed and reliability of development workflow. Allow remote developers to be productive without compromising code or data security. Create a flexible and scalable platform for developers to create custom API services for dealers and partners. Cloud Endpoints Architecture

Answer 147

Correct Answer: A Because of the small data volume i.e. 200GB and as we can have a few hrs. downtime while migration MySQL Dump utility is the best option for performing the migration. Option B is incorrect because we can consider downtime while migration. This option is valid when you have strict SLAs that the database should not be down for hrs. Option C is incorrect because there is no such option. Option D is incorrect because of the small data volume.

Answer 148

Correct answer: A BigQuery allows to manage data with the standard SQL language, well known in the company, but not only: it allows access to data on text files and other databases, both in GCP, on-premises and in other Clouds. Furthermore, with BigQuery ML, it is possible to create Machine Learning models for the required forecasting services without a team of Data Scientists. B is wrong because Dataproc performs data analysis with the tools of the Hadoop ecosystem, but you need to know it well and it has neither the ease of use, nor the ability to integrate external data, nor the versatility of BigQuery. C is wrong because Dataflow is aimed to manage parallel Data Pipelines, that is, data transformations. In Batch and Streaming mode. It is not an analytics tool. D is wrong because BigTable is a noSQL database, powerful and very fast, used by Google for Gmail and Maps. It is not so suitable for data integration and prediction. For any further detail: https://cloud.google.com/bigquery-ml/docs/introduction https://cloud.google.com/bigquery/docs/introduction

Answer 149

Correct answer: A Cloud Spanner is a fully managed, globally distributed, ACID-compliant relational database with read-write unlimited scale, strong consistency, and up to 99.999% availability. It handles replicas, sharding, and transaction processing. B is wrong because the DB must be globally in read-write mode. In addition Cloud SQL may be a too small solution for a such growing business C is wrong also because SQL Server do not support global Read Replicas D is wrong because Firestore is not a SQL transactional database For any further detail: https://cloud.google.com/spanner/docs/replication

Answer 150

Correct Answer: A Enable Private Google Access for Subnet When you enable Private Google Access for a subnet, instances in that subnet that don't have a public IP address can access Google APIs and services like Cloud Storage, etc. https://cloud.google.com/vpc/docs/configure-private-google-access Option B is incorrect because Cloud NAT Gateway is used by instances that require internet access. By using a NAT gateway, instances in a private subnet can download or upload files to Cloud storage Option C is incorrect because Private Google Access is a subnet-level setting. Option D is incorrect because Private Services Access is a not available for GCE and GCS. https://cloud.google.com/vpc/docs/private-services-access

Answer 151

Correct Answer: A Gated egress topology lets APIs in on-premise environments be available only to processes inside Google Cloud without direct public internet access. Applications in Google Cloud communicate with APIs in on-premise environments only with private IP addresses and are eventually exposed to the public via an Application Load Balancer and using VPC Service Controls. VPC Service Controls create additional security for Cloud applications: Isolate services and data Monitor against data theft and accidental data loss Restrict access to authorized IPs, client context, and device parameters B is wrong because Cloud Endpoint is an API Gateway that could create an application facade as required. But Cloud Endpoint does not support on-premises endpoints. C is wrong because Cloud VPN is just a way to connect the local network to a VPC. D is wrong because Cloud Composer is a workflow management service. For any further detail: https://cloud.google.com/architecture/hybrid-and-multi-cloud-network-topologies#gated-egress https://cloud.google.com/vpc-service-controls#all-features

Answer 152

Correct Answer: A The use of Managed services reduces the workload on systems administrators and DevOps engineers because this will eliminate some of the work required when managing your own implementation of a platform. The use of preemptible machines will cost significantly less than standard VMs. Option B is incorrect because using Compute VM for Hadoop & Spark clusters will not eliminate the management and operational work Option C is incorrect because using Standard VM will not reduce operational cost Option D is incorrect because using Compute VM for Hadoop & Spark clusters will not eliminate the management and operational work.

Answer 153

Correct Answer: A This command : gcloud recommender recommendations list --recommender = google.compute.instance.IdleResourceRecommender gives to all the idle VMs based on Cloud Monitoring metrics of the previous 14 days. There is no equivalent in the Console. B is wrong because Cloud Billing Reports don’t give details about activities. C is wrong because there is no Idle Systems Report in the GCP Console. D is wrong because the Security Command Center is used for Security threats, not for ordinary technical operations. For any further detail: https://cloud.google.com/compute/docs/instances/viewing-and-applying-idle-vm-recommendations

Answer 154

Correct Answer: A VPC peering allows any integration of VPC between different Organizations, so it meets all requirements. B, C, and D are wrong because the need is to connect the 2 VPCs, without realizing other data link on-premises. E is wrong because shared VPC is only within an organization. Check the following URLs: https://cloud.google.com/blog/products/gcp/getting-started-with-shared-vpc https://cloud.google.com/blog/products/gcp/getting-started-with-shared-vpc For any further detail, please visit the URLs below: https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing https://cloud.google.com/blog/products/networking/google-cloud-networking-in-depth-simplify-routing-between-your-vpcs-with-vpc-peering

Answer 155

Correct Answer: B Option A is incorrect- Use multi-threaded uploads using the -m option. If you have a large number of files to transfer you might want to use the gsutil -m option, to perform a parallel (multi-threaded/multi-processing) copy: gsutil -m cp -r dir gs://my-bucket Option B (Correct answer) - Parallel uploads are for breaking up larger files into pieces for faster uploads. gsutil can automatically use object composition to perform uploads in parallel for large, local files being uploaded to Google Cloud Storage. If enabled (see below), a large file will be split into component pieces that are uploaded in parallel and then composed in the cloud (and the temporary components finally deleted). gsutil -o GSUtil:parallel_composite_upload_threshold=150M cp bigfile gs://your-bucket Option C is incorrect. Use the Cloud Transfer Service to transfer. Storage Transfer Service is limited to AWS S3, Google Cloud Storage, On-premise and HTTP/HTTPS locations. Our requirement is "help speed up the transfer process" Using Option C, we can migrate but will not help to increase speed. Option D is incorrect Start a recursive upload: The -R and -r options are synonymous. Causes directories, buckets, and bucket subdirectories to be copied recursively. Reference: cp - Copy files and objects https://cloud.google.com/storage/docs/gsutil/commands/cp

Answer 156

Correct Answer: B Option B is Correct because Data rehydration is the process by which you fully reconstitute the files so you can access and use the transferred data. To rehydrate data, the data is first copied from the Transfer Appliance to your Cloud Storage staging bucket. The data uploaded to your staging bucket is still compressed, deduplicated, and encrypted. Data rehydration reverses this process and restores your data to a usable state. Option A is Incorrect because Link aggregation is the bundling of multiple network interfaces (NIC) into a single link, which allows maximum data throughput and redundancy in case of a network connection failure. Option C is Incorrect because Data capture jobs are used to identify data on your network and stream it to Google Transfer Appliance. Option D is Incorrect because Data Recapture activity doesn’t exist. Reference: https://cloud.google.com/transfer-appliance/docs/2.0/data-rehydration

Answer 157

Correct Answer: B Option B is the CORRECT because Compute shared VPC Admin role gives you the permission to set up Shared VPC. Option A is INCORRECT because even with delegated access you need to give yourself Compute Shared Admin role. Option C is INCORRECT because giving the Compute Admin Access role doesn’t give you permission to set up Shared VPC. Option D is INCORRECT because there is NO Shared Network Admin Role in GCP Read More at https://cloud.google.com/vpc/docs/provisioning-shared-vpc

Answer 158

Correct Answer: B A is wrong: Cloud SQL is not global B is correct: it meets all the requirements (see the main features below) C is wrong: Cloud Firestore is not global and it is a NoSQL DB D is wrong: Cloud SQL is not global E is wrong: Cloud Datastore is not global and it is a NoSQL DB A small recap of the targeted technologies: Cloud Spanner is a mission-critical, scalable relational database service, built to support transactions, strong consistency, and high availability across regions and continents. Main features: scalable, enterprise-grade, globally-distributed, combine the benefits of relational database structure with a non-relational horizontal scale industry-leading 99.999% availability SLA no planned downtime enterprise-grade security. For more details, please visit the link: https://cloud.google.com/spanner/ Cloud SQL is a fully-managed database service that offers to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud. Main features: high performance and good scalability (not linear). database infrastructure for applications running anywhere. Regional with multi-regional Backups. Live migration High availability with continuous health-checking and automatic failover For more details, please visit the link: https://cloud.google.com/sql/ Cloud Firestore is a fast, fully managed, serverless, cloud-native NoSQL document database that simplifies storing, syncing, and querying data for your mobile, web, and IoT apps at a global scale. Cloud Firestore is the next generation of Cloud Datastore. Main features: ACID transactions Datastore mode Regional (multi-zone) with multi-region replication, if needed Automatic horizontal scaling in and out Realtime Database For more details, please visit the link: https://cloud.google.com/firestore/ Cloud Datastore is a highly-scalable NoSQL database for your applications. Cloud Datastore automatically handles sharding and replication Main features: ACID transactions Regional with multi-region replication Regional (multi-zone) with multi-region replication, if needed It will be replaced by Firestore For more details, please visit the link: https://cloud.google.com/datastore/

Answer 159

Correct Answer: B and C Pub/Sub is the solution recommended by Google because it provides flexibility and security. Flexibility because, being loosely coupled with a publish / subscribe mechanism, it allows you to modify or add functionality without altering the application code. Security because it guarantees reliable, many-to-many, asynchronous messaging with at-least-once delivery. Uploading to both Cloud Storage and Bigquery is important because you want to store the data both in its entirety and in aggregate form. Parallel composite uploads are recommended because the daily files are of considerable size (200 to 500 megabytes). Using Dataflow allows you to manage processing in real-time and to use the same procedures for daily batches. A is incorrect because it stores data only in BigQuery and does not provide real-time processing when the requirements are to have both global and aggregated data. D is incorrect because, also here, data is stored only in BigQuery and because BigQuery Data Transfer Service involves passing through cloud sources, not from on-premise archives. It also doesn't talk about how the data is decompressed and processed. For any further detail: https://cloud.google.com/bigquery-transfer/docs/introduction https://cloud.google.com/storage/docs/uploads-downloads#parallel-composite-uploads https://www.youtube.com/playlist?list=PLIivdWyY5sqJcBvDh5dfPoblLGhG1R1-O https://cloud.google.com/pubsub

Answer 160

Correct Answer: B Apigee is the GCP top product for API management. It offers all the functionalities requested: monetization, traffic control, throttling, security and hybrid (third -parties) integration. GCP offers 3 different products for API management: Apigee, Cloud Endpoints (only GCP) and API Gateway (for Serverless workloads). A is wrong because Cloud Endpoints is an API product, too but doesn't support monetization and hybrid C. is wrong because Cloud Tasks is a dev tool for thread management D is wrong because Cloud Billing is for GCP services accounting, billing and reporting, not for end-user services E is wrong because API Gateway is an API product, too but doesn't support monetization and hybrid For any further detail: https://cloud.google.com/apigee/docs/api-platform/get-started/what-apigee

Answer 161

Correct Answer: B Cloud DLP can identify where sensitive data is stored, then use tools to redact those sensitive identifiers. Cloud DLP uses more than 90 predefined detectors to identify patterns, formats, and checksums, and de-identification techniques like masking, secure hashing, and tokenization to redact sensitive data, all without replicating customer data. A is wrong. This solution is not at all quick and managed B is correct. Cloud DLP is the perfect solution C is wrong. Versioning doesn’t protect sensitive data but preserves an old version of the Objects. D is wrong. PCI Data Security Standard compliance, that is Payment Card Industry Data Security Standard (PCI DSS) compliance is only related to electronic payments. It sets the requirements for organizations and sellers to accept, store, process, and transmit cardholder data safely and securely during a credit card transaction. For more details, please check the URLs below: https://cloud.google.com/blog/products/storage-data-transfer/scan-your-cloud-storage-buckets-for-sensitive-data-using-cloud-dlp

Answer 162

Correct Answer: B Cloud Pub/Sub is the perfect product for this project: you can send and receive messages between independent applications and transmit data across projects and applications running on cloud, on-premise, or hybrid environments. Cloud Pub/Sub is perfect to decouple systems and components hosted on GCP or elsewhere on the internet. It provides "at least once" delivery at low latency with on-demand scaling to tens of millions of messages per second. A is wrong. Cloud Composer is a managed workflow orchestration. So, different processing are often related to each other B is correct. C is wrong. Cloud Tasks manage queues, but within an Application, so its scalability cannot meet requirements. It is used with App Engine. D is wrong. Cloud Functions are the small pieces of code executed in an event driven mode. Natively, it doesn’t handle messages. E is wrong. It a managed Database Service. Its scalability cannot meet requirements, definitely. For any further detail, please refer to the URL below: https://cloud.google.com/pubsub/

Answer 163

Correct answer: B MongoDB is a horizontally scalable noSQL Document Database that is not offered in GCP as a managed service; in order to obtain horizontal scalability and data redundancy, however, you need to install it on a cluster of VMs. Given the volumes of EHR, the best solution is certainly to use Kubernetes and its StatefulSets and Volumes. Kubernetes is known for offering a perfect environment for Microservices, with its Stateless Deployments , but it is not the only possible solution. In fact, there are also StatefulSets, Demons and Jobs. It should be noted that Google uses its own internal Kubernetes for any type of workload. The closest MongoDB-like product in the GCP is Firebase, so this is the best strategy. A is wrong because a single VM deployment doesn’t offer any scalability and failover. C and D are wrong because a migration is out of the requirements scopes. Moreover, DocumentDB is an AWS Service, not a GCP one. For any further detail: https://kubernetes.io/blog/2017/01/running-mongodb-on-kubernetes-with-statefulsets/ https://cloud.google.com/kubernetes-engine/docs/concepts/statefulset?hl=it

Answer 164

Correct Answer: B Since the case study clearly mentions that "They plan to deploy the game’s backend on Google Kubernetes Engine so they can scale rapidly", hence Google Kubernetes Engine can be used. Case Study GKE Documentation

Answer 165

Correct Answer: B Telemetry includes all control data and metrics from cloud systems. Telemetry needs to be extracted, organized and transmitted from multiple locations to a central point of analysis. We go beyond the scalability and availability of services, because the purpose of this Data is to optimize processes and costs; for example, Telemetry is used for the security and integrity of applications, to improve the user experience, to maximize performance and, more generally, the quality of systems. Prometheus is a widely used open-source (Cloud Native Computing Foundation graduated) for the acquisition, integration, query and analysis of telemetry data. Its main features are: All data is collected into an easy to use multidimensional data model Uses a flexible query language called PromQL Flexible System Management and, security and no overhead graphing and dashboarding support, even if often used with Kabana, another open tool GCP has new features for Service and Telemetry reporting that may be integrated after migration A is wrong because this is not an easy and fast solution, even if it is the Google internal solution; Pods in Google are often made by the app container plus the control container that deals with telemetry. C is wrong because Operations Suite (formerly Stackdriver) don’t cover all the needs for a wide-range telemetry D is wrong because Istio is a service-mesh for Kubernetes; so, it is aimed at microservices architectures. It is open-source and offers important telemetry functions, but it doesn't cover all of our requirements. E is wrong because Cloudwatch is the Operations Suite (formerly Stackdriver) counterpart product in AWS For any further detail: https://prometheus.io/docs/introduction/overview/ https://cloud.google.com/service-infrastructure/docs/telemetry-reporting https://istio.io/latest/about/service-mesh/

Answer 166

Correct Answer: B The ‘retry on failure’ option is aimed to automatically retry a background function until it completes successfully. And this is exactly what is needed. You have to use it carefully and you should handle permanent problems inside the function. The other proposed solutions modify the function which is not advisable because developers are already looking for the solution or just the debugging methods. For any further detail, please follow the URL below: https://cloud.google.com/blog/products/serverless/cloud-functions-pro-tips-using-retries-to-build-reliable-serverless-systems

Answer 167

Correct answer: B The best and simplest way to achieve that is with an API Gateway, possibly Apigee. Apigee is the most complete service in GCP for API management and supports any environment. The official documentation says: Apigee on the other hand is a comprehensive API management platform built for Enterprises, with deployment options on cloud, on-premises, or hybrid. The feature set includes a full-fledged API gateway, customizable portal for on-boarding partners and developers, rate and Traffic limiting and management, monetization, and deep analytics around your APIs. A is wrong because Canary deployment doesn’t create an API facade service as required. C is wrong because ISTIO is a service mesh management and even if it can help for app evolving, it doesn’t create an API facade service. D and E are PaaS; they manage app versions and advanced deployments but not hybrid configurations as required. For any further detail: https://cloud.google.com/api-gateway/docs/deployment-model#multiregion https://docs.apigee.com/api-platform/develop/rate-limiting

Answer 168

Correct Answer: B What you need is a service that examines your code and finds out if something is vulnerable or insecure. Web Security Scanner does exactly this: it performs managed and custom web vulnerability scanning. It performs scans for OWASP, CIS GCP Foundation, PCI-DSS (and more) published findings. A is wrong because Cloud Armor is a Network Security Service, with WAF rules, DDoS and application attacks defenses. C is wrong because the Security Command Center suite contains Web Security Scanner and many other services. D is wrong because Shielded GKE nodes are special and secured VMs. For any further detail: https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview

Answer 169

Correct Answer: B You could have solved the problem with a NAT system or a Bastion Host too, but the first option is far simpler and meets requirements. Network Address Translation (NAT) performs Private to Public Address translations, so VMs in private subnets can access the internet—for updates, patching, config management, and more—in a controlled and efficient manner, but outside resources cannot directly access those instances. A is totally out of scope. C and D could solve the problem but are too expensive and complex for this case. For any further detail, please refer to the URLs below: https://cloud.google.com/nat/docs/overview https://cloud.google.com/blog/products/networking/cloud-nat-deep-dive-into-our-new-network-address-translation-service

Answer 170

Correct Answer: C Option C is correct - This grants the least privilege required to access the data and minimizes the risk of accidentally granting access to the wrong people. Option A is incorrect. Signed URLs could potentially be leaked. Option B is incorrect. This is needlessly permissive, users only require one permission in order to get access. Option D is incorrect - This is security through obscurity, also known as no security at all.

Answer 171

Correct Answer: C A is wrong. It is not easy and simple. Auditors would not be able to search and analyze data the way they would need it. B is wrong. Cloud Storage is not searchable at the granular level required. C is correct. It will be easy to query and organize the Log information by historical period D is wrong. It is neither easy nor simple and economical You may configure log export and deliver them to a dataset in BigQuery, granting permissions to limit access. Date-partitioned tables and expiration dates could help limit query costs by reducing the amount of data scanned as a part of queries and might keep auditing the logging data for the required period and then delete it. For any further detail, please refer to the URLs below: https://cloud.google.com/logging/ https://cloud.google.com/solutions/exporting-stackdriver-logging-for-security-and-access-analytics

Answer 172

Correct Answer: C A is wrong. The application does not use HTTP(s), so an HTTP(S) Load Balancer is out of scope B is wrong. Managed Instance Groups are for scalable and identical Instances C is correct. It is the only feasible way D is wrong. The application does not use Http, and Managed Instance Groups is for scalable and identical Instances Flowchart for choosing a load balancer: For more details, please refer to the URLs below: https://cloud.google.com/load-balancing/docs/choosing-load-balancer https://cloud.google.com/compute/docs/instance-groups/

Answer 173

Correct Answer: C A is wrong. The key requirement that you need to meet is to select data by product families and sale regions B is wrong. BigTable is a NoSQL database, not an Analytics System C is correct. Clustering Partitioned Tables with Product Type and Sale Region you will gain in speed and spare money. D is wrong. Cloud Spanner is a global SQL database and not an Analytics System E is wrong. Cloud Firestore is a NoSQL database and not an Analytics System BigQuery is a fully managed, low cost, serverless, columnar and ANSI SQL data warehouse that can analyze terabytes to petabytes of data in blazing-fast speeds. Additional features: Analyze geospatial data using familiar SQL with BigQuery GIS ML models on large-scale structured or semi-structured data: BigQuery ML Real-time interactive dashboarding with sub-second query latency using BigQuery BI Engine. Transferring services and flexible data ingestion Pay-for-what-you-use pricing It doesn't use indexes, but only full-scan searches. It is important because you will be charged for the amount of data processed for a query. So, the use of Partitioned Tables, Clustering Tables, and View are uttermost important. Clustering Tables improve the performance of queries when filter clauses based on the contents of clustered columns are used. When data is written to a clustered table by a query job or a load job, BigQuery sorts the data using the values in the clustering columns. These values are used to organize the data into multiple blocks in BigQuery storage. When you submit a query containing a clause that filters data based on the clustering columns, BigQuery uses the sorted blocks to eliminate scans of unnecessary data. Similarly, when you submit a query that aggregates data based on the values in the clustering columns, performance is improved because the sorted blocks find out rows with similar values. For any further detail, please check the URLs below: https://cloud.google.com/bigquery/docs/clustered-tables https://cloud.google.com/bigquery/docs/authorized-views

Answer 174

Correct Answer: C Check to make sure you have proper firewall rules allowing the correct subnets access. Also, make sure another rule with higher priority is not conflicting with it.

Answer 175

Correct Answer: C Cloud Tasks is an asynchronous task execution service that encodes and executes Tasks using Queues. It enables serverless execution for Systems operating in App Engine standard or flexible environments. With this Service, it is possible to offload long-running and background activities, decouple services from one another and make your applications much more resilient to failures. The other answers depict feasible solutions, that are not Serverless (A,D) or incomplete (B) For more details, please refer to the URLs below: https://cloud.google.com/tasks/ https://cloud.google.com/appengine/docs/flexible/dotnet/scheduling-jobs-with-cron-yaml

Answer 176

Correct Answer: C Google Container Registry, Google Kubernetes Engine, Google HTTP(s) Load Balancer. As per the requirements, Google Container Registry, and Google Kubernetes Engine meets the below requirements: “Their architecture includes many small services that they want to be able to update and roll back quickly”; And following specific requirements * Services are deployed redundantly across multiple regions in the US and Europe. * Deployment artifacts are immutable. And Google HTTP(s) Load Balancer meets the below requirements: * Only frontend services are exposed on the public internet. * They can provide a single frontend IP for their fleet of services. All other answers provide an incomplete or incorrect solution and don't meet the requirements.

Answer 177

Correct Answer: C IAP- Identity-Aware Proxy is a service that lets you use SSH and RDP on your GCP VMs from the public internet, wrapping traffic in HTTPS and validating user access with IAM. Inside GCP there is a Proxy server with a listener that translates the communication and lets you operate in a safe way without the public exposure of your GCP resources. A is wrong because a Bastion Host needs a Public IP, so it is not feasible. B is wrong because a Nat Instance needs a Public IP, too. In addition, it is aimed at outgoing connectivity to the internet, blocking inbound traffic, thus preventing exactly what we need. D is wrong because Security Command Center is a reporting service for security that offers monitoring against vulnerabilities and threats. For any further detail: https://cloud.google.com/iap/docs/tcp-forwarding-overview https://cloud.google.com/security-command-center

Answer 178

Correct Answer: C It is a simple and quick solution that meets all the requirements. The other solutions are much more complex and not so easy to manage and maintain. The GSuite module (solution B) requires to partially rewrite the routine. For any further detail, please refer to the URLs below: https://cloud.google.com/functions/docs/calling/storage https://cloud.google.com/functions/docs/tutorials/storage For more complex scenarios, it is also possible to use Pub/Sub Notifications for Cloud Storage. These solutions are suitable when there are multiple activities that arise after the change of an Object. For more details on Pub/Sub notifications, check the following URLs: https://cloud.google.com/functions/docs/calling/pubsub https://cloud.google.com/storage/docs/pubsub-notifications

Answer 179

Correct Answer: C Lift and Shift is the best approach because the company wants to migrate the existing application to google cloud with minor modifications and refactoring. In lift and shift migration you migrate the application as it is from on-premise to Google Cloud with very fewer modifications and it is the fastest way of migrating an application to Google Cloud https://cloud.google.com/solutions/migration-to-gcp-getting-started Option A is incorrect because this approach is used when you need to modernize the application while migrating to Google Cloud Option B is incorrect because it used when you have to totally redesign the application while migrating Option D is incorrect because there is no such type of migration as per Google’s Documentation

Answer 180

Correct Answer: C Pub/Sub ingests and stores these messages, both from the user devices or the Game Server. Dataflow can transform data in schema-based and process it in real-time BigQuery will perform analytics. A is wrong because Big Table is not the service for real-time analytics B is wrong because Kubeflow is used for Machine Learning pipelines. D is wrong because Cloud Spanner is a global SQL Database and not an analytics tool. For any further detail: https://cloud.google.com/solutions/mobile/mobile-gaming-analysis-telemetry

Answer 181

Correct Answer: C System Pods have to run with non-preemptible VMs, otherwise, it would be dangerous when the node gets removed. So you have to avoid having only node pools with GPU preemptible VMs. In this case, the taint nvidia.com/gpu=present:NoSchedule should be removed. And it is OK to have at least a node pool with non-preemptible VMs, in addition to GPU preemptible VMs. Option A is wrong because it is OK to have a node pool with preemptible VMs when you have at least a node pool with non-preemptible VMs. Option B is wrong because it is OK to use GPU preemptible VMs. Option D is wrong because it would be dangerous when System Pods will get removed. For any further detail: https://cloud.google.com/kubernetes-engine/docs/how-to/preemptible-vms#gpu_preemptible_node_taints

Answer 182

Correct Answer: C The headquarters office manages the global network so the networking specialists mainly work over there. Shared VPC lets create a single, global VPC organized by a central project (host project). All the other projects (service projects) maintain their independence but they don’t have the burden of network management. So we can have a balance between control policies at the network level and freedom to manage application projects A is wrong because with VPC peering there is no organization hierarchy. B is wrong because Cloud Interconnect is for on-premises networking. D is wrong because Cloud VPN and Cloud Router are used for Cloud and on-premises telecommunications. For any further detail: https://cloud.google.com/vpc/docs/shared-vpc https://cloud.google.com/architecture/best-practices-vpc-design#shared-vpc

Answer 183

Correct Answer: C The preferred way to access services in a secured and authorized way is with Kubernetes service accounts, which are not the same as GCP service accounts. With Workload Identity, you can configure a Kubernetes service account so that workloads will automatically authenticate as the corresponding Google service account when accessing GCP APIs. Moreover, Workload Identity is the recommended way for applications in GKE to securely access GCP APIs because it lets you manage identities and authorization in a standard, secure and easy way. A is wrong because API keys offer minimal security and no authorization, just identification. B is wrong because GCP Service Accounts are GCP proprietary. Kubernetes is open and works with Kubernetes service accounts. D is wrong because Workload identity federation is useful when you have an external identity provider such as Amazon Web Services (AWS), Azure Active Directory (AD), or an OIDC-compatible provider. For any further detail: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity https://cloud.google.com/docs/authentication

Answer 184

Correct Answer: C The Transcoder API can: create consumer streaming formats, like MPEG-4 (MP4), Dynamic Adaptive Streaming over HTTP (DASH, also known as MPEG-DASH), and HTTP Live Streaming (HLS). encode or decode a digital data stream with multiple techniques (codecs) Partionize video files for fast encoding decoding A is wrong because Dataflow could transform a stream of data in another format but you had to provide all the coding to realize it . B is wrong because Elemental medialive is a broadcasting service from Amazon D is wrong because Dataproc you should use Hadoop streaming and develop all the code for the solution. For any further detail: https://cloud.google.com/transcoder/docs/concepts/overview

Answer 185

Correct Answer: D Option A is incorrect - Since we have a managed service and a native solution in the option, it is preferred to pick that option. Option B is incorrect. Federated mode allows for deployment in a federated way but does not do anything beyond that, you still have to have a tool like Jenkins to enable the "automated " part of the question, and with Jenkins you can accomplish the goal without necessarily needing federation to be enabled. Option C is incorrect. This may work in very simple examples, but as complexity grows this will become unmanageable. Option D is correct. You can automate the deployment of your application to GKE by creating a trigger in Cloud Build. You can configure triggers to build and deploy images whenever you push changes to your code. https://cloud.google.com/build/docs/deploying-builds/deploy-gke

Answer 186

Correct Answer: D Option A is incorrect. It is a manual operation, long and heavy, and the problem may be related to other elements and factors related to the application Option B is incorrect. Cloud Debugger checks the code, and you already know the queries with problems Option C is incorrect. Cloud Trace collects latency data from your applications and displays it in the Google Cloud Platform Console. You already know that this kind of problem exists. Option D is correct. You can set a metric that accurately identifies the log lines related to queries. You can also create an alert that can promptly alert you when the problem is displayed, so you can review all the related logs and information at the right time. Option E is incorrect. There are no errors, so this is a useless operation. For more details, please refer to the following URLs: https://cloud.google.com/logging/ https://cloud.google.com/logging/docs/logs-based-metrics/

Answer 187

Correct Answer: D Option D is correct because Query history has the required information. Option A is incorrect because it has information about export, load, copy etc. Options B and C are incorrect because they provide logs for user-specific actions on a high-level basis. They don't provide query level logs specific to a user.

Answer 188

Correct Answer: D A is wrong. Instance Template are immutable, so you have to create a new Instance Template and update the Managed Group Definition B is wrong. It is not advisable to do such a manual operation. It is cumbersome and prone to errors C is wrong. With managed instance group updater, you may roll out all an update automatically. The question required a partial update. D is correct. A canary update is a partial update to a few numbers of instances in the instance group. You may view with console or gcloud for the currentAction being performed on each instance in your group, as well as the status of each instance. You may roll back quickly to the previous version and control the speed of an update with the parameters: minReadySeconds (wait for the next replacement), Enable health checking (wait until healthy), tune maxUnavailable (number of Instances beyond the targetSize of the group), and maxSurge (number of instances unavailable at any time during the update) A canary update is an update that is applied to a partial number of instances in the instance group. Canary updates let you test new features or upgrades on a subset of instances, instead of rolling out a potentially disruptive update to all your instances. If an update is not going well, you only need to roll back a small number of instances, minimizing the disruption for your users. From the perspective of the server, a canary update is the same as a standard rolling update, except that the number of instances that should be updated is less than the total size of the instance group. Like a standard rolling update, a canary update is disruptive to the instances affected; that is, the affected instances are deleted and replaced by new VM instances during the update. For more details, please visit the following URLs: https://cloud.google.com/compute/docs/instance-groups/ https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups

Answer 189

Correct Answer: D A is wrong. It is not the fastest way (images are quicker) and don’t malware protection B is wrong. It is the fastest but it don’t have malware protection C is wrong. It doesn’t have malware protection D is correct The key requirement is that is needed for the Shielded VM support, so you are compelled to use a Public Image. See https://cloud.google.com/compute/docs/images Instance template may use a public image and a startup script to prepare the instance after it starts running. Custom images are more deterministic and start more quickly than instances with startup scripts. However, startup scripts are more flexible and allow you to update the applications and settings in your instances more easily. For more details, please refer to the URLs below: https://cloud.google.com/compute/docs/instance-templates/create-instance-templates https://cloud.google.com/compute/docs/instances/create-vm-from-instance-template https://cloud.google.com/security/shielded-cloud/shielded-vm

Answer 190

Correct Answer: D A is wrong. Pub/Sub is correct but Cloud Spanner is a global SQL Database with outstanding integrity and consistency, but don’t have milliseconds performances. We don’t need (and want to pay) all these features. B is wrong. Dataproc is the Hadoop solution in GCP. It doesn’t really solve the real-time requirement that hasn’t milliseconds performances. C is wrong. Cloud Dataprep is a tool for Data correction and refining (not required in the question). D is correct. It is the only solution that meets all requirements. E is wrong. Cloud Datastore is a performant NoSQL Database, inexpensive but not suitable for Big Data and realtime processing. Cloud Pub/Sub is a serverless product for stream analytics and event-driven computing. You can send and receive messages between independent applications and transmit data across projects and applications running on the cloud, on-premise, or hybrid environments. Cloud Pub/Sub is perfect to decouple systems and components hosted on GCP or elsewhere on the internet. It provides "at least once" delivery at low latency with on-demand scaling to tens of millions of messages per second. With Cloud Pub/Sub, data engineers can: Scale without provisioning, partitioning, or load isolation Expand applications and pipelines to new regions Enrich, deduplicate, order, aggregate, and land events using Cloud Dataflow Mix real-time and batch processing via Cloud Pub/Sub’s durable storage Cloud Dataflow is a fully managed service for transforming and enriching data in real-time and batch stream. Cloud Dataflow has a serverless approach that saves money because you only pay for what you use. Plus, Cloud Dataflow not only works with Google's ingestion, data warehousing, and machine learning products but also third-party tools like Apache Spark and Apache Beam. https://cloud.google.com/dataflow/ Cloud Bigtable is a NoSQL database service for use cases where low latency reads and high throughput writes, scalability, and reliability are critical. Main features: Now it is global (used to be regional) It offers consistent sub-10ms latency It is ideal for Ad Tech, Fintech, and IoT It offers a storage engine for machine learning applications It provides easy integration with open-source big data tools For any further detail, please visit the following URLs: https://cloud.google.com/pubsub/ https://cloud.google.com/dataflow/ https://cloud.google.com/bigtable/

Answer 191

Correct Answer: D App Engine Flexible Edition is a PaaS solution without any constraints regarding the technologies adopted, as long as you can package the app into a Container. So it is the only solution that meets all the requirements. A is wrong because it is not fully managed, scalable and flexible B is wrong especially because Containers are not advisable with Database Systems. SQL Databases cannot scale simply starting a new Instance. C is wrong because it is not fully managed. For any further detail, please refer to the URLs below: https://cloud.google.com/appengine/docs/flexible/java/ https://cloud.google.com/sql/docs/postgres/connect-app-engine https://vsupalov.com/database-in-docker/

Answer 192

Correct Answer: D As mentioned in the official documentation, the schema data types vary from Oracle to Spanner. For instance, the usage of VARCHAR column should be converted into Spanner's STRING equivalent. The same applies for INT, INTEGER, etc (to be converted into INT64); the same for DATETIM E -> TIMESTAMP. This basically means we need to convert the table schemas in any case. Therefore, answer D is valid. Option A is incorrect because Spanner handles secondary indexes. Option C is incorrect because Spanner automatically manages the distribution of data in the clusters. Option B is incorrect because there is no insight about the type of primary keys being used in Oracle schema: nowhere it is written the DB is using sequences. The source Oracle DB could be using GUIDs which will work well. https://cloud.google.com/spanner/docs/migrating-oracle-to-cloud-spanner#supported-data For any further detail: https://cloud.google.com/spanner/docs/schema-design#primary-key-prevent-hotspots

Answer 193

Correct Answer: D Explanation: D (Correct Answer) - This approach meets all of the requirements, it is easy to do and works cross project and cross region. A - This approach affects the performance of the existing machine and incurs significate network costs. B - We can share the snapshots of boot dist across the project and region but cannot create an instance using directly the snapshots. C - dd will not work correctly on a mounted disk. Reference Resources https://cloud.google.com/compute/docs/machine-images#when-to-use

Answer 194

Correct Answer: D Google, by default, encrypts each chunk of data with a data encryption key DEK using AES256/AES128, symmetric cryptography. DEKs are sent to KMS (the service for Key Management) encrypted with a key-encryption key KEK, and the wrapped DEKs are stored with the data chunks. KEKs are kept in KMS and are not exportable; so, all encryption and decryption must be done within KMS. KEKs are rotated periodically and automatically. A is wrong because in GCP all the storage is encrypted. B is wrong because SHA-256 is a hash algorithm, one way, no feasible. C is wrong because RSA-256 is asymmetric cryptography, not used for data encryption because it would be too slow. For any further detail: https://cloud.google.com/security/encryption/default-encryption/

Answer 195

Correct Answer: D Running Shutdown Scripts: Create and run shutdown scripts that execute commands right before an instance is terminated or restarted, on a best-effort basis. This is useful if you rely on automated scripts to start up and shut down instances, allowing instances time to clean up or perform tasks, such as exporting logs or syncing with other systems. https://cloud.google.com/compute/docs/shutdownscript To setup Shutdown Scripts, go to the GCP console and follow the steps: Compute Engine -> VM instance -> Create Instance -> (Expand) Management, disks, networking, SSH keys Enter the key “shutdown-script” and the proper value.

Answer 196

Correct Answer: D The perfect solution is Service Mesh. Anthos Service Mesh is Google's implementation of the powerful Istio open-source project, allowing you to manage, observe, and secure your services without having to change your application code. Options A and B are incorrect. It is not possible to develop quickly an internal solution that meets these requirements. Option C is incorrect because Endpoint creates APIs and doesn’t integrate all kinds of services. https://cloud.google.com/endpoints/ Option E is incorrect because it is not standard and cannot integrate all kinds of services. For any further detail, please follow the links below: https://cloud.google.com/service-mesh/docs/unified-install/multi-cloud-hybrid-mesh

Answer 197

Correct Answer: E GCP firewall rules are stateful. If a connection is allowed between a source and a target, all subsequent traffic in either direction will be allowed as long as the connection is active. In other words, firewall rules allow bidirectional communication once a session is established. The connection is considered active if at least one packet is sent every 10 minutes. Firewall rules cannot allow traffic in one direction while denying the associated return traffic. So, A and D are wrong. A service account represents an identity associated with an instance. Only one service account can be associated with an instance. So it is the best option in case of strict security constraints. Be careful because you cannot mix and match service accounts and network tags in any firewall rules. C is wrong because it is necessary to provide different security to various projects. So network tags are the arbitrary attributes and are not enough for this requirement. For any further detail, please refer to the URLs below: https://cloud.google.com/vpc/docs/using-firewalls https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags

Answer 198

Correct Answer: E The best way is to adopt Kubernetes on-prem and in Cloud. It could be used Anthos on-prem, too, in order to ease the migration. Kubernetes provides the best solution for orchestrating workloads of any kind in any Cloud and on-prem. Cloud Build cannot deploy local workloads so a tool like Spinnaker is the best way to achieve the desired consistency. A is wrong because VMs and Compute Engine are not containers optimized. B is wrong because Cloud Build and Cloud Run are optimal services only in Cloud. They are not suitable for on-premises deployments C is wrong Cloud Build cannot deploy local workloads D is wrong VMs and AppEngine are not containers optimized. For any further detail: https://cloud.google.com/containers https://cloud.google.com/build/docs/overview https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview https://cloud.google.com/anthos/docs/setup/on-premises

Answer 199

Correct Answer: E The DocumentAI can detect and extract text from images. Document AI uses machine learning and Google Cloud to help you create a scalable, cloud-based document understanding solution. Using Document AI, you can: Convert images to text Classify documents Analyze and extract entities For more details, please visit the following link: https://cloud.google.com/document-ai/docs/overview

Answer 200

Correct Answers - A and B Options A and B are correct as they are valid questions with respect to cost effectiveness. Other options are incorrect, as they are general questions asked based upon curiousity. They are not related to cost or billing. For any further detail, please refer to the URLs below: https://cloud.google.com/billing/docs/how-to/budgets https://cloud.google.com/billing/docs/ https://cloud.google.com/billing/v1/getting-started

Answer 201

Correct Answers - A, B, D A is correct. As per google's best practices, this is the best way to manage the access and users. B is correct. You can authorize users via Cloud Identity-Aware Proxy (IAP). They do not require direct access to the underlying GCP resources—just to the web app that utilizes the GCP resources. C is wrong. Feasible, but not advisable. Burdensome and difficult to maintain. D is correct. You create the basic Service Accounts and link them to the VMs. So, users that have access to the VM, inherit all the authorizations needed E is incorrect. Service Accounts are associated with your pods and not clusters. Service Accounts related to your applications Service Accounts related to your VMs For more details, please visit the following links: https://cloud.google.com/iam/docs/overview https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform https://cloud.google.com/blog/products/identity-security/understanding-gcp-service-accounts-three-common-use-cases

Answer 202

Correct Answers A and D A (Correct) - Each subnet can span over multiple Availability Zones to provide a high-availability environment. Each VPC network consists of one or more useful IP range partitions called subnetworks or subnets. Each subnet is associated with a region. Networks can contain one or more subnets in any given region. Subnets are regional resources. VPC network example: subnet3 is defined as 10.2.0.0/16, in the us-east1 region. One VM instance in the us-east1-a zone and a second instance in the us-east1-b zone, each receiving an IP addresses from its available range. D (Correct Answer) - By default, all subnets can route between each other, whether they are private or public. Because subnets are regional resources, instances can have their network interfaces associated with any subnet in the same region that contains their zones. Resources within a VPC network can communicate with one another using internal (private) IPv4 addresses, subject to applicable network firewall rules. The default network includes a “default-allow-internal” rule, which permits instance-to-instance communication within the network. C is incorrect: Each subnet defines a range of IP addresses. The minimum CIDR size for a subnet is /29. Reference: https://cloud.google.com/vpc/docs/vpc

Answer 203

Correct Answers: A and C B - is for migration not for “regularly creating disk-level backups of the root disk of a critical instance”. There are tools allowing copying (importing) on-premises virtual disk to Compute engine but you cannot copy GCP VM. C(Correct Answer) - Sharing storage resources across projects and organizations You can share access to images, disks, and snapshots using the following IAM roles or permissions: Images: The roles/compute.imageUser role or the compute.images.useReadOnly permission. Snapshots: The roles/compute.storageAdmin role or the compute.snapshots.useReadOnly permission. Disks: The roles/compute.storageAdmin role or the compute.disks.useReadOnly permission. These roles and permissions allow you to share each resource type independently with other team members outside of your projects. For example, your company might have a specific project with qualified images that the rest of your company can use. You can assign a group to the project that is explicitly responsible for creating and maintaining images. Then, you can grant the roles/compute.imageUser role to other team members so that team members can use these images in their own projects. Note: These roles allow users to use your storage resources in any project, including projects outside of your organization. To restrict image use to specific organizations or specific projects, set the 'constraints/compute.storageResourceUseRestrictions' constraint as an organization policy. https://cloud.google.com/compute/docs/images/sharing-images-across-projects A (Correct answer) - The proper method is to create a custom image either from an existing, stopped instance, or snapshots of a boot disk, which can then be shared across projects and used to create additional instances. https://cloud.google.com/compute/docs/instances/create-start-instance D- doesn’t meet the requirement “regularly create disk-level backups of the root disk of a critical instance” nor is it easy to convert into the new instance.

Answer 204

Correct answers: A and C Dataflow can process both batch- and streaming-data parallel pipelines with the same code in a serverless way. It is based on Apache Beam so the procedures may be created as reusable templates in any environment. The dev team cab build programs that define the pipeline. Then, one of Apache Beam's supported distributed processing backends, such as Dataflow, executes the pipeline. The data processing job supports parallel processing. B is wrong because it requires more developing work and may not sustain heavy traffic. D is wrong because the solution is not secure For any further detail: https://cloud.google.com/dataflow/docs/concepts/beam-programming-model https://cloud.google.com/storage/docs/access-control/signed-urls

Answer 205

Correct Answers: A and C The best way to find out service accounts usage are: Service account insights, that lists service accounts not used in the past 90 days and Activity Analyzer, which reports about service account’s last usages. So they let you control the opposite aspects. B is wrong because Cloud Audit Logs contain audit trials, that is user activity and services modifications in GCP. D is wrong because Flow logs contain only network information to and from VM instances. For any further detail: https://cloud.google.com/iam/docs/manage-service-account-insights https://cloud.google.com/iam/docs/service-account-recent-usage

Answer 206

Correct answers: A and C With AD SSO federation relevant users and groups are synchronized to Cloud Identity, but changes in Active Directory are replicated to Google Cloud but not vice versa. SO Active Directory remains the only system that manages these credentials. EHR Healthcare uses Active Directory on-premises but not Active Directory in Azure Cloud (Azure Active Directory). B and D are wrong because EHR Healthcare doesn't use Azure Active Directory. For any further detail: https://cloud.google.com/architecture/identity/federating-gcp-with-active-directory-introduction

Answer 207

Correct answers: A, C and D The first solution (A+D) uses HTTP(S) Load Balancing and NEGs. Network endpoint groups (NEG) let you design serverless backend endpoints for external HTTP(S) Load Balancing. Serverless NEGs became target proxies and the forwarding is performed with the use of URL maps. In this way, you may integrate seamlessly with the legacy application. An alternative solution is API Management, which creates a facade and integrates different applications. GCP has 3 API Management solutions: Cloud Endpoints, Apigee, and API Gateway. API Gateway is only for serverless back ends. B is wrong because developing a proxy inside the monolithic application for integration means, keep on updating the old app with possible service interruptions and useless toil. E is wrong because App Engine’s flexible edition manages containers but cannot integrate the legacy monolithic application with the new functions. For any further detail: https://cloud.google.com/load-balancing/docs/negs/serverless-neg-concepts https://cloud.google.com/endpoints

Answer 208

Correct Answers: A, C, and E Option A is correct. Kubernetes can fit more containers/pods in the same VM Option B is incorrect. Kubernetes can automate more operations and hide the complexity of networking and load balancing Option C is correct. You may create automation with Cloud Build such as when you commit your source, your production or staging environment will be seamlessly updated. Option D is incorrect. Kubernetes has been adopted by all the major cloud platforms as the leading Containers Orchestrator Option E is correct. As you can easily see from the following picture, the container-native load balancer communicates directly with the Pods, connections have fewer network hops, so both latency and throughput are improved. For more details, please visit the following URLs: https://cloud.google.com/kubernetes-engine/ https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing

Answer 209

Correct Answers: A, D, E A is correct. It is the most advisable way to build private clusters that can use an HTTP(S), an internal or a network load balancer to accept incoming traffic B is wrong. You have to use Service Accounts, but you cannot expose keys in clear text inside Configuration Files C is wrong. It is always possible to use private clusters, that can use an HTTP(S), an internal or a network load balancer to accept incoming traffic D is correct. It is the basic way to go, but now there is a better way: Workload Identity E is correct. It is the new security method: once you configure the relationship between a Kubernetes service account and a Google service account, any workload running as the Kubernetes service account automatically authenticates as the Google service account while accessing Google Cloud APIs. Workload Identity, is the new way for GKE applications to authenticate and consume other Google Cloud services. It works by creating a relationship between Kubernetes service accounts and Cloud IAM service accounts, so you can use Kubernetes-native concepts to define which workloads run as which identities, and permit your workloads to automatically access other Google Cloud services, all without having to manage Kubernetes secrets or IAM service account keys. For any further detail, please refer to the URLs below: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform

Answer 210

Correct Answers: B and D A - Create an account for auditors to have view access to Operations Suite (formerly Stackdriver) Logging - continue storing log information in Operations Suite (formerly Stackdriver) is not a proper solution for “Long term access”. Between B and C, the difference is where to store the logs, BigQuery or Cloud Storage. Since the main concern is extended storing period, B (Correct Answer) is a better answer, and the “Long term access” further qualifies it, for example, using the Coldline storage class. With regards to BigQuery, while it is also a low-cost storage, but the main purpose is for analysis. Also, logs stored in Cloud Storage is easy to transport to BigQuery or do query directly against the files saved in Cloud Storage if and whenever needed. D (Correct Answer) - Create an account for auditors to have view access to the export storage bucket with the Storage Object Viewer role - this completes the answers by providing a view-only role to the auditors

Answer 211

Correct Answers: B and D D is correct because HTTP Live Streaming is a technology from Apple for sending live and on‐demand audio and video to a broad range of devices. It supports both live broadcasts and prerecorded content, from storage and CDN. B is correct because Video Intelligence API Streaming API is capable of analyzing and getting important metadata from live media, using the AIStreamer ingestion library. A is wrong because HTTP protocol alone cannot manage live streaming video. C is wrong because Dataflow manages streaming data pipelines but cannot derive metadata from binary data, unless you use customized code. E is wrong because Pub/Sub could ingest metadata, but not analyze and getting labels and other info from videos For any further detail: https://cloud.google.com/video-intelligence/docs/streaming/live-streaming-overview https://cloud.google.com/blog/products/data-analytics/streaming-video-using-cloud-data-platform https://developer.apple.com/streaming/

Answer 212

Correct Answers: B and D For MySQL Database it is possible to create a Cloud SQL read replica of a local DB. The Cloud SQL read replica is asynchronously synchronized and may be promoted to master DB. An easy and elegant solution. With SQL Server it is not possible; Cloud SQL read replicas for SQL Server are not supported so the traditional way (incremental backups and transaction logs) have to be followed Option A is incorrect because don’t ensure RPO and RTO requirements Option C is incorrect because Cloud SQL read replicas for SQL Server are not supported Option E is incorrect because Cloud SQL read replicas for MySQL are supported For any further detail: https://cloud.google.com/architecture/dr-scenarios-for-data https://cloud.google.com/architecture/disaster-recovery-for-microsoft-sql-server https://cloud.google.com/architecture/migration-to-google-cloud-transferring-your-large-datasets https://cloud.google.com/architecture/migrating-mysql-to-cloudsql-concept#external_replica_promotion_migration

Answer 213

Correct answers: B Telemetry includes all control data and metrics from cloud systems. Telemetry needs to be extracted, organized and transmitted from multiple locations to a central point of analysis. We go beyond the scalability and availability of services, because the purpose of this Data is to optimize processes and costs; for example, Telemetry is used for the security and integrity of applications, to improve the user experience, to maximize performance and, more generally, the quality of systems. Prometheus is a widely used open-source (Cloud Native Computing Foundation graduated) for the acquisition, integration, query and analysis of telemetry data. Its main features are: All data is collected into an easy to use the multidimensional data model Uses a flexible query language called PromQL Flexible System Management and, security and no overhead graphing and dashboarding support, even if often used with Kabana, another open tool GCP has new features for Service and Telemetry reporting that may be integrated after migration A is wrong because this is not an easy and fast solution, even if it is the Google internal solution; Pods in Google are often made by the app container plus the control container that deals with telemetry. C is wrong because Operation Suite (formerly Stackdriver) doesn’t cover all the needs for a wide-range telemetry D is wrong because Istio is a service mesh for Kubernetes; so, it is aimed at microservices architectures. It is open-source and offers important telemetry functions, but it doesn't cover all of our requirements. E is wrong because Cloudwatch is the Operation Suite (formerly Stackdriver) counterpart product in AWS For any further detail: https://prometheus.io/docs/introduction/overview/ https://cloud.google.com/service-infrastructure/docs/telemetry-reporting https://istio.io/latest/about/service-mesh/

Answer 214

Correct answers: B, C All the answers are correct, but the best solutions are: BigQuery ML for the easy way, because data is already in BigQuery and it can host many kinds of models, even custom TensorFlow and Auto ML TensorFlow Enterprise and KubeFlow are tailored by design for the creation of an MLOps environment in Google Cloud for developing, training, and continuously improve ML Models A is incorrect because BigQuery has all the capabilities without having to move or transform data D is incorrect because Kubernetes and Tensorflow are the foundation of the optimal solution, without the need to configure and create pipelines and automatic methods for process optimization. Kubeflow and TensorFlow Enterprise are already optimized for this purpose. For any further detail: https://cloud.google.com/bigquery-ml/docs https://www.kubeflow.org/ https://cloud.google.com/tensorflow-enterprise https://www.tensorflow.org/tfx

Answer 215

Correct Answers: B, C, D A is wrong: Cloud Storage Object cannot be updated or appended. Objects are immutable, you cannot make incremental changes to objects, such as append operations or truncate operations. You may overwrite objects, so incremental updates can be achieved by rewriting an object with the desired updates. B is correct: It has Global consistency. It is different from AWS because it has full consistency for all these operations: Read-after-write, Read-after-metadata-update, Read-after-delete, Bucket listing, Object listing and Granting access to resources C is correct: There is an archive and cheap Solution like AWS Glacier. There is the Archival Storage, that is available within milliseconds. It is the low-cost, highly durable storage service for data archiving, online backup, and disaster recovery. D is correct: Objects may have a Retention Policy and can be versioned. A retention period can be placed on a bucket. An object in the bucket cannot be deleted or overwritten until it reaches the specified age. Object Versioning can be enabled on a bucket in order to retain older versions of objects when they are deleted or overwritten. Object Versioning increases storage costs, but this can be partially mitigated by configuring Object Lifecycle Management to delete older object versions. For any further detail, please visit the following URLs: https://cloud.google.com/storage/docs/concepts https://cloud.google.com/storage/docs/best-practices https://cloud.google.com/blog/products/storage-data-transfer/hdfs-vs-cloud-storage-pros-cons-and-migration-tips

Answer 216

Correct Answers: C All answers are a partial solution with the exception of option D and E, which is incorrect because Zonal SSD persistent disks are useless in the event of a disaster. Furthermore, regional disks may not be available, but in this case, all the snapshots in Cloud Storage are preserved. Remember that snapshots are incremental and compressed, so they are fast and inexpensive. Check the following link to get the complete procedure of this solution: https://cloud.google.com/solutions/dr-scenarios-for-data

Answer 217

Correct Answers: C and D Google Cloud global Load Balancing gives a single anycast IP for the users anywhere in the world. This IP address will be declined in the best network path to the Google Edge Network around the world, closest to the users. This is an important feature of the powerful Google Network. The Edge Network is the link between ISP (Internet Providers) and the Google Network and hosts also the CDN services that cache and accelerate static contents. Google Cloud global Load Balancing and CDN are designed to work together for these goals. A is wrong because Apigee Edge is a powerful and enterprise API (Application Programming Interface). B is wrong because Vertex is a complete cloud solution for AI and ML E is wrong becauseCloud Endpoints is also an API (Application Programming Interface), and so it is designed for completely different scopes. For any further detail: https://cloud.google.com/cdn/docs/overview https://cloud.google.com/load-balancing https://peering.google.com/

Answer 218

Correct Answers: C and D Google Cloud Global Load Balancing gives a single anycast IP for users anywhere in the world. This IP address will be in the best network path to the Google Edge Network around the world, closest to the users. This is an important feature of the powerful Google Network. The Edge Network is the link between ISP (Internet Providers) and the Google Network and hosts also the CDN services that cache and accelerate static contents. Google Cloud Global Load Balancing and CDN are designed to work together for these goals. A is wrong because Apigee Edge is a powerful enterprise API (Application Programming Interface). B is wrong because Vertex is a complete cloud solution for AI and ML E is wrong because cloud Endpoints is also an API (Application Programming Interface), and so it is designed for completely different scopes. For any further detail: https://cloud.google.com/cdn/docs/overview https://cloud.google.com/load-balancing https://peering.google.com/

Answer 219

Correct answers: C and E All the solutions indicated are useful for preserving and monitoring the security level of your environment. The question was about CI / CD processes, so the relevant techniques are: Vulnerability Scanning works in container images submitted to Artifact Registry repositories. As soon as a reference, for example, is classified as unsafe, an alarm is raised. Binary authorization is a control for container images deployed on Google Kubernetes Engine (GKE); they must be signed by trusted authorities to ensure their sources. A It is wrong because DLP is and is related to data content and privacy and is not connected to software development and maintenance B It's wrong because Forseti Security is a community-driven, open source security set of tools, unrelated to CI / CD D It is wrong because Event Threat Detection is part of the Security Command Center that reads the logs and, with ML techniques, detects possible threats and dangerous situations For any further detail: https://cloud.google.com/binary-authorization/docs/overview https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview https://cloud.google.com/artifact-registry

Answer 220

Correct options are A, B & D As per the Google Best practices for testing the performance of Bigtable, you should include these test scenarios in your performance and scalability testing Ensure the load tests are performed with enough data - For example, If your production Bigtable consists of 150GB data, you should test the performance with the same amount of data. Ensure heavy pre-test are performed for several minutes - By performing pre-test for several minutes this gives Cloud Bigtable time to balance data across several nodes based on the access pattern Ensure tests are running for at least 10 mins - This ensures that the test read operations are performed from disk as well as cached memory https://cloud.google.com/bigtable/docs/performance#testing Option C is incorrect because as per best practices you should include Bigtable while performance testing Option E is incorrect because the question is asking suggestions related to Bigtable

Answer 221

D) Option correct GDPR (General Data Protection Regulation) is regulatory compliance in Europe which is used to protect any personally identifiable information collected for business purpose within the European region Option A is incorrect because HIPAA is related to protecting the privacy of healthcare data in the U.S Option B is incorrect because it is a Payment Card Industry Data Security Standard to protect credit card information collected for business Option C is incorrect because COPPA is regulatory compliance in the U.S which is related to protecting the privacy of children below 13 age in the U.S

Answer 222

D) Option is correct Cloud Armor is a fully managed service that protects your application against DDOS attack and also provides a Web access firewall which can further provide protection against attacks like XSS (cross-site-scripting), SQL injection, etc. You can also have geo-based access control to your application using Cloud armor. https://cloud.google.com/armor Option A is incorrect because it is used to detect threats like Burt force attack from logs and reports to Security command center Option B is incorrect because it is used to control incoming and outgoing traffic to and from your compute engine VM’s Option C is incorrect because it is used to find any vulnerable library used in your application code

Answer 223

D) Option is correct Organization viewer role will provide the ability to view the entire organization and Project viewer role will grant read-only access to all the projects and resources under it within the organization Option A is incorrect because the Project editor is a too broad role and it will grant read-write access to the resources within the project Option B is incorrect because the Security Center Admin will not grant read-only access to the project Option C is incorrect because the Project editor is a too broad role and it will grant admin access to all the resources within the project

Answer 224

Options A & D are correct As per Google’s API key best practices you should never place the API key directly into application code & renew API keys periodically You should save the API keys as environment variables or in a secret management system. https://developers.google.com/maps/api-key-best-practices Option B is incorrect because you should have a limited scope for each API key. Option C is incorrect because as per Google’s best practices you should never store API keys directly into code.

Answer 225

Options A, B, D are the right choices. Using SELECT * is the most expensive way to query data. When you use SELECT *, BigQuery does a full scan of every column in the table. Queries are billed according to the number of bytes read. To estimate costs before running a query you could use The --dry_run flag in the CLI. If possible, partition your BigQuery tables by date. Partitioning your tables allows you to query relevant subsets of data which improves performance and reduces costs. Option C is an incorrect choice because applying a LIMIT clause to a query does not affect the amount of data that is read. It merely limits the results set to output. You are billed for reading all bytes in the entire table as indicated by the query. Option E is an incorrect choice because, Keeping large result sets in BigQuery storage has a cost. If you don't need permanent access to the results, use the default table expiration to automatically delete the data for you. Reference(s) : https://cloud.google.com/bigquery/docs/best-practices-costs

Answer 226

The correct answer is Option C. Option C is correct - Google Cloud Dedicated Interconnect or Google Cloud partner Interconnect Both VPN and Dedicated Interconnect/Partner Interconnect provide private address space communication. "The database is 4 TB, and large updates are frequent" makes the Dedicated Interconnect/Partner Interconnect a suitable solution due to its bandwidth capability and SLA A single interconnect can be a single 10G link or a link bundle, connected to a single Google router Option D is incorrect because Google Cloud VPN connected to the data center network Option A is incorrect because you cannot create two VPN tunnels within the same Cloud VPN gateway to the same destination VPN gateway. Option B is incorrect because Direct Peering exists outside of the Google Cloud Platform. https://cloud.google.com/hybrid-connectivity/ Dedicated Interconnect Overview: https://cloud.google.com/interconnect/docs/concepts/dedicated- overview

Answer 227

The correct answer is Option D. The best approach is by elimination: start from any requirements, for example, you may start elimination by the requirement not supported by repeatedly appeared components (e.g., GCE and GKE) in the questions · Req 1: Be based on open-source technology for cloud portability · Req 3 Support continuous software delivery · Req 5 Deploy application bundles using dynamic templates · Req 6 Route network traffic to specific services based on URL If we start from “Be based on open-source technology for cloud portability”, we know that Container Engine (new name is K8s Engine, GKE for short) one of the unique features is “open-source and cloud portability”. Now we have followings left: · Google Kubernetes Engine and Cloud Load Balancing · Google Kubernetes Engine, Jenkins, and Helm At this point, if you have the experience or knowledge, you probably are able to make the right decision. If not then following the same approach, we can choose either requirement of LB or CICD. For example, if we chose CICD, then the only answer is: Answer D. Google Kubernetes Engine, Jenkins, and Helm At first glance it appears answer D does not meet “all of his requirements” since it seems misses the “Route network traffic to specific services based on URL”, an obvious feature for Cloud Load Balancing. If looking further, we know, unlike Compute Engine, the Kubernetes Engine offers integrated support for two types of cloud load balancing for a publicly accessible application. One of them is HTTP(S) load balancers are designed to terminate HTTP(S) requests and can make better context-aware load balancing decisions. https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer For your information: Helm is a package manager for Kubernetes templates. It allows for defining the Kubernetes templates required to run an application and then replace the application options dynamically. It bundles all the templates in `tgz` packages called charts. https://helm.sh/ Note: The first requirement in the question is "Open source technology for cloud portability ". The Google Kubernetes Engine (GKE) is the most preferred choice for this requirement for this. Google document mentions the following about GKE: Requirement 3 in the question is Continues delivery. Hence the correct choice will be Google Container Engine, Jenkins, and Helm. Also the one more requirement here is "Route network traffic to specific services based on URL" which is the requirement make you think to select Cloud Load Balancing. Let's summarise how load balancing is achieved here. The Google Document mentions the following: Kubernetes Engine offers integrated support for two types of cloud load balancing for a publicly accessible application. Reference link: https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer

Whizlabs, Practice Questions Flashcards

Google Cloud Certified Professional Cloud Architect