GCP Quizzes SET 3


Which storage service provides a globally consistent, horizontally scalable RDBMS?

• Cloud Firestore
• Cloud Bigtable
• Cloud Spanner
• BigQuery

A managed instance group is thrashing: it keeps adding more VMs, and then shutting them down. The
VMs are working properly. How would you fix it?

• By decreasing the minimum number of VMs in the instance group
• By increasing the maximum number of VMs in the instance group
• By decreasing the time autoscalers consider when making decisions
• By increasing the time autoscalers consider when making decisions

Feedback

https://cloud.google.com/compute/docs/autoscaler/understanding-autoscaler-decisions#delays_in_scaling_out
https://cloud.google.com/compute/docs/autoscaler/understanding-autoscaler-decisions#scale-in_controls

A microservice has intermittent problems that cause bursts of logs. How can you spot the right time to
analyze the logs as issues happen?

• Log into the machine running the microservice and wait for the log messages.
• Look for errors in the Error Reporting dashboard.
• Configure the microservice to send traces to Cloud Trace.
• Set a log metric in Cloud Logging, and alert on it past a threshold.

An application synchronously communicates between microservices. Which approach will decouple the
microservices?

• Create a Pub/Sub topic that sender writes and receiver reads
• Have sender write to local drives; receiver mounts drives read-only
• Create a Cloud Storage bucket that sender writes and receiver reads
• Create a Bigtable database that sender writes and receiver reads

When migrating a SQL Server application to GCP, which DBMS service may be easiest to move to?

• Cloud Dataproc
• Cloud Bigtable
• Cloud PostgreSQL
• Cloud SQL

Which product uses the Apache Beam API to provide the transformation part of ETL services?

• BigQuery
• Cloud Dataproc
• Cloud Pub/Sub
• Cloud Dataflow

Which native GCP service provides a managed alternative to Apache Kafka service?

• Cloud Dataflow
• Cloud Pub/Sub
• Cloud Dataproc
• BigQuery

Which change would increase network bandwidth for a virtual machine with 2 vCPUs and 8 GB memory
on the default VPC?

• Assign 16 vCPUs
• Assign 4 Network Interfaces
• Assign a Custom Machine Type
• Assign 32 GB Memory

How to avoid dropped incoming data during workload spikes - without increasing the number of VMs?

• Add memory to the VMs
• Write to Cloud Pub/Sub and have VMs read from queue
• Use local SSDs on VMs
• Write to Cloud Memorystore and have VMs read from cache

An application is running on a managed instance group, but it is not able to serve the incoming requests.
What might be the most probable reason (out of those listed below)?

• VM shuts down when instance group time-to-live expires; a new VM starts
• The application shuts down when the instance group time-to-live expires
• VM shuts down when the health check fails & a new VM starts
• The application shuts down when the health check fails

Static web data loads slowly for users in other regions. How can you best improve performance?

• Use Premium Network for VMs
• Scale up the size of the VMs
• Distribute data using Cloud CDN
• Move the VMs to a location nearer the users

What is your choice for a managed database for JSON documents?

• Cloud Filestore
• Cloud Spanner
• Cloud Firestore
• Cloud Bigtable

You need a private 1 Gbps connection between your GCP project and on-premises datacenter. The
optimal choice from cost perspective is:

• Cloud VPN
• Hybrid Interconnect
• Dedicated Interconnect
• Partner Interconnect

You are expanding from US to Europe. Which option routes users to the nearest healthy server?

• Content delivery network
• Global load balancing
• Simple network management protocol
• VPN

Can Google Cloud Load Balancing balance HTTP traffic across multiple regions?

• True
• False

Which load-balancing option is best for a large-scale, world-wide web app with a lot of static data?

• TCP load balancer with SSL
• HTTP/S load balancer with SSL and CDN
• HTTP/S load balancer with SSL
• TCP load balancer with SSL and CDN

VPC firewall rules are applied to traffic that is

• entering a VM from outside its project
• entering a VM regardless of origin
• entering a VM from outside the VPC network
• entering a VM from outside the VPC subnet

To connect networks between GCP projects in the same or different organizations, you should use:

• Dedicated Peering
• Carrier Peering
• VPC Peering
• Dedicated Interconnect

To ensure that a load balancer only sends requests to virtual machines that are working, you would use

• Health check
• Liveness probe
• Readiness probe
• Uptime check

You want to be notified if your application is down. Which tool can provide the basis for an alert?

• Health check
• Liveness probe
• Readiness probe
• Uptime check

A customer wants to migrate to GCP but still maintain their investment in an existing Apache Spark data
pipeline code base. Which service should they choose?

• BigQuery
• Dataflow
• Dataproc
• Dataprep

A client is using Cloud SQL database to serve infrequently changing lookup tables that host data used by
applications. The applications will not modify the tables. As they expand into other geographic regions,
they want to ensure good performance. What do you recommend?

• Migrate to Cloud Spanner.
• Read replicas.
• Instance high availability configuration.
• Replicate from an external server.

Feedback

This is correct. A read replica will increase the availability of the service and can be located
closer to the users in the new geographies.

EHR Healthcare - Case Study

For this question, refer to the EHR Healthcare case study. You need to define the technical architecture
for hybrid connectivity between EHR's on-premises systems and Google Cloud. You want to follow
Google's recommended practices for production-level applications. Considering the EHR Healthcare
business and technical requirements, what should you do?

A. Configure two Partner Interconnect connections in one metro (City), and make sure the Interconnect
connections are placed in different metro zones. → Connectivity through a Partner is not reliable and not
recommended by Google

B. Configure two VPN connections from on-premises to Google Cloud, and make sure the VPN devices
on-premises are in separate racks. → Not the best in terms of performance, latency and throughput

C. Configure Direct Peering between EHR Healthcare and Google Cloud, and make sure you are peering
at least two Google locations. → requires external IPs, but hybrid connectivity with on-prem is
requested, so we need internal IPs

D. Configure two Dedicated Interconnect connections in one metro (City) and two connections in
another metro, and make sure the Interconnect connections are placed in different metro zones.

For this question, refer to the EHR Healthcare case study. In the past, configuration errors put public IP
addresses on backend servers that should not have been accessible from the Internet. You need to
ensure that no one can put external IP addresses on backend Compute Engine instances and that
external IP addresses can only be configured on frontend Compute Engine instances. What should you
do?

A. Create an Organizational Policy with a constraint to allow external IP addresses only on the frontend
Compute Engine instances.

B. Revoke the compute.networkAdmin role from all users in the project with front end instances. →
does not prevent human error: someone could still create an external IP address

C. Create an Identity and Access Management (IAM) policy that maps the IT staff to the
compute.networkAdmin role for the organization. → does not prevent human error: someone
could still create an external IP address

D. Create a custom Identity and Access Management (IAM) role named GCE_FRONTEND with the
compute.addresses.create permission. → does not prevent human error: someone could still
create an external IP address

Your client created an Identity and Access Management (IAM) resource hierarchy with Google Cloud
when the company was a startup. Your client has grown and now has multiple departments and teams.
You want to recommend a resource hierarchy that follows Google-recommended practices. What
should you do?

A. Keep all resources in one project, and use a flat resource hierarchy to reduce complexity and simplify
management.

B. Keep all resources in one project, but change the resource hierarchy to reflect company organization.

C. Use a flat resource hierarchy and multiple projects with established trust boundaries.

D. Use multiple projects with established trust boundaries, and change the resource hierarchy to reflect
company organization.

Cymbal Direct’s social media app must run in a separate project from its APIs and web store. You want
to use Identity and Access Management (IAM) to ensure a secure environment. How should you set up
IAM?

A. Use separate service accounts for each component (social media app, APIs, and web store) with basic
roles to grant access.

B. Use one service account for all components (social media app, APIs, and web store) with basic roles to
grant access.

C. Use separate service accounts for each component (social media app, APIs, and web store) with
predefined or custom roles to grant access.

D. Use one service account for all components (social media app, APIs, and web store) with predefined
or custom roles to grant access.

Michael is the owner/operator of “Zneeks,” a retail shoe store that caters to sneaker aficionados. He
regularly works with customers who order small batches of custom shoes. Michael is interested in using
Cymbal Direct to manufacture and ship custom batches of shoes to these customers. Reasonably
tech-savvy but not a developer, Michael likes using Cymbal Direct's partner purchase portal but wants the
process to be easy. What is an example of a user story that could describe Michael’s persona?

A. As a shoe retailer, Michael wants to send Cymbal Direct custom purchase orders so that batches of
custom shoes are sent to his customers.

B. Michael is a tech-savvy owner/operator of a small business.

C. Zneeks is a retail shoe store that caters to sneaker aficionados.

D. Michael is reasonably tech-savvy but needs Cymbal Direct's partner purchase portal to be easy.

Cymbal Direct has an application running on a Compute Engine instance. You need to give the
application access to several Google Cloud services. You do not want to keep any credentials on the VM
instance itself. What should you do?

A. Create a service account for each of the services the VM needs to access. Associate the service
accounts with the Compute Engine instance.

B. Create a service account and assign it the project owner role, which enables access to any needed
service.

C. Create a service account for the instance. Use Access scopes to enable access to the required services.

D. Create a service account with one or more predefined or custom roles, which give access to the
required services.

Cymbal Direct wants to use Identity and Access Management (IAM) to allow employees to have access
to Google Cloud resources and services based on their job roles. Several employees are project
managers and want to have some level of access to see what has been deployed. The security team
wants to ensure that securing the environment and managing resources is simple so that it will scale.
What approach should you use?

A. Grant access by assigning custom roles to groups. Use multiple groups for better control. Give access
as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.

B. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Give
access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher
level.

C. Give access directly to each individual for more granular control. Give access as low in the hierarchy as
possible to prevent the inheritance of too many abilities from a higher level.

D. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Make
sure you give out access to all the children in a hierarchy under the level needed, because child
resources will not automatically inherit abilities.

You have several Compute Engine instances running NGINX and Tomcat for a web application. In your
web server logs, many login failures come from a single IP address, which looks like a brute force attack.
How can you block this traffic?

A. Edit the Compute Engine instances running your web application, and enable Google Cloud Armor.
Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies
the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of
"403," and accept the default priority (1000).

B. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine
instances running your web server. Create a Google Cloud Armor policy with a default rule action of
"Deny." Add a new rule that specifies the IP address causing the login failures as the Condition, with an
action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load
balancer backend service's HTTP-backend as the target.

C. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine
instances running your web server. Create a Google Cloud Armor policy with a default rule action of
"Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an
action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load
balancer backend service's HTTP-backend as the target.

D. Ensure that an HTTP(S) load balancer is configured to send traffic to your backend Compute Engine
instances running your web server. Create a Google Cloud Armor policy using the instance’s local
firewall with a default rule action of "Allow." Add a new local firewall rule that specifies the IP address
causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and
accept the default priority (1000).

Cymbal Direct needs to make sure its new social media integration service can’t be accessed directly
from the public internet. You want to allow access only through the web frontend store. How can you
prevent access to the social media integration service from the outside world, but still allow access to
the APIs of social media services?

A. Remove external IP addresses from the VM instances running the social media service and place them
in a private VPC behind Cloud NAT. Any SSH connection for management should be done with
Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate
network.

B. Limit access to the external IP addresses of the VM instances using firewall rules and place them in a
private VPC behind Cloud NAT. Any SSH connection for management should be done with
Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate
network.

C. Limit access to the external IP addresses of the VM instances using a firewall rule to block all
outbound traffic. Any SSH connection for management should be done with Identity-Aware Proxy (IAP)
or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.

D. Remove external IP addresses from the VM instances running the social media service and place them
in a private VPC behind Cloud NAT. Any SSH connection for management should be restricted to
corporate network IP addresses by Google Cloud Armor.

Cymbal Direct is experiencing success using Google Cloud and you want to leverage tools to make your
solutions more efficient. Erik, one of the original web developers, currently adds new products to your
application manually. Erik has many responsibilities and requires a long lead time to add new products.
You need to create a Cloud Functions application to let Cymbal Direct employees add new products
instead of waiting for Erik. However, you want to make sure that only authorized employees can use the
application. What should you do?

A. Set up Cloud VPN between the corporate network and the Google Cloud project's VPC network. Allow
users to connect to the Cloud Functions instance.

B. Use Google Cloud Armor to restrict access to the corporate network’s external IP address. Configure
firewall rules to allow only HTTP(S) access.

C. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) to
the Cloud Functions application as an HTTP-resource. Add the group as a principal with the role “Project
Owner.”

D. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) to
the Cloud Functions application as an HTTP-resource. Add the group as a principal with the role
“IAP-secured Web App User.”

You've recently created an internal Cloud Run application for developers in your organization. The
application lets developers clone production Cloud SQL databases into a project specifically created to
test code and deployments. Your previous process was to export a database to a Cloud Storage bucket,
and then import the SQL dump into a legacy on-premises testing environment database with
connectivity to Google Cloud via Cloud VPN. Management wants to incentivize using the new process
with Cloud SQL for rapid testing and track how frequently rapid testing occurs. How can you ensure that
the developers use the new process?

A. Use an ACL on the Cloud Storage bucket. Create a read-only group that only has viewer privileges, and
ensure that the developers are in that group.

B. Leave the ACLs on the Cloud Storage bucket as-is. Disable Cloud VPN, and have developers use
Identity-Aware Proxy (IAP) to connect. Create an organization policy to enforce public access protection.

C. Use predefined roles to restrict access to what the developers are allowed to do. Create a group for
the developers, and associate the group with the Cloud SQL Viewer role. Remove the
"cloudsql.instances.export" ability from the role.

D. Create a custom role to restrict access to what developers are allowed to do. Create a group for the
developers, and associate the group with your custom role. Ensure that the custom role does not have
"cloudsql.instances.export."

Your client is legally required to comply with the Payment Card Industry Data Security Standard
(PCI-DSS). The client has formal audits already, but the audits are only done periodically. The client needs to
monitor for common violations to meet those requirements more easily. The client does not want to
replace audits but wants to engage in continuous compliance and catch violations early. What would
you recommend that this client do?

A. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics
in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.

B. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics
in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.

C. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics
in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.

D. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics
in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.
