Practice Test 5

The document contains the results of a practice test with 4 multiple choice questions. For question 1, the correct answer is to create a Cloud Monitoring workspace in the production project and add the development and test projects to it in order to view monitoring information for all projects in a single dashboard. For question 2, the correct answer is to migrate the on-premise unstructured data to Cloud Storage using a custom script with gsutil commands, so that Cloud Dataflow can then access the files to transform and migrate the cleansed data to BigQuery. For question 3, the correct answer is to enable a firewall rule at priority 65534 to block all egress traffic, and another firewall rule at priority 100 to allow essential

Uploaded by

Rithik Sharma

Practice Test 5 - Results

Question 1: Incorrect
You want to monitor resource utilization (RAM, Disk, Network, CPU, etc.) for all
applications in development, test and production GCP projects in a single
dashboard. What should you do?

Make use of the default Cloud Monitoring dashboards in all the projects.

Create a Cloud Monitoring workspace in the production project and add
development and test projects to it.

(Correct)

Grant roles/monitoring.admin to development, test and production GCP projects.

(Incorrect)

In Cloud Monitoring, share charts from development, test and production GCP
projects.

Explanation
In Cloud Monitoring, share charts from development, test and production GCP
projects. is not right.

This option involves a lot of work. You can share charts from development, test and
production projects by enabling Cloud Monitoring as a data source for Grafana
Ref: https://cloud.google.com/monitoring/charts/sharing-charts
and then follow the instructions
at https://grafana.com/docs/grafana/latest/features/datasources/cloudmonitoring/
to build Grafana dashboards.

Grant roles/monitoring.admin to development, test and production GCP
projects. is not right.
You don’t grant roles to projects, and this doesn’t help you get a unified view in a single
dashboard.
Ref: https://cloud.google.com/monitoring/access-control

Make use of the default Cloud Monitoring dashboards in all the projects. is
not right.
Possibly, but this doesn't satisfy the requirement "single pane of glass".

Create a Cloud Monitoring workspace in the production project and add
development and test projects to it. is the right answer.
A Workspace is a tool for monitoring resources contained in one or more Google Cloud
projects or AWS accounts. A Workspace accesses metric data from its monitored
projects, but the metric data remains in those projects. You can configure the production
project to be the host project and the development and test projects as the monitored
projects. You can then build dashboards in the Cloud Monitoring workspace and view
monitoring information for all projects in a "single pane of glass".
Ref: https://cloud.google.com/monitoring/workspaces

Question 2: Incorrect
Your company has a massive quantity of unstructured data in text, Apache AVRO
and PARQUET files in the on-premise data centre and wants to transform this data
using a Dataflow job and migrate cleansed/enriched data to BigQuery. How
should you make the on-premise files accessible to Cloud Dataflow?

Migrate the data from the on-premises data centre to BigQuery by using a custom
script with bq commands.

(Incorrect)

Migrate the data from the on-premises data centre to Cloud Spanner by using the
upload files function.

Migrate the data from the on-premises data centre to Cloud SQL for MySQL by
using the upload files function.

Migrate the data from the on-premises data centre to Cloud Storage by using a
custom script with gsutil commands.

(Correct)

Explanation
The key to answering this question is "unstructured data".

Migrate the data from the on-premises data centre to BigQuery by using a
custom script with bq commands. is not right.
The bq load command is used to load data in BigQuery from a local data source, i.e.
local file, but the data has to be in a structured format.

bq --location=LOCATION load \
--source_format=FORMAT \
PROJECT_ID:DATASET.TABLE \
PATH_TO_SOURCE \
SCHEMA

where SCHEMA is a valid schema. The schema can be a local JSON file, or it can be typed
inline as part of the command. You can also use the --autodetect flag instead of
supplying a schema definition.
Ref: https://cloud.google.com/bigquery/docs/loading-data-local#bq

Migrate the data from the on-premises data centre to Cloud SQL for MySQL by
using the upload files function. is not right.
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL
Server. As it is a relational database, it is intended for structured data and is not a fit
for unstructured data.
Ref: https://cloud.google.com/sql

Migrate the data from the on-premises data centre to Cloud Spanner by using
the upload files function. is not right.
Cloud Spanner is the first scalable, enterprise-grade, globally-distributed, and strongly
consistent database service built for the cloud specifically to combine the benefits of
relational database structure with non-relational horizontal scale. Although Google
claims Cloud Spanner is the best of the relational and non-relational worlds, it also says
"With Cloud Spanner, you get the best of relational database structure and non-
relational database scale and performance with external strong consistency across rows,
regions, and continents." Cloud Spanner is for structured data and is not a fit for
unstructured data.
Ref: https://cloud.google.com/spanner

Migrate the data from the on-premises data centre to Cloud Storage by using
a custom script with gsutil commands. is the right answer.
Cloud Storage imposes no such restrictions; you can store large quantities of
unstructured data in different file formats. Cloud Storage provides globally unified,
scalable, and highly durable object storage for developers and enterprises. Also,
Dataflow can query Cloud Storage filesets as described in this article:
Ref: https://cloud.google.com/dataflow/docs/guides/sql/data-sources-destinations#querying-gcs-filesets

Question 3: Correct
You are deploying an application on Google Compute Engine, and you want to
minimize network egress costs. The organization has a policy that requires you to
block all but essential egress traffic. What should you do?

Enable a firewall rule at priority 100 to allow ingress and essential egress traffic.

Enable a firewall rule at priority 100 to block all egress traffic, and another firewall
rule at priority 65534 to allow essential egress traffic.

Enable a firewall rule at priority 65534 to block all egress traffic, and another
firewall rule at priority 100 to allow essential egress traffic.

(Correct)


Enable a firewall rule at priority 100 to allow essential egress traffic.

Explanation
Enable a firewall rule at priority 100 to allow essential egress traffic. is
not right.
This option would enable all egress traffic. Every VPC network has two implied firewall
rules, one of which is the implied allow egress rule. This egress rule whose action is
allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any
instance send traffic to any destination, except for traffic blocked by Google Cloud.
Since we want to restrict egress on all but required traffic, you can't rely on just the high
priority rules to allow specific traffic.
Ref: https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules

Enable a firewall rule at priority 100 to allow ingress and essential egress
traffic. is not right.
Ingress and egress rules are independent of each other and are evaluated separately. Like
above, this would enable all egress traffic. Every VPC network has two implied firewall
rules, one of which is the implied allow egress rule. This egress rule whose action is
allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any
instance send traffic to any destination, except for traffic blocked by Google Cloud.
Since we want to restrict egress on all but required traffic, you can't rely on just the high
priority rules to allow specific traffic.
Ref: https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules

Enable a firewall rule at priority 100 to block all egress traffic, and
another firewall rule at priority 65534 to allow essential egress traffic. is
not right.
The firewall rule priority is an integer from 0 to 65535, inclusive. Lower integers indicate
higher priorities. The highest priority rule applicable for a given protocol and port
definition takes precedence over others. In this scenario, a deny-all egress rule at
priority 100 takes precedence over every allow rule at a lower priority (higher integer),
so all outgoing traffic is blocked.
Ref: https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules

Enable a firewall rule at priority 65534 to block all egress traffic, and
another firewall rule at priority 100 to allow essential egress traffic. is
the right answer.
The firewall rule priority is an integer from 0 to 65535, inclusive. Lower integers indicate
higher priorities. The highest priority rule applicable for a given protocol and port
definition takes precedence over others. The relative priority of a firewall rule determines
whether it is applicable when evaluated against others. In this scenario, the allow rule at
priority 100 is evaluated first, and this allows the required egress traffic. The deny rule at
65534 priority is executed last and denies all other traffic that is not allowed by previous
allow rules.
Ref: https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules
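As an added illustration (not part of the original test and not Google's code), the following Python models the priority evaluation the explanation describes for the three egress rule sets in this question: lowest integer wins, a tie goes to deny, and the implied allow-egress rule sits at 65535. The "essential" destination 203.0.113.0/24 on port 443 and the probe addresses are constructed placeholders.

```python
"""Model of VPC firewall egress evaluation by priority (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class EgressRule:
    """One egress firewall rule, reduced to the fields priority evaluation needs."""
    name: str
    priority: int                           # 0..65535; a lower integer is a higher priority
    action: str                             # "allow" or "deny"
    destination: str                        # destination CIDR the rule matches
    ports: Optional[FrozenSet[int]] = None  # None means every port

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"{self.name}: priority {self.priority} outside 0..65535")
        if self.action not in ("allow", "deny"):
            raise ValueError(f"{self.name}: action must be allow or deny")


# Every VPC network carries this implied rule at the lowest possible priority.
IMPLIED_ALLOW_EGRESS = EgressRule("implied-allow-egress", 65535, "allow", "0.0.0.0/0")


def egress_decision(rules: Iterable[EgressRule], dest_ip: str, port: int) -> Tuple[str, str]:
    """Return (action, rule name) for a packet leaving the VM.

    Among the rules whose destination and port match, the one with the lowest
    priority integer wins; on an exact tie, deny takes precedence over allow.
    """
    dest = ip_address(dest_ip)
    applicable = [
        r for r in [*rules, IMPLIED_ALLOW_EGRESS]
        if dest in ip_network(r.destination) and (r.ports is None or port in r.ports)
    ]
    winner = min(applicable, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


# Constructed placeholder: the only essential egress is HTTPS to a partner range
# (203.0.113.0/24 is a documentation prefix, not a real destination).
ESSENTIAL_DEST = "203.0.113.0/24"
ESSENTIAL_PORTS = frozenset({443})

# Rejected option: the deny at 100 outranks the allow at 65534, so nothing leaves.
DENY_FIRST = [
    EgressRule("deny-all-egress", 100, "deny", "0.0.0.0/0"),
    EgressRule("allow-essential", 65534, "allow", ESSENTIAL_DEST, ESSENTIAL_PORTS),
]

# Correct answer: allow at 100 is evaluated first; deny at 65534 catches the rest
# while still sitting above the implied allow at 65535.
ALLOW_FIRST = [
    EgressRule("allow-essential", 100, "allow", ESSENTIAL_DEST, ESSENTIAL_PORTS),
    EgressRule("deny-all-egress", 65534, "deny", "0.0.0.0/0"),
]

# Rejected option with only an allow rule: nothing overrides the implied allow.
ALLOW_ONLY = [EgressRule("allow-essential", 100, "allow", ESSENTIAL_DEST, ESSENTIAL_PORTS)]

# Constructed probes: one essential flow and three non-essential ones.
ESSENTIAL_PROBE = ("203.0.113.10", 443)
OTHER_PROBES = [("203.0.113.10", 80), ("198.51.100.7", 443), ("192.0.2.53", 53)]


def policy_meets_requirement(rules: Iterable[EgressRule]) -> bool:
    """True when essential traffic passes and every non-essential probe is denied."""
    rules = list(rules)
    essential_ok = egress_decision(rules, *ESSENTIAL_PROBE)[0] == "allow"
    others_blocked = all(egress_decision(rules, ip, p)[0] == "deny" for ip, p in OTHER_PROBES)
    return essential_ok and others_blocked


if __name__ == "__main__":
    for label, rules in [("deny@100 / allow@65534", DENY_FIRST),
                         ("allow@100 / deny@65534", ALLOW_FIRST),
                         ("allow@100 only", ALLOW_ONLY)]:
        print(f"{label:24} essential -> {egress_decision(rules, *ESSENTIAL_PROBE)}, "
              f"other -> {egress_decision(rules, '198.51.100.7', 443)}, "
              f"meets requirement: {policy_meets_requirement(rules)}")
```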

Question 4: Correct
You manage an overnight batch job that uses 20 VMs to transfer customer
information from a CRM system to a BigQuery dataset. The job can tolerate some
VMs going down. The current high cost of the VMs makes the overnight job not
viable, and you want to reduce the costs. What should you do?

Use tiny f1-micro instances to reduce cost.

Use a fleet of f1-micro instances behind a Managed Instances Group (MIG) with
autoscaling and minimum nodes set to 1.

Use a fleet of f1-micro instances behind a Managed Instances Group (MIG) with
autoscaling. Set minimum and maximum nodes to 20.

Use preemptible compute engine instances to reduce cost.

(Correct)

Explanation
Use preemptible compute engine instances to reduce cost. is the right answer.

Since the batch workload is fault-tolerant, i.e. can tolerate some of the VMs being
terminated, you should use preemptible VMs. A preemptible VM is an instance that you
can create and run at a much lower price than normal instances. However, Compute
Engine might stop (preempt) these instances if it requires access to those resources for
other tasks. Preemptible instances are excess Compute Engine capacity, so their
availability varies with usage. If your apps are fault-tolerant and can withstand possible
instance preemptions, then preemptible instances can reduce your Compute Engine
costs significantly. For example, batch processing jobs can run on preemptible instances.
If some of those instances stop during processing, the job slows but does not entirely
stop. Preemptible instances complete your batch processing tasks without placing
additional workload on your existing instances and without requiring you to pay full
price for additional regular instances.

Ref: https://cloud.google.com/compute/docs/instances/preemptible#what_is_a_preemptible_instance

Question 5: Incorrect
You want to optimize the storage costs for long term archival of logs. Logs are
accessed frequently in the first 30 days and only retrieved after that if there is any
special requirement in the annual audit. The auditors may need to look into log
entries of the previous three years. What should you do?

Store the logs in Standard Storage Class and set up a lifecycle policy to transition
the files older than 30 days to Archive Storage Class.

(Correct)

Store the logs in Standard Storage Class and set up lifecycle policies to transition
the files older than 30 days to Coldline Storage Class, and files older than 1 year to
Archive Storage Class.

(Incorrect)

Store the logs in Nearline Storage Class and set up a lifecycle policy to transition
the files older than 30 days to Archive Storage Class.

Store the logs in Nearline Storage Class and set up lifecycle policies to transition
the files older than 30 days to Coldline Storage Class, and files older than 1 year to
Archive Storage Class.
Explanation
Store the logs in Nearline Storage Class and set up a lifecycle policy to
transition the files older than 30 days to Archive Storage Class. is not right.
Nearline Storage is ideal for data you plan to read or modify on average once per
month or less, and there are costs associated with data retrieval. Since we need to
access the data frequently for the first 30 days, we should avoid Nearline and prefer Standard
Storage, which is suitable for frequently accessed ("hot") data.
Ref: https://cloud.google.com/storage/docs/storage-classes#nearline
Ref: https://cloud.google.com/storage/docs/storage-classes#standard

Store the logs in Nearline Storage Class and set up lifecycle policies to
transition the files older than 30 days to Coldline Storage Class, and files
older than 1 year to Archive Storage Class. is not right.
Nearline Storage is ideal for data you plan to read or modify on average once per
month or less, and there are costs associated with data retrieval. Since we need to
access the data frequently for the first 30 days, we should avoid Nearline and prefer Standard
Storage, which is suitable for frequently accessed ("hot") data.
Ref: https://cloud.google.com/storage/docs/storage-classes#nearline
Ref: https://cloud.google.com/storage/docs/storage-classes#standard

Store the logs in Standard Storage Class and set up lifecycle policies to
transition the files older than 30 days to Coldline Storage Class, and files
older than 1 year to Archive Storage Class. is not right.
Since we need to access the data frequently for the first 30 days, we should use Standard
Storage, which is suitable for frequently accessed ("hot") data.
Ref: https://cloud.google.com/storage/docs/storage-classes#standard
However, transitioning to Coldline is unnecessary, as there is no requirement to access the
data after that, so we might as well transition all data to Archive Storage, which offers the
lowest cost option for archiving data.
Ref: https://cloud.google.com/storage/docs/storage-classes#coldline
Ref: https://cloud.google.com/storage/docs/storage-classes#archive

Store the logs in Standard Storage Class and set up a lifecycle policy to
transition the files older than 30 days to Archive Storage Class. is the right
answer.
Since we need to access the data frequently for the first 30 days, we should use Standard
Storage, which is suitable for frequently accessed ("hot") data.
Ref: https://cloud.google.com/storage/docs/storage-classes#standard
And since there is no requirement to access the data after that, we can transition all data to
Archive Storage, which offers the lowest cost option for archiving data.
Ref: https://cloud.google.com/storage/docs/storage-classes#coldline
Ref: https://cloud.google.com/storage/docs/storage-classes#archive

Question 6: Correct
You want to run an application in Google Compute Engine in the app-tier GCP
project and have it export data from Cloud Bigtable to the daily-us-customer-export
Cloud Storage bucket in the data-warehousing project. You plan to run a Cloud
Dataflow job in the data-warehousing project to pick up data from this bucket for
further processing. How should you design the IAM access to enable the compute
engine instance to push objects to the daily-us-customer-export Cloud Storage bucket in
the data-warehousing project?

Ensure both the projects are in the same GCP folder in the resource hierarchy.

Grant the service account used by the compute engine in app-tier GCP project
roles/storage.objectCreator IAM role on app-tier GCP project.

Grant the service account used by the compute engine in app-tier GCP project
roles/storage.objectCreator IAM role on the daily-us-customer-export Cloud
Storage bucket.

(Correct)

Update the access control on daily-us-customer-export Cloud Storage bucket to
make it public. Create a subfolder inside the bucket with a randomized name and
have the compute engine instance push objects to this folder.

Explanation
Ensure both the projects are in the same GCP folder in the resource
hierarchy. is not right.
Folder resources provide an additional grouping mechanism and isolation boundaries
between projects. They can be seen as sub-organizations within the Organization.
Folders can be used to model different legal entities, departments, and teams within a
company. For example, the first level of folders could be used to represent the main
departments in your organization. Since folders can contain projects and other folders,
each folder could then include other sub-folders, to represent different teams. Each
team folder could contain additional sub-folders to represent different applications.
Ref: https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
Although it is possible to move both projects under the same folder, unless the relevant
permissions are assigned to the VM service account, it can't push the exports to the
cloud storage bucket in a different project.

Grant the service account used by the compute engine in app-tier GCP project
roles/storage.objectCreator IAM role on app-tier GCP project. is not right.
The bucket daily-us-customer-export is in the data-warehousing project, so the VM's service
account must be assigned the role on data-warehousing and not on app-tier.

Update the access control on daily-us-customer-export Cloud Storage bucket
to make it public. Create a subfolder inside the bucket with a randomized
name and have the compute engine instance push objects to this folder. is not
right.
Making the bucket public compromises security. It doesn't matter that the folder has a
pseudo-randomized suffix name. Anyone can check the contents of a public bucket.

Grant the service account used by the compute engine in app-tier GCP project
roles/storage.objectCreator IAM role on the daily-us-customer-export Cloud
Storage bucket. is the right answer.
Since the VM needs to access the bucket daily-us-customer-export, which is in the data-
warehousing project, its service account needs to be granted the required permissions (Storage
Object Creator) on the bucket daily-us-customer-export in the data-warehousing project.

Question 7: Incorrect
Your company’s compute workloads are split between the on-premises data centre
and Google Cloud Platform. The on-premises data centre is connected to Google
Cloud network by Cloud VPN. You have a requirement to provision a new non-
publicly-reachable compute engine instance on a c2-standard-8 machine type in
australia-southeast1-b zone. What should you do?

Configure a route to route all traffic to the public IP of compute engine instance
through the VPN tunnel.
(Incorrect)

Provision the instance in a subnet that has Google Private Access enabled.

Provision the instance in a subnetwork that has all egress traffic disabled.

Provision the instance without a public IP address.

(Correct)

Explanation
Provision the instance in a subnet that has Google Private Access enabled. is
not right.
VM instances that only have internal IP addresses (no external IP addresses) can use
Private Google Access to reach the external IP addresses of Google APIs and services. Private
Google Access has no effect on instances with public IPs, as they are always publicly
reachable irrespective of the Private Google Access setting.
Ref: https://cloud.google.com/vpc/docs/private-access-options#pga

Provision the instance in a subnetwork that has all egress traffic
disabled. is not right.
An egress firewall rule prevents traffic from leaving the VPC network, but does not
prevent traffic coming in. If the instance has a public IP address, then the instance is still
publicly reachable despite creating a deny-all egress firewall rule.

Configure a route to route all traffic to the public IP of compute engine
instance through the VPN tunnel. is not right.
You cannot create routes for public IP addresses. Routes within the VPC are applicable
only to traffic on the internal IP range.
Ref: https://cloud.google.com/vpc/docs/routes

Provision the instance without a public IP address. is the right answer.
Public IP addresses are internet routable. Private IP addresses, such as RFC 1918 addresses,
are internal and not internet routable. So creating the instance without a public IP address
ensures that no internet traffic can reach it.
Ref: https://cloud.google.com/vpc/docs/ip-addresses

Question 8: Incorrect
Your compliance team has asked you to set up access for an external auditor to logs
from all GCP projects for the last 60 days. The auditor wants to combine, explore
and analyze the contents of the logs from all projects quickly and efficiently. You
want to follow Google recommended practices. What should you do?

Set up a BigQuery sink destination to export logs from all the projects to a
dataset. Configure the table expiration on the dataset to 60 days. Ask the auditor
to query logs from the dataset.

(Correct)

Set up a Cloud Scheduler job to trigger a Cloud Function that reads and exports
logs from all the projects to a BigQuery dataset. Configure the table expiration on
the dataset to 60 days. Ask the auditor to query logs from the dataset.

Set up a Cloud Storage sink destination to export logs from all the projects to a
bucket. Configure a lifecycle rule to delete objects older than 60 days. Ask the
auditor to query logs from the bucket.

Ask the auditor to query logs from Cloud Logging.

(Incorrect)

Explanation
Ask the auditor to query logs from Cloud Logging. is not right.
Log entries are held in Stackdriver Logging for a limited time known as the retention
period - which is 30 days (default configuration). After that, the entries are deleted. To
keep log entries longer, you need to export them outside of Stackdriver Logging by
configuring log sinks. Also, it’s not easy to combine logs from all projects using this
option.
https://cloud.google.com/blog/products/gcp/best-practices-for-working-with-google-cloud-audit-logging

Set up a Cloud Scheduler job to trigger a Cloud Function that reads and
exports logs from all the projects to a BigQuery dataset. Configure the table
expiration on the dataset to 60 days. Ask the auditor to query logs from the
dataset. is not right.
While this works, it makes no sense to use a Cloud Scheduler job to read from Stackdriver
and store the logs in BigQuery when Google provides a feature (export sinks) that does
the same thing and works out of the box.
Ref: https://cloud.google.com/logging/docs/export/configure_export_v2

Set up a Cloud Storage sink destination to export logs from all the projects
to a bucket. Configure a lifecycle rule to delete objects older than 60
days. Ask the auditor to query logs from the bucket. is not right.
You can export logs by creating one or more sinks that include a logs query and an
export destination. Supported destinations for exported log entries are Cloud Storage,
BigQuery, and Pub/Sub.
Ref: https://cloud.google.com/logging/docs/export/configure_export_v2
Sinks are limited to exporting log entries from the exact resource in which the sink was
created: a Google Cloud project, organization, folder, or billing account. If it makes it
easier to export logs from all projects of an organization, you can create an aggregated
sink that can export log entries from all the projects, folders, and billing accounts of a
Google Cloud organization.
https://cloud.google.com/logging/docs/export/aggregated_sinks
Either way, we now have the data in Cloud Storage, but querying logs information from
Cloud Storage is harder than Querying information from BigQuery dataset. For this
reason, we should prefer BigQuery over Cloud Storage.

Set up a BigQuery sink destination to export logs from all the projects to a
dataset. Configure the table expiration on the dataset to 60 days. Ask the
auditor to query logs from the dataset. is the right answer.
You can export logs by creating one or more sinks that include a logs query and an
export destination. Supported destinations for exported log entries are Cloud Storage,
BigQuery, and Pub/Sub.
Ref: https://cloud.google.com/logging/docs/export/configure_export_v2
Sinks are limited to exporting log entries from the exact resource in which the sink was
created: a Google Cloud project, organization, folder, or billing account. If it makes it
easier to export logs from all projects of an organization, you can create an aggregated
sink that can export log entries from all the projects, folders, and billing accounts of a
Google Cloud organization.
https://cloud.google.com/logging/docs/export/aggregated_sinks
Either way, we now have the data in a BigQuery dataset. Querying information from a
BigQuery dataset is easier and quicker than analyzing contents in a Cloud Storage bucket.
As the requirement is to "quickly analyze the log contents", we should prefer BigQuery
over Cloud Storage.

Also, you can control storage costs and optimize storage usage by setting the default
table expiration for newly created tables in a dataset. If you set the property when the
dataset is created, any table created in the dataset is deleted after the expiration period.
If you set the property after the dataset is created, only new tables are deleted after the
expiration period.

For example, if you set the default table expiration to 7 days, older data is automatically
deleted after 1 week.
Ref: https://cloud.google.com/bigquery/docs/best-practices-storage

Question 9: Correct
A finance analyst at your company is suspended pending an investigation into
alleged financial misconduct. However, their Gsuite account was not disabled
immediately. Your compliance team has asked you to find out if the suspended
employee has accessed any audit logs or BigQuery datasets after their suspension.
What should you do?

Search for the user's Cloud Identity username (email address) as the principal in
system event logs in Cloud Logging.

Search for the user's Cloud Identity username (email address) as the principal in data
access logs in Cloud Logging.

(Correct)

Search for the user's service account as the principal in data access logs in Cloud
Logging.

Search for the user's service account as the principal in admin activity logs in Cloud
Logging.

Explanation
Search for the user's service account as the principal in admin activity logs in
Cloud Logging. is not right.
Admin Activity audit logs do not contain log entries for reading resource data. Admin Activity
audit logs contain log entries for API calls or other administrative actions that modify
the configuration or metadata of resources.
Ref: https://cloud.google.com/logging/docs/audit#admin-activity

Search for the user's Cloud Identity username (email address) as the principal
in system event logs in Cloud Logging. is not right.
System Event audit logs do not contain log entries for reading resource data. System
Event audit logs contain log entries for Google Cloud administrative actions that modify
the configuration of resources. Google systems generate System Event audit logs; they
are not driven by direct user action.
Ref: https://cloud.google.com/logging/docs/audit#system-event

Search for the user's service account as the principal in data access logs in
Cloud Logging. is not right.
Data Access audit logs are the right log type, but the suspended employee would have
accessed audit logs or BigQuery datasets under their own identity, so the principal to
search for is their Cloud Identity username (email address), not a service account.
Ref: https://cloud.google.com/logging/docs/audit#data-access

Search for the user's Cloud Identity username (email address) as the principal
in data access logs in Cloud Logging. is the right answer.
Data Access audit logs contain API calls that read the configuration or metadata of
resources, as well as user-driven API calls that create, modify, or read user-provided
resource data.
Ref: https://cloud.google.com/logging/docs/audit#data-access

Question 10: Incorrect
You developed an application on App Engine Service to read data from a BigQuery
dataset and convert the data to PARQUET format. The application is using the
default app-engine service account in the app-tier GCP project. The data team
owns the BigQuery dataset in the data-warehousing project. What IAM Access
should you grant to the default app-engine service account in app-tier GCP
project?

Grant the service account in the data-warehousing GCP project
roles/bigquery.jobUser role on the app-tier project.

(Incorrect)

Grant the default app-engine service account in the app-tier GCP project
roles/bigquery.dataViewer role on the same project.

Grant the default app-engine service account in the app-tier GCP project
roles/bigquery.dataViewer role on the data-warehousing project.

(Correct)

Grant the default app-engine service account in the app-tier GCP project
roles/bigquery.jobUser role on data-warehousing project.

Explanation
Grant the default app-engine service account in the app-tier GCP project
roles/bigquery.jobUser role on the data-warehousing project. is not right.
Granting the jobUser IAM role lets your App Engine service create and run jobs, including
"query jobs", but doesn't give access to read data, i.e. query the data directly from the
datasets. The role that you need for reading data from datasets is dataViewer.
Ref: https://cloud.google.com/bigquery/docs/access-control#bigquery

Grant the service account in the data-warehousing GCP project
roles/bigquery.jobUser role on the app-tier project. is not right.
If you grant the role from your project, you are granting the permissions for BigQuery
instance in your project. Since the requirement is for the app engine service to read data
from the BigQuery dataset in a different project, this wouldn't work. Moreover, granting
jobUser IAM role lets you run jobs including "query jobs" but doesn't give access to read
data, i.e. query the data directly from the datasets. The role that you need for reading
data from datasets is dataViewer!!
Ref: https://cloud.google.com/bigquery/docs/access-control#bigquery

Grant the default app-engine service account in the app-tier GCP project
roles/bigquery.dataViewer role on the same project. is not right.
If you grant the role from your project, you are granting the permissions for BigQuery
instance in your project. Since the requirement is for the app engine service to read data
from the BigQuery dataset in a different project, these permissions are insufficient.

Grant the default app-engine service account in the app-tier GCP project
roles/bigquery.dataViewer role on the data-warehousing project. is the right
answer.
Since the data resides in the other project, the role must be granted in the other project
to the App Engine service account. And since you want to read the data from BigQuery
datasets, you need dataViewer role.
Ref: https://cloud.google.com/bigquery/docs/access-control#bigquery
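An added example, not from the practice test, that simulates the IAM evaluation behind this answer in Python: a role bound on one project never reaches a dataset in another project, and jobUser carries no read permission. The role-to-permission sets are a constructed subset of the real predefined roles, and the service-account names are hypothetical.

```python
"""Added example, not part of the practice test: a small simulation of IAM
policy evaluation for the cross-project BigQuery read in Question 10.
Role-to-permission maps are a constructed subset of the real predefined
roles; the service-account names are hypothetical."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed subset of the permissions carried by two predefined BigQuery roles.
ROLE_PERMISSIONS = {
    "roles/bigquery.jobUser": {"bigquery.jobs.create"},
    "roles/bigquery.dataViewer": {
        "bigquery.datasets.get",
        "bigquery.tables.get",
        "bigquery.tables.list",
        "bigquery.tables.getData",
    },
}


@dataclass(frozen=True)
class Binding:
    """One role binding held in the IAM policy of `project`."""
    project: str
    member: str
    role: str


def is_allowed(bindings: Iterable[Binding], member: str,
               permission: str, resource_project: str) -> bool:
    """True when a binding on the project that owns the resource grants
    `member` a role containing `permission`.

    A binding on some other project never applies: an IAM policy attaches to
    a resource (here a project) and is inherited only by that resource's
    descendants, so a dataset in data-warehousing is out of reach of anything
    granted on app-tier.
    """
    return any(
        b.project == resource_project
        and b.member == member
        and permission in ROLE_PERMISSIONS.get(b.role, set())
        for b in bindings
    )


def can_read_data(bindings: Iterable[Binding], member: str) -> bool:
    """Reading rows from the dataset needs bigquery.tables.getData granted on
    the project that owns the dataset (data-warehousing)."""
    return is_allowed(bindings, member, "bigquery.tables.getData", "data-warehousing")


# Hypothetical principals: the default App Engine service account of each project.
APP_TIER_SA = "serviceAccount:app-tier@appspot.gserviceaccount.com"
DW_SA = "serviceAccount:data-warehousing@appspot.gserviceaccount.com"

# The four answer options as bindings (project whose policy holds it, member, role).
OPTIONS = {
    "data-warehousing SA gets jobUser on app-tier":
        [Binding("app-tier", DW_SA, "roles/bigquery.jobUser")],
    "app-tier SA gets dataViewer on app-tier":
        [Binding("app-tier", APP_TIER_SA, "roles/bigquery.dataViewer")],
    "app-tier SA gets dataViewer on data-warehousing":
        [Binding("data-warehousing", APP_TIER_SA, "roles/bigquery.dataViewer")],
    "app-tier SA gets jobUser on data-warehousing":
        [Binding("data-warehousing", APP_TIER_SA, "roles/bigquery.jobUser")],
}


def options_allowing_read() -> List[str]:
    """Names of the options under which the app-tier service account can read the data."""
    return [name for name, bs in OPTIONS.items() if can_read_data(bs, APP_TIER_SA)]


if __name__ == "__main__":
    for name, bindings in OPTIONS.items():
        verdict = "ALLOW" if can_read_data(bindings, APP_TIER_SA) else "DENY "
        print(f"{verdict}  {name}")
```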

Question 11: Incorrect


Your company wants to migrate all compute workloads from the on-premises data
centre to Google Cloud Compute Engine. A third-party team provides operational
support for your production applications outside business hours. Everyone at your
company has a Gsuite account, but the support team do not. How should you
grant them access to the VMs?

Use Cloud Identity Aware Proxy (IAP) to enable SSH tunnels to the VMs and add
the third-party team as a tunnel user.

(Correct)

Set up a Cloud VPN tunnel between the third-party network and your production
GCP project.

(Incorrect)


Set up a firewall rule to open SSH port (TCP:22) to the IP range of the third-party
team.

Add all the third party teams’ SSH keys to the production compute engine
instances.

Explanation
Set up a firewall rule to open SSH port (TCP:22) to the IP range of the
third-party team. is not right.
This option is a terrible way to enable access - the SSH connections may be happening
over untrusted networks, i.e. no encryption, and you can't SSH to the instances without
adding an SSH public key.

Set up a Cloud VPN tunnel between the third-party network and your
production GCP project. is not right.
A step forward but you can't SSH without adding SSH public keys to the instances and
opening the firewall ports to allow traffic from the operations partner IP range.

Add all the third party teams’ SSH keys to the production compute engine
instances. is not right.
Like above, you haven't opened the firewall to allow traffic from the operations partner
IP range, and the SSH connections may be happening over untrusted networks, i.e. no
encryption.

Use Cloud Identity Aware Proxy (IAP) to enable SSH tunnels to the VMs and
add the third-party team as a tunnel user. is the right answer.
This option is the preferred approach, given that the operations partner does not use
Google accounts. IAP lets you

- Control access to your cloud-based and on-premises applications and VMs running on
Google Cloud

- Verify user identity and use context to determine if a user should be granted access

- Work from untrusted networks without the use of a VPN

- Implement a zero-trust access model


To set up SSH tunnels using IAP, see:
https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_ssh_connections

Question 12: Correct


You deployed a mission-critical application on Google Compute Engine. Your
operations team have asked you to enable measures to prevent engineers from
accidentally destroying the instance. What should you do?

Turn on deletion protection on the compute engine instance.

(Correct)

Deploy the application on a preemptible compute engine instance.

Uncheck “Delete boot disk when instance is deleted” option when provisioning the
compute engine instance.

Enable automatic restart on the instance.

Explanation
Deploy the application on a preemptible compute engine instance. is not right.
A preemptible VM is an instance that you can create and run at a much lower price than
normal instances. However, Compute Engine might terminate (preempt) these instances
if it requires access to those resources for other tasks. Preemptible instances are excess
Compute Engine capacity, so their availability varies with usage. This option wouldn't
help with our requirement - to prevent anyone from accidentally destroying the
instance.
Ref: https://cloud.google.com/compute/docs/instances/preemptible

Uncheck “Delete boot disk when instance is deleted” option when provisioning
the compute engine instance. is not right.
You can automatically delete read/write persistent zonal disks when the associated VM
instance is deleted. Enabling/Disabling the flag impacts disk deletion but not the
instance termination.
Ref: https://cloud.google.com/compute/docs/disks/add-persistent-disk#updateautodelete

Enable automatic restart on the instance. is not right.
The restart behaviour determines whether the instance automatically restarts if it crashes
or gets terminated. This setting does not prevent anyone from accidentally destroying
the instance.
Ref: https://cloud.google.com/compute/docs/instances/setting-instance-scheduling-options

Turn on deletion protection on the compute engine instance. is the right
answer.
By setting the deletionProtection flag, a VM instance can be protected from accidental
deletion. If a user attempts to delete a VM instance for which you have set the
deletionProtection flag, the request fails.
Ref: https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion

Question 13: Incorrect


You want to deploy a business-critical application on a fleet of compute engine
instances behind an autoscaled Managed Instances Group (MIG). You created an
instance template, configured a MIG to use the instance template and set up the
scaling policies, however, the creation of compute engine VM instance fails. How
should you debug this issue?

1. Ensure instance template syntax is valid.

2. Ensure the instance template, instance and the persistent disk names do not conflict.

1. Ensure you don’t have any persistent disks with the same name as the VM instance.

2. Ensure the disk autodelete property is turned on (disks.autoDelete set to true).

3. Ensure instance template syntax is valid.

(Correct)

1. Ensure you don’t have any persistent disks with the same name as the VM instance.

2. Ensure instance template syntax is valid.

(Incorrect)

1. Ensure the instance template, instance and the persistent disk names do not conflict.

2. Ensure the disk autodelete property is turned on (disks.autoDelete set to true).

Explanation
1. Ensure you don’t have any persistent disks with the same name as the VM
instance.
2. Ensure the disk autodelete property is turned on (disks.autoDelete set to
true).
3. Ensure instance template syntax is valid. is the right answer.
As described in this article, "My managed instance group keeps failing to create a VM.
What's going on?"
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances#troubleshooting
The likely causes are
- A persistent disk already exists with the same name as VM Instance

- disks.autoDelete option is set to false

- instance template might be invalid

Therefore, we need to ensure that the instance template is valid, disks.autoDelete is
turned on, and that there are no existing persistent disks with the same name as the
VM instance.

Question 14: Correct


Your production applications are distributed across several Google Cloud Platform
(GCP) projects, and your operations team want to efficiently manage all the
production projects and applications using gcloud SDK on Cloud Shell. What
should you recommend they do to achieve this in the fewest possible steps?

Create a gcloud configuration for each production project. To manage resources
of a particular project, run gcloud init to update and initialize the relevant gcloud
configuration.

Create a gcloud configuration for each production project. To manage resources
of a particular project, activate the relevant gcloud configuration.

(Correct)

Use the default gcloud configuration on cloud shell. To manage resources of a
particular project, activate the relevant gcloud configuration.

Use the default gcloud configuration on cloud shell. To manage resources of a
particular project, run gcloud init to update and initialize the relevant gcloud
configuration.

Explanation
Create a gcloud configuration for each production project. To manage
resources of a particular project, activate the relevant gcloud
configuration. is the right answer.
gcloud configurations enable you to manage multiple projects in gcloud CLI using the
fewest possible steps,
Ref: https://cloud.google.com/sdk/gcloud/reference/config

For example, we have two projects.

$ gcloud projects list
PROJECT_ID NAME PROJECT_NUMBER
project-1-278333 project-1-278333 85524215451
project-2-278333 project-2-278333 25349885274

We create a configuration for each project. For project-1-278333,

$ gcloud config configurations create project-1-config
$ gcloud config set project project-1-278333

And for project-2-278333,

$ gcloud config configurations create project-2-config
$ gcloud config set project project-2-278333

We now have two configurations, one for each project.

$ gcloud config configurations list
NAME IS_ACTIVE ACCOUNT PROJECT COMPUTE_DEFAULT_ZONE COMPUTE_DEFAULT_REGION
cloudshell-4453 False
project-1-config False project-1-278333
project-2-config True project-2-278333

To activate the configuration for project-1,

$ gcloud config configurations activate project-1-config
Activated [project-1-config].
$ gcloud config get-value project
Your active configuration is: [project-1-config]
project-1-278333

To activate the configuration for project-2,

$ gcloud config configurations activate project-2-config
Activated [project-2-config].
$ gcloud config get-value project
Your active configuration is: [project-2-config]
project-2-278333

Question 15: Incorrect


Your team creates/updates the infrastructure for all production requirements. You
need to implement a new change to the current infrastructure and want to
preview the update to the rest of your team before committing the changes. You
want to follow Google-recommended practices. What should you?

Preview the updates using Deployment Manager and store the results in a Google
Cloud Storage bucket.

(Correct)

Clone the production environment to create a staging environment and deploy the
proposed changes to the staging environment. Execute gcloud compute instances
list to view the changes and store the results in a Google Cloud Storage bucket.

Clone the production environment to create a staging environment and deploy the
proposed changes to the staging environment. Execute gcloud compute instances
list to view the changes and store the results in a Google Cloud Source Repository.

(Incorrect)

Preview the updates using Deployment Manager and store the results in a Google
Cloud Source Repository.

Explanation
Clone the production environment to create a staging environment and deploy
the proposed changes to the staging environment. Execute gcloud compute
instances list to view the changes and store the results in a Google Cloud
Storage bucket. is not right.
gcloud compute instances list - lists Google Compute Engine instances. The
infrastructure changes may include much more than compute engine instances, e.g.
firewall rules, VPC, subnets, databases etc. The output of this command is not sufficient
to describe the proposed changes. Moreover, you want to share the proposed changes,
not the changes after applying them.
Ref: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list

Clone the production environment to create a staging environment and deploy
the proposed changes to the staging environment. Execute gcloud compute
instances list to view the changes and store the results in a Google Cloud
Source Repository. is not right.
gcloud compute instances list - lists Google Compute Engine instances. The
infrastructure changes may include much more than compute engine instances, e.g.
firewall rules, VPC, subnets, databases etc. The output of this command is not sufficient
to describe the proposed changes. Moreover, you want to share the proposed changes,
not the changes after applying them.
Ref: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list

Preview the updates using Deployment Manager and store the results in a
Google Cloud Source Repository. is not right.
With deployment manager, you can preview the update you want to make before
committing any changes, with the gcloud command-line tool or the API. The
Deployment Manager service previews the configuration by expanding the full
configuration and creating "shell" resources. Deployment Manager does not instantiate
any actual resources when you preview a configuration, allowing you to see the
deployment before committing to it.
Ref: https://cloud.google.com/deployment-manager
However, saving the proposed changes to Cloud Source Repositories is not a great idea.
Cloud Source Repositories is a private Git repository in GCP and is not a suitable place
for such content.
Ref: https://cloud.google.com/source-repositories

Preview the updates using Deployment Manager and store the results in a
Google Cloud Storage bucket. is the right answer.
With deployment manager, you can preview the update you want to make before
committing any changes, with the gcloud command-line tool or the API. The
Deployment Manager service previews the configuration by expanding the full
configuration and creating "shell" resources. Deployment Manager does not instantiate
any actual resources when you preview a configuration, allowing you to see the
deployment before committing to it.
Ref: https://cloud.google.com/deployment-manager
Cloud Storage bucket is an ideal place to upload the information and share it with the
rest of the team.

Question 16: Incorrect


You migrated a mission-critical application from the on-premises data centre to
Google Kubernetes Engine (GKE) which uses e2-standard-2 machine types. You
want to deploy additional pods on c2-standard-16 machine types. How can you do
this without causing application downtime?

Create a new GKE cluster with node pool instances of type c2-standard-16. Deploy
the application on the new GKE cluster and delete the old GKE Cluster.

(Incorrect)

Update the existing cluster to add a new node pool with c2-standard-16 machine
types and deploy the pods.

(Correct)

Create a new GKE cluster with two node pools – one with e2-standard-2 machine
types and other with c2-standard-16 machine types. Deploy the application on the
new GKE cluster and delete the old GKE Cluster.

Run gcloud container clusters upgrade to move to c2-standard-16 machine types.
Terminate all existing pods.

Explanation
Create a new GKE cluster with node pool instances of type c2-standard-16.
Deploy the application on the new GKE cluster and delete the old GKE
Cluster. is not right.
This option results in the extra cost of running two clusters in parallel until the cutover
happens. Also, creating a single node pool with just c2-standard-16 nodes might result
in inefficient use of resources and subsequently extra costs.

Create a new GKE cluster with two node pools – one with e2-standard-2
machine types and other with c2-standard-16 machine types. Deploy the
application on the new GKE cluster and delete the old GKE Cluster. is not
right.
Having two node pools - one based on e2-standard-2 and the other based on
c2-standard-16 - is the right idea. The relevant pods can be deployed to the respective
node pools. However, you are incurring the extra cost of running two clusters in parallel
while the cutover happens.

Run gcloud container clusters upgrade to move to c2-standard-16 machine
types. Terminate all existing pods. is not right.
gcloud container clusters upgrade - is used to upgrade the Kubernetes version of an
existing container cluster.
Ref: https://cloud.google.com/sdk/gcloud/reference/container/clusters/upgrade

Update the existing cluster to add a new node pool with c2-standard-16
machine types and deploy the pods. is the right answer.
This option is the easiest and most practical of all options. Having two node pools - one
based on e2-standard-2 and the other based on c2-standard-16 is the right idea. Also,
adding the node pools to the existing cluster does not affect the existing node pool and
therefore no downtime.

Question 17: Incorrect


Your company deployed its applications across hundreds of GCP projects that use
different billing accounts. The finance team is struggling to add up all production
Cloud Opex costs and has requested your assistance for enabling/providing a
single pane of glass for all costs incurred by all applications in Google Cloud. You
want to include new costs as soon as they become available. What should you do?

Enable Billing Export from all GCP projects to BigQuery and ask the finance team
to use Google Data Studio to visualize the data.

(Correct)

Use Cloud Scheduler to trigger a Cloud Function every hour. Have the Cloud
Function download the CSV from the Cost Table page and upload the data to
BigQuery. Ask the finance team to use Google Data Studio to visualize the data.

Use Google pricing calculator for all the services used in all GCP projects and pass
the estimated cost to finance team every month.

(Incorrect)

Ask the finance team to check reports view section in Cloud Billing Console.

Explanation
Use Google pricing calculator for all the services used in all GCP projects
and pass the estimated cost to finance team every month. is not right.
We are interested in the costs incurred, not estimates.

Use Cloud Scheduler to trigger a Cloud Function every hour. Have the Cloud
Function download the CSV from the Cost Table page and upload the data to
BigQuery. Ask the finance team to use Google Data Studio to visualize the
data. is not right.
The question states "You want to include new costs as soon as they become available"
but exporting CSV is a manual process, i.e. not automated, so you don't get new cost
data as soon as it becomes available.

Ask the finance team to check reports view section in Cloud Billing
Console. is not right.
If all projects are linked to the same billing account, then the billing report would have
provided this information in a single screen with a visual representation that can be
customized based on different parameters. However, in this scenario, projects are linked
to different billing accounts and viewing the billing information of all these projects in a
single visual representation is not possible in the Reports View section in Cloud Billing
Console.
Ref: https://cloud.google.com/billing/docs/how-to/reports

Enable Billing Export from all GCP projects to BigQuery and ask the finance
team to use Google Data Studio to visualize the data. is the right answer.
Cloud Billing export to BigQuery enables you to export detailed Google Cloud billing
data (such as usage, cost estimates, and pricing data) automatically throughout the day
to a BigQuery dataset that you specify. Then you can access your Cloud Billing data from
BigQuery for detailed analysis, or use a tool like Google Data Studio to visualize your
data and provide cost visibility to the finance department. All projects can be configured
to export their data to the same billing dataset. As the export happens automatically
throughout the day, this satisfies our "as soon as possible" requirement.
Ref: https://cloud.google.com/billing/docs/how-to/export-data-bigquery

Question 18: Incorrect


Your company runs most of its compute workloads in Google Compute Engine in
the europe-west1-b zone. Your operations team use Cloud Shell to manage these
instances. They want to know if it is possible to designate a default compute zone
and not supply the zone parameter when running each command in the CLI. What
should you do?

Add a metadata entry in the Compute Engine Settings page with key:
compute/zone and value: europe-west1-b.

Run gcloud config to set europe-west1-b as the default zone.

(Incorrect)

Update the gcloud configuration file ~/config.ini to set europe-west1-b as the
default zone.

In GCP Console set europe-west1-b zone in the default location in Compute Engine
Settings.

(Correct)

Explanation
Update the gcloud configuration file ~/config.ini to set europe-west1-b as
the default zone. is not right.
gcloud does not read its configuration from ~/config.ini; properties live in named
gcloud configurations.
Ref: https://cloud.google.com/sdk/gcloud/reference/config/configurations
Ref: https://cloud.google.com/sdk/docs/configurations

Run gcloud config to set europe-west1-b as the default zone. is not right.
Using gcloud config set, you can set the zone in your active configuration only. This
setting does not apply to other gcloud configurations and does not become the default
for the project.
Ref: https://cloud.google.com/sdk/gcloud/reference/config/set

gcloud config set compute/zone europe-west1-b

Add a metadata entry in the Compute Engine Settings page with key:
compute/zone and value: europe-west1-b. is not right.
You could achieve this behaviour by running the following in gcloud.
https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region#gcloud

gcloud compute project-info add-metadata \
--metadata google-compute-default-region=europe-west1,google-compute-default-zone=europe-west1-b

As shown above, the key to be used is google-compute-default-zone and not
compute/zone.

In GCP Console set europe-west1-b zone in the default location in Compute
Engine Settings. is the right answer.
Ref: https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region#gcloud
The default region and zone settings affect only client tools, such as the gcloud
command-line tool and the Google Cloud Console. When you use these tools to
construct your requests, the tools help you manage resources by automatically selecting
the default region and zone. When you use the Cloud Console to create regional or
zonal resources like addresses and instances, Compute Engine sets the region and zone
fields for you. You can accept the pre-populated values, or explicitly change one or both
of the values. When you use the gcloud tool, omit setting the --region and --zone flags
to use the default region and zone properties for the new project. You can always
change the default region and zone settings in the metadata server, override the default
region and zone locally for the gcloud tool or override the settings manually for each
request in either the gcloud tool and the Cloud Console.

You could also achieve this behaviour by running the following in gcloud.
https://cloud.google.com/compute/docs/regions-zones/changing-default-zone-region#gcloud

gcloud compute project-info add-metadata \
--metadata google-compute-default-region=europe-west1,google-compute-default-zone=europe-west1-b

After you update the default metadata by using any method, run the gcloud init
command to reinitialize your default configuration. The gcloud tool refreshes the default
region and zone settings only after you run the gcloud init command.

Question 19: Incorrect
You deployed an application on a general-purpose Google Cloud Compute Engine
instance that uses a persistent zonal SSD of 300 GB. The application downloads
large Apache AVRO files from Cloud Storage, retrieve customer details from them
and saves a text file on local disk for each customer before pushing all the text
files to a Google Storage Bucket. These operations require high disk I/O, but you
find that the read and write operations on the disk are always throttled. What
should you do to improve the throughput while keeping costs to a minimum?

Replace Zonal Persistent SSD with a Local SSD.

(Correct)

Replace Zonal Persistent SSD with a Regional Persistent SSD.

Bump up the size of its SSD persistent disk to 1 TB.

(Incorrect)

Bump up the CPU allocated to the general-purpose Compute Engine instance.

Explanation
Replace Zonal Persistent SSD with a Regional Persistent SSD. is not right.
Migrating to a regional SSD would actually make it worse. At the time of writing, the
Read IOPS for a Zonal standard persistent disk is 7,500, and the Read IOPS reduces to
3000 for a Regional standard persistent disk, which reduces the throughput.
Ref: https://cloud.google.com/compute/docs/disks/performance

Bump up the size of its SSD persistent disk to 1 TB. is not right.
The performance of SSD persistent disks scales with the size of the disk.
Ref: https://cloud.google.com/compute/docs/disks/performance#cpu_count_size
However, there is no guarantee that increasing the disk to 1 TB will increase the
throughput in this scenario, as disk performance also depends on the number of vCPUs
on the VM instance.
Ref: https://cloud.google.com/compute/docs/disks/performance#ssd_persistent_disk_performance_by_disk_size
Ref: https://cloud.google.com/compute/docs/disks/performance#machine-type-disk-limits
For example, consider a 1,000 GB SSD persistent disk attached to an instance with an N2
machine type and 4 vCPUs. The read limit based solely on the size of the disk is 30,000
IOPS. However, because the instance has 4 vCPUs, the read limit is restricted to 15,000
IOPS.

Bump up the CPU allocated to the general-purpose Compute Engine instance. is
not right.
In Compute Engine, machine types are grouped and curated for different workloads.
Each machine type is subject to specific persistent disk limits per vCPU. Increasing the
vCPU count increases the Read IOPS.
https://cloud.google.com/compute/docs/disks/performance#machine-type-disk-limits
However, there is no guarantee that increasing the CPU will increase the throughput in
this scenario, as disk performance could be limited by disk size.
Ref: https://cloud.google.com/compute/docs/disks/performance#ssd_persistent_disk_performance_by_disk_size
Ref: https://cloud.google.com/compute/docs/disks/performance#machine-type-disk-limits
For example, consider a 1,000 GB SSD persistent disk attached to an instance with an N2
machine type and 48 vCPUs. The read limit based solely on the vCPU count is 60,000
IOPS. However, because the instance has 1000 GB SSD, the read limit is restricted to
30,000 IOPS.

Replace Zonal Persistent SSD with a Local SSD. is the right answer.
Local SSDs are physically attached to the server that hosts your VM instance. Local SSDs
have higher throughput and lower latency than standard persistent disks or SSD
persistent disks. The performance gains from local SSDs require trade-offs in availability,
durability, and flexibility. Because of these trade-offs, Local SSD storage isn't
automatically replicated, and all data on the local SSD might be lost if the instance
terminates for any reason.
Ref: https://cloud.google.com/compute/docs/disks#localssds
Ref: https://cloud.google.com/compute/docs/disks/performance#type_comparison

Question 20: Incorrect


Your company is building a mobile application that enables users to upload and
share images with their friends. Your company places a high value on security,
prefers minimal maintenance (no-op), and wants to optimize costs where possible.
You are designing the backend for the app based on these requirements: - Enable
users to upload images for only 30 minutes, - Enable users to retrieve their images
and share their images with their friends, - Delete images older than 50 days. You
have very little time to design the solution and take it to production. What should
you do (Choose two)?

Write a cron script that checks for objects older than 50 days and deletes them.

Enable lifecycle policy on the bucket to delete objects older than 50 days.

(Correct)

Have the mobile application send the images to an SFTP server.

Use Cloud Scheduler to trigger a Cloud Function to check for objects older than 50
days and delete them.

(Incorrect)

Have the mobile application use signed URLs to enable time-limited upload to
Cloud Storage.

(Correct)

Explanation
Have the mobile application send the images to an SFTP server. is not right.
It is possible to set up an SFTP server so that users can upload files, but building
an SFTP solution is not something you would do when the development cycle is short. It
would be better to look for off-the-shelf solutions that work with minimal
configuration. Moreover, this option doesn't specify where the uploaded files are stored,
nor does it say how the files are secured and how the expiration is handled.

Use Cloud Scheduler to trigger a Cloud Function to check for objects older
than 50 days and delete them. is not right.
This can certainly be done, but it is unnecessary when GCP already provides lifecycle
management for the same. You are unnecessarily adding cost and complexity by doing
this using Cloud Functions.

Write a cron script that checks for objects older than 50 days and deletes
them. is not right.
Like the option above, this can certainly be done, but it is unnecessary when GCP
already provides lifecycle management for the same. You are unnecessarily adding cost
and complexity by doing it this way.

Have the mobile application use signed URLs to enable time-limited upload
to Cloud Storage. is the right answer.
When we generate a signed URL, we can specify an expiry (30 mins), and users can only
upload for the specified time "30 minutes". Also, only users with the signed URL can
view/download the objects, so we share individual signed URLs so that users can
access only their data. Finally, all objects in Google Cloud Storage are encrypted, which
takes care of one of the primary goals, "data security".
Ref: https://cloud.google.com/storage/docs/access-control/signed-urls

Enable lifecycle policy on the bucket to delete objects older than 50
days. is the right answer.
Since you don't need data older than 50 days, deleting such data is the right approach.
You can set a lifecycle policy to delete objects older than 50 days. The policy is valid on
current as well as future objects and doesn't need any human intervention. This option
also takes care of the other primary goal "expiration of aged data" and ensures that we
"Delete data that is over 50 days old.".
Ref: https://cloud.google.com/storage/docs/lifecycle
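An added example, not from the practice test, that checks the two controls behind this answer offline in Python: whether a V4 signed upload URL is still inside its 30-minute window, and which objects a Delete/age lifecycle rule of 50 days would remove. The signed URL, bucket name and object timestamps are constructed sample data; the signature itself is verified by Cloud Storage, not here.

```python
"""Added example, not part of the practice test: offline checks for the two
controls behind Question 20, a time-limited V4 signed upload URL and a
50-day Delete lifecycle rule. The sample URL and objects are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# V4 signed URLs may live at most 7 days; the question needs only 30 minutes.
MAX_V4_EXPIRY_SECONDS = 7 * 24 * 3600
UPLOAD_WINDOW_SECONDS = 30 * 60


def signed_url_status(signed_url: str, now: datetime) -> str:
    """Classify a V4 signed URL as 'valid', 'expired' or 'malformed' at `now`.

    Only the X-Goog-Date and X-Goog-Expires query parameters are inspected;
    Cloud Storage rejects the request once now >= X-Goog-Date + X-Goog-Expires,
    and the cryptographic signature is checked by Cloud Storage, not here.
    """
    params = parse_qs(urlparse(signed_url).query)
    try:
        issued = datetime.strptime(
            params["X-Goog-Date"][0], "%Y%m%dT%H%M%SZ"
        ).replace(tzinfo=timezone.utc)
        ttl = int(params["X-Goog-Expires"][0])
    except (KeyError, IndexError, ValueError):
        return "malformed"
    if ttl <= 0 or ttl > MAX_V4_EXPIRY_SECONDS:
        return "malformed"
    return "valid" if now < issued + timedelta(seconds=ttl) else "expired"


def lifecycle_config(max_age_days: int) -> dict:
    """Lifecycle JSON in the shape `gsutil lifecycle set` accepts, deleting
    objects once they reach `max_age_days` days of age."""
    return {
        "lifecycle": {
            "rule": [
                {"action": {"type": "Delete"},
                 "condition": {"age": max_age_days}}
            ]
        }
    }


def objects_due_for_deletion(config: dict, objects: dict, now: datetime) -> list:
    """Simulate the Delete/age rule: `objects` maps object name to creation
    time, and the age condition is met once the object reaches that many
    days since creation. Cloud Storage applies the action asynchronously,
    so the real deletion may lag the moment the condition is met."""
    due = []
    for rule in config["lifecycle"]["rule"]:
        if rule["action"]["type"] != "Delete" or "age" not in rule["condition"]:
            continue
        cutoff = now - timedelta(days=rule["condition"]["age"])
        due.extend(name for name, created in objects.items() if created <= cutoff)
    return sorted(due)


# Constructed sample data: an upload URL issued at 12:00 UTC with a 30-minute
# window (signature is a placeholder), and three objects of different ages.
SAMPLE_URL = (
    "https://storage.googleapis.com/example-bucket/photo.jpg"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=uploader%40example.iam.gserviceaccount.com"
    "%2F20240101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20240101T120000Z"
    f"&X-Goog-Expires={UPLOAD_WINDOW_SECONDS}"
    "&X-Goog-SignedHeaders=host"
    "&X-Goog-Signature=placeholder"
)
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
MID_WINDOW = ISSUED + timedelta(minutes=20)
AFTER_WINDOW = ISSUED + timedelta(minutes=31)
SAMPLE_OBJECTS = {
    "fresh.jpg": ISSUED - timedelta(days=3),
    "borderline.jpg": ISSUED - timedelta(days=50),
    "stale.jpg": ISSUED - timedelta(days=51),
}

if __name__ == "__main__":
    print(signed_url_status(SAMPLE_URL, MID_WINDOW))    # valid
    print(signed_url_status(SAMPLE_URL, AFTER_WINDOW))  # expired
    print(objects_due_for_deletion(lifecycle_config(50), SAMPLE_OBJECTS, ISSUED))
```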

Question 21: Correct


Your compliance team wants to review the audit logs and data access logs in the
production GCP project. You want to follow Google recommended practices. What
should you do?

Grant the compliance team roles/logging.privateLogViewer IAM role. Let the
compliance team know they can also query IAM policy changes in Cloud Logging.

(Correct)

Export logs to Cloud Storage and grant the compliance team a custom IAM role
that has logging.privateLogEntries.list permission.

Grant the compliance team a custom IAM role that has
logging.privateLogEntries.list permission. Let the compliance team know they can
also query IAM policy changes in Cloud Logging.

Export logs to Cloud Storage and grant the compliance team
roles/logging.privateLogViewer IAM role.

Explanation
Google Cloud provides Cloud Audit Logs, which is an integral part of Cloud Logging. It
consists of two log streams for each project: Admin Activity and Data Access, which are
generated by Google Cloud services to help you answer the question of "who did what,
where, and when?" within your Google Cloud projects.
Ref: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

To view Admin Activity audit logs, you must have one of the following Cloud IAM roles
in the project that contains your audit logs:

- Project Owner, Project Editor, or Project Viewer.

- The Logging Logs Viewer role.

- A custom Cloud IAM role with the logging.logEntries.list Cloud IAM permission.
https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions

To view Data Access audit logs, you must have one of the following roles in the project
that contains your audit logs:

- Project Owner.

- Logging's Private Logs Viewer role.

- A custom Cloud IAM role with the logging.privateLogEntries.list Cloud IAM permission.
Ref: https://cloud.google.com/iam/docs/audit-logging#audit_log_permissions

Export logs to Cloud Storage and grant the compliance team a custom IAM role
that has logging.privateLogEntries.list permission. is not right.
logging.privateLogEntries.list grants permission to view Data Access audit logs, but it
does not grant permission to view Admin Activity logs.
Ref: https://cloud.google.com/logging/docs/access-control#console_permissions

Grant the compliance team a custom IAM role that has
logging.privateLogEntries.list permission. Let the compliance team know they
can also query IAM policy changes in Cloud Logging. is not right.
logging.privateLogEntries.list grants permission to view Data Access audit logs, but it
does not grant permission to view Admin Activity logs.
Ref: https://cloud.google.com/logging/docs/access-control#console_permissions

Export logs to Cloud Storage and grant the compliance team
roles/logging.privateLogViewer IAM role. is not right.
The IAM role roles/logging.privateLogViewer is the right role. It includes the
roles/logging.viewer permissions (everything in Logging except Access Transparency and
Data Access audit logs) plus the logging.privateLogEntries.list permission (Access
Transparency and Data Access audit logs). Together, they let the compliance team review
the Admin Activity logs and Data Access logs. But exporting logs to Cloud Storage
indicates that we want the compliance team to review logs from Cloud Storage and not
the logs within the Cloud Logging console. In this scenario, unless the compliance team is
also assigned a role that lets them access the relevant Cloud Storage buckets, they
wouldn't be able to view the log information in the buckets.

Grant the compliance team roles/logging.privateLogViewer IAM role. Let the
compliance team know they can also query IAM policy changes in Cloud
Logging. is the right answer.
The IAM role roles/logging.privateLogViewer is the right role. It includes the
roles/logging.viewer permissions (everything in Logging except Access Transparency and
Data Access audit logs) plus the logging.privateLogEntries.list permission (Access
Transparency and Data Access audit logs). Together, they let the compliance team review
the Admin Activity logs and Data Access logs. This role lets them access the logs in the
Cloud Logging console.
Ref: https://cloud.google.com/logging/docs/access-control

Question 22: Incorrect

Your business-critical application deployed on a compute engine instance in the
us-west1-a zone suffered an outage due to GCP zone failure. You want to modify the
application to be immune to zone failures while minimizing costs. What should
you do?

Provision another compute engine instance in us-west1-b and balance the traffic
across both zones.

(Correct)

Ensure you have hourly snapshots of the disk in Google Cloud Storage. In the
unlikely event of a zonal outage, use the snapshots to provision a new Compute
Engine Instance in a different zone.

Direct the traffic through a Global HTTP(s) Load Balancer to shield your
application from GCP zone failures.

Replace the single instance with a Managed Instance Group (MIG) and autoscaling
enabled. Configure a health check to detect failures rapidly.

(Incorrect)

Explanation
Ensure you have hourly snapshots of the disk in Google Cloud Storage. In the
unlikely event of a zonal outage, use the snapshots to provision a new
Compute Engine Instance in a different zone. is not right.
This option wouldn't eliminate downtime, the solution doesn't support the failure of a
single Compute Engine zone, and the solution involves manual intervention which adds
to the overall cost.

Direct the traffic through a Global HTTP(s) Load Balancer to shield your
application from GCP zone failures. is not right.
The VMs are still in a single zone, so this solution doesn't support the failure of a single
Compute Engine zone.

Replace the single instance with a Managed Instance Group (MIG) and
autoscaling enabled. Configure a health check to detect failures rapidly. is
not right.
The VMs are still in a single zone, so this solution doesn't support the failure of a single
Compute Engine zone.

Provision another compute engine instance in us-west1-b and balance the
traffic across both zones. is the right answer.
Creating Compute Engine resources in us-west1-b and balancing the load across both
zones ensures that the solution supports the failure of a single Compute Engine zone
and eliminates downtime. Even if one zone goes down, the application can continue to
serve requests from the other zone.

Question 23: Incorrect

You deployed the Finance team's Payroll application to Google Compute Engine,
and this application is used by staff during regular business hours. The operations
team want to back up the VMs daily outside business hours and delete images
older than 50 days to save costs. They need an automated solution with the least
operational overhead and the fewest GCP services. What should they do?

Add a metadata tag on the Google Compute Engine instance to enable snapshot
creation. Add a second metadata tag to specify the snapshot schedule, and a third
metadata tag to specify the retention period.

Navigate to the Compute Engine Disk section of your VM instance in the GCP
console and enable a snapshot schedule for automated creation of daily snapshots.
Set Auto-Delete snapshots after to 50 days.

(Correct)


Use AppEngine Cron service to trigger a custom script that creates snapshots of
the disk daily. Use AppEngine Cron service to trigger another custom script that
iterates over the snapshots and deletes snapshots older than 50 days.

Use Cloud Scheduler to trigger a Cloud Function that creates snapshots of the disk
daily. Use Cloud Scheduler to trigger another Cloud Function that iterates over the
snapshots and deletes snapshots older than 50 days.

(Incorrect)

Explanation
Add a metadata tag on the Google Compute Engine instance to enable snapshot
creation. Add a second metadata tag to specify the snapshot schedule, and a
third metadata tag to specify the retention period. is not right.
Adding these metadata tags on the instance does not affect snapshot
creation/automation.

Use Cloud Scheduler to trigger a Cloud Function that creates snapshots of


the disk daily. Use Cloud Scheduler to trigger another Cloud Function that
iterates over the snapshots and deletes snapshots older than 50 days. is not
right.
You want to fulfil this requirement by using the least number of services. While this
works, it involves the use of Cloud Functions and Cloud Scheduler, and we should look
at doing this using the least number of services.

Use AppEngine Cron service to trigger a custom script that creates snapshots
of the disk daily. Use AppEngine Cron service to trigger another custom
script that iterates over the snapshots and deletes snapshots older than 50
days. is not right.
Bash scripts and crontabs add a lot of operational overhead. You want to fulfil this
requirement with the least management overhead so you should avoid this.

Navigate to the Compute Engine Disk section of your VM instance in the GCP
console and enable a snapshot schedule for automated creation of daily
snapshots. Set Auto-Delete snapshots after to 50 days. is the right answer.
Google recommends snapshot schedules as a best practice to back up your Compute
Engine workloads.
Ref: https://cloud.google.com/compute/docs/disks/scheduled-snapshots

Question 24: Incorrect
Your company plans to migrate all applications from the on-premise data centre
to Google Cloud Platform and requires a monthly estimate of the cost of running
these applications in GCP. How can you provide this estimate?

For all GCP services/APIs you are planning to use, use the GCP pricing calculator to
estimate the monthly costs.

(Correct)

Migrate all applications to GCP and run them for a week. Use the costs from the
Billing Report page for this week to extrapolate the monthly cost of running all
applications in GCP.

Migrate all applications to GCP and run them for a week. Use Cloud Monitoring to
identify the costs for this week and use it to derive the monthly cost of running all
applications in GCP.

(Incorrect)

For all GCP services/APIs you are planning to use, capture the pricing from the
products pricing page and use an excel sheet to estimate the monthly costs.

Explanation
Migrate all applications to GCP and run them for a week. Use the costs from
the Billing Report page for this week to extrapolate the monthly cost of
running all applications in GCP. is not right.
By provisioning the solution on GCP, you are going to incur costs. We are required to
estimate the costs, and this can be done by using Google Cloud Pricing Calculator.
Ref: https://cloud.google.com/products/calculator

Migrate all applications to GCP and run them for a week. Use Cloud
Monitoring to identify the costs for this week and use it to derive the
monthly cost of running all applications in GCP. is not right.
By provisioning the solution on GCP, you are going to incur costs. We are required to
estimate the costs, and this can be done by using Google Cloud Pricing Calculator.
Ref: https://cloud.google.com/products/calculator

For all GCP services/APIs you are planning to use, capture the pricing from
the products pricing page and use an excel sheet to estimate the monthly
costs. is not right.
This option would certainly work but is a manual task. Why use this when you can use
the Google Cloud Pricing Calculator to achieve the same?
Ref: https://cloud.google.com/products/calculator

For all GCP services/APIs you are planning to use, use the GCP pricing
calculator to estimate the monthly costs. is the right answer.
You can use the Google Cloud Pricing Calculator to total the estimated monthly costs
for each GCP product. You don't incur any charges for doing so.
Ref: https://cloud.google.com/products/calculator

Question 25: Incorrect


You deployed an application using Apache Tomcat server on a single Google Cloud
VM. Users are complaining of intermittent issues accessing a specific page in the
application, and you want to look at the logs on the local disk. What should you
do?

Configure a health check on the instance to identify the issue and email you the
logs when the application experiences the issue.

Check logs in Cloud Logging.

(Incorrect)

Install the Cloud Logging Agent on the VM and configure it to send logs to Cloud
Logging. Check logs in Cloud Logging.

(Correct)

Check logs in the Serial Console.

Explanation
Check logs in Cloud Logging. is not right.
The application writes logs to disk, but we don't know if these logs are forwarded to
Cloud Logging. Unless you install the Cloud Logging agent (which this option doesn't
mention) and configure it to stream the application logs, the logs don't reach Cloud
Logging.
Ref: https://cloud.google.com/logging/docs/agent

Check logs in the Serial Console. is not right.
You would interact with an instance's serial console to debug boot and networking issues,
troubleshoot malfunctioning instances, interact with the GRand Unified Bootloader
(GRUB), and perform other troubleshooting tasks. Since the issues being reported are
with the application, analysing and debugging in the instance's serial console doesn't
help.
Ref: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console

Configure a health check on the instance to identify the issue and email you
the logs when the application experiences the issue. is not right.
We don’t know what the issue is, and we want to look at the logs to identify the
problem, so it is not possible to create a health check without first identifying what the
issue is.

Install the Cloud Logging Agent on the VM and configure it to send logs to
Cloud Logging. Check logs in Cloud Logging. is the right answer.
It is a best practice to run the Logging agent on all your VM instances. In its default
configuration, the Logging agent streams logs from common third-party applications
and system software to Logging; review the list of default logs. You can configure the
agent to stream additional logs; go to Configuring the Logging agent for details on
agent configuration and operation. As logs are now streamed to Cloud Logging, you can
view your logs in Cloud logging and diagnose the problem.
Ref: https://cloud.google.com/logging/docs/agent

Question 26: Correct


You are running a business-critical application in a GKE cluster in a subnet with
cluster autoscaling enabled. A massive surge in demand for your company’s
products has seen the GKE cluster node pool scale-up until there were no more
free IP addresses available for new VMs in the subnet. What should you do to fix
this issue?

Add a new VPC and set up VPC sharing between the new and existing VPC.

Add a secondary (alias) IP range to the existing subnet.

Expand the range of the existing subnet.

(Correct)

Add a new subnet to the same region.

Explanation
Add a new subnet to the same region. is not right.
When you create a regional (private) GKE cluster, it automatically creates a private
cluster subnet, and you can't change this/add a second subnet.
Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#view_subnet

Add a secondary (alias) IP range to the existing subnet. is not right.
Since there are no more primary IP addresses available in the subnet, it is not possible to
provision new VMs. You cannot create a VM with just a secondary (alias) IP. All subnets
have a primary CIDR range, which is the range of internal IP addresses that define the
subnet. Each VM instance gets its primary internal IP address from this range. You can
also allocate alias IP ranges from that primary range, or you can add a secondary range
to the subnet and allocate alias IP ranges from the secondary range.
Ref: https://cloud.google.com/vpc/docs/alias-ip#subnet_primary_and_secondary_cidr_ranges

Add a new VPC and set up VPC sharing between the new and existing VPC. is not
right.
You can't split a GKE cluster across two VPCs. You can't use shared VPC either as Google
Kubernetes Engine does not support converting existing clusters to the Shared VPC
model.
https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#overview

Expand the range of the existing subnet. is the right answer.
Since there are no more IPs available in the IP range, you need to expand the primary IP
range of an existing subnet by modifying its subnet mask, setting the prefix length to a
smaller number. Expanding the subnet adds more IP addresses to the subnet IP range
and lets the GKE cluster spin up more nodes as needed.
Ref: https://cloud.google.com/vpc/docs/using-vpc#expand-subnet

Question 27: Incorrect

You want to migrate a legacy application from your on-premises data centre to
Google Cloud Platform. The application serves SSL encrypted traffic from
worldwide clients on TCP port 443. What GCP load balancing service should you
use to minimize latency for all clients?

Internal TCP/UDP Load Balancer.

SSL Proxy Load Balancer.

(Correct)

External HTTP(S) Load Balancer.

Network TCP/UDP Load Balancer.

(Incorrect)

Explanation
Internal TCP/UDP Load Balancer. is not right.
Internal TCP Load Balancing is a regional load balancer that enables you to run and
scale your services behind an internal load balancing IP address that is accessible only to
your internal virtual machine (VM) instances. Since we need to serve public traffic, this
load balancer is not suitable for us.
Ref: https://cloud.google.com/load-balancing/docs/internal

Network TCP/UDP Load Balancer. is not right.
Google Cloud external TCP/UDP Network Load Balancing is a regional, non-proxied load
balancer. Since this is a regional load balancer, its endpoint is regional, and this means
that the traffic for this load balancer must traverse through the internet to reach the
regional endpoint. Not a problem for clients located closer to this region but traversing
through the internet can add a lot of latency to connections from other regions. In this
scenario, clients are located all over the world; therefore, Network Load Balancer is not a
suitable option.
Ref: https://cloud.google.com/load-balancing/docs/network

External HTTP(S) Load Balancer. is not right.
External HTTP(S) Load Balancer is a Layer 7 load balancer suitable for HTTP/HTTPS traffic
and is not suited for TCP traffic.
Ref: https://cloud.google.com/load-balancing/docs/choosing-load-balancer#summary-of-google-cloud-load-balancers

SSL Proxy Load Balancer. is the right answer.
By using Google Cloud SSL Proxy Load Balancing for your SSL traffic, you can terminate
user SSL (TLS) connections at the load balancing layer. You can then balance the
connections across your backend instances by using the SSL (recommended) or TCP
protocols. The SSL proxy load balancer terminates TLS in locations that are distributed
globally, to minimize latency between clients and the load balancer.
Ref: https://cloud.google.com/load-balancing/docs/ssl
Ref: https://cloud.google.com/load-balancing/docs/choosing-load-balancer

Question 28: Incorrect
An auditor requires specific access on certain GCP services in your Cloud project.
You have developed the first version of a custom IAM role to enable this
access. The compliance team wants to test this role in a test GCP project and has
asked you to share with them the role and its lifecycle stage. What should you do?

1. Set the custom IAM role lifecycle stage to BETA while you test the role in the test GCP
project.

2. Restrict the custom IAM role to use permissions with SUPPORTED support level.

1. Set the custom IAM role lifecycle stage to ALPHA while you test the role in the test
GCP project.
2. Restrict the custom IAM role to use permissions with SUPPORTED support level.

(Correct)

1. Set the custom IAM role lifecycle stage to BETA while you test the role in the test GCP
project.

2. Restrict the custom IAM role to use permissions with TESTING support level.

(Incorrect)

1. Set the custom IAM role lifecycle stage to ALPHA while you test the role in the test
GCP project.

2. Restrict the custom IAM role to use permissions with TESTING support level.

Explanation
When setting support levels for permissions in custom roles, you can set one
of SUPPORTED, TESTING or NOT_SUPPORTED. SUPPORTED - The permission is fully
supported in custom roles. TESTING - The permission is being tested to check its
compatibility with custom roles. You can include the permission in custom roles, but you
might see unexpected behaviour. Such permissions are not recommended for
production use.
Ref: https://cloud.google.com/iam/docs/custom-roles-permissions-support
Since we want the role to be suitable for production use, we need "SUPPORTED" and not
"TESTING".

In terms of role stage, the stage transitions from ALPHA --> BETA --> GA.
Ref: https://cloud.google.com/iam/docs/understanding-custom-roles#testing_and_deploying
Since this is the first version of the custom role, we start with "ALPHA".

The only option that satisfies the "ALPHA" stage with the "SUPPORTED" support level is:

1. Set the custom IAM role lifecycle stage to ALPHA while you test the role
in the test GCP project.
2. Restrict the custom IAM role to use permissions with SUPPORTED support
level. is the right answer.

Question 29: Correct


All departments at your company have their own Google Cloud Projects. You got
transferred into a new department that doesn’t have a project yet, and you are
ready to deploy a new application onto a Compute Engine Instance. What should
you do?

Use gcloud commands first to create a new project, then to enable the Compute
Engine API and finally, to launch a new compute engine instance in the project.

(Correct)

In the GCP Console, enable the Compute Engine API. When creating a new
instance in the console, select the checkbox to create the instance in a new GCP
project and provide the project name and ID.

Run gcloud compute instances create with --project flag to automatically create
the new project and a compute engine instance. When prompted to enable the
Compute Engine API, select Yes.

In the GCP Console, enable the Compute Engine API. Run gcloud compute
instances create with --project flag to automatically create the new project and a
compute engine instance.

Explanation
In the GCP Console, enable the Compute Engine API. Run gcloud compute
instances create with --project flag to automatically create the new project
and a compute engine instance. is not right.
You can't create the instance without first creating the project. The --project flag in
the gcloud compute instances create command specifies an existing project.
Ref: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create
--project=PROJECT_ID

The Google Cloud Platform project ID to use for this invocation. If omitted, then the
current project is assumed; the current project can be listed using gcloud config list
--format='text(core.project)' and can be set using gcloud config set project PROJECTID.
Ref: https://cloud.google.com/sdk/gcloud/reference#--project

Run gcloud compute instances create with --project flag to automatically
create the new project and a compute engine instance. When prompted to
enable the Compute Engine API, select Yes. is not right.
You can't create the instance without first creating the project. The --project flag in
the gcloud compute instances create command specifies an existing project.
Ref: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create

--project=PROJECT_ID

The Google Cloud Platform project ID to use for this invocation. If omitted, then the
current project is assumed; the current project can be listed using gcloud config list
--format='text(core.project)' and can be set using gcloud config set project PROJECTID.
Ref: https://cloud.google.com/sdk/gcloud/reference#--project

In the GCP Console, enable the Compute Engine API. When creating a new
instance in the console, select the checkbox to create the instance in a new
GCP project and provide the project name and ID. is not right.
In Cloud Console, when you create a new instance, you don't get an option to select the
project. The compute engine instance is always created in the currently active project.
Ref: https://cloud.google.com/compute/docs/instances/create-start-instance

Use gcloud commands first to create a new project, then to enable the
Compute Engine API and finally, to launch a new compute engine instance in
the project. is the right answer.
This option does it all in the correct order. You first create a project using gcloud
projects create, then enable the compute engine API and finally create the VM instance
in this project by using the --project flag or by creating an instance in this project in
Cloud console.
https://cloud.google.com/sdk/gcloud/reference/compute/instances/create

--project=PROJECT_ID

The Google Cloud Platform project ID to use for this invocation. If omitted, then the
current project is assumed; the current project can be listed using gcloud config list --
format='text(core.project)' and can be set using gcloud config set project PROJECTID.
Ref: https://cloud.google.com/sdk/gcloud/reference#--project

Question 30: Incorrect
Your production Compute workloads are running in a subnet with a range
192.168.20.128/25. A recent surge in traffic has seen the production VMs struggle,
and you want to add more VMs, but all IP addresses in the subnet are in use. All
new and old VMs need to communicate with each other. How can you do this with
the fewest steps?

Update the subnet range to 192.168.20.0/24.

(Correct)

Create a new VPC and a new subnet with IP range 192.168.21.0/24. Enable VPC
Peering between the old VPC and new VPC. Configure a custom Route exchange.

Create a new non-overlapping Alias range in the existing VPC and Configure the
VMs to use the alias range.

(Incorrect)

Create a new VPC network and a new subnet with IP range 192.168.21.0/24.
Enable VPC Peering between the old VPC and new VPC.

Explanation
Create a new non-overlapping Alias range in the existing VPC and Configure
the VMs to use the alias range. is not right.
Since there are no more primary IP addresses available in the subnet, it is not possible to
provision new VMs. You cannot create a VM with just a secondary (alias) IP. All subnets
have a primary CIDR range, which is the range of internal IP addresses that define the
subnet. Each VM instance gets its primary internal IP address from this range. You can
also allocate alias IP ranges from that primary range, or you can add a secondary range
to the subnet and allocate alias IP ranges from the secondary range.
Ref: https://cloud.google.com/vpc/docs/alias-ip#subnet_primary_and_secondary_cidr_ranges

Create a new VPC and a new subnet with IP range 192.168.21.0/24. Enable VPC
Peering between the old VPC and new VPC. Configure a custom Route
exchange. is not right.
Subnet routes that don't use privately reused public IP addresses are always exchanged
between peered networks. You can also exchange custom routes, which include static
and dynamic routes, and routes for subnets that use privately reused public IP addresses,
if network administrators in both networks have the appropriate peering configurations.
But in this case, there is no requirement to exchange custom routes.
Ref: https://cloud.google.com/vpc/docs/vpc-peering#importing-exporting-routes

Create a new VPC network and a new subnet with IP range 192.168.21.0/24.
Enable VPC Peering between the old VPC and new VPC. is not right.
This approach works but is more complicated than expanding the subnet range.
Ref: https://cloud.google.com/vpc/docs/vpc-peering

Update the subnet range to 192.168.20.0/24. is the right answer.
Since there are no private IP addresses available in the subnet, the most appropriate
action is to expand the subnet. Expanding the range to 192.168.20.0/24 gives you 128
additional IP addresses. You can use gcloud compute networks subnets expand-ip-range
to expand a subnet.
Ref: https://cloud.google.com/sdk/gcloud/reference/compute/networks/subnets/expand-ip-range
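The subnet expansion described here and in Question 26, as an added Python pre-flight check that is not part of the practice test: it computes the supernet that keeps every existing address, counts the addresses gained, and rejects a prefix that would overlap another subnet in the VPC, which is what `gcloud compute networks subnets expand-ip-range` itself enforces. The neighbouring subnets and the region name are constructed.

```python
"""Added example for Questions 26 and 30: pre-flight check before expanding a
subnet's primary range. Not part of the practice test; the VPC layout below is
constructed. It mirrors what `gcloud compute networks subnets expand-ip-range`
enforces: the new range is the supernet that contains the current one (a
shorter prefix length) and must not overlap any other subnet in the VPC."""
import ipaddress


def plan_expansion(current_cidr: str, new_prefix_len: int,
                   other_ranges: list) -> dict:
    """Compute the expanded range and check it against the other subnets.
    Raises ValueError if the request would not grow the subnet."""
    current = ipaddress.ip_network(current_cidr)
    if new_prefix_len >= current.prefixlen:
        raise ValueError("a subnet can only grow: the new prefix length must be "
                         f"shorter than /{current.prefixlen}")
    # The supernet keeps every existing address, so running VMs keep their IPs.
    new = current.supernet(new_prefix=new_prefix_len)
    overlaps = [str(r) for r in map(ipaddress.ip_network, other_ranges)
                if new.overlaps(r)]
    return {
        "current": str(current),
        "new_range": str(new),
        # Google reserves four addresses per primary range; that count is the
        # same before and after, so the usable gain equals the raw gain.
        "added_addresses": new.num_addresses - current.num_addresses,
        "overlaps": overlaps,
        "ok": not overlaps,
    }


def expand_command(subnet: str, region: str, new_prefix_len: int) -> str:
    """The gcloud command that applies the plan (run it only when `ok` is True)."""
    return (f"gcloud compute networks subnets expand-ip-range {subnet} "
            f"--region={region} --prefix-length={new_prefix_len}")


# Constructed VPC: the production subnet from Question 30 plus two neighbours.
VPC_SUBNETS = {
    "prod-subnet": "192.168.20.128/25",
    "dev-subnet": "192.168.21.0/24",
    "mgmt-subnet": "10.10.0.0/24",
}


def plan_for(subnet_name: str, new_prefix_len: int) -> dict:
    """Plan an expansion of one named subnet against the rest of the VPC."""
    others = [cidr for name, cidr in VPC_SUBNETS.items() if name != subnet_name]
    return plan_expansion(VPC_SUBNETS[subnet_name], new_prefix_len, others)


if __name__ == "__main__":
    for prefix in (24, 23):
        plan = plan_for("prod-subnet", prefix)
        print(plan)
        if plan["ok"]:
            # "us-west1" is a constructed region name for the demo
            print(expand_command("prod-subnet", "us-west1", prefix))
```

Going one prefix further (to /23) would swallow the neighbouring 192.168.21.0/24, so the plan reports the overlap and refuses; the /24 expansion is the one that yields the 128 extra addresses the answer mentions.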

Question 31: Correct


Your gaming backend uses Cloud Spanner to store leaderboard and player profile
data. You want to scale the spanner instances based on predictable usage patterns.
What should you do?

Configure alerts in Cloud Monitoring to trigger a Cloud Function via webhook, and
have the Cloud Function scale up or scale down the spanner instance as necessary.

(Correct)


Configure a Cloud Scheduler job to invoke a Cloud Function that reviews the
relevant Cloud Monitoring metrics and resizes the Spanner instance as necessary.

Configure alerts in Cloud Monitoring to alert your operations team and have them
manually scale up or scale down the spanner instance as necessary.

Configure alerts in Cloud Monitoring to alert Google Operations Support team and
have them use their scripts to scale up or scale down the spanner instance as
necessary.

Explanation
Configure a Cloud Scheduler job to invoke a Cloud Function that reviews the
relevant Cloud Monitoring metrics and resizes the Spanner instance as
necessary. is not right.
While this works and does it automatically, it does not follow Google's recommended
practices.
Ref: https://cloud.google.com/spanner/docs/instances
"Note: You can scale the number of nodes in your instance based on the Cloud
Monitoring metrics on CPU or storage utilization in conjunction with Cloud Functions."

Configure alerts in Cloud Monitoring to alert your operations team and have
them manually scale up or scale down the spanner instance as necessary. is
not right.
This option does not follow Google's recommended practices.
Ref: https://cloud.google.com/spanner/docs/instances
"Note: You can scale the number of nodes in your instance based on the Cloud
Monitoring metrics on CPU or storage utilization in conjunction with Cloud Functions."

Configure alerts in Cloud Monitoring to alert Google Operations Support team
and have them use their scripts to scale up or scale down the spanner
instance as necessary. is not right.
This option does not follow Google's recommended practices.
Ref: https://cloud.google.com/spanner/docs/instances
"Note: You can scale the number of nodes in your instance based on the Cloud
Monitoring metrics on CPU or storage utilization in conjunction with Cloud Functions."

Configure alerts in Cloud Monitoring to trigger a Cloud Function via
webhook, and have the Cloud Function scale up or scale down the spanner
instance as necessary. is the right answer.
For scaling the number of nodes in a Cloud Spanner instance, Google recommends
implementing this based on the Cloud Monitoring metrics on CPU or storage utilization
in conjunction with Cloud Functions.
Ref: https://cloud.google.com/spanner/docs/instances

Question 32: Correct

Your company updated its business operating model recently and no longer needs
the applications deployed in the data-analytics-v1 GCP project. You want to turn
off all GCP services and APIs in this project. You want to do this efficiently using
the least number of steps while following Google recommended practices. What
should you do?

Ask an engineer with Project Owner IAM role to identify all resources in the
project and delete them.

Ask an engineer with Project Owner IAM role to locate the project and shut down.

(Correct)

Ask an engineer with Organization Administrator IAM role to locate the project
and shut down.

Ask an engineer with Organization Administrator IAM role to identify all resources
in the project and delete them.

Explanation
Ask an engineer with Organization Administrator IAM role to locate the
project and shut down. is not right.
Organization Admin role provides permissions to get and list projects but not shutdown
projects.
Ref: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles

Ask an engineer with Organization Administrator IAM role to identify all
resources in the project and delete them. is not right.
Organization Admin role provides permissions to get and list projects but not delete
projects.
Ref: https://cloud.google.com/iam/docs/understanding-roles#resource-manager-roles

Ask an engineer with Project Owner IAM role to identify all resources in the
project and delete them. is not right.
The primitive Project Owner role provides permissions to delete projects.
Ref: https://cloud.google.com/iam/docs/understanding-roles#primitive_roles
But locating all the resources and deleting them is a manual task, time-consuming and
error-prone. Our goal is to accomplish the same but with fewest possible steps.

Ask an engineer with Project Owner IAM role to locate the project and shut
down. is the right answer.
The primitive Project Owner role provides permissions to delete projects.
Ref: https://cloud.google.com/iam/docs/understanding-roles#primitive_roles
You can shut down projects using the Cloud Console. When you shut down a project,
the following happens immediately: all billing and traffic serving stops; you lose
access to the project; the owners of the project are notified and can stop the
deletion within 30 days; and the project is scheduled to be deleted after 30 days.
However, some resources may be deleted much earlier.
Ref: https://cloud.google.com/resource-manager/docs/creating-managing-
projects#shutting_down_projects

Question 33: Correct


The operations manager has asked you to identify the IAM users with Project
Editor role on the GCP production project. What should you do?

Execute gcloud projects get-iam-policy to retrieve this information.

(Correct)


Check the permissions assigned in all Identity Aware Proxy (IAP) tunnels.

Extract all project-wide SSH keys.

Turn on IAM Audit logging and build a Cloud Monitoring dashboard to display
this information.

Explanation
Extract all project-wide SSH keys. is not right.
Project-wide SSH keys provide the ability to connect to most instances in your project. It
can't be used to identify who has been granted the project editor role.
Ref: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-
keys#edit-ssh-metadata

Check the permissions assigned in all Identity Aware Proxy (IAP) tunnels. is
not right.
Identity Aware Proxy is for controlling access to your cloud-based and on-premises
applications and VMs running on Google Cloud. It can't be used to gather who has been
granted the project editor role.
Ref: https://cloud.google.com/iap

Turn on IAM Audit logging and build a Cloud Monitoring dashboard to display
this information. is not right.
Once enabled, users signing in with the Project Editor role are recorded in the logs, and
you can query this information, but these logs don't give you a full list of all users who
currently hold the Project Editor role, because users who have not logged in since
logging was enabled produce no log entries.

Execute gcloud projects get-iam-policy to retrieve this information. is the
right answer.
gcloud projects get-iam-policy lets you retrieve the IAM policy for a project. You can
combine this with various flags to retrieve the required information, e.g. to list every
member bound to the Project Editor role:

gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --filter="bindings.role:roles/editor" --format="value(bindings.members)"

Question 34: Correct


You work for a multinational delivery services company that uses Apache
Cassandra DB as the backend store for its delivery track and trace system. The
existing on-premises data centre is out of space. To cope with an anticipated
increase in requests in the run-up to Christmas, you want to move this application
rapidly to Google Cloud with minimal effort whilst ensuring you can spin up
multiple stacks (development, test, production) and isolate them from each other.
How can you do this?

Install an instance of Cassandra DB on Google Cloud Compute Engine, take a
snapshot of this instance and upload to Google Cloud Storage bucket. Every time
you need a new instance of Cassandra DB, spin up a new compute engine instance
from the snapshot.

Launch Cassandra DB from Cloud Marketplace.

(Correct)

Download the installation guide for Cassandra on GCP and follow the instructions
to install the database.

Install an instance of Cassandra DB on Google Cloud Compute Engine, take a
snapshot of this instance and use the snapshot to spin up additional instances of
Cassandra DB.

Explanation
Download the installation guide for Cassandra on GCP and follow the
instructions to install the database. is not right.
There is a simple and straightforward way to deploy Cassandra as a Service, called Astra,
on the Google Cloud Marketplace. You don't need to follow the installation guide to
install it.
Ref: https://cloud.google.com/blog/products/databases/open-source-cassandra-now-
managed-on-google-cloud
Ref: https://console.cloud.google.com/marketplace/details/click-to-deploy-
images/cassandra?filter=price:free&filter=category:database&id=25ca0967-cd8e-419e-
b554-fe32e87f04be&pli=1
Install an instance of Cassandra DB on Google Cloud Compute Engine, take a
snapshot of this instance and use the snapshot to spin up additional
instances of Cassandra DB. is not right.
Like above, there is a simple and straightforward way to deploy Cassandra as a Service,
called Astra, on the Google Cloud Marketplace. You don't need to do this in a
convoluted way.
Ref: https://cloud.google.com/blog/products/databases/open-source-cassandra-now-
managed-on-google-cloud
Ref: https://console.cloud.google.com/marketplace/details/click-to-deploy-
images/cassandra?filter=price:free&filter=category:database&id=25ca0967-cd8e-419e-
b554-fe32e87f04be&pli=1

Install an instance of Cassandra DB on Google Cloud Compute Engine, take a
snapshot of this instance and upload to Google Cloud Storage bucket. Every
time you need a new instance of Cassandra DB, spin up a new compute engine
instance from the snapshot. is not right.
Like above, there is a simple and straightforward way to deploy Cassandra as a Service,
called Astra, on the Google Cloud Marketplace. You don't need to do this in a
convoluted way.
Ref: https://cloud.google.com/blog/products/databases/open-source-cassandra-now-
managed-on-google-cloud
Ref: https://console.cloud.google.com/marketplace/details/click-to-deploy-
images/cassandra?filter=price:free&filter=category:database&id=25ca0967-cd8e-419e-
b554-fe32e87f04be&pli=1

Launch Cassandra DB from Cloud Marketplace. is the right answer.
You can deploy Cassandra as a Service, called Astra, on the Google Cloud Marketplace.
Not only do you get a unified bill for all GCP services, but you can also create Cassandra
clusters on Google Cloud in minutes and build applications with Cassandra as a
database as a service without the operational overhead of managing Cassandra. Each
deployment gets its own set of VM instances (at the time of writing, 3 VM instances,
each with 4 vCPUs + 26 GB memory (n1-highmem-4) and a 10 GB boot disk), which are
isolated from the VM instances of other Cassandra deployments.
Ref: https://cloud.google.com/blog/products/databases/open-source-cassandra-now-
managed-on-google-cloud
Ref: https://console.cloud.google.com/marketplace/details/click-to-deploy-
images/cassandra?filter=price:free&filter=category:database&id=25ca0967-cd8e-419e-
b554-fe32e87f04be&pli=1

Question 35: Incorrect


Your company has deployed all its production applications in a single Google
Cloud Project and uses several GCP projects for development and test
environments. The operations team requires access to all production services in
this project to debug live issues and deploy enhancements. Your security team
prevents the creation of IAM roles that automatically broaden to include new
permissions/services in future. How should you design the IAM role for operations
team?

Grant the Project Editor role on the production GCP project to all members of the
operations team.

Create a custom role with the necessary permissions and grant the role on the
production GCP project to all members of the operations team.

(Correct)

Create a custom role with the necessary permissions and grant the role at the
organization level to all members of the operations team.

Grant the Project Editor role at the organization level to all members of the
operations team.

(Incorrect)

Explanation
Grant the Project Editor role on the production GCP project to all members
of the operations team. is not right.
You want to prevent Google Cloud product changes from broadening their permissions
in the future. So you shouldn't use predefined roles, e.g. Project Editor. Predefined roles
are created and maintained by Google. Their permissions are automatically updated as
necessary, such as when new features or services are added to Google Cloud.
Ref: https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts
Grant the Project Editor role at the organization level to all members of
the operations team. is not right.
You want to prevent Google Cloud product changes from broadening their permissions
in the future. So you shouldn't use predefined roles, e.g. Project Editor. Predefined roles
are created and maintained by Google. Their permissions are automatically updated as
necessary, such as when new features or services are added to Google Cloud.
Ref: https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts

Create a custom role with the necessary permissions and grant the role at
the organization level to all members of the operations team. is not right.
Unlike predefined roles, the permissions in custom roles are not automatically updated
when Google adds new features or services. So the custom role is the right choice.
Ref: https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts
However, granting the custom role at the organization level grants the DevOps team
access to not just the production project but also the testing and development projects,
which goes against the principle of least privilege and should be avoided.
Ref: https://cloud.google.com/iam/docs/understanding-roles

Create a custom role with the necessary permissions and grant the role on
the production GCP project to all members of the operations team. is the right
answer.
Unlike predefined roles, the permissions in custom roles are not automatically updated
when Google adds new features or services. So the custom role is the right choice.
Ref: https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts
Granting the custom role at the production project level grants the DevOps team access
to just the production project and not testing and development projects which aligns
with the principle of least privilege and should be preferred.
Ref: https://cloud.google.com/iam/docs/understanding-roles

Question 36: Correct


You work for a multinational car insurance company that specializes in rewarding
safer drivers with cheaper premiums. Your company does this by installing black
box IoT devices in its 2 million insured drivers’ cars. These devices capture driving
behaviours such as acceleration/deceleration, speed compared to speed limits, and
types of driving, such as commuting on freeway compared to commuting on
surface streets etc. You expect to receive hundreds of events per minute from
every device. You need to store this data and retrieve data consistently based on
the event time, and both operations should be atomic. How should you store this
data?

Store the data in Cloud Storage. Have a file per IoT device and append new data to
the file.

Store the data in Cloud Filestore. Have a file per IoT device and append new data
to the file.

Store the data in Cloud BigTable. Have a row key based on the ingestion
timestamp.

(Correct)

Store the data in Cloud Datastore. Have an entity group per device.

Explanation
Store the data in Cloud Storage. Have a file per IoT device and append new
data to the file. is not right.
Terrible idea!! Cloud Storage objects are immutable, which means that an uploaded
object cannot change throughout its storage lifetime. In practice, this means that you
cannot make incremental changes to objects, such as append operations. However, it is
possible to overwrite objects that are stored in Cloud Storage, and doing so happens
atomically: until the new upload completes, the old version of the object is served to
readers, and after the upload completes the new version is served. So for each update,
the clients (the IoT devices) would have to read the full object, append a single row and
upload the full object again. With the high frequency of IoT data here, different clients
may read different data while the updates happen, and this can mess things up big time.
Ref: https://cloud.google.com/storage/docs/key-terms#immutability

Store the data in Cloud Filestore. Have a file per IoT device and append new
data to the file. is not right.
Like above, there is no easy way to append data to a file in Cloud Filestore. For each
update, the clients will have to read the full file, append a single row and upload the full
file again. A client has to lock the file before updating, and this prevents other clients
from modifying the file. With the high frequency of IoT data here, this design is
impractical.
Ref: https://cloud.google.com/filestore/docs/limits#file_locks

Store the data in Cloud Datastore. Have an entity group per device. is not
right.
Cloud Datastore isn't suitable for ingesting IoT data. It is more suitable for Gaming
leaderboard/player profile data, or where direct client access and real-time sync to
clients is required.
Ref: https://cloud.google.com/products/databases
Also, storing data in an entity group based on the device means that the query has to
iterate through all entities and look at the timestamp value to arrive at the result which
isn't the best design.

Store the data in Cloud BigTable. Have a row key based on the ingestion
timestamp. is the right answer.
Cloud Bigtable provides a scalable NoSQL database service with consistent low latency
and high throughput, making it an ideal choice for storing and processing time-series
vehicle data.
Ref: https://cloud.google.com/solutions/designing-connected-vehicle-
platform#data_ingestion
By creating a row key based on the event timestamp, you can easily fetch data based on
the time of the event, which is our requirement.
Ref: https://cloud.google.com/bigtable/docs/schema-design-time-series

Question 37: Correct


You are running an application on a Google Compute Engine instance. You want to
create multiple copies of this VM to handle the burst in traffic. What should you
do?

Create a snapshot of the compute engine instance disk, create a custom image
from the snapshot, create instances from this image to handle the burst in traffic.

(Correct)

Create a snapshot of the compute engine instance disk and create instances from
this snapshot to handle the burst in traffic.

Create a snapshot of the compute engine instance disk, create custom images
from the snapshot to handle the burst in traffic.

Create a snapshot of the compute engine instance disk and create images from
this snapshot to handle the burst in traffic.

Explanation
Create a snapshot of the compute engine instance disk and create images from
this snapshot to handle the burst in traffic. is not right.
You can't process additional traffic with images. It would be best if you spun up new
compute engine VM instances.
Ref: https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots

Create a snapshot of the compute engine instance disk, create custom images
from the snapshot to handle the burst in traffic. is not right.
You can't process additional traffic with images. It would be best if you spun up new
compute engine VM instances.
Ref: https://cloud.google.com/compute/docs/images

Create a snapshot of the compute engine instance disk and create instances
from this snapshot to handle the burst in traffic. is not right.
The documentation states you can do this.
Ref: https://cloud.google.com/compute/docs/instances/create-start-
instance#restore_boot_snapshot
But, further down in step 7, you see that you are creating a new disk which will be used
by the compute engine instance. You can’t directly create a VM from a snapshot without
the disk. You can use the snapshot to create a disk for the new instance, but you can’t
create the instance directly from a snapshot without the disk.

Ref: https://cloud.google.com/compute/docs/instances/create-start-
instance#creating_a_vm_from_a_custom_image

Also, Google says if you plan to create many instances from the same boot disk
snapshot, consider creating a custom image and creating instances from that image
instead. Custom images can create the boot disks for your instances more quickly and
efficiently than snapshots.

Create a snapshot of the compute engine instance disk, create a custom image
from the snapshot, create instances from this image to handle the burst in
traffic. is the right answer.
To create an instance with a custom image, you must first have a custom image. You can
create custom images from source disks, images, snapshots, or images stored in Cloud
Storage. You can then use the custom image to create one or more instances as needed.
Ref: https://cloud.google.com/compute/docs/instances/create-start-
instance#creating_a_vm_from_a_custom_image
Ref: https://cloud.google.com/compute/docs/images
These additional instances can be used to handle the burst in traffic.

Question 38: Correct


Your company uses Google Cloud for all its compute workloads. One of the
applications that you developed has passed unit testing, and you want to use
Jenkins to deploy the application in User Acceptance Testing (UAT) environment.
Your manager has asked you to automate Jenkins installation as quickly and
efficiently as possible. What should you do?

Deploy Jenkins on a GKE Cluster.

Deploy Jenkins on a Google Compute Engine VM.

Deploy Jenkins on a fleet of Google Cloud Compute Engine VMs in a Managed
Instances Group (MIG) with autoscaling.

Use GCP Marketplace to provision Jenkins.

(Correct)

Explanation
Deploy Jenkins on a Google Compute Engine VM. is not right.
While this can be done, this involves a lot more work than installing the Jenkins server
through GCP Marketplace.

Deploy Jenkins on a GKE Cluster. is not right.
While this can be done, this involves a lot more work than installing the Jenkins server
through GCP Marketplace.

Deploy Jenkins on a fleet of Google Cloud Compute Engine VMs in a Managed
Instances Group (MIG) with autoscaling. is not right.
Like the above options, this can be done, but it involves a lot more work than installing
the Jenkins server through GCP Marketplace.

Use GCP Marketplace to provision Jenkins. is the right answer.
The simplest way to launch a Jenkins server is from GCP Marketplace. GCP Marketplace
has several builds available for Jenkins:
https://console.cloud.google.com/marketplace/browse?q=jenkins.
All you need to do is spin up an instance from a suitable Marketplace build, and you
have a Jenkins server in a few minutes with just a few clicks.

Question 39: Incorrect


You run a business-critical application in a Google Cloud Compute Engine instance, and
you want to set up a cost-efficient solution for backing up the data on the boot disk.
You want a solution that:
• minimizes operational overhead
• backs up boot disks daily
• allows quick restore of the backups when needed, e.g. disaster scenarios
• deletes backups older than a month automatically.
What should you do?

Set up a cron job with a custom script that uses gcloud APIs to create a new disk
from existing instance disk for all instances daily.

(Incorrect)

Enable Snapshot Schedule on the disk to enable automated snapshots per
schedule.

(Correct)

Deploy a Cloud Function to initiate the creation of instance templates for all
instances daily.

Configure a Cloud Task to initiate the creation of images for all instances daily and
upload them to Cloud Storage.

Explanation
Deploy a Cloud Function to initiate the creation of instance templates for
all instances daily. is not right.
This option does not fulfil our requirement of allowing quick restore and automatically
deleting old backups.

Set up a cron job with a custom script that uses gcloud APIs to create a new
disk from existing instance disk for all instances daily. is not right.
This option does not fulfil our requirement of allowing quick restore and automatically
deleting old backups.

Configure a Cloud Task to initiate the creation of images for all instances
daily and upload them to Cloud Storage. is not right.
This option does not fulfil our requirement of allowing quick restore and automatically
deleting old backups.

Enable Snapshot Schedule on the disk to enable automated snapshots per
schedule. is the right answer.
Create snapshots to periodically back up data from your zonal persistent disks or
regional persistent disks. To reduce the risk of unexpected data loss, consider the best
practice of setting up a snapshot schedule to ensure your data is backed up on a regular
schedule.
Ref: https://cloud.google.com/compute/docs/disks/create-snapshots
You can also delete snapshots on a schedule by defining a snapshot retention policy. A
snapshot retention policy defines how long you want to keep your snapshots. If you
choose to set up a snapshot retention policy, you must do so as part of your snapshot
schedule.
Ref: https://cloud.google.com/compute/docs/disks/scheduled-
snapshots#retention_policy

Question 40: Incorrect


EU GDPR requires you to respond to a Subject Access Request (SAR) within one
month. To be compliant, your company deployed an application that uses Apache
WebServer to provide SAR archive (tar) files back to customers requesting them.
Your compliance team has asked you to send them an email notification when the
network egress charges for this server in the GCP project exceeds 250 dollars per
month. What should you do?

Export the logs from Apache server to Cloud Logging and deploy a Cloud Function
to parse the logs, extract and sum up the size of response payload for all requests
during the current month; and send an email notification when spending exceeds
$250.

Configure a budget with the scope set to the project, the amount set to $250,
threshold rule set to 100% of actual cost & trigger email notifications when
spending exceeds the threshold.

Configure a budget with the scope set to the billing account, the amount set to
$250, threshold rule set to 100% of actual cost & trigger email notifications when
spending exceeds the threshold.

(Incorrect)

Export the project billing data to a BigQuery dataset and deploy a Cloud Function
to extract and sum up the network egress costs from the BigQuery dataset for the
Apache server for the current month, and send an email notification when
spending exceeds $250.

(Correct)

Explanation
Configure a budget with the scope set to the project, the amount set to
$250, threshold rule set to 100% of actual cost & trigger email
notifications when spending exceeds the threshold. is not right.
This budget alert is defined for the project, which means it includes all costs and not just
the egress network costs - which goes against our requirements. It also contains costs
across all applications and not just the Compute Engine instance containing the Apache
webserver. While it is possible to set the budget scope to include the Product (i.e.
Google Compute Engine) and a label that uniquely identifies the specific compute
engine instance, the option doesn't mention this.
Ref: https://cloud.google.com/billing/docs/how-to/budgets#budget-scope

Configure a budget with the scope set to the billing account, the amount set
to $250, threshold rule set to 100% of actual cost & trigger email
notifications when spending exceeds the threshold. is not right.
Like above, but worse as this budget alert includes costs from all projects linked to the
billing account. And like above, while it is possible to scope an alert down to
Project/Product/Labels, the option doesn't mention this.
Ref: https://cloud.google.com/billing/docs/how-to/budgets#budget-scope

Export the logs from Apache server to Cloud Logging and deploy a Cloud
Function to parse the logs, extract and sum up the size of response payload
for all requests during the current month; and send an email notification
when spending exceeds $250. is not right.
You can't arrive at the exact egress costs with this approach. You can configure Apache
logs to include the response object size.
Ref: https://httpd.apache.org/docs/1.3/logs.html#common
You can then do what this option says to arrive at the combined size of all the
responses, but this is not 100% accurate as it does not include header sizes. Even if we
assume the header size is insignificant compared to the large files published on the
Apache web server, our question asks us to do this the Google way, "as measured by
Google Cloud Platform (GCP)". GCP does not look at the response sizes in the Apache
log files to determine the egress costs. The GCP egress calculator takes into
consideration the source and destination (source = the region that hosts the Compute
Engine instance running Apache Web Server; destination = the destination region of the
packet). The egress cost is different for different destinations, as shown in this pricing
reference.
Ref: https://cloud.google.com/vpc/network-pricing#internet_egress
The Apache logs do not give you the destination information, and without this
information, you can't accurately calculate the egress costs.

Export the project billing data to a BigQuery dataset and deploy a Cloud
Function to extract and sum up the network egress costs from the BigQuery
dataset for the Apache server for the current month, and send an email
notification when spending exceeds $250. is the right answer.
This option is the only one that satisfies our requirement. We do it the Google way by
(re)using the Billing Data that GCP uses. And we scope down the costs to just egress
network costs for the apache web server. Finally, we schedule this to run hourly and
send an email if the costs exceed 250 dollars.
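As an added example, not the practice test's own code, here is the aggregation such a Cloud Function would perform: the BigQuery SQL it would run against the billing export, and the same logic in Python over a constructed sample of export rows (service and sku records, usage_start_time, labels array, cost), so the filtering can be checked offline. The table name and the label that tags the Apache VM are assumptions; sending the e-mail is left to whatever mail integration the function uses.

```python
from __future__ import annotations

from datetime import datetime

# Assumed, not from the page: the export table (placeholder), the label that
# tags the Apache VM, and the alert threshold from the question.
BILLING_TABLE = "BILLING_PROJECT.billing_export.gcp_billing_export_v1_BILLING_ACCOUNT_ID"
INSTANCE_LABEL = ("app", "sar-apache")
THRESHOLD_USD = 250.0

# The same aggregation as BigQuery SQL for the Cloud Function to run against
# the export; `labels` is a repeated record of key/value pairs in that schema.
EGRESS_QUERY = f"""
SELECT SUM(cost) AS egress_cost
FROM `{BILLING_TABLE}`
WHERE service.description = 'Compute Engine'
  AND sku.description LIKE '%Egress%'
  AND EXISTS (SELECT 1 FROM UNNEST(labels) l
              WHERE l.key = '{INSTANCE_LABEL[0]}' AND l.value = '{INSTANCE_LABEL[1]}')
  AND DATE(usage_start_time) >= DATE_TRUNC(CURRENT_DATE(), MONTH)
"""

# Constructed rows shaped like the billing export; amounts are made up.
SAMPLE_ROWS = [
    {"service": {"description": "Compute Engine"},
     "sku": {"description": "Network Internet Egress from Americas to EMEA"},
     "usage_start_time": "2024-03-03T10:00:00+00:00",
     "labels": [{"key": "app", "value": "sar-apache"}], "cost": 180.40},
    {"service": {"description": "Compute Engine"},
     "sku": {"description": "Network Internet Egress from Americas to Americas"},
     "usage_start_time": "2024-03-12T00:00:00+00:00",
     "labels": [{"key": "app", "value": "sar-apache"}], "cost": 95.25},
    # Same VM, but CPU time rather than egress: must not be counted.
    {"service": {"description": "Compute Engine"},
     "sku": {"description": "N1 Predefined Instance Core running in Americas"},
     "usage_start_time": "2024-03-12T00:00:00+00:00",
     "labels": [{"key": "app", "value": "sar-apache"}], "cost": 60.00},
    # Egress from a different VM in the same project: must not be counted.
    {"service": {"description": "Compute Engine"},
     "sku": {"description": "Network Internet Egress from Americas to APAC"},
     "usage_start_time": "2024-03-15T00:00:00+00:00",
     "labels": [{"key": "app", "value": "reporting"}], "cost": 40.00},
    # Previous month's egress for the Apache VM: outside the window.
    {"service": {"description": "Compute Engine"},
     "sku": {"description": "Network Internet Egress from Americas to EMEA"},
     "usage_start_time": "2024-02-27T00:00:00+00:00",
     "labels": [{"key": "app", "value": "sar-apache"}], "cost": 120.00},
]


def has_label(row: dict, key: str, value: str) -> bool:
    return any(lbl.get("key") == key and lbl.get("value") == value
               for lbl in row.get("labels", []))


def is_network_egress(row: dict) -> bool:
    """Compute Engine SKUs whose description mentions egress; core, RAM and
    disk SKUs of the same VM are excluded."""
    return (row["service"]["description"] == "Compute Engine"
            and "Egress" in row["sku"]["description"])


def in_month(row: dict, year: int, month: int) -> bool:
    start = datetime.fromisoformat(row["usage_start_time"])
    return (start.year, start.month) == (year, month)


def egress_cost(rows, year: int, month: int, label=INSTANCE_LABEL) -> float:
    """Sum of network egress cost for the labelled VM in the given month."""
    total = sum(r["cost"] for r in rows
                if is_network_egress(r) and has_label(r, *label)
                and in_month(r, year, month))
    return round(total, 2)


def evaluate(rows, year: int, month: int, threshold: float = THRESHOLD_USD) -> dict:
    """Decide whether to notify and build the notification text."""
    cost = egress_cost(rows, year, month)
    message = (f"Network egress for {INSTANCE_LABEL[1]} in {year}-{month:02d}: "
               f"${cost:.2f} (threshold ${threshold:.2f})")
    return {"cost": cost, "exceeded": cost > threshold, "message": message}


if __name__ == "__main__":
    result = evaluate(SAMPLE_ROWS, 2024, 3)
    print(result["message"], "-> notify" if result["exceeded"] else "-> ok")
```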

Question 41: Correct


You plan to deploy an application to Google Compute Engine instance, and it
relies on making connections to a Cloud SQL database for retrieving information
about book publications. To minimize costs, you are developing this application
on your local workstation, and you want it to connect to a Cloud SQL instance.
Your colleague suggested setting up Application Default Credentials on your
workstation to make the transition to Google Cloud easier. You are now ready to
move the application to Google Compute Engine instance. You want to follow
Google recommended practices to enable secure IAM access. What should you do?

Grant the necessary IAM roles to a service account and configure the application
running on Google Compute Engine instance to use this service account.

Grant the necessary IAM roles to a service account, download the JSON key file
and package it with your application.

Grant the necessary IAM roles to the service account used by Google Compute
Engine instance.

(Correct)

Grant the necessary IAM roles to a service account, store its credentials in a config
file and package it with your application.

Explanation
Grant the necessary IAM roles to a service account, download the JSON key
file and package it with your application. is not right.
To use a service account outside of Google Cloud, such as on other platforms or on-
premises, you must first establish the identity of the service account. Public/private key
pairs provide a secure way of accomplishing this goal. Since our application is running
inside Google Cloud, Google's recommendation is to assign the required permissions to
the service account and not use the service account keys.
Ref: https://cloud.google.com/iam/docs/creating-managing-service-account-keys

Grant the necessary IAM roles to a service account, store its credentials in
a config file and package it with your application. is not right.
For application-to-application interaction, Google recommends the use of service
accounts. A service account is an account for an application instead of an individual
end-user. When you run code that's hosted on Google Cloud, the code runs as the
account you specify. You can create as many service accounts as needed to represent
the different logical components of your application.
Ref: https://cloud.google.com/iam/docs/overview#service_account

Grant the necessary IAM roles to a service account and configure the
application running on Google Compute Engine instance to use this service
account. is not right.
Using Application Default Credentials ensures that the service account works seamlessly.
When testing on your local machine, it uses a locally-stored service account key, but
when running on Compute Engine, it uses the project's default Compute Engine service
account. So we have to provide access to the service account used by the compute
engine VM and not the service account used by the application.
Ref: https://cloud.google.com/iam/docs/service-
accounts#application_default_credentials

Grant the necessary IAM roles to the service account used by Google Compute
Engine instance. is the right answer.
Using Application Default Credentials ensures that the service account works seamlessly.
When testing on your local machine, it uses a locally-stored service account key, but
when running on Compute Engine, it uses the project's default Compute Engine service
account. So we have to provide access to the service account used by the compute
engine VM.
Ref: https://cloud.google.com/iam/docs/service-
accounts#application_default_credentials

Question 42: Correct


Your company stores an export of its Customer PII data in a multi-regional Google
Cloud storage bucket. Your legal and compliance department has asked you to
record all operations/requests on the data in this bucket. What should you do?

Use the Data Loss Prevention API to record this information.

Use the Identity Aware Proxy API to record this information.

Turn on data access audit logging in Cloud Storage to record this information.

(Correct)

Enable the default Cloud Storage Service account exclusive access to read all
operations and record them.

Explanation
Use the Identity Aware Proxy API to record this information. is not right.

Identity Aware Proxy is for controlling access to your cloud-based and on-premises
applications and VMs running on Google Cloud. It can't be used to record/monitor data
access in Cloud Storage bucket.
Ref: https://cloud.google.com/iap

Use the Data Loss Prevention API to record this information. is not right.
Cloud Data Loss Prevention is a fully managed service designed to help you discover,
classify, and protect your most sensitive data. It can't be used to record/monitor data
access in Cloud Storage bucket.
Ref: https://cloud.google.com/dlp

Enable the default Cloud Storage Service account exclusive access to read
all operations and record them. is not right.
You need access logs, and service account access has no impact on that. Moreover,
there is no such thing as a default Cloud Storage service account.
Ref: https://cloud.google.com/storage/docs/access-logs

Turn on data access audit logging in Cloud Storage to record this
information. is the right answer.
Data Access audit logs contain API calls that read the configuration or metadata of
resources, as well as user-driven API calls that create, modify, or read user-provided
resource data. Unlike Admin Activity audit logs, which are always on, Data Access audit
logs are disabled by default for Cloud Storage and must be turned on explicitly.
Ref: https://cloud.google.com/logging/docs/audit#data-access
You can enable data access audit logs at the organization, folder or project level, for
all services or for specific services such as Cloud Storage, as described here.
Ref: https://cloud.google.com/logging/docs/audit/configure-data-access#configuration_overview
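Data Access audit logs are switched on by editing the auditConfigs section of the project IAM policy (get the policy with gcloud, edit it, set it back). The following is an added example, not code from the practice test or from Google; it performs the edit step on a policy loaded as a Python dict. The policy contents, the etag and the exempted service account are constructed placeholders.

```python
"""Added example (not part of the original practice test): build the IAM
policy change that turns on Data Access audit logs for Cloud Storage.

Data Access audit logs are configured through the `auditConfigs` section of
the project (or folder/organization) IAM policy. The usual workflow is:
    gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
    <edit auditConfigs>
    gcloud projects set-iam-policy PROJECT_ID policy.json
The function below performs the edit step on the policy as a Python dict.
The policy below is constructed sample data; the etag and members are
placeholders.
"""
import copy
import json

STORAGE_SERVICE = "storage.googleapis.com"
# DATA_READ covers reads of object data and metadata, DATA_WRITE covers
# creates/updates/deletes, ADMIN_READ covers reads of bucket/IAM configuration.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_storage_data_access_logs(policy: dict) -> dict:
    """Return a copy of `policy` whose auditConfigs enable all Data Access log
    types for Cloud Storage. Entries for other services, and any
    exemptedMembers already set for Cloud Storage, are preserved."""
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == STORAGE_SERVICE), None)
    if entry is None:
        entry = {"service": STORAGE_SERVICE, "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"]: c for c in entry.setdefault("auditLogConfigs", [])}
    for log_type in REQUIRED_LOG_TYPES:
        present.setdefault(log_type, {"logType": log_type})
    # Emit in a stable order so repeated runs produce an identical policy file.
    entry["auditLogConfigs"] = [present[t] for t in sorted(present)]
    return updated


def storage_log_types(policy: dict) -> list:
    """List the Data Access log types currently enabled for Cloud Storage."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == STORAGE_SERVICE:
            return sorted(c["logType"] for c in cfg.get("auditLogConfigs", []))
    return []


# Constructed sample: one unrelated audit config, and DATA_READ already on for
# Cloud Storage with an exempted (placeholder) backup service account.
SAMPLE_POLICY = {
    "etag": "PLACEHOLDER_ETAG",
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
    "auditConfigs": [
        {"service": "bigquery.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]},
        {"service": STORAGE_SERVICE,
         "auditLogConfigs": [{"logType": "DATA_READ",
                              "exemptedMembers": [
                                  "serviceAccount:backup-sa@example.iam.gserviceaccount.com"]}]},
    ],
}

if __name__ == "__main__":
    new_policy = enable_storage_data_access_logs(SAMPLE_POLICY)
    print(json.dumps(new_policy, indent=2))
```

The etag is kept in the output on purpose: gcloud projects set-iam-policy uses it for optimistic concurrency, so a policy edited by someone else in the meantime is rejected rather than silently overwritten. Keep exemptedMembers to a minimum; every exempted principal is a gap in the record the compliance team asked for.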

Question 43: Incorrect


You run a batch job every month in your on-premises data centre that downloads
clickstream logs from Google Cloud Storage bucket, enriches the data and stores
them in Cloud BigTable. The job runs for 32 hours on average, is fault-tolerant and
can be restarted if interrupted, and must complete. You want to migrate this batch
job onto a cost-efficient GCP compute service. How should you deploy it?

Deploy the batch job in a GKE Cluster with preemptible VM node pool.

(Correct)

Deploy the batch job on a Google Cloud Compute Engine non-preemptible VM.
Restart instances as required.

Deploy the batch job on a fleet of Google Cloud Compute Engine preemptible VM
in a Managed Instances Group (MIG) with autoscaling.

(Incorrect)

Deploy the batch job on a Google Cloud Compute Engine Preemptible VM.

Explanation
Deploy the batch job on a Google Cloud Compute Engine Preemptible VM. is not
right.
A preemptible VM is an instance that you can create and run at a much lower price than
regular instances. However, Compute Engine might terminate (preempt) these instances
if it requires access to those resources for other tasks. Preemptible instances are excess
Compute Engine capacity, so their availability varies with usage. The job runs for about
32 hours while a preemptible VM lasts at most 24 hours, and nothing restarts the job
after a preemption, so a single preemptible VM cannot guarantee that the job completes.
https://cloud.google.com/compute/docs/instances/preemptible#what_is_a_preemptible_instance

Deploy the batch job on a Google Cloud Compute Engine non-preemptible VM.
Restart instances as required. is not right.
Stopping and starting instances as needed is a manual activity and incurs operational
expenditure. Since we want to minimize cost, this is not a good fit.

Deploy the batch job on a fleet of Google Cloud Compute Engine preemptible
VM in a Managed Instances Group (MIG) with autoscaling. is not right.
The requirement does not call for scaling up or down on target CPU utilization, so an
autoscaling MIG adds nothing here.

Deploy the batch job in a GKE Cluster with preemptible VM node pool. is the
right answer.
Preemptible VMs are Compute Engine VM instances that last a maximum of 24 hours
and provide no availability guarantees. Preemptible VMs are priced lower than standard
Compute Engine VMs and offer the same machine types and options. You can use
preemptible VMs in your GKE clusters or node pools to run batch or fault-tolerant jobs
that are less sensitive to the ephemeral, non-guaranteed nature of preemptible VMs.
Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/preemptible-vms
GKE’s autoscaler is very smart and always tries to first scale the node pool with cheaper
VMs. In this case, it scales up the preemptible node pool. The GKE autoscaler then scales
up the default node pool—but only if no preemptible VMs are available.
Ref: https://cloud.google.com/blog/products/containers-kubernetes/cutting-costs-with-google-kubernetes-engine-using-the-cluster-autoscaler-and-preemptible-vms

Question 44: Correct


You have an application in your on-premises data centre with an API that is
triggered when a new file is created or updated in a NAS share. You want to
migrate this solution to Google Cloud Platform and have identified Cloud Storage
as the replacement service for NAS. How should you deploy the API?

Trigger a Cloud Function whenever files in Cloud Storage are created or updated.

(Correct)

Configure Cloud Pub/Sub to capture details of files created/modified in Cloud
Storage. Deploy the API in App Engine Standard and use Cloud Scheduler to
trigger the API to fetch information from Cloud Pub/Sub.

Trigger a Cloud Dataflow job whenever files in Cloud Storage are created or
updated.

Deploy the API on GKE cluster and use Cloud Scheduler to trigger the API to look
for files in Cloud Storage that were created or updated since the last run.

Explanation
Configure Cloud Pub/Sub to capture details of files created/modified in
Cloud Storage. Deploy the API in App Engine Standard and use Cloud Scheduler
to trigger the API to fetch information from Cloud Pub/Sub. is not right.
Cloud Scheduler lets you run your batch and big data jobs on a recurring schedule.
Since it doesn't work real-time, you can't execute a code snippet whenever a new file is
uploaded to a Cloud Storage bucket.
Ref: https://cloud.google.com/scheduler

Deploy the API on GKE cluster and use Cloud Scheduler to trigger the API to
look for files in Cloud Storage that were created or updated since the last
run. is not right.
You can use CronJobs to run tasks at a specific time or interval. Since it doesn't work
real-time, you can't execute a code snippet whenever a new file is uploaded to a Cloud
Storage bucket.
Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/cronjobs

Trigger a Cloud Dataflow job whenever files in Cloud Storage are created or
updated. is not right.
Dataflow is a unified stream and batch data processing service that's serverless, fast,
and cost-effective. Batch processing is not real-time, so you can't execute a code
snippet whenever a new file is uploaded to a Cloud Storage bucket.
Ref: https://cloud.google.com/dataflow

Trigger a Cloud Function whenever files in Cloud Storage are created or
updated. is the right answer.
Cloud Functions can respond to change notifications emerging from Google Cloud
Storage. These notifications can be configured to trigger in response to various events
inside a bucket—object creation, deletion, archiving and metadata updates.
Ref: https://cloud.google.com/functions/docs/calling/storage
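A Cloud Storage-triggered function is the replacement for the NAS hook, but the trigger fires for every object change in the bucket, so the handler has to decide what it acts on. The block below is an added example, not code from the practice test or from Google: a Python background function for Cloud Functions (1st gen) that handles only the event types of interest, only from the expected bucket, and skips objects it wrote itself (a function that writes results back into the bucket it watches would otherwise keep re-triggering). The bucket name, the output prefix, the process_file stand-in and the deploy command are assumptions; the event and context objects are constructed to match the shape of the real payload.

```python
"""Added example (not the practice test's or Google's code): a Cloud Functions
(1st gen, Python) background function that replaces the NAS-triggered API.

Assumptions: the function is deployed with a Cloud Storage trigger, e.g.
    gcloud functions deploy on-new-file --runtime python39 \
        --entry-point handle_gcs_event \
        --trigger-resource SOURCE_BUCKET --trigger-event google.storage.object.finalize
(plus a second deployment for metadataUpdate if those events are wanted), and
`process_file` stands in for the real API logic, which is not on the page.
SOURCE_BUCKET and the `processed/` prefix are placeholders.
"""
from types import SimpleNamespace

SOURCE_BUCKET = "SOURCE_BUCKET"          # placeholder bucket name
OUTPUT_PREFIX = "processed/"             # objects the function itself writes back
HANDLED_EVENTS = {
    "google.storage.object.finalize",        # new object or new object version
    "google.storage.object.metadataUpdate",  # metadata changed in place
}


def process_file(bucket: str, name: str) -> dict:
    """Placeholder for the migrated API call; returns the request it would make."""
    return {"bucket": bucket, "object": name}


def handle_gcs_event(event: dict, context) -> dict:
    """Entry point wired to the Cloud Storage trigger.

    Returns a small status record (handy in tests and logs); the work itself is
    delegated to process_file(). Three checks keep the trigger well-behaved:
      * only finalize/metadataUpdate events are handled (deletes/archives are not),
      * only events from the expected bucket are handled,
      * objects under OUTPUT_PREFIX are skipped to avoid re-triggering on our
        own output.
    """
    event_type = getattr(context, "event_type", "")
    bucket = event.get("bucket", "")
    name = event.get("name", "")

    if event_type not in HANDLED_EVENTS:
        return {"status": "ignored", "reason": f"event {event_type}", "object": name}
    if bucket != SOURCE_BUCKET:
        return {"status": "ignored", "reason": f"bucket {bucket}", "object": name}
    if name.startswith(OUTPUT_PREFIX):
        return {"status": "ignored", "reason": "own output", "object": name}

    result = process_file(bucket, name)
    return {"status": "processed", "object": name,
            "generation": event.get("generation"), "api_call": result}


def make_event(name: str, bucket: str = SOURCE_BUCKET, generation: str = "1") -> dict:
    """Constructed sample event shaped like the real Cloud Storage payload."""
    return {"bucket": bucket, "name": name, "generation": generation,
            "metageneration": "1", "contentType": "text/plain",
            "timeCreated": "2024-01-01T00:00:00.000Z",
            "updated": "2024-01-01T00:00:00.000Z"}


def make_context(event_type: str = "google.storage.object.finalize"):
    """Constructed stand-in for the context object Cloud Functions passes in."""
    return SimpleNamespace(event_id="0", event_type=event_type,
                           resource={"service": "storage.googleapis.com"})


if __name__ == "__main__":
    print(handle_gcs_event(make_event("uploads/report.csv"), make_context()))
    print(handle_gcs_event(make_event("processed/report.csv"), make_context()))
    print(handle_gcs_event(make_event("uploads/report.csv"),
                           make_context("google.storage.object.delete")))
```

The generation number is carried into the result because a finalize event is delivered per object version; keying downstream work on bucket, name and generation makes a redelivered event idempotent instead of processing the same upload twice.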

Question 45: Incorrect


You work for a startup company where every developer has a dedicated
development GCP project linked to a central billing account. Your finance lead is
concerned that some developers may leave some services running unnecessarily or
may not understand the cost implications of turning on specific services in Google
Cloud Platform. They want to be alerted when a developer spends more than $750
per month in their GCP project. What should you do?

Export Billing data from each development GCP project to a separate BigQuery
dataset. On each dataset, use a Data Studio dashboard to plot the spending.

Set up a single budget for all development GCP projects. Trigger an email
notification when the spending exceeds $750 in the budget.

(Incorrect)

Set up a budget for each development GCP project. For each budget, trigger an
email notification when the spending exceeds $750.

(Correct)

Export Billing data from all development GCP projects to a single BigQuery
dataset. Use a Data Studio dashboard to plot the spend.

Explanation
Set up a single budget for all development GCP projects. Trigger an email
notification when the spending exceeds $750 in the budget. is not right.
A budget enables you to track your actual Google Cloud spend against your planned
spend. After you've set a budget amount, you set budget alert threshold rules that are
used to trigger email notifications. Budget alert emails help you stay informed about
how your spend is tracking against your budget. But since a single budget is created for
all projects, it is not possible to identify if a developer has spent more than $750 per
month on their development project.
Ref: https://cloud.google.com/billing/docs/how-to/budgets

Export Billing data from each development GCP project to a separate
BigQuery dataset. On each dataset, use a Data Studio dashboard to plot the
spending. is not right.
This option does not alert the finance team if any of the developers have spent above
$750.

Export Billing data from all development GCP projects to a single BigQuery
dataset. Use a Data Studio dashboard to plot the spend. is not right.
This option does not alert the finance team if any of the developers have spent above
$750.

Set up a budget for each development GCP project. For each budget, trigger
an email notification when the spending exceeds $750. is the right answer.
A budget enables you to track your actual Google Cloud spend against your planned
spend. After you've set a budget amount, you set budget alert threshold rules that are
used to trigger email notifications. Budget alert emails help you stay informed about
how your spend is tracking against your budget. As the budget is created per project,
the alert triggers whenever spend in that project exceeds $750 in a month.
Ref: https://cloud.google.com/billing/docs/how-to/budgets

Question 46: Incorrect


You are migrating a complex on-premises data warehousing solution to Google
Cloud. You plan to create a fleet of Google Compute Engine instances behind a
Managed Instances Group (MIG) in the app-tier project, and BigQuery in the data-
warehousing project. How should you configure the service accounts used by
Compute Engine instances to allow them query access to BigQuery datasets?


Grant the compute engine service account roles/bigquery.dataViewer role on the
data-warehousing GCP project.

(Correct)

Grant the compute engine service account roles/owner on data-warehousing GCP
project.

Grant the BigQuery service account roles/owner on app-tier GCP project.

Grant the compute engine service account roles/owner on data-warehousing GCP
project and roles/bigquery.dataViewer role on the app-tier GCP project.

(Incorrect)

Explanation
Grant the BigQuery service account roles/owner on app-tier GCP project. is
not right.
The requirement is to identify the access needed for the service account in the app-tier
project, not the service account in the data-warehousing project.

Grant the compute engine service account roles/owner on data-warehousing GCP
project. is not right.
The primitive project owner role provides permissions to manage all resources within
the project. For this scenario, the service account in the app-tier project only needs
read access to BigQuery datasets in the data-warehousing project. Granting the project
owner role would fall foul of the least privilege principle.
Ref: https://cloud.google.com/iam/docs/recommender-overview

Grant the compute engine service account roles/owner on data-warehousing GCP
project and roles/bigquery.dataViewer role on the app-tier GCP project. is
not right.
The primitive project owner role provides permissions to manage all resources within
the project. For this scenario, the service account in the app-tier project only needs
read access to BigQuery datasets in the data-warehousing project. Granting the project
owner role would fall foul of the least privilege principle, and the dataViewer grant on
the app-tier project is on the wrong project altogether.
Ref: https://cloud.google.com/iam/docs/recommender-overview

Grant the compute engine service account roles/bigquery.dataViewer role on
the data-warehousing GCP project. is the right answer.
The bigquery.dataViewer role provides permissions to read the dataset's metadata and
list tables in the dataset, as well as read data and metadata from the dataset's tables.
Because IAM members are global, the app-tier project's Compute Engine service account
can be bound directly in the data-warehousing project's policy. This role is what we
need to fulfil this requirement and follows the least privilege principle.
Ref: https://cloud.google.com/iam/docs/understanding-roles#bigquery-roles
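The difference between the right answer and the two roles/owner options is visible in the data-warehousing project's IAM policy. The following is an added example, not code from the practice test or from Google: it reviews a policy (the JSON shape returned by gcloud projects get-iam-policy) for the compute service account's bindings, flags basic roles on it, and produces the policy with only the bigquery.dataViewer binding. The project, service account e-mail, other members and etag are constructed placeholders.

```python
"""Added example (not from the practice test): check a data-warehousing
project's IAM policy for the least-privilege binding the question calls for,
and flag the over-broad alternatives (a basic role on a service account).

The policy dict mirrors `gcloud projects get-iam-policy PROJECT --format=json`.
The service account e-mail, the other members and the etag are placeholders;
the policy is constructed sample data.
"""
import copy

COMPUTE_SA = "serviceAccount:123456789-compute@developer.gserviceaccount.com"  # placeholder
NEEDED_ROLE = "roles/bigquery.dataViewer"
# Basic roles grant far more than dataset reads; flag them on any service account.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def roles_for_member(policy: dict, member: str) -> set:
    """Roles bound to `member` in `policy` (conditional bindings included)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def review_binding(policy: dict, member: str) -> dict:
    """Classify the member's access: does it hold the needed role, and does it
    hold anything broader than a BigQuery read role?"""
    roles = roles_for_member(policy, member)
    return {
        "has_needed_role": NEEDED_ROLE in roles,
        "overly_broad": sorted(roles & BROAD_ROLES),
        "roles": sorted(roles),
    }


def grant_least_privilege(policy: dict, member: str) -> dict:
    """Return a copy of the policy in which `member` holds NEEDED_ROLE and no
    basic role: the dataViewer binding is added if missing and basic-role
    bindings are dropped for that member only. Other members are untouched."""
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for b in bindings:
        if b["role"] in BROAD_ROLES and member in b.get("members", []):
            b["members"].remove(member)
    # IAM rejects bindings with an empty member list, so drop them.
    updated["bindings"] = [b for b in bindings if b.get("members")]
    target = next((b for b in updated["bindings"]
                   if b["role"] == NEEDED_ROLE and "condition" not in b), None)
    if target is None:
        updated["bindings"].append({"role": NEEDED_ROLE, "members": [member]})
    elif member not in target["members"]:
        target["members"].append(member)
    return updated


# Constructed sample: the app-tier compute SA was granted roles/owner on the
# data-warehousing project (the over-broad option from the question).
WAREHOUSE_POLICY = {
    "etag": "PLACEHOLDER_ETAG",
    "bindings": [
        {"role": "roles/owner", "members": ["user:dw-admin@example.com", COMPUTE_SA]},
        {"role": "roles/bigquery.dataViewer", "members": ["group:analysts@example.com"]},
    ],
}

if __name__ == "__main__":
    print(review_binding(WAREHOUSE_POLICY, COMPUTE_SA))
    fixed = grant_least_privilege(WAREHOUSE_POLICY, COMPUTE_SA)
    print(review_binding(fixed, COMPUTE_SA))
```

For a single grant with no clean-up, the equivalent one-liner is gcloud projects add-iam-policy-binding DW_PROJECT --member=serviceAccount:... --role=roles/bigquery.dataViewer. If the warehouse project holds datasets the app tier should not see at all, BigQuery also accepts the same role on an individual dataset, which is narrower still than the project-level grant the question asks for.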
