Visit here for our full Google Associate Cloud Engineer exam dumps and practice test questions.
Question 21
Your application deployed on App Engine needs to scale automatically based on the number of concurrent requests. Which scaling type should you configure?
A) Manual scaling
B) Basic scaling
C) Automatic scaling
D) Fixed scaling
Answer: C
Explanation:
Google App Engine provides different scaling types that determine how instances are created and destroyed in response to traffic patterns. Each scaling type has distinct characteristics regarding instance lifecycle, cost implications, and response to load variations. Understanding these differences is essential for optimizing application performance and cost.
Automatic scaling is the correct choice for scaling based on concurrent requests because it continuously adjusts the number of instances based on request volume, request latency, and other application metrics. Automatic scaling creates and removes instances dynamically as traffic fluctuates, allowing configuration of target CPU utilization and concurrent request thresholds. When concurrent requests exceed configured thresholds, App Engine automatically provisions additional instances to handle the load. When traffic decreases, instances are automatically removed to reduce costs. This scaling type provides the best balance between performance and cost for applications with variable traffic patterns. Automatic scaling supports sophisticated configuration including minimum and maximum instance counts, target CPU utilization, target throughput utilization, and maximum concurrent requests per instance. It’s ideal for web applications, APIs, and services with unpredictable traffic where you want instances to scale up during peaks and scale down during quiet periods without manual intervention.
A is incorrect because manual scaling requires explicitly setting the number of instances and doesn’t automatically adjust based on traffic, requiring manual intervention to handle load changes. B is incorrect because basic scaling creates instances when requests arrive but doesn’t scale based on concurrent requests; instead, it creates instances on demand and shuts them down after idle timeout, making it suitable for intermittent workloads but not optimized for concurrent request-based scaling. D is incorrect because fixed scaling is not a valid App Engine scaling type; the three types are manual, basic, and automatic.
Question 22
You need to connect your on-premises network to GCP with a dedicated private connection. Which service should you use?
A) Cloud VPN
B) Cloud Interconnect
C) VPC Peering
D) Direct Peering
Answer: B
Explanation:
Connecting on-premises infrastructure to Google Cloud Platform requires choosing the appropriate connectivity option based on bandwidth requirements, latency sensitivity, security needs, and budget. GCP offers multiple connectivity solutions ranging from encrypted internet-based VPN to dedicated physical connections, each with different characteristics and use cases.
Cloud Interconnect is the correct service for establishing a dedicated private connection between on-premises networks and GCP. Cloud Interconnect provides direct physical connections that don’t traverse the public internet, offering two options: Dedicated Interconnect provides direct physical connections between your network and Google’s network with bandwidth from 10 Gbps to 200 Gbps, while Partner Interconnect provides connections through supported service providers with bandwidth from 50 Mbps to 50 Gbps. Both options provide private IP connectivity to VPC networks with lower latency than internet-based connections, higher reliability through SLA-backed connections, reduced egress costs compared to internet-based data transfer, and no encryption overhead since traffic doesn’t traverse the public internet. Cloud Interconnect is ideal for enterprise hybrid cloud deployments, large data transfers, latency-sensitive applications, and scenarios requiring predictable network performance. Organizations commonly use Interconnect for extending on-premises data centers into GCP, disaster recovery configurations, and hybrid applications spanning both environments.
A is incorrect because Cloud VPN creates encrypted tunnels over the public internet rather than dedicated private connections, providing lower bandwidth and potentially higher latency than Interconnect. C is incorrect because VPC Peering connects VPC networks within Google Cloud, not on-premises networks to GCP. D is incorrect because Direct Peering provides direct connections to Google services like Google Workspace but doesn’t provide private access to VPC resources; it’s used for accessing Google public services, not private VPC connectivity.
Question 23
Your development team needs to test new application versions with a small percentage of traffic before full rollout. Which deployment strategy should you use on Cloud Run?
A) Blue-green deployment
B) Rolling update
C) Traffic splitting
D) Canary deployment using labels
Answer: C
Explanation:
Deploying new application versions requires strategies that minimize risk and enable gradual validation of changes. Different deployment strategies offer varying levels of control over traffic distribution and rollback capabilities. Cloud Run provides built-in features for sophisticated deployment patterns without requiring external traffic management infrastructure.
Traffic splitting is the correct Cloud Run feature for testing new versions with a small percentage of traffic before full rollout. Cloud Run allows configuring traffic percentages across multiple revisions of the same service, enabling granular control over which revision receives what proportion of requests. You can deploy a new revision without sending it traffic, then gradually increase its traffic percentage while monitoring performance, errors, and business metrics. For example, you might route 5 percent of traffic to the new revision initially, then increase to 25 percent, 50 percent, and finally 100 percent as confidence builds. Traffic splitting supports tag-based routing for testing specific revisions with URLs, gradual migration with percentage-based distribution, instant rollback by adjusting traffic percentages, and A/B testing different implementations. Cloud Run handles the traffic distribution automatically based on configured percentages, making it simple to implement sophisticated deployment strategies without additional infrastructure or tools.
A is incorrect because while blue-green deployment is a valid strategy where you maintain two complete environments, Cloud Run’s traffic splitting provides more granular control than binary switching between environments. B is incorrect because rolling update refers to gradually replacing instances with new versions, which is the default Kubernetes update strategy but not how Cloud Run deployments are typically described or configured. D is incorrect because while canary deployment describes the testing pattern, Cloud Run implements this through traffic splitting rather than labels; the specific feature to use is traffic splitting configuration.
Question 24
You need to ensure that a Compute Engine instance can only be accessed from specific IP addresses. What should you configure?
A) Identity-Aware Proxy
B) VPC firewall rules
C) Cloud Armor security policies
D) Network tags
Answer: B
Explanation:
Controlling network access to Compute Engine instances requires implementing appropriate network security controls. Google Cloud Platform provides multiple layers of network security, each serving different purposes and operating at different levels of the network stack. Understanding which control applies to different scenarios is essential for proper security implementation.
VPC firewall rules are the correct mechanism for restricting Compute Engine instance access to specific IP addresses. VPC firewall rules control ingress and egress traffic at the network level based on source and destination IP addresses, protocols, and ports. You create ingress allow rules specifying the source IP ranges permitted to connect to instances and ingress deny rules to explicitly block traffic from specific ranges. Firewall rules can target all instances in a network, instances with specific network tags, or instances using specific service accounts. For example, to allow SSH access only from corporate IP ranges, you would create an ingress allow rule for TCP port 22 with source IP ranges matching your corporate network addresses. Firewall rules are stateful, meaning return traffic from allowed connections is automatically permitted. They provide the fundamental network access control layer for VPC resources and are evaluated before traffic reaches instances. Priority values determine rule evaluation order when multiple rules could apply.
A is incorrect because Identity-Aware Proxy provides application-level access control based on user identity and requires authentication through Google accounts, operating at a different layer than network-based IP filtering. C is incorrect because Cloud Armor provides DDoS protection and application-level security policies for load-balanced services, not direct Compute Engine instance access control. D is incorrect because network tags are labels applied to instances that can be referenced by firewall rules but aren’t security controls themselves; they’re used as targets in firewall rule configuration.
Question 25
Your application needs to process messages from Cloud Pub/Sub with guaranteed exactly-once processing. Which approach should you implement?
A) Use Cloud Pub/Sub exactly-once delivery feature
B) Implement idempotent message processing with message deduplication
C) Use Cloud Pub/Sub ordering keys
D) Configure subscriber acknowledgment deadline
Answer: B
Explanation:
Message processing in distributed systems faces challenges around delivery guarantees. Cloud Pub/Sub provides at-least-once delivery, meaning messages might be delivered multiple times. Achieving exactly-once semantics requires application-level design patterns since the infrastructure cannot guarantee this property in distributed systems due to fundamental constraints.
Implementing idempotent message processing with message deduplication is the correct approach for achieving exactly-once processing semantics. Since Cloud Pub/Sub provides at-least-once delivery, subscribers must handle potential duplicate messages. Idempotency means processing a message multiple times produces the same result as processing it once. Applications implement this by tracking processed message IDs in persistent storage like Cloud Firestore, Memorystore, or database tables, checking whether a message was already processed before performing operations, and using atomic transactions to update both application state and processed message tracking together. Common patterns include using message IDs or business transaction IDs for deduplication, implementing database constraints preventing duplicate operations, and designing operations that are naturally idempotent such as setting values rather than incrementing them. This application-level approach provides reliable exactly-once semantics regardless of infrastructure behavior. Many frameworks and libraries provide idempotency helpers for common patterns.
A is incorrect because Cloud Pub/Sub does not offer an exactly-once delivery feature; it provides at-least-once delivery, and subscribers must handle potential duplicates. C is incorrect because ordering keys ensure messages with the same key are delivered in order but don’t prevent duplicate delivery or provide exactly-once semantics. D is incorrect because acknowledgment deadline controls how long Pub/Sub waits before redelivering unacknowledged messages but doesn’t prevent duplicates; it actually can cause duplicates if processing takes longer than the deadline.
Question 26
You need to export Cloud Logging logs to BigQuery for long-term analysis. What should you configure?
A) Log sink with BigQuery destination
B) Cloud Scheduler job to export logs
C) Logging API to query and export logs
D) Cloud Functions triggered by log entries
Answer: A
Explanation:
Cloud Logging retains logs for limited periods, and analyzing logs over extended timeframes or performing complex analytics requires exporting logs to appropriate storage and analysis platforms. Google Cloud Platform provides log sinks as the primary mechanism for routing logs to various destinations for long-term retention and analysis.
Log sink with BigQuery destination is the correct configuration for exporting logs to BigQuery for long-term analysis. Log sinks continuously export log entries matching specified filters to configured destinations including BigQuery datasets, Cloud Storage buckets, or Cloud Pub/Sub topics. For BigQuery destinations, log sinks automatically create tables and stream log entries in real-time, enabling immediate querying and analysis. You configure sinks by specifying an inclusion filter using Cloud Logging query language to select which logs to export, the destination BigQuery dataset, and optionally whether to use partitioned tables for better query performance and cost management. BigQuery’s SQL interface enables complex log analysis including joining logs with other data, aggregating metrics over time, identifying patterns and anomalies, and building dashboards with Data Studio. Log sinks handle schema evolution as log formats change and provide reliable, streaming export without requiring custom code or scheduled jobs. This is the standard pattern for long-term log retention and analysis in GCP.
B is incorrect because while Cloud Scheduler could trigger periodic exports, log sinks provide continuous streaming export without scheduling complexity or gaps between exports. C is incorrect because using the Logging API for manual export would require custom code and scheduled execution rather than the built-in streaming export that sinks provide. D is incorrect because Cloud Functions could process individual log entries but would be inefficient and complex compared to log sinks for bulk export to BigQuery, though Functions are useful for real-time log-triggered actions.
Question 27
Your Kubernetes application needs to access a Cloud SQL database. What is the recommended way to establish the connection?
A) Direct connection using public IP address
B) Cloud SQL Proxy sidecar container
C) VPC peering connection
D) Expose database through Kubernetes service
Answer: B
Explanation:
Connecting applications running on Google Kubernetes Engine to Cloud SQL databases requires secure, reliable connectivity that handles authentication, encryption, and connection management. While multiple connection methods exist, some provide better security and operational characteristics than others.
Cloud SQL Proxy sidecar container is the recommended approach for connecting Kubernetes applications to Cloud SQL databases. The Cloud SQL Proxy is a lightweight connector that handles authentication using IAM, encrypts connections using SSL/TLS without requiring SSL certificate management, and manages connection pooling and automatic reconnection. In Kubernetes, the proxy runs as a sidecar container in the same pod as the application container, providing a local endpoint that the application connects to. The proxy then forwards connections to Cloud SQL over secure channels. This approach provides automatic IAM-based authentication without embedding database credentials in configuration, encrypted connections without managing certificates, simplified connection strings using localhost addresses, and connection reliability through automatic retry logic. The sidecar pattern means each pod has its own proxy instance, eliminating shared proxy bottlenecks. Configuration involves adding the Cloud SQL Proxy container to pod specifications and granting the GKE service account cloudsql.client IAM role. This is the Google-recommended best practice for GKE to Cloud SQL connectivity.
A is incorrect because direct connections to public IP addresses require managing database credentials as Kubernetes secrets, don’t provide automatic IAM authentication, and expose database connections to the public internet even with SSL encryption. C is incorrect because VPC peering connects networks but doesn’t provide the connection management, authentication, and encryption handling that Cloud SQL Proxy offers; it’s used for VPC connectivity but not the application connection method. D is incorrect because Kubernetes services expose applications running in Kubernetes, not external databases; you cannot expose Cloud SQL as a Kubernetes service without something like Cloud SQL Proxy.
Question 28
You need to migrate a large dataset from on-premises storage to Cloud Storage with minimal network bandwidth impact. Which service should you use?
A) gsutil command-line tool
B) Storage Transfer Service
C) Transfer Appliance
D) Cloud Storage API
Answer: C
Explanation:
Migrating large datasets to Google Cloud Platform presents challenges around transfer time, network bandwidth consumption, and cost. The appropriate migration method depends on data volume, available bandwidth, timeline requirements, and cost considerations. For very large datasets where network transfer would take excessive time or consume too much bandwidth, physical transfer options provide practical alternatives.
Transfer Appliance is the correct service for migrating large datasets with minimal network bandwidth impact because it uses physical devices to transfer data without consuming network bandwidth. Transfer Appliance involves Google shipping a storage appliance to your location, you copy data to the appliance locally, then ship the appliance back to Google where the data is uploaded to Cloud Storage. This approach is ideal for multi-terabyte to petabyte-scale migrations where network transfer would take weeks or months, network bandwidth is limited or expensive, or you need minimal impact on production network capacity. Transfer Appliance eliminates network transfer time for large initial migrations and avoids saturating internet connections. After the initial bulk transfer, you can use other methods for incremental updates. Google provides appliances with up to 1 petabyte capacity and handles the secure data transfer process. This is commonly used for large database migrations, media library transfers, and data center evacuations.
A is incorrect because gsutil transfers data over the network and would consume significant bandwidth for large datasets, exactly what the question asks to minimize. B is incorrect because Storage Transfer Service also transfers data over the network, whether from other cloud providers or on-premises sources, consuming bandwidth proportional to data volume. D is incorrect because using Cloud Storage API directly involves network transfers similar to gsutil, providing programmatic access but not solving the bandwidth consumption issue for large datasets.
Question 29
Your application uses Cloud Firestore and needs to retrieve documents where a specific field equals a value and another field is greater than a threshold. What should you configure?
A) Single-field index
B) Composite index
C) Collection group query
D) Array-contains query
Answer: B
Explanation:
Cloud Firestore is a NoSQL document database that uses indexes to enable efficient queries. Different query types require different index configurations. Firestore automatically creates single-field indexes but requires explicit composite indexes for queries involving multiple fields with different comparison operators or inequality filters.
Composite index is the correct configuration for queries filtering on multiple fields with different conditions. Composite indexes combine multiple fields in a specific order, enabling efficient queries that filter or sort on those fields. When a query includes equality filters on one field and inequality or range filters on another field, Firestore requires a composite index covering both fields. For example, querying documents where status equals “active” and price is greater than 100 requires a composite index on status and price fields. Firestore provides error messages with direct links to create required composite indexes when queries need them. You define composite indexes in firestore.indexes.json configuration or through the Firebase Console. The index order matters because Firestore uses the index to efficiently locate matching documents without scanning the entire collection. Composite indexes are essential for complex queries and are automatically used by Firestore’s query planner when appropriate indexes exist.
A is incorrect because single-field indexes only support queries on individual fields and cannot efficiently handle queries with multiple field conditions that composite indexes enable. C is incorrect because collection group queries search across multiple collections with the same name but don’t address the need for indexing multiple field conditions. D is incorrect because array-contains queries filter documents where array fields contain specific values, which is a different query type than the equality and inequality filters described in the question.
Question 30
You need to provide temporary elevated permissions to a user for emergency maintenance. What is the best practice approach?
A) Add user to a group with elevated permissions permanently
B) Use IAM Conditions with time-based access
C) Grant project owner role temporarily
D) Create a shared service account with elevated permissions
Answer: B
Explanation:
Security best practices emphasize the principle of least privilege and time-based access restrictions. Temporary elevated permissions for emergency scenarios should be granted with automatic expiration rather than requiring manual revocation, reducing the risk of forgotten elevated access. Google Cloud IAM provides features for implementing time-limited access grants.
IAM Conditions with time-based access is the best practice for providing temporary elevated permissions because it automatically expires access at a specified time without manual intervention. IAM Conditions allow attaching constraints to IAM bindings using Common Expression Language, including time-based conditions specifying access expiration dates and times. You grant the necessary role with a condition like request.time < timestamp(‘2024-12-31T23:59:59Z’), and IAM automatically denies access after that time. This approach provides automatic expiration eliminating manual revocation, audit trail of time-limited grants, fine-grained temporal control, and enforcement at the IAM level before resource access. Time-based conditions are ideal for temporary contractors, emergency access, scheduled maintenance windows, and trial periods. Combined with access approval requirements and justification logging, IAM Conditions provide robust temporary access management. The automatic expiration prevents security risks from forgotten elevated permissions that should have been revoked.
A is incorrect because adding users to groups with elevated permissions permanently violates the principle of temporary access and requires manual removal, risking forgotten elevated permissions. C is incorrect because granting project owner role provides excessive permissions beyond what’s needed for specific maintenance tasks and lacks automatic expiration. D is incorrect because shared service accounts create security risks from credential sharing, don’t provide user attribution in audit logs, and don’t implement time-based automatic expiration unless combined with additional mechanisms.
Question 31
Your company needs to ensure that Compute Engine instances comply with specific OS configurations. Which service should you use to automate compliance checking and remediation?
A) Cloud Deployment Manager
B) OS Config Management
C) Cloud Asset Inventory
D) Security Command Center
Answer: B
Explanation:
Maintaining consistent configurations across fleets of virtual machines presents operational challenges. Manual configuration leads to drift, security vulnerabilities, and compliance violations. Google Cloud Platform provides tools for automating OS-level configuration management, patch deployment, and compliance enforcement across Compute Engine instances.
OS Config Management is the correct service for automating compliance checking and remediation of Compute Engine instance OS configurations. OS Config provides features including patch management for automated OS and software updates, OS inventory management for tracking installed packages and software, OS policy assignment for desired state configuration, and vulnerability reporting. OS policies define desired configurations using policies specifying required packages, configuration files, and system states. OS Config agents on instances continuously evaluate policies and automatically remediate drift by installing required packages, updating configurations, or removing prohibited software. This enables declaring desired state for security configurations, compliance requirements, and operational standards, then letting OS Config enforce those states automatically. The service provides compliance reporting showing which instances meet policies and which require remediation. OS Config integrates with organization policies and Security Command Center for comprehensive compliance management. It’s essential for maintaining secure, compliant server fleets at scale.
A is incorrect because Cloud Deployment Manager automates infrastructure provisioning through infrastructure-as-code but doesn’t continuously monitor or remediate OS-level configurations on running instances. C is incorrect because Cloud Asset Inventory provides visibility into resources and their configurations but doesn’t actively enforce or remediate compliance violations. D is incorrect because Security Command Center aggregates security findings and provides security posture visibility but doesn’t directly enforce OS configurations; it consumes data from services like OS Config.
Question 32
You need to run a stateful application on Google Kubernetes Engine that requires persistent storage and stable network identity. Which Kubernetes resource should you use?
A) Deployment
B) StatefulSet
C) DaemonSet
D) ReplicaSet
Answer: B
Explanation:
Kubernetes provides different controller resources for managing application replicas, each designed for specific use cases. Stateless applications work well with standard Deployments, but stateful applications requiring stable identity, ordered deployment, and persistent storage need specialized controllers that provide these guarantees.
StatefulSet is the correct Kubernetes resource for stateful applications requiring persistent storage and stable network identity. StatefulSets provide unique properties essential for stateful workloads including stable, persistent pod identities with predictable names, ordered graceful deployment and scaling where pods are created sequentially, stable network identifiers through headless services providing DNS entries for each pod, and persistent storage through VolumeClaimTemplates that create separate PersistentVolumeClaims for each pod. When pods are rescheduled, they maintain the same identity and reconnect to the same storage volumes. This makes StatefulSets ideal for databases, message queues, distributed systems, and other applications requiring stable network identity or data persistence across pod restarts. For example, a StatefulSet named “db” with 3 replicas creates pods named db-0, db-1, and db-2 with stable DNS names and dedicated persistent volumes. StatefulSets ensure ordered startup, allowing database replicas to initialize in sequence, and ordered shutdown for graceful quorum management.
A is incorrect because Deployments are designed for stateless applications and don’t provide stable pod identities, ordered deployment, or automatic persistent volume management that stateful applications require. C is incorrect because DaemonSets run one pod per node for system-level services like logging or monitoring agents, not for stateful applications. D is incorrect because ReplicaSets maintain a specified number of pod replicas but like Deployments don’t provide the stability guarantees needed for stateful applications; Deployments actually manage ReplicaSets internally.
Question 33
Your web application experiences traffic spikes during business hours. You want to optimize costs by using less expensive resources during off-peak hours. Which Compute Engine feature should you use?
A) Committed use discounts
B) Sustained use discounts
C) Instance scheduling with machine type changes
D) Preemptible VMs
Answer: C
Explanation:
Optimizing cloud costs requires matching resource allocation to actual demand patterns. Applications with predictable usage patterns can benefit from adjusting resources based on time of day or day of week. Different GCP features address cost optimization in different ways, from discounts on continuous usage to automation of resource adjustment based on schedules.
Instance scheduling with machine type changes optimizes costs by automatically adjusting instance resources based on time schedules. Compute Engine instance scheduling allows starting and stopping instances on schedules, but more importantly, you can change machine types during off-peak hours. The approach involves using Instance Schedule to stop instances during off-peak times, changing to smaller machine types when restarting, or using Cloud Scheduler with Cloud Functions to automate machine type changes for running instances. For example, running n1-standard-8 instances during business hours for high traffic, then automatically switching to n1-standard-2 during nights and weekends when traffic is minimal, significantly reduces costs while maintaining availability. This requires application architecture supporting graceful shutdowns or connection draining. The instance scheduler can also be combined with autoscaling where you adjust minimum and maximum instance counts based on time schedules, running fewer instances during known low-traffic periods.
A is incorrect because committed use discounts provide cost savings for committing to use resources for 1 or 3 years but don’t allow adjusting resources based on time-of-day demand patterns; you pay for the commitment regardless of usage. B is incorrect because sustained use discounts automatically apply to instances running more than 25 percent of the month but don’t involve adjusting resources based on schedules. D is incorrect because preemptible VMs provide discounts but can be terminated any time, making them unsuitable as the primary method for handling business hours traffic where reliability is important.
Question 34
You need to query data across multiple BigQuery datasets located in different projects. What is the most efficient approach?
A) Export data to Cloud Storage and query from there
B) Create authorized views in a central project
C) Use federated queries with fully qualified table names
D) Copy all data into a single project
Answer: C
Explanation:
BigQuery’s scalability and SQL capabilities make it ideal for analyzing data across organizational boundaries. However, data often exists in multiple projects for organizational, security, or billing isolation. Understanding how to efficiently query across project boundaries without duplicating data is essential for effective data analysis.
Using federated queries with fully qualified table names is the most efficient approach for querying data across multiple BigQuery datasets in different projects. BigQuery supports cross-project queries using fully qualified table names in the format project_id.dataset_id.table_id. When you have read permissions on datasets in multiple projects, you can write queries joining tables across those projects as if they were in the same location. For example, SELECT * FROM project-a.sales.orders JOIN project-b.products.catalog ON product_id works seamlessly across projects. This approach requires no data copying or movement, provides real-time access to source data, maintains single source of truth without duplication, and allows leveraging existing access controls in each project. Users need appropriate IAM permissions including bigquery.tables.getData on the source datasets. Cross-project queries execute with the same performance as single-project queries since BigQuery’s distributed architecture handles the complexity transparently. This is the standard pattern for enterprise data analytics spanning multiple projects.
A is incorrect because exporting to Cloud Storage and querying external data adds complexity, latency, and potential consistency issues compared to direct BigQuery queries, and external queries have limitations compared to native tables. B is incorrect because authorized views can enable access but add administrative overhead and an additional layer rather than directly querying source tables, though they’re useful when you want to restrict visibility to subsets of data. D is incorrect because copying data creates duplication, staleness issues, storage costs, and maintenance burden, violating single-source-of-truth principles.
Question 35
Your application needs to encrypt data before storing it in Cloud Storage using encryption keys managed by your organization. Which encryption option should you use?
A) Google-managed encryption keys (default)
B) Customer-managed encryption keys (CMEK) with Cloud KMS
C) Customer-supplied encryption keys (CSEK)
D) Client-side encryption
Answer: B
Explanation:
Data encryption in Google Cloud Storage provides multiple options with different levels of control over encryption keys. All data in Cloud Storage is encrypted at rest by default, but organizations may require control over encryption keys for compliance, security, or operational reasons. Understanding the differences between encryption key management options helps select the appropriate approach.
Customer-managed encryption keys (CMEK) with Cloud KMS provide the right balance of key control and operational simplicity for organizational key management. CMEK allows using encryption keys you create and manage in Cloud KMS while Google handles the encryption operations. You create keys in Cloud KMS, grant Cloud Storage permission to use those keys, then specify which key to use when creating buckets or objects. This approach provides centralized key management through Cloud KMS, key lifecycle control including rotation and destruction, audit logging of key usage, ability to revoke access by disabling keys, and integration with Cloud IAM for key access control. CMEK supports compliance requirements mandating customer control over encryption keys while maintaining the operational benefits of server-side encryption. Cloud KMS handles key security including hardware security module storage, automatic replication, and cryptographic operations. Organizations commonly use CMEK for sensitive data requiring key control without the complexity of client-side key management.
A is incorrect because Google-managed encryption keys don’t provide organizational control over keys as specified in the question; Google fully manages these keys. C is incorrect because customer-supplied encryption keys require providing keys with each API request and managing key material outside GCP, adding operational complexity compared to CMEK’s centralized management. D is incorrect because client-side encryption requires applications to perform encryption before sending data to Cloud Storage, adding application complexity and making data inaccessible to Google services that process data, though it provides maximum control.
Question 36
You need to create a pipeline that ingests streaming data, processes it, and writes results to BigQuery. Which GCP service should you use for stream processing?
A) Cloud Composer
B) Cloud Dataflow
C) Cloud Data Fusion
D) Cloud Dataproc
Answer: B
Explanation:
Stream processing requires services capable of handling continuous data flows with low latency processing. Different GCP data processing services target different use cases, from batch processing to real-time streaming. Selecting the appropriate service depends on processing patterns, latency requirements, and data volumes.
Cloud Dataflow is the correct service for stream processing pipelines ingesting data, processing it, and writing to BigQuery. Dataflow provides fully managed stream and batch data processing based on Apache Beam, supporting unified batch and streaming pipelines with the same code. For streaming workloads, Dataflow processes data continuously as it arrives from sources like Cloud Pub/Sub, applies transformations including filtering, aggregation, windowing, and enrichment, and writes results to sinks like BigQuery, Cloud Storage, or Cloud Bigtable. Dataflow automatically handles resource provisioning, autoscaling, fault tolerance, and exactly-once processing semantics. The service optimizes resource usage by automatically scaling workers based on data volume and provides features like windowing for time-based aggregations, stateful processing for complex event tracking, and side inputs for enrichment. Dataflow is ideal for real-time analytics, ETL pipelines, event-driven processing, and IoT data processing where you need serverless stream processing with automatic scaling and operational simplicity.
A is incorrect because Cloud Composer orchestrates workflows and schedules batch jobs using Apache Airflow but doesn’t provide stream processing capabilities; it coordinates other services rather than processing data itself. C is incorrect because Cloud Data Fusion is a visual data integration service for building ETL pipelines primarily focused on batch processing with a UI-driven approach, not optimized for real-time streaming. D is incorrect because Cloud Dataproc provides managed Hadoop and Spark clusters suitable for batch processing but requires more operational management than Dataflow and is not optimized for continuous streaming compared to Dataflow’s fully managed streaming engine.
Question 37
Your application deployed on Cloud Run needs to scale to zero when not receiving requests to minimize costs. Which Cloud Run feature enables this?
A) Minimum instances set to 0
B) Maximum instances configuration
C) Concurrency setting
D) CPU allocation
Answer: A
Explanation:
Serverless platforms like Cloud Run provide cost optimization through scaling to zero when applications are idle, eliminating charges for unused resources. Different configuration parameters control scaling behavior, and understanding these settings helps optimize both cost and performance characteristics.
Minimum instances set to 0 enables Cloud Run to scale to zero when not receiving requests, minimizing costs by running no container instances during idle periods. Cloud Run’s serverless model automatically creates container instances when requests arrive and removes them when idle. The minimum instances setting controls how many instances remain running at all times. With minimum instances set to 0, which is the default, Cloud Run completely shuts down all instances after a period without requests, resulting in zero compute charges during idle time. When new requests arrive, Cloud Run starts instances to handle them, introducing cold start latency as containers initialize. This configuration is ideal for applications with intermittent traffic, development and testing environments, webhooks, scheduled jobs, and any workload where cost optimization outweighs cold start concerns. For applications requiring faster response times, you can set minimum instances to 1 or higher to maintain warm instances ready to handle requests, eliminating cold starts but incurring continuous costs.
B is incorrect because maximum instances control the upper scaling limit preventing excessive scaling but don’t affect the ability to scale to zero during idle periods. C is incorrect because concurrency setting determines how many simultaneous requests each instance handles, affecting scaling behavior but not whether the service scales to zero. D is incorrect because CPU allocation determines whether CPU is available only during request processing or continuously, affecting performance and cost but not controlling whether instances scale to zero when idle.
Question 38
You need to enforce organizational policies across multiple GCP projects to prevent users from creating external IP addresses on Compute Engine instances. What should you use?
A) IAM deny policies
B) VPC firewall rules
C) Organization Policy constraints
D) Resource labels
Answer: C
Explanation:
Managing security and compliance across multiple projects in large organizations requires centralized policy enforcement mechanisms that prevent non-compliant configurations rather than relying on individual project security. Google Cloud provides Organization Policies as a hierarchical governance tool for enforcing consistent guardrails across the resource hierarchy.
Organization Policy constraints are the correct mechanism for enforcing policies like preventing external IP addresses across multiple projects. Organization Policies define constraints that restrict resource configurations, services, or actions across folders, projects, or the entire organization. For preventing external IPs, you would enable the compute.vmExternalIpAccess constraint which blocks creating Compute Engine instances with external IP addresses. Organization Policies inherit down the resource hierarchy from organization to folders to projects, with policies at lower levels optionally overriding inherited policies based on configuration. The external IP constraint applied at the organization level prevents all projects from creating instances with external IPs unless exceptions are granted. This provides centralized governance ensuring compliance without requiring configuration in each project, prevents policy drift through inheritance, and blocks non-compliant actions before they occur rather than detecting them afterward. Organization Policies cover numerous GCP services and resources, providing comprehensive guardrails for security, compliance, and cost management.
A is incorrect because IAM deny policies control who can perform actions but don’t prevent specific resource configurations like external IP addresses; they focus on identity permissions rather than resource configuration constraints. B is incorrect because VPC firewall rules control network traffic but don’t prevent creating external IP addresses; they filter traffic after resources are created. D is incorrect because resource labels are metadata tags for organization and billing allocation but don’t enforce policies or prevent specific configurations.
Question 39
Your application needs to access secrets stored in Secret Manager from Cloud Functions. What is the most secure authentication method?
A) Store service account keys in environment variables
B) Use the default Cloud Functions service account with Secret Manager access
C) Embed secrets directly in function code
D) Pass secrets as function parameters
Answer: B
Explanation:
Accessing secrets from serverless environments like Cloud Functions requires secure authentication mechanisms that avoid storing credentials in code or configuration files. Google Cloud Platform provides automatic authentication for services through service accounts and metadata servers, eliminating the need for explicit credential management in most scenarios.
Using the default Cloud Functions service account with Secret Manager access is the most secure authentication method because it leverages automatic authentication without managing keys. Each Cloud Function runs with an associated service account that provides identity for authentication to other GCP services. The function runtime automatically obtains short-lived access tokens from the metadata server, which client libraries use transparently for authentication. To enable Secret Manager access, you grant the IAM role roles/secretmanager.secretAccessor to the function’s service account for specific secrets or the project. The function code then uses Secret Manager client libraries which automatically authenticate using the service account identity without any explicit credential configuration. This approach provides several security advantages including no service account keys to manage or secure, automatic token rotation without application changes, fine-grained access control through IAM on specific secrets, complete audit trail of secret access, and elimination of credential exposure in environment variables or code. This is the Google-recommended pattern for service-to-service authentication within GCP.
A is incorrect because storing service account keys anywhere creates security risks from potential key exposure, requires key rotation management, and represents unnecessary credential storage when automatic authentication is available. C is incorrect because embedding secrets in code creates severe security vulnerabilities including exposure in source control, difficulty updating secrets, and potential unauthorized access if code is compromised. D is incorrect because passing secrets as parameters exposes them in function configuration, logs, and deployment history, and doesn’t provide the security isolation that Secret Manager offers.
Question 40
You need to deploy a multi-region application that requires data replication across regions with automatic failover. Which database service provides this capability?
A) Cloud SQL with regional instances
B) Cloud Spanner with multi-region configuration
C) Cloud Firestore in Datastore mode
D) Cloud Bigtable with replication
Answer: B
Explanation:
Building globally distributed applications requires database services that provide data replication across geographic regions with automatic failover capabilities. Different GCP database services offer varying levels of geographic distribution, consistency guarantees, and failover automation. Understanding these capabilities helps select appropriate services for multi-region requirements.
Cloud Spanner with multi-region configuration provides native multi-region data replication with automatic failover. Cloud Spanner is specifically designed for global database deployments, offering multi-region configurations that automatically replicate data across multiple regions within a geographic area such as North America or Europe. The service provides synchronous replication with strong consistency across all regions, automatic failover with no data loss if a region becomes unavailable, external consistency which is the strongest consistency model, and transparent read-write splitting where reads can be served from nearby replicas. Multi-region Spanner instances automatically place data across regions for optimal availability and performance, using Paxos-based consensus for coordinated writes and replication. Applications experience continued operation during regional failures with automatic failover requiring no manual intervention. This makes Cloud Spanner ideal for mission-critical applications requiring global scale, high availability, strong consistency, and automatic disaster recovery. Use cases include financial systems, global e-commerce platforms, and inventory management systems requiring worldwide data access.
A is incorrect because Cloud SQL regional instances remain within a single region with high availability across zones but don’t provide multi-region replication or automatic cross-region failover; cross-region replicas require manual promotion. C is incorrect because Cloud Firestore in Datastore mode is single-region though multi-region Firestore in Native mode offers multi-region capabilities with eventual consistency rather than the strong consistency that Spanner provides. D is incorrect because Cloud Bigtable supports replication across clusters for increased availability and can span regions, but doesn’t provide the same automatic failover with strong consistency that Cloud Spanner delivers; it requires application-level failover logic.
