60 TO 125 sexy Flashcards

Jordan's Beast

1
Q

You have an application running in Google Kubernetes Engine (GKE) with cluster autoscaling enabled. The
application exposes a TCP endpoint. There are several replicas of this application. You have a Compute
Engine instance in the same region, but in another Virtual Private Cloud (VPC), called gce-network, that
has no overlapping IP ranges with the first VPC. This instance needs to connect to the application on GKE.
You want to minimize effort. What should you do?

A
  1. In GKE, create a Service of type LoadBalancer that uses the application’s Pods as backend.
  2. Add an annotation to this service: cloud.google.com/load-balancer-type: Internal
  3. Peer the two VPCs together.
  4. Configure the Compute Engine instance to use the address of the load balancer that has been created.

2
Q

Your organization is a financial company that needs to store audit log files for 3 years. Your organization has
hundreds of Google Cloud projects. You need to implement a cost-effective approach for log file retention.
What should you do?

A

Create an export to the sink that saves logs from Cloud Audit to a Coldline Storage bucket.

coldline = for longterm infrequent storage

3
Q

You want to run a single caching HTTP reverse proxy on GCP for a latency-sensitive website. This
specific reverse proxy consumes almost no CPU. You want to have a 30-GB in-memory cache, and
need an additional 2 GB of memory for the rest of the processes. You want to minimize cost. How
should you run this reverse proxy?

latency sensitive: immediate data required

reverse proxy = read and verify client requests

A

Create a Cloud Memorystore for Redis instance with 32-GB capacity.

redis instance: fastest data retrieving instance

4
Q

You are hosting an application on bare-metal servers in your own data center. The application
needs access to Cloud Storage. However, security policies prevent the servers hosting the
application from having public IP addresses or access to the internet. You want to follow Google-
recommended practices to provide the application with access to Cloud Storage. What should you
do?

bare-metal : single compute server

A
  1. Using Cloud VPN or Interconnect, create a tunnel to a VPC in Google Cloud.
  2. Use Cloud Router to create a custom route advertisement for 199.36.153.4/30. Announce that network to your on-premises network through the VPN tunnel.
  3. In your on-premises network, configure your DNS server to resolve *.googleapis.com as a CNAME to restricted.googleapis.com.

5
Q

You want to deploy an application on Cloud Run that processes messages from a Cloud Pub/Sub
topic. You want to follow Google-recommended practices. What should you do?

cloud run = directly run code on google infra

pub sub = asynchronous exchange of msg between appln and services

A
  1. Create a service account.
  2. Give the Cloud Run Invoker role to that service account for your Cloud Run application.
  3. Create a Cloud Pub/Sub subscription that uses that service account and uses your Cloud Run application as the push endpoint.

6
Q

You need to deploy an application, which is packaged in a container image, in a new project. The
application exposes an HTTP endpoint and receives very few requests per day. You want to minimize
costs. What should you do?

A

Deploy the container on Cloud Run.

instance of creating new instance and deploying there = costly

7
Q

Your company has an existing GCP organization with hundreds of projects and a billing account.
Your company recently acquired another company that also has hundreds of projects and its own
billing account. You would like to consolidate all GCP costs of both GCP organizations onto a
single invoice. You would like to consolidate all costs as of tomorrow. What should you do?

A

Link the acquired company’s projects to your company’s billing account.

8
Q

You built an application on Google Cloud that uses Cloud Spanner. Your support team needs to
monitor the environment but should not have access to table data.
You need a streamlined solution to grant the correct permissions to your support team, and you
want to follow Google-recommended practices. What should you do?

A

Add the support team group to the roles/monitoring.viewer role

9
Q

For analysis purposes, you need to send all the logs from all of your Compute Engine instances to
a BigQuery dataset called platform-logs. You have already installed the Cloud Logging agent on all
the instances. You want to minimize cost. What should you do?

A
  1. In Cloud Logging, create a filter to view only Compute Engine logs.
  2. Click Create Export.
  3. Choose BigQuery as Sink Service, and the platform-logs dataset as Sink Destination.

10
Q

You are using Deployment Manager to create a Google Kubernetes Engine cluster. Using the same
Deployment Manager deployment, you also want to create a
DaemonSet in the kube-system namespace of the cluster. You want a solution that uses the fewest
possible services. What should you do?

A

Add the cluster’s API as a new Type Provider in Deployment Manager, and use the new type to
create the DaemonSet.

11
Q

You are building an application that will run in your data center. The application will use Google
Cloud Platform (GCP) services like AutoML. You created a service account that has appropriate
access to AutoML. You need to enable authentication to the APIs from your on-premises
environment. What should you do?

A

Use gcloud to create a key file for the service account that has appropriate permissions.

12
Q

You are using Container Registry to centrally store your company’s container images in a separate
project. In another project, you want to create a Google
Kubernetes Engine (GKE) cluster. You want to ensure that Kubernetes can download images from
Container Registry. What should you do?

A

In the project where the images are stored, grant the Storage Object Viewer IAM role to the
service account used by the Kubernetes nodes.

13
Q

Question no 73

A

Review details of myapp-deployment-58ddbbb995-lp86m Pod and check for warning messages

14
Q

You are setting up a Windows VM on Compute Engine and want to make sure you can log in to the
VM via RDP. What should you do?

A

After the VM has been created, use gcloud compute reset-windows-password to retrieve the
login credentials for the VM.

15
Q

You want to configure an SSH connection to a single Compute Engine instance for users in the
dev1 group. This instance is the only resource in this particular
Google Cloud Platform project that the dev1 users should be able to connect to. What should you
do?

A

Set metadata to enable-oslogin=true for the instance. Grant the dev1 group the
compute.osLogin role. Direct them to use the Cloud Shell to ssh to that instance.

16
Q

You need to produce a list of the enabled Google Cloud Platform APIs for a GCP project using the
gcloud command line in the Cloud Shell. The project name is my-project. What should you do?

A

Run gcloud projects list to get the project ID, and then run gcloud services list --project .

17
Q

You are building a new version of an application hosted in an App Engine environment. You want to
test the new version with 1% of users before you completely switch your application over to the
new version. What should you do?

A

Deploy a new version of your application in App Engine. Then go to App Engine settings in GCP
Console and split traffic between the current version and newly deployed versions accordingly.

18
Q

You need to provide a cost estimate for a Kubernetes cluster using the GCP pricing calculator for
Kubernetes. Your workload requires high IOPs, and you will also be using disk snapshots. You start
by entering the number of nodes, average hours, and average days. What should you do next?

A

Fill in local SSD. Fill in persistent disk storage and snapshot storage.

19
Q

You are using Google Kubernetes Engine with autoscaling enabled to host a new application. You
want to expose this new application to the public, using HTTPS on a public IP address. What
should you do?

A

Create a Kubernetes Service of type NodePort for your application, and a Kubernetes Ingress to
expose this Service via a Cloud Load Balancer.

20
Q

You need to enable traffic between multiple groups of Compute Engine instances that are currently
running two different GCP projects. Each group of Compute Engine instances is running in its own VPC. What should you do?

A

Verify that both projects are in a GCP Organization. Share the VPC from one project and
request that the Compute Engine instances in the other project use this shared VPC.

21
Q

You want to add a new auditor to a Google Cloud Platform project. The auditor should be allowed
to read, but not modify, all project items. How should you configure the auditor’s permissions?

A

Select the built-in IAM project Viewer role. Add the user’s account to this role.

22
Q

You are operating a Google Kubernetes Engine (GKE) cluster for your company where different
teams can run non-production workloads. Your Machine Learning
(ML) team needs access to Nvidia Tesla P100 GPUs to train their models. You want to minimize
effort and cost. What should you do?

A

Add a new, GPU-enabled, node pool to the GKE cluster. Ask your ML team to add the
cloud.google.com/gke-accelerator: nvidia-tesla-p100 nodeSelector to their pod specification.

23
Q

Your VMs are running in a subnet that has a subnet mask of 255.255.255.240. The current subnet
has no more free IP addresses and you require an additional
10 IP addresses for new VMs. The existing and new VMs should all be able to reach each other
without additional routes. What should you do?

A

Use gcloud to expand the IP range of the current subnet.

24
Q

Your organization uses G Suite for communication and collaboration. All users in your organization
have a G Suite account. You want to grant some G Suite users access to your Cloud Platform
project. What should you do?

A

Grant them the required IAM roles using their G Suite email address.

25
Q

You have a Google Cloud Platform account with access to both production and development
projects. You need to create an automated process to list all compute instances in development
and production projects on a daily basis. What should you do?

A

Create two configurations using gcloud config. Write a script that sets configurations as
active, individually. For each configuration, use gcloud compute instances list to get a list of
compute resources.

26
Q

You have a large 5-TB AVRO file stored in a Cloud Storage bucket. Your analysts are proficient only
in SQL and need access to the data stored in this file. You want to find a cost-effective way to
complete their request as soon as possible. What should you do?

A

Create external tables in BigQuery that point to Cloud Storage buckets and run a SQL query on
these external tables to complete your request.

27
Q

You need to verify that a Google Cloud Platform service account was created at a particular time.
What should you do?

A

Filter the Activity log to view the Configuration category. Filter the Resource type to Service
Account.

28
Q

You deployed an LDAP server on Compute Engine that is reachable via TLS through port 636 using
UDP. You want to make sure it is reachable by clients over that port. What should you do?

A

Add a network tag of your choice to the instance. Create a firewall rule to allow ingress on UDP
port 636 for that network tag.

29
Q

You need to set a budget alert for use of Compute Engine services on one of the three Google
Cloud Platform projects that you manage. All three projects are linked to a single billing account.
What should you do?

A

Verify that you are the project billing administrator. Select the associated billing account and
create a budget and alert for the appropriate project.

30
Q

You are migrating a production-critical on-premises application that requires 96 vCPUs to perform
its task. You want to make sure the application runs in a similar environment on GCP. What should
you do?

A

When creating the VM, use machine type n1-standard-96.

31
Q

You want to configure a solution for archiving data in a Cloud Storage bucket. The solution must
be cost-effective. Data with multiple versions should be archived after 30 days. Previous versions
are accessed once a month for reporting. This archive data is also occasionally updated at month-
end. What should you do?

A

Add a bucket lifecycle rule that archives data with newer versions after 30 days to Nearline
Storage.

32
Q

Your company’s infrastructure is on-premises, but all machines are running at maximum capacity.
You want to burst to Google Cloud. The workloads on Google Cloud must be able to directly communicate to the workloads on-premises using a private IP
range. What should you do?

A

Set up Cloud VPN between the infrastructure on-premises and Google Cloud.

33
Q

You want to select and configure a solution for storing and archiving data on Google Cloud
Platform. You need to support compliance objectives for data from one geographic location. This
data is archived after 30 days and needs to be accessed annually. What should you do?

A

Select Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Coldline
Storage.

34
Q

Your company uses BigQuery for data warehousing. Over time, many different business units in
your company have created 1000+ datasets across hundreds of projects. Your CIO wants you to
examine all datasets to find tables that contain an employee_ssn column. You want to minimize
effort in performing this task.
What should you do?

A

Go to Data Catalog and search for employee_ssn in the search box.

35
Q

Question no 95

A

Too many Pods are already running in the cluster, and there are not enough resources left to
schedule the pending Pod.

36
Q

You want to find out when users were added to Cloud Spanner Identity Access Management (IAM)
roles on your Google Cloud Platform (GCP) project. What should you do in the GCP Console?

A

Go to the Stackdriver Logging console, review admin activity logs, and filter them for Cloud
Spanner IAM roles.

37
Q

Your company implemented BigQuery as an enterprise data warehouse. Users from multiple
business units run queries on this data warehouse. However, you notice that query costs for
BigQuery are very high, and you need to control costs. Which two methods should you use?
(Choose two.)

A

Apply a user- or project-level custom query quota for BigQuery data warehouse.

Change your BigQuery query model from on-demand to flat rate. Apply the appropriate number of slots to each Project.

(Options B and E)

38
Q

You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE
cluster. For each of your customers, a Pod is running in that cluster, and your customers can run
arbitrary code inside their Pod. You want to maximize the isolation between your customers’ Pods.
What should you do?

A

Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter
runtimeClassName: gvisor to the specification of your customers’ Pods.

39
Q

Question no 99

A

Change the primary key to not have monotonically increasing values

40
Q

Your finance team wants to view the billing report for your projects. You want to make sure that the
finance team does not get additional permissions to the project. What should you do?

A

Add the group for the finance team to roles/billing.viewer role.

41
Q

Your organization has strict requirements to control access to Google Cloud projects. You need to
enable your Site Reliability Engineers (SREs) to approve requests from the Google Cloud support
team when an SRE opens a support case. You want to follow Google-recommended practices.
What should you do?

A

Add your SREs to a group and then add this group to roles/accessapproval.approver role.

42
Q

You need to host an application on a Compute Engine instance in a project shared with other
teams. You want to prevent the other teams from accidentally causing downtime on that
application. Which feature should you use?

A

Enable deletion protection on the instance.

43
Q

Your organization needs to grant users access to query datasets in BigQuery but prevent them
from accidentally deleting the datasets. You want a solution that follows Google-recommended
practices. What should you do?

A

Create a custom role by removing delete permissions. Add users to the group, and then add
the group to the custom role.

44
Q

You have a developer laptop with the Cloud SDK installed on Ubuntu. The Cloud SDK was installed
from the Google Cloud Ubuntu package repository. You want to test your application locally on
your laptop with Cloud Datastore. What should you do?

A

Install the cloud-datastore-emulator component using the gcloud components install
command.

45
Q

Your company set up a complex organizational structure on Google Cloud. The structure includes
hundreds of folders and projects. Only a few team members should be able to view the hierarchical
structure. You need to assign minimum permissions to these team members, and you want to
follow Google-recommended practices. What should you do?

A

Add the users to a group, and add this group to roles/browser.

46
Q

Your company has a single sign-on (SSO) identity provider that supports Security Assertion Markup
Language (SAML) integration with service providers. Your company has users in Cloud Identity.
You would like users to authenticate using your company’s SSO provider. What should you do?

A

In Cloud Identity, set up SSO with a third-party identity provider with Google as a service
provider.

47
Q

Your organization has a dedicated person who creates and manages all service accounts for
Google Cloud projects. You need to assign this person the minimum role for projects. What should
you do?

A

Add the user to roles/iam.serviceAccountAdmin role.

48
Q

You are building an archival solution for your data warehouse and have selected Cloud Storage to
archive your data. Your users need to be able to access this archived data once a quarter for some
regulatory requirements. You want to select a cost-efficient option. Which storage option should
you use?

A

Nearline Storage

49
Q

A team of data scientists infrequently needs to use a Google Kubernetes Engine (GKE) cluster that
you manage. They require GPUs for some long-running, non-restartable jobs. You want to
minimize cost. What should you do?

A

Create a node pool of instances with GPUs, and enable autoscaling on this node pool with a
minimum size of 1.

50
Q

Your organization has user identities in Active Directory. Your organization wants to use Active
Directory as their source of truth for identities. Your organization wants to have full control over
the Google accounts used by employees for all Google services, including your Google Cloud
Platform (GCP) organization. What should you do?

A

Use Google Cloud Directory Sync (GCDS) to synchronize users into Cloud Identity.

51
Q

You have successfully created a development environment in a project for an application. This
application uses Compute Engine and Cloud SQL. Now you need to create a production
environment for this application. The security team has forbidden the existence of network routes
between these 2 environments and has asked you to follow Google-recommended practices. What
should you do?

A

Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your
new project, and replicate the setup you have in the development environment in that new project
in the Shared VPC.

52
Q

Your management has asked an external auditor to review all the resources in a specific project.
The security team has enabled the Organization Policy called
Domain Restricted Sharing on the organization node by specifying only your Cloud Identity domain.
You want the auditor to only be able to view, but not modify, the resources in that project. What
should you do?

A

Ask the auditor for their Google account, and give them the Security Reviewer role on the
project.

53
Q

You have a workload running on Compute Engine that is critical to your business. You want to
ensure that the data on the boot disk of this workload is backed up regularly. You need to be able
to restore a backup as quickly as possible in case of disaster. You also want older backups to be
cleaned automatically to save on cost. You want to follow Google-recommended practices. What
should you do?

A

Create a snapshot schedule for the disk using the desired interval.

54
Q

You need to assign a Cloud Identity and Access Management (Cloud IAM) role to an external
auditor. The auditor needs to have permissions to review your
Google Cloud Platform (GCP) Audit Logs and also to review your Data Access logs. What should
you do?

A

Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also
review the logs for changes to Cloud IAM policy.

55
Q

You are managing several Google Cloud Platform (GCP) projects and need access to all logs for
the past 60 days. You want to be able to explore and quickly analyze the log contents. You want to
follow Google-recommended practices to obtain the combined logs for all projects. What should
you do?

A

Create a Stackdriver Logging Export with a Sink destination to a BigQuery dataset. Configure
the table expiration to 60 days.

56
Q

You need to reduce GCP service costs for a division of your company using the fewest possible
steps. You need to turn off all configured services in an existing
GCP project. What should you do?

A
  1. Verify that you are assigned the Project Owners IAM role for this project.
  2. Locate the project in the GCP console, click Shut down and then enter the project ID.

57
Q

You are configuring service accounts for an application that spans multiple projects. Virtual
machines (VMs) running in the web-applications project need access to BigQuery datasets in
crm-databases-proj. You want to follow Google-recommended practices to give access to the service
account in the web-applications project. What should you do?

A

Give bigquery.dataViewer role to crm-databases-proj and appropriate roles to
web-applications.

58
Q

An employee was terminated, but their access to Google Cloud was not removed until 2 weeks
later. You need to find out if this employee accessed any sensitive customer information after their
termination. What should you do?

A

View Data Access audit logs in Cloud Logging. Search for the user’s email as the principal.

59
Q

You need to create a custom IAM role for use with a GCP service. All permissions in the role must
be suitable for production use. You also want to clearly share with your organization the status of
the custom role. This will be the first version of the custom role. What should you do?

A

Use permissions in your role that use the ‘supported’ support level for role permissions. Set the
role stage to ALPHA while testing the role permissions.

60
Q

Your company has a large quantity of unstructured data in different file formats. You want to
perform ETL transformations on the data. You need to make the data accessible on Google Cloud
so it can be processed by a Dataflow job. What should you do?

A

Upload the data to Cloud Storage using the gsutil command line tool.

61
Q

You need to manage multiple Google Cloud projects in the fewest steps possible. You want to
configure the Google Cloud SDK command line interface (CLI) so that you can easily manage
multiple projects. What should you do?

A
  1. Create a configuration for each project you need to manage.
  2. Activate the appropriate configuration when you work with each of your assigned Google Cloud projects.

62
Q

Your managed instance group raised an alert stating that new instance creation has failed to
create new instances. You need to maintain the number of running instances specified by the
template to be able to process expected application traffic. What should you do?

A

Create an instance template that contains valid syntax which will be used by the instance
group. Delete any persistent disks with the same name as instance names.

63
Q

Your company is moving from an on-premises environment to Google Cloud. You have multiple
development teams that use Cassandra environments as backend databases. They all need a
development environment that is isolated from other Cassandra instances. You want to move to
Google Cloud quickly and with minimal support effort. What should you do?

A
  1. Advise your developers to go to Cloud Marketplace.
  2. Ask the developers to launch a Cassandra image for their development work.

64
Q

You have a Compute Engine instance hosting a production application. You want to receive an
email if the instance consumes more than 90% of its CPU resources for more than 15 minutes. You
want to use Google services. What should you do?

A
  1. Create a Stackdriver Workspace, and associate your Google Cloud Platform (GCP) project with it.
  2. Create an Alerting Policy in Stackdriver that uses the threshold as a trigger condition.
  3. Configure your email address in the notification channel.

65
Q

You have an application that uses Cloud Spanner as a backend database. The application has a
very predictable traffic pattern. You want to automatically scale up or down the number of Spanner
nodes depending on traffic. What should you do?

A

Create a Cloud Monitoring alerting policy to send an alert to webhook when Cloud Spanner
CPU is over or under your threshold. Create a Cloud Function that listens to HTTP and resizes
Spanner resources accordingly.