ForMe1 Flashcards
You work in a small company where everyone should be able to view all resources of a specific project. You want to grant them access following Google’s recommended practices. What should you do?
Create a Google Group, add all users to it, and bind the group (not each user) to the Project Viewer role: gcloud projects add-iam-policy-binding PROJECT_ID --member="group:GROUP_EMAIL" --role="roles/viewer". Granting roles to groups is Google's recommended practice because membership is then managed in one place instead of in many individual IAM bindings.
Your project manager accidentally created an auto mode VPC. He is now asking you to convert it to a custom mode VPC, because the applications are already deployed and rely on static internal IP addresses. Is it possible?
Yes. An auto mode VPC can be converted to custom mode, but the conversion is one-way: a custom mode VPC cannot be converted back to auto mode. Existing subnets and their IP ranges are kept, so the static internal addresses already in use are not affected; the network simply stops creating subnets automatically in new regions.
A health care company that provides medical services to users wants network forensics, real-time security analysis and cost optimization. The manager would like to track the network traffic sent from and received by VM instances. What do you suggest they do?
VPC Flow Logs
VPC Flow Logs record a sample of the network flows sent from and received by VM instances (source and destination IP and port, protocol, bytes, timestamps) and are used for network monitoring, forensics, real-time security analysis and expense optimization. They are enabled per subnet and written to Cloud Logging, from where they can be exported.
You have been assigned to a new health application project where the backend instances are deployed using Managed Instance Groups. There are 4 instances running. The MIG is not set to automatically scale and you are asked to resize a group to handle an expected increase in traffic. Which of the following statements about MIG is incorrect?
Incorrect statement: "When updating a MIG, no more than 500 instances can be specified in a single request."
The actual limit is 1,000: when updating a MIG, up to 1,000 instances can be specified in a single request.
What is the gcloud command to create a cluster named ch09-cluster-10 with four nodes?
gcloud container clusters create ch09-cluster-10 --num-nodes=4
A development team works with two Cloud Functions written in Node.js, one for the development environment and one for production. The code is the same except for the Cloud SQL database values used in each function. The team wants to keep the code clean and reusable and decides to pass the database values in at execution time. Which feature allows this?
Environment Variables
Environment variables for Cloud Functions let you pass settings to your function code and libraries at deployment time without changing the code. Keep the database password out of plain environment variables, which anyone who can view the function's configuration can read; store it in Secret Manager and expose it to the function from there.
https://cloud.google.com/functions/docs/env-var
What is the correct command to "create an IAM user" using the Google Cloud CLI?
Google Cloud has no command that creates an IAM user: identities are Google accounts (or Cloud Identity / Google Workspace accounts), and IAM only binds roles to them. The command that grants an existing user access to a project is gcloud projects add-iam-policy-binding whizlabs-prj --member="user:bob@xyz.com" --role="roles/editor". Editor is a broad basic role; prefer a narrower predefined role where one fits the task.
A developer has asked you to create a single nginx server for dev environment. Which service would allow you to launch VM using predefined images?
Marketplace
Google Cloud Marketplace provides pre-built images (for example an nginx VM image) that can be deployed with a few clicks and minimal configuration.
Which of the following export options are available with Google Cloud Billing?
BigQuery and File
At the time of writing, Cloud Billing export supports only export to BigQuery and export to a file (CSV or JSON) in a Cloud Storage bucket.
You are working for a service company that has an automobile client. The client has developed an application for internal use in Erlang and has approached your company to help ease the application deployment process on Google Cloud. The company does not have highly trained staff, so it wants you to deploy the application in such a way that, post-deployment, they can manage it without worrying about the infrastructure. Which service would you prefer?
App Engine flexible environment. With the flexible environment you can deploy an application written in any language (including Erlang, through a custom runtime built from a Dockerfile) without managing instances, load balancers, etc. yourself.
Using the principle of least privilege, your colleague Bob needs to be able to create new instances on Compute Engine in project ‘Project A’. How should you give him access without giving more permissions than is necessary?
Give Bob the Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1) on Project A. It grants control over Compute Engine instances, disks, snapshots and related resources, but nothing outside Compute Engine. If the instances run as a service account, Bob also needs the Service Account User role (roles/iam.serviceAccountUser) on that service account, because creating an instance that acts as a service account requires the iam.serviceAccounts.actAs permission.
You have an application server running on Compute Engine in the europe-west1-d zone. You need to ensure high availability and replicate the server to the europe-west2-c zone using the fewest steps possible. What should you do?
Create a snapshot from the disk.
Create a disk from the snapshot in the europe-west2-c zone.
Create a new VM with that disk.
This replicates the VM in the new zone. Snapshots are global, so the disk can be recreated in any zone; take the snapshot while the disk is in a consistent state (quiesce writes or stop the VM) so the copy is not corrupt.
Which command will let you enable Google Compute service using gcloud CLI?
gcloud services enable compute (the full service name is compute.googleapis.com)
Your company has purchased a threat detection service from a third party and has asked you to upload all network logs to that application. Which service meets the requirement?
VPC Flow Logs. Flow logs record sampled network flows within your VPC (not every packet): source IP, destination IP, source port, destination port, protocol, bytes, timestamps, and so on. Enable them on the subnets and export the entries from Cloud Logging with a log sink (to Pub/Sub, Cloud Storage or BigQuery) for the third-party tool to consume.
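The parsing step a practitioner would put between the log sink and the third-party tool, as an added example that is not part of the original flashcards: it reads VPC Flow Logs entries as exported from Cloud Logging, extracts the 5-tuple, and flags flows that reach an admin port on a VM from outside the VPC. The three entries in SAMPLE_ENTRIES are constructed to follow the documented VPC Flow Logs record layout (jsonPayload.connection.src_ip, src_port, dest_ip, dest_port, protocol; bytes_sent; reporter); they were not captured from a real project, and the RFC 1918 ranges used for "internal" are an assumption about the customer's addressing.

```python
"""Parse VPC Flow Logs entries exported from Cloud Logging and flag flows
worth forwarding to a third-party threat-detection tool.

Added example, not from the original page. SAMPLE_ENTRIES below is constructed
to mirror the VPC Flow Logs record layout; it is not real traffic.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Admin ports a practitioner usually wants flagged when reached from outside the VPC.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumption: the VPC uses RFC 1918 space; adjust to the customer's subnet ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    protocol: str
    bytes_sent: int
    reporter: str


def parse_flow(entry: dict) -> Flow:
    """Extract the 5-tuple and byte count from one flow log entry."""
    payload = entry["jsonPayload"]
    conn = payload["connection"]
    proto = int(conn["protocol"])
    return Flow(
        src_ip=conn["src_ip"],
        src_port=int(conn["src_port"]),
        dest_ip=conn["dest_ip"],
        dest_port=int(conn["dest_port"]),
        protocol=PROTOCOL_NAMES.get(proto, str(proto)),
        bytes_sent=int(payload.get("bytes_sent", 0)),
        reporter=payload.get("reporter", ""),
    )


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(flow: Flow) -> Optional[str]:
    """Label a TCP flow that reaches an admin port on a VM from a non-RFC1918 source."""
    if (flow.protocol == "tcp" and flow.dest_port in ADMIN_PORTS
            and is_private(flow.dest_ip) and not is_private(flow.src_ip)):
        return "external-" + ADMIN_PORTS[flow.dest_port]
    return None


def findings(log_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (label, src_ip, dest_ip, dest_port) for every flagged entry."""
    out = []
    for line in log_lines:
        flow = parse_flow(json.loads(line))
        label = classify(flow)
        if label:
            out.append((label, flow.src_ip, flow.dest_ip, flow.dest_port))
    return out


def _entry(src_ip, src_port, dest_ip, dest_port, proto, nbytes):
    """Build one constructed log line in the flow-log shape."""
    return json.dumps({"jsonPayload": {
        "connection": {"src_ip": src_ip, "src_port": src_port,
                       "dest_ip": dest_ip, "dest_port": dest_port, "protocol": proto},
        "bytes_sent": nbytes, "reporter": "DEST",
        "start_time": "2024-01-01T00:00:00Z", "end_time": "2024-01-01T00:00:05Z"}})


# Constructed sample entries: an RDP attempt from the internet, an internal SSH
# session, and an HTTPS request from the internet. Only the first is flagged.
SAMPLE_ENTRIES = [
    _entry("203.0.113.5", 51234, "10.128.0.2", 3389, 6, 1200),
    _entry("10.128.0.3", 40000, "10.128.0.2", 22, 6, 8000),
    _entry("198.51.100.9", 44321, "10.128.0.2", 443, 6, 500),
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_ENTRIES):
        print(finding)
```

In production the lines would arrive from the Pub/Sub sink rather than from a list, and the detection rules would be whatever the third-party tool cannot derive itself; the point here is that flow logs carry the 5-tuple and counters, not payloads, so "upload all network logs" means sampled flow metadata.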
You have a Kubernetes cluster with 1 node-pool. The cluster receives a lot of traffic and needs to grow. You decide to add a node. What should you do?
Use “gcloud container clusters resize” with the desired number of nodes.
This resizes the cluster to the desired number of nodes
Your team has deployed a few Windows web servers on a custom VPC network and they are running properly. A few hours later the app suddenly crashes; developers try to remote into the web servers but fail. While troubleshooting you realize that a firewall rule is missing. Which command solves the problem?
The command that allows developers to reach the Windows servers over RDP is:
gcloud compute firewall-rules create "remote-access" --network "whizlab-network" --allow tcp:3389 --source-ranges "DEVELOPER_IP/32". Without --source-ranges the rule defaults to 0.0.0.0/0, which exposes RDP to the whole internet; restrict it to the developers' addresses (or reach the servers through IAP TCP forwarding) rather than opening it world-wide.
You are trying to fetch metadata of a VM using “curl metadata.google.internal/computeMetadata/v1/” command but are constantly receiving 403 Forbidden. What could be the possible reason?
The metadata server requires the request header "Metadata-Flavor: Google" (curl -H "Metadata-Flavor: Google" metadata.google.internal/computeMetadata/v1/). The header shows that the request was sent deliberately to retrieve metadata values rather than unintentionally from an insecure source (for example a browser following a redirect), and only then does the metadata server return the data. Without the header the request is denied with 403 Forbidden.
In VPC, which firewall rules are created by default while creating an automatic default VPC?
Allow SSH, RDP, ICMP, and internal traffic: default-allow-ssh (tcp:22), default-allow-rdp (tcp:3389) and default-allow-icmp, each with source range 0.0.0.0/0, plus default-allow-internal (all protocols between instances in the network, source range 10.128.0.0/9). The first three open SSH, RDP and ICMP to the internet and are usually deleted or restricted in production.
One of your team members accidentally included a service account private key (JSON) in code pushed to GitHub. What steps should you perform immediately?
Treat the key as compromised. Revoke it first by deleting it from the service account in IAM, then remove it from the source tree and the repository history, and create a new key only if the application still needs one (short-lived credentials or workload identity are preferable). Removing the file from the repository alone is not enough: anyone who cloned or scraped the repository in the meantime still holds a working key, and it stays valid until it is deleted from the service account. Review Cloud Audit Logs for use of the key while it was exposed.
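A check that catches the leak before the push, as an added example that is not part of the original flashcards: it scans a set of files for Google service account JSON keys (type "service_account" plus PEM key material) and prints the gcloud command that revokes each one, since deleting the key from the service account is what actually invalidates it. SAMPLE_FILES is constructed; the key id is fake and the PEM body is a placeholder, not a real private key.

```python
"""Find Google service account JSON keys in a set of files (the check a
pre-commit hook or CI job would run) and emit the gcloud command that revokes
each one.

Added example, not from the original page. SAMPLE_FILES is constructed: the
key id is fake and the PEM body is a placeholder, not real key material.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

PEM_HEADER = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")


def find_service_account_key(text: str) -> Optional[dict]:
    """Return identity fields if `text` is a service account key file, else None."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict) or doc.get("type") != "service_account":
        return None
    if not PEM_HEADER.search(doc.get("private_key", "")):
        return None  # credential config without key material is not a leaked key
    return {
        "client_email": doc.get("client_email", ""),
        "private_key_id": doc.get("private_key_id", ""),
        "project_id": doc.get("project_id", ""),
    }


def revoke_command(key: dict) -> str:
    """Deleting the key on the service account invalidates it; rewriting git
    history does not, because the repository may already have been cloned."""
    return ("gcloud iam service-accounts keys delete {id} --iam-account={email}"
            .format(id=key["private_key_id"], email=key["client_email"]))


def scan(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, service account email, revoke command) for each leaked key."""
    hits = []
    for path, content in files.items():
        key = find_service_account_key(content)
        if key:
            hits.append((path, key["client_email"], revoke_command(key)))
    return hits


# Constructed sample repository contents (not real credentials).
SAMPLE_FILES = {
    "config/sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef0123456789abcdef01234567",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
        "client_email": "deploy@example-project.iam.gserviceaccount.com",
    }),
    "package.json": json.dumps({"name": "app", "version": "1.0.0"}),
    "README.md": "# app\nNot JSON at all.",
}

if __name__ == "__main__":
    for path, email, cmd in scan(SAMPLE_FILES):
        print("{}: key for {}\n  revoke with: {}".format(path, email, cmd))
```

Wire scan() into a pre-commit hook over the staged files, and fail the commit on any hit; the same function can be run over every commit in the repository history after a leak to confirm nothing else slipped through.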
You have been hired as a contractor by a travel technology company that plans to containerize its existing applications so that it can lift and shift them easily if it decides to move away from Google Cloud. Which service best suits this case?
Kubernetes Engine
Kubernetes is open source and supported by every major cloud platform, so the company can move out later with the same manifests and only minor changes.
Your client wants to develop a new cost effective web application that runs on serverless platform using Cloud Function, Cloud Storage, Pub/Sub and Cloud CDN. The expected data would be 20 GB. Which of the following database would be the most suitable schemaless option to support the serverless functionality?
Cloud Firestore
Cloud Firestore is a fast, fully managed, serverless, cloud-native NoSQL document database that simplifies storing, syncing, and querying data for your mobile, web, and IoT apps at global scale
You have recently joined a startup that is migrating its infrastructure from AWS to Google Cloud. A junior engineer has been assigned the task of migrating one of their web servers running Amazon Linux from AWS to GCP, into a public subnet of a custom VPC. The migration succeeds, but he cannot get SSH access to the migrated instance. What should he check? (Multiple answers)
1- Check that an SSH public key was added to the instance (instance or project metadata, or OS Login).
2- Make sure a firewall rule allowing tcp:22 applies to the instance. SSH runs on TCP port 22, so it must be allowed at the firewall level, and a public SSH key must be configured on the VM.
You need to allow traffic from specific virtual machines in ‘subnet-a’ network access to machines in ‘subnet-b’ without giving the entirety of subnet-a access. How can you accomplish this?
Create a firewall rule to allow traffic from resources with specific network tags, then assign the machines in subnet-a the same tags.
Network tags allow more granular access based on individually tagged instances: with target tags, the firewall rule applies only to VMs that carry a matching network tag. Note that anyone who can edit an instance can change its tags, so for security-critical rules targeting by service account is stronger than targeting by tag.
You have set a firewall rule that will permit inbound connections to a VM instance named whizserver-2. You want to apply this rule only if there is not another rule that would deny that traffic. What priority would you give to this rule?
65535. Firewall rule priority is an integer from 0 to 65535 where lower numbers are evaluated first, so 65535 is the lowest possible priority: every other rule, including any deny rule, is evaluated before it and wins if it matches. If no rule matches at all, the implied deny-ingress rule applies.
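The evaluation order behind that answer, as an added example that is not part of the original flashcards: a small simulator of VPC firewall rule evaluation for ingress traffic. Lower priority numbers are evaluated first; among rules with the same priority, deny beats allow; if nothing matches, the implied rules apply (deny all ingress, allow all egress). The rule names and address ranges are made up, and the simulator handles only source ranges and TCP ports, not target tags or service accounts.

```python
"""Simulate VPC firewall rule evaluation to show what priority 65535 means for
the permit rule on whizserver-2.

Added example, not from the original page; rule names and ranges are made up.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    priority: int               # 0 (evaluated first) .. 65535 (evaluated last)
    source_ranges: List[str]
    tcp_ports: Set[int] = field(default_factory=set)  # empty = any TCP port
    direction: str = "INGRESS"


def rule_matches(rule: Rule, src_ip: str, dest_port: int) -> bool:
    addr = ipaddress.ip_address(src_ip)
    in_range = any(addr in ipaddress.ip_network(r) for r in rule.source_ranges)
    return in_range and (not rule.tcp_ports or dest_port in rule.tcp_ports)


def evaluate(rules: List[Rule], src_ip: str, dest_port: int,
             direction: str = "INGRESS") -> Tuple[str, str]:
    """Return (action, rule name) of the rule that decides this packet."""
    # Lower number first; at equal priority a deny rule precedes an allow rule.
    ordered = sorted((r for r in rules if r.direction == direction),
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule_matches(rule, src_ip, dest_port):
            return rule.action, rule.name
    if direction == "INGRESS":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# The rule from the card: permit inbound connections to whizserver-2, but only
# where nothing else denies them, so it gets the lowest possible priority.
PERMIT_WHIZSERVER_2 = Rule("permit-whizserver-2", "allow", 65535, ["0.0.0.0/0"])
# Any deny rule with a numerically lower priority is evaluated first and wins.
DENY_RDP_FROM_INTERNET = Rule("deny-rdp-from-internet", "deny", 1000, ["0.0.0.0/0"], {3389})
RULES = [PERMIT_WHIZSERVER_2, DENY_RDP_FROM_INTERNET]

if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.5", 3389))   # denied by deny-rdp-from-internet
    print(evaluate(RULES, "203.0.113.5", 443))    # allowed by permit-whizserver-2
    print(evaluate([], "203.0.113.5", 443))       # implied deny ingress
```

Had the permit rule been given priority 1000 as well, the deny rule would still win for port 3389 because of the same-priority tie-break; had it been given priority 999, RDP from the internet would be allowed, which is exactly the mistake the 65535 choice avoids.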
You have system-generated log files that must later be uploaded to Cloud Storage in the data lake. The data is accessed only a couple of times a year by the development team for debugging and log analysis, so you are looking for a cheaper storage option than the Standard class. Which class is suitable?
Cloud Storage Coldline
You want your application hosted on a VM to fetch metadata of that instance. Which command will help you to fetch it?
curl -H "Metadata-Flavor: Google" metadata.google.internal/computeMetadata/v1/ (without the Metadata-Flavor header the metadata server returns 403 Forbidden)
Which of the following command could be used to change the storage class of an object in Cloud Storage?
gsutil rewrite -s [STORAGE_CLASS] gs://[BUCKET_NAME]/[OBJECT_NAME]
The gsutil rewrite command rewrites cloud objects, applying the specified transformations; here -s sets the storage class. Each transformation is atomic per object, and object metadata is preserved unless a transformation changes it. Add -r with a bucket or prefix path to change the class of every object under it.
Your customer is moving their corporate applications to Google Cloud Platform. The security team wants detailed visibility of all projects in the organization. You provision the Google Cloud Resource Manager and set up yourself as the org admin. Which Google Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?
Organization Viewer (roles/resourcemanager.organizationViewer) and Project Viewer (roles/viewer), both granted at the organization level so they are inherited by every project
This gives the security team read-only access to everything the company produces. Anything broader gives them the ability, accidentally or otherwise, to change things, which violates the principle of least privilege.
Engineering team is building an application which routes request on TCP layer. They need a load balancer with support of SSL termination on load balancer. Which of the following is the best available option?
SSL Proxy Load Balancer
SSL Proxy Load Balancing is a Layer 4 (TCP) proxy load balancer that terminates SSL/TLS at the load balancer and forwards the traffic to backends over TCP or SSL; it is intended for non-HTTP(S) TCP traffic that needs TLS termination. For HTTP(S) traffic the HTTPS load balancer is the right choice.
A GKE cluster was created with 4 nodes initially and after looking at the few months of monitoring report you realized that cluster is underutilized. You plan to reduce the number of nodes to 3 to save the cost. Which gcloud command will help you to do that?
The right way to update the number of nodes in a GKE cluster is gcloud container clusters resize whizlabs-cluster --num-nodes=3
Among the permissions listed, which two are required to manage SSH keys in project-wide metadata for access to instances when OS Login is not in use? Select 2.
The following two permissions are required on the project when setting project-wide metadata:
compute.projects.setCommonInstanceMetadata
iam.serviceAccounts.actAs (on the service account the instances run as, because changing project metadata affects those instances)
You are a Google Cloud Engineer and assigned to set up a project for the team of four members. You need to grant only general permissions for all the resources of the project. You decided to grant a primitive role to each person for different levels of access on the basis of their responsibilities in the project. What is not considered as a primitive role in the Google Cloud Platform console?
Publisher is not a primitive role but a predefined role (for example Pub/Sub Publisher, roles/pubsub.publisher). The primitive roles, now called basic roles, are Owner, Editor and Viewer.
Your client has introduced a new company policy: each developer must sign a Contributor License Agreement (CLA) before code changes are committed to any version control repository. You have been asked to check every commit in a repository against this policy, and your manager has provided Node.js code for the check. Which service can help you implement this solution?
Cloud Function
Cloud Function can be used to retrieve commits, analyze code, committers and perform creative tasks such as checking a CLA.
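The two things such a function must do, authenticate the webhook and then apply the policy, as an added example that is not part of the original flashcards and is written in Python rather than the Node.js the card mentions. GitHub signs the raw request body with HMAC-SHA256 using the webhook secret and sends the result as "sha256=<hex>" in the X-Hub-Signature-256 header; skipping that check would let anyone who knows the function's URL submit a push payload. The secret, the signer list and the push payload are constructed, and the payload shape (a "commits" array with "author"/"committer" email fields) follows GitHub's push event.

```python
"""Verify a GitHub push webhook and reject pushes whose commit authors have not
signed the CLA; the check the Cloud Function in the card would perform.

Added example, not from the original page. WEBHOOK_SECRET, SIGNERS and
SAMPLE_BODY are constructed, not taken from a real repository.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Set


def sign(secret: bytes, body: bytes) -> str:
    """The value GitHub puts in X-Hub-Signature-256 for this secret and body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time comparison of the expected and presented signature."""
    expected = sign(secret, body).encode()
    return hmac.compare_digest(expected, (header or "").encode())


def unsigned_commits(payload: dict, signers: Set[str]) -> List[str]:
    """Commit ids where the author or the committer has not signed the CLA."""
    missing = []
    for commit in payload.get("commits", []):
        author = commit["author"]["email"]
        committer = commit.get("committer", commit["author"])["email"]
        if not {author, committer} <= signers:
            missing.append(commit["id"])
    return missing


def handle_push(secret: bytes, body: bytes, header: str, signers: Set[str]) -> Dict:
    """Entry point: authenticate the webhook first, then enforce the policy."""
    if not verify_signature(secret, body, header):
        return {"status": 401, "error": "invalid signature"}
    missing = unsigned_commits(json.loads(body), signers)
    return {"status": 200 if not missing else 422, "unsigned": missing}


# Constructed sample data (not a real repository, secret or CLA list).
WEBHOOK_SECRET = b"replace-me-with-the-secret-configured-on-the-repo"
SIGNERS = {"alice@example.com", "bob@example.com"}
SAMPLE_BODY = json.dumps({
    "ref": "refs/heads/main",
    "commits": [
        {"id": "a1", "author": {"email": "alice@example.com"},
         "committer": {"email": "alice@example.com"}},
        {"id": "b2", "author": {"email": "mallory@example.com"},
         "committer": {"email": "bob@example.com"}},
    ],
}).encode()

if __name__ == "__main__":
    good = sign(WEBHOOK_SECRET, SAMPLE_BODY)
    print(handle_push(WEBHOOK_SECRET, SAMPLE_BODY, good, SIGNERS))
    print(handle_push(WEBHOOK_SECRET, SAMPLE_BODY, "sha256=deadbeef", SIGNERS))
```

In a real deployment the secret comes from Secret Manager, the signer list from wherever the CLA records live, and the 422 response is paired with a commit status or check run on the pull request; the verification must run on the raw body bytes before any JSON parsing, since re-serialized JSON will not reproduce the signature.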
You are managing the GCP account of a client. The client asks you to launch a VM instance in the us-east1 region with 9 local SSDs attached. As a cloud architect, how do you respond to this request?
Each local SSD is 375 GB, and an instance can have up to 24 local SSD devices (9 TB) depending on its machine type. The number of devices you can attach is fixed per machine series rather than arbitrary, so check that 9 is an allowed count for the chosen machine type. Local SSD availability is also per zone: if the resource is not available in the zone, you cannot create it, even if you still have quota left in the region or project.
Read more about it here: https://cloud.google.com/compute/docs/disks/local-ssd
https://cloud.google.com/compute/quotas
You need to deploy an update to an application in Google App Engine. The update is risky, but it can only be tested in a live environment. What is the best way to introduce the update to minimize risk?
Deploy a new version of the application but use traffic splitting to only direct a small number of users to the new version.
Deploying a new version without assigning it as the default version will not create downtime for the application. Using traffic splitting allows for easily redirecting a small amount of traffic to the new version and can also be quickly reverted without application downtime
Your company has an application deployed on a serverless architecture: Cloud Functions as the backend code, Pub/Sub, Cloud Endpoints, and static content served from Cloud Storage. The application is used heavily and you were informed of an issue with the Cloud Function. You realized the issue is caused by the invocation limit per second. What is the default limit set by GCP for invoking a function per second?
The default invocation limit given here is 1,000 per second. Quotas change and can be raised on request, so check the current Cloud Functions quota page for the project before relying on this figure.
As per your manager’s instruction, you created a custom VPC with a subnet mask of 24 which provides 256 IP addresses but are only able to use 252 addresses out of it. You manager is trying to figure out what’s going wrong and approaches you for the answer. What will you answer to your manager?
Google Cloud reserves four IP addresses in every primary subnet range: the first (network address), the second (default gateway), the second-to-last (reserved for future use) and the last (broadcast). A /24 therefore has 252 usable addresses.
One of your clients has asked you to create an SFTP server on Google Cloud. Which Google Cloud storage service is the most reliable and durable option for it?
For file storage, Filestore is the best option. Filestore is a managed file storage service for applications that need a filesystem interface and a shared filesystem for their data, which is what an SFTP server process reads from and writes to. It gives a simple, native experience for standing up managed Network Attached Storage (NAS) with Compute Engine and Kubernetes Engine instances.
You have an on-premises MySQL database that you have been asked to move to Google Cloud. Users should run SQL queries to fetch data from the database. Your solution should be cost-effective and allow read capacity to be increased in the future. Which Google Cloud product is best for this scenario?
Cloud SQL
Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage and administer relational PostgreSQL, MySQL and SQL Server databases in the cloud. A MySQL database can be migrated as-is, users keep running SQL, and read capacity can be increased later by adding read replicas.