Google Cloud Developer Flashcards
What is the main goal of machine learning?
Answer:
Machine learning aims to teach machines to recognize patterns similarly to how humans do.
What challenge is highlighted when comparing human and machine learning capabilities?
Answer:
Even a two-year-old can easily distinguish between an apple and an orange, but it’s difficult to teach a computer to do the same thing.
What does Google offer to make it easier for developers to use machine learning?
Answer:
Google offers pre-trained machine learning models through easy-to-use Google Cloud APIs.
What areas of AI are covered by Google’s pre-trained APIs mentioned in this module?
Answer:
The APIs cover vision, speech, video intelligence, and natural language processing.
What is Generative AI, and why is it important?
Answer:
Generative AI is a type of AI that creates new content based on learned patterns. It enhances application capabilities and improves the developer experience by making development more efficient.
What are pre-trained machine learning models used for in Google Cloud?
Answer:
They help developers easily add powerful features like image recognition, speech processing, and language understanding to their applications without requiring ML expertise.
What does the Vision API allow developers to do?
Answer:
It allows for complex image detection, including object labeling, OCR, landmark detection, logo recognition, face detection, and identifying explicit content.
What do the Speech-to-Text and Text-to-Speech APIs do?
Answer:
Speech-to-Text converts audio to text, while Text-to-Speech converts text to audio.
What is the purpose of the Cloud Translation API?
Answer:
It enables fast, dynamic translation of text between supported languages, making it useful for websites and applications needing multilingual support.
What kind of analysis can the Cloud Natural Language API perform?
Answer:
It can extract information about entities in text, analyze sentiment, and interpret customer intent from written content.
What does the Video Intelligence API do?
Answer:
It annotates videos by labeling entities at the shot, frame, or video level, helping identify key objects and when they appear in the video.
How does AutoML on Vertex AI benefit developers with limited ML expertise?
Answer:
It allows them to train high-quality models on their own image, text, tabular, or video data without writing code.
What ML frameworks can be used with Vertex AI for custom model training?
Answer:
TensorFlow, PyTorch, and other ML frameworks.
How does Google use ML in its conference room systems?
Answer:
They use motion detection with VC cameras to determine occupancy. If motion is detected 6–8 minutes after a meeting starts, the room is marked as occupied.
How is the Vision API used in the provided examples?
Answer:
It accurately detects emotional expressions in a wedding photo and distinguishes the Sphinx in Las Vegas from the one in Egypt.
What is Generative AI?
Answer:
Generative AI is a type of artificial intelligence that creates new content based on what it has learned from existing content through a process called training.
What is the input provided to a generative AI model called?
Answer:
It is called a prompt.
What is a foundation model?
Answer:
A foundation model is a large AI model trained on massive datasets that can perform general tasks and be fine-tuned for specific purposes.
What is a Large Language Model (LLM)?
Answer:
An LLM is a type of foundation model trained on large-scale text data that can generate, understand, and manipulate human language.
What are two meanings of the word “large” in Large Language Models?
Answer:
It refers to the large training dataset (often petabyte scale) and the large number of parameters (in the billions or trillions).
How does traditional programming differ from generative AI?
Answer:
Traditional programming requires manually defined rules, while generative AI learns patterns from data and generates outputs based on learned concepts.
What is the difference between pre-training and fine-tuning in generative AI?
Answer:
Pre-training uses a large dataset for general-purpose learning; fine-tuning uses a smaller, domain-specific dataset to adapt the model to specific tasks.
What types of content can generative AI create?
Answer:
Text (stories, poems), images, summaries, answers, support tickets, and even code.
How does generative AI assist in content summarization?
Answer:
It can automatically summarize video, audio, and text, and generate Q&A content from it.
What are some use cases for generative AI in workflow automation?
Answer:
Extracting and labeling contracts, classifying feedback, and creating support tickets.
How can generative AI improve software development?
Answer:
It can generate code, write unit tests, explain code, fix bugs, complete code, and translate code between languages.
What is the role of Vertex AI Codey APIs?
Answer:
They provide generative AI features like code generation, code chat, and code completion.
How does generative AI help with code translation?
Answer:
It can convert code from one programming language to another, following best practices of the new language.
What is Gemini in the context of Generative AI?
Answer:
Gemini is an AI-powered assistant designed to help developers write code faster and more efficiently using generative AI.
Why is generative AI revolutionary for app development?
Answer:
Because it enhances productivity, simplifies complex tasks, and reduces the barrier to developing intelligent, feature-rich applications.
How does Software Delivery Shield work?
What triggers a continuous integration process in a CI/CD pipeline?
Answer: A developer commits changes into a feature branch in a code repository, which automatically triggers a build service like Cloud Build.
Where are application artifacts stored after the CI build process?
Answer: In Artifact Registry.
What event typically triggers continuous delivery in a CI/CD pipeline?
Answer: Changes being pushed to the main branch in the code repository.
What is the role of Cloud Deploy in the CI/CD pipeline?
Answer: It deploys application images to environments like Cloud Run or GKE, supports release strategies (like canary or blue-green), and provides approval workflows and security insights.
What happens after all tests pass in the staging environment?
Answer: The build is tagged as a release candidate, which can be manually approved for production deployment.
What’s the key difference between continuous delivery and continuous deployment?
Answer: Continuous deployment skips manual approval and automatically deploys release candidates to production.
What is the purpose of Google Cloud’s Software Delivery Shield?
Answer: It provides a fully managed, end-to-end software supply chain security solution that protects each step of the CI/CD process.
What does Artifact Analysis do?
Answer: It scans for vulnerabilities in container images and packages (like Maven and Go) stored in Artifact Registry and continuously monitors metadata for new vulnerabilities.
What is Binary Authorization used for in CI/CD pipelines?
Answer: It ensures only trusted images are deployed by verifying that artifacts meet predefined attestation policies.
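The admission decision described in the card above, as an added example that is not Google's evaluator and not code from the course. It models the documented policy shape (admissionWhitelistPatterns, defaultAdmissionRule with evaluationMode, enforcementMode and requireAttestationsBy) and the documented rule that an image under REQUIRE_ATTESTATION must be referenced by digest. The policy, attestor names and digests are constructed; attestations are a plain mapping of attestor to attested digests, whereas the real service verifies a signature over the digest against the attestor's public keys.

```python
"""Simplified model of Binary Authorization admission-rule evaluation (added example)."""
import re
from typing import Dict, Optional, Set, Tuple

# Assumed policy, laid out like a `gcloud container binauthz policy export` file.
POLICY = {
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google-containers/*"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [
            "projects/example-project/attestors/built-by-cloud-build",
            "projects/example-project/attestors/vuln-scan-passed",
        ],
    },
}

GOOD_DIGEST = "sha256:" + "a" * 64  # constructed digest of a fully attested image

# Constructed attestation store: attestor resource name -> digests it vouches for.
ATTESTATIONS: Dict[str, Set[str]] = {
    "projects/example-project/attestors/built-by-cloud-build": {GOOD_DIGEST},
    "projects/example-project/attestors/vuln-scan-passed": {GOOD_DIGEST},
}

DIGEST_RE = re.compile(r"^(?P<name>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """namePattern semantics: '*' matches within one path component, '**' crosses components."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def split_reference(image: str) -> Tuple[str, Optional[str]]:
    """Return (name, digest); digest is None when the image is referenced by tag or not pinned."""
    m = DIGEST_RE.match(image)
    if m:
        return m.group("name"), m.group("digest")
    # A tag is what follows the last ':' after the last '/', so 'host:5000/app' has no tag.
    colon, slash = image.rfind(":"), image.rfind("/")
    return (image[:colon] if colon > slash else image), None


def evaluate(image: str, policy: dict = POLICY,
             attestations: Dict[str, Set[str]] = ATTESTATIONS) -> Tuple[bool, str]:
    """Return (admitted, reason) for one image reference under the policy's default rule."""
    name, digest = split_reference(image)
    for p in policy.get("admissionWhitelistPatterns", []):
        if pattern_to_regex(p["namePattern"]).match(name):
            return True, "exempt: matches admissionWhitelistPattern " + p["namePattern"]

    rule = policy["defaultAdmissionRule"]
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        denied_reason = None
    elif mode == "ALWAYS_DENY":
        denied_reason = "ALWAYS_DENY"
    elif digest is None:
        # Attestations are made over a digest; a tag can be repointed, so it cannot be verified.
        denied_reason = "image must be referenced by digest when attestations are required"
    else:
        missing = [a for a in rule["requireAttestationsBy"]
                   if digest not in attestations.get(a, set())]
        denied_reason = ("missing attestation from " + ", ".join(missing)) if missing else None

    if denied_reason is None:
        return True, "admitted"
    if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
        # Dry run admits the image and only logs the violation; easy to leave on after testing.
        return True, "DRYRUN: would deny (" + denied_reason + ")"
    return False, denied_reason


if __name__ == "__main__":
    for ref in ("us-docker.pkg.dev/example-project/repo/app@" + GOOD_DIGEST,
                "us-docker.pkg.dev/example-project/repo/app:v1",
                "gcr.io/google-containers/pause:3.2"):
        print(ref, "->", evaluate(ref))
```

Two things worth noticing when you run it: a tag-referenced image is denied even if the tag currently points at an attested digest, because the attestation binds to the digest and the tag can be moved; and an enforcementMode of DRYRUN_AUDIT_LOG_ONLY admits everything, so a policy left in dry run after a rollout provides no protection.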
How does Cloud Build contribute to CI/CD security?
Answer: It executes builds on Google Cloud infrastructure and maintains verifiable metadata, helping ensure artifacts are built from trusted sources.
What is the main advantage of using containers over virtual machines?
Answer: Containers are faster to start and use fewer resources because they don’t require a full operating system instance.
What are containers primarily used for?
Answer: Packaging and deploying applications in a lightweight, portable, and isolated environment.
What does a container runtime do?
Answer: It launches and runs containers, calls into the operating system kernel as needed, and determines the image format.
How do containers support workload portability?
Answer: Containers can run anywhere—on a developer’s laptop, on-premises VMs, or any cloud—with consistent behavior.
What kind of isolation do containers provide?
Answer: Application isolation at the OS level, including virtualized CPU, memory, storage, and network resources.
What is typically included in a container image?
Answer: The application binary and all necessary software dependencies to run the application.
How long does it usually take for a container to “boot”?
Answer: A fraction of a second.
What is the purpose of Cloud Build in Google Cloud?
Answer: To create automated pipelines that build container images and push them to Artifact Registry.
What service stores the container images built by Cloud Build?
Answer: Artifact Registry
What triggers a build in Cloud Build?
Answer: A build trigger, which can be based on commits to a specific branch or tags in a repository.
In Cloud Build, what file defines the build steps?
Answer: A build configuration file written in YAML or JSON.
Where is the source code mounted during a build step?
Answer: Into the /workspace directory inside the build step’s Docker container.
What is the purpose of the images attribute in a Cloud Build config file?
Answer: It specifies the name of the container image to be created during the build process.
Can Cloud Build send notifications about build status?
If yes, how?
Answer: Yes, it can publish notifications to Pub/Sub, which other services can subscribe to.
What is a key benefit of using Cloud Build for CI/CD?
Answer: You don’t need to manage your own build infrastructure or install local build tools—everything runs in the cloud.
What is Google Cloud’s most flexible option for running applications?
Answer: Compute Engine
What are Cloud Run functions?
Answer: Cloud Run functions are event-driven, serverless microservices that automatically scale and execute small pieces of code in response to events.
What kind of architecture do Cloud Run functions support?
Answer: They support an event-driven, serverless, and highly scalable architecture.
What is a common use case for Cloud Run functions?
Answer: Cloud Run functions are ideal for lightweight microservices that quickly process data in response to events.
How are Cloud Run functions billed?
Answer: Billing is based on:
Execution duration
Number of invocations
Provisioned resources (CPU, memory)
What Google Cloud services can be integrated with Cloud Run functions in an event-driven application?
Answer:
Cloud Storage
Pub/Sub
Cloud Run functions
Vision API
Cloud Translation API
Key Takeaways for compute comparisons?
Start with serverless (Cloud Run or Functions) unless you have specific infra needs.
Choose GKE or Compute Engine for:
Stateful apps
Custom networking or protocols
Special hardware (GPU/TPU)
Use App Engine only if:
You prefer PaaS simplicity over containers
You have legacy apps that fit its model
Migration & Flexibility
Using Cloud Client Libraries = Easier migration across platforms
Containers can move between Cloud Run ↔ GKE
Buildpacks can turn source code into containers for deployment
Can start serverless, then move to GKE for more control later
How does your team’s balance of development and operations skills influence your platform choice, and how might that evolve as your application scales and matures?
Follow-up: Could starting with serverless simplify your MVP and allow you to defer infrastructure complexity until you truly need it?
What are the long-term implications of choosing a fully managed serverless platform like Cloud Run or Cloud Functions for application portability, vendor lock-in, and future compliance requirements?
Follow-up: If you needed to migrate to a hybrid or multicloud setup in the future, how would your initial platform decision impact that journey?
In what scenarios would you intentionally trade off operational simplicity for infrastructure control — and how would you know when you’ve reached that inflection point?
Follow-up: How would observability and performance monitoring guide that decision?
How will your CI/CD pipeline, security posture, and software supply chain strategy (e.g., with Cloud Build, Binary Authorization, Artifact Registry) influence or constrain your choice of compute platform?
Follow-up: Which platform best aligns with your internal governance, audit, and DevSecOps policies?
How can you architect your application to be platform-agnostic — and what are the practical limits of that approach when dealing with stateful components, scaling behavior, and cost management?
Follow-up: Where does abstraction (e.g., containers, Cloud Client Libraries, buildpacks) break down?
Decision Drivers
Main Question: “Where should I run my application?”
Answer: It depends on:
Infrastructure control needed
Team structure
Application requirements
Pricing model
Future flexibility
What is the primary benefit of using Cloud Run functions?
Answer: They let you focus solely on your code, while Google Cloud manages the infrastructure and scaling.
What libraries should you use to interact with other Google Cloud services?
Answer: Use Cloud Client Libraries for the appropriate language.
Do you need to upload zip files to deploy Node.js Cloud Run functions?
Answer: No. Cloud Run functions handle the build and dependency installation automatically.
How are dependencies handled in Cloud Run functions for Node.js?
Answer: Dependencies are listed in a package.json file and are automatically installed.
What does a Node.js Cloud Run function need to export?
Answer: It must export its source code as a Node.js module.
What programming languages are currently supported by Cloud Run functions?
Answer:
Node.js
Python
Go
Java
.NET
Ruby
PHP
What is a typical event source for a Cloud Run function?
Answer: Events from services like Cloud Storage, Pub/Sub, HTTP requests, or webhooks.
Can Cloud Run functions be used as webhook targets?
Answer: Yes. They can handle direct HTTP calls from webhooks to trigger microservices.
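A webhook target as described in the card above, written as an added example rather than code from the course, with the check a practitioner wants before a third party's HTTP call is allowed to trigger anything: the request is authenticated by an HMAC over the raw body. Assumptions: the sender signs the body with a shared secret using HMAC-SHA256 and sends `sha256=<hex>` in an `X-Signature-256` header (header name and format are assumed; match them to the sender's documentation), the secret arrives in the `WEBHOOK_SECRET` environment variable, and the entry point receives the Flask request object that Cloud Run functions for Python provide. The event types and payloads are constructed.

```python
"""Cloud Run function (Python) acting as an authenticated webhook target (added example)."""
import hashlib
import hmac
import json
import os
from typing import Optional

SIGNATURE_HEADER = "X-Signature-256"        # assumed header name
ACCEPTED_EVENTS = {"push", "release"}       # assumed event types this service acts on


def compute_signature(secret: bytes, body: bytes) -> str:
    """Signature the sender is expected to produce over the exact bytes of the body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Fail closed on a missing or malformed header; compare in constant time."""
    if not isinstance(header_value, str) or not header_value.startswith("sha256="):
        return False
    try:
        return hmac.compare_digest(compute_signature(secret, body), header_value)
    except TypeError:  # non-ASCII header value
        return False


def process_event(payload: dict) -> dict:
    """Work done only for authenticated, well-formed events."""
    event = payload.get("event")
    if event not in ACCEPTED_EVENTS:
        return {"accepted": False, "reason": "ignored event type", "event": event}
    # Real work (publish to Pub/Sub, call another service) would go here.
    return {"accepted": True, "event": event, "ref": payload.get("ref")}


def webhook(request, secret: Optional[bytes] = None):
    """HTTP entry point. Returns a (body, status, headers) tuple, which Flask accepts."""
    if secret is None:
        secret = os.environ.get("WEBHOOK_SECRET", "").encode()
    if not secret:
        return ("webhook secret not configured", 500, {})
    body = request.get_data()  # raw bytes, exactly what was signed; parse JSON only afterwards
    if not verify_signature(secret, body, request.headers.get(SIGNATURE_HEADER)):
        return ("invalid signature", 401, {})
    try:
        payload = json.loads(body)
    except ValueError:
        return ("malformed JSON body", 400, {})
    if not isinstance(payload, dict):
        return ("malformed JSON body", 400, {})
    result = process_event(payload)
    return (json.dumps(result), 200, {"Content-Type": "application/json"})


class FakeRequest:
    """Minimal stand-in for the Flask request so the function can be exercised offline."""

    def __init__(self, body: bytes, headers: dict):
        self._body, self.headers = body, headers

    def get_data(self) -> bytes:
        return self._body


if __name__ == "__main__":
    secret = b"constructed-secret"
    body = json.dumps({"event": "push", "ref": "refs/heads/main"}).encode()
    good = FakeRequest(body, {SIGNATURE_HEADER: compute_signature(secret, body)})
    print(webhook(good, secret))                       # 200, accepted
    print(webhook(FakeRequest(body + b" ", good.headers), secret))  # 401, body was altered
```

Signing the raw bytes and only parsing JSON after the signature passes matters: re-serialising the parsed object before verifying would let a sender who controls whitespace or key order produce bytes you never checked. Deploy with the secret supplied through an environment variable or Secret Manager rather than in source.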
What is an example of a data workflow where Cloud Run functions would be useful?
Answer: Lightweight ETL operations or message processing from a Pub/Sub topic.
How do these services support scaling?
Answer: They all scale automatically based on incoming data volume and compute needs.
How would you design an observability strategy to distinguish between application performance degradation caused by code regressions vs. infrastructure bottlenecks?
Follow-up: How do tools like Cloud Profiler, Cloud Trace, and Cloud Monitoring complement each other in surfacing root causes?
What trade-offs are involved in configuring alerting thresholds for latency and saturation, and how would you avoid alert fatigue while ensuring critical issues are surfaced early?
Follow-up: How would you incorporate golden signals to strike this balance?
How could you leverage historical data from Cloud Monitoring and Cloud Logging to proactively prevent outages or performance degradation in a production system?
Follow-up: Can you describe a use case where trend analysis helped you improve reliability or performance?
In a multi-cloud or hybrid environment, how would you ensure consistent observability across different infrastructures and services?
Follow-up: What role does Cloud Monitoring’s support for external data sources play in your solution?
If your application consists of multiple microservices, how would you ensure traceability and latency analysis across service boundaries?
Follow-up: How do distributed tracing (Cloud Trace) and structured logging work together to give you a complete picture?
When would you use a log-based metric versus a standard Cloud Monitoring metric, and how would you design an alerting strategy using both?
Follow-up: Can you describe a real-world use case where combining log-based alerts and system metrics helped catch or prevent an issue?
What are the benefits of structured logging over plain text logs, and how does structured logging improve troubleshooting in large-scale distributed systems?
Follow-up: How would you implement structured logging in a microservices-based architecture using Cloud Run or GKE?
How would you differentiate and correlate anomalies in latency with logs and traces in a multi-service application using Cloud Logging, Trace, and Profiler?
Follow-up: How would you identify whether the root cause is in the application logic, a dependency, or infrastructure?
In a hybrid environment (cloud + on-prem), how would you implement centralized logging with fine-grained access control and auditability across teams?
Follow-up: How would Cloud Logging and Managed Service for Prometheus help simplify this setup?
Compare Prometheus with Google Cloud Managed Service for Prometheus. What are the key operational trade-offs, and in what scenarios would you choose one over the other?
Follow-up: How do managed collectors vs. self-deployed collectors affect scalability, maintenance, and security?
How does Error Reporting determine whether a log entry contains an error, and what are the implications of relying on inferred errors versus explicitly reported ones?
Follow-up: In what scenarios would you prefer to use the Error Reporting API directly?
What strategies would you use to reduce noise and improve the signal-to-noise ratio in Error Reporting when dealing with high-volume applications?
Follow-up: How would you configure deduplication or error grouping for custom frameworks or edge cases?
Explain how Error Reporting integrates with Cloud Logging and how you would use both tools together to troubleshoot and resolve a production issue.
Follow-up: How would you navigate from an error in Error Reporting to the root cause in the logs?
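The structured-logging and Error Reporting questions above (structured logs on Cloud Run or GKE, correlating them with Cloud Trace, and reporting errors explicitly rather than relying on inference) can be answered with one small module. This is an added example, not course material. It depends on documented Cloud Logging behaviour: on Cloud Run and GKE each JSON object written as one stdout line is parsed, and the `severity`, `message`, `logging.googleapis.com/trace` and `logging.googleapis.com/spanId` fields are mapped onto LogEntry fields, which is what lets Logs Explorer and Cloud Trace join a request's logs to its trace; Error Reporting ingests entries whose `@type` is the ReportedErrorEvent type. The project id, service name and header value are constructed sample data.

```python
"""Structured JSON logging with trace correlation and explicit error events (added example)."""
import json
import sys
import traceback
from typing import Optional, Tuple

ERROR_EVENT_TYPE = (
    "type.googleapis.com/google.devtools.clouderrorreporting.v1beta1.ReportedErrorEvent"
)


def parse_trace_header(header: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Parse 'X-Cloud-Trace-Context: TRACE_ID/SPAN_ID;o=1' into (trace_id, span_id_hex).

    The span id in the header is decimal, while LogEntry.spanId expects 16 hex characters,
    so it is converted here; a malformed span id is dropped rather than guessed.
    """
    if not header:
        return None, None
    trace_id, _, rest = header.partition("/")
    span_dec = rest.split(";", 1)[0]
    span_hex = None
    if span_dec.isdigit():
        span_hex = format(int(span_dec) & 0xFFFFFFFFFFFFFFFF, "016x")
    return (trace_id or None), span_hex


def log_entry(project_id: str, severity: str, message: str,
              trace_header: Optional[str] = None, **fields) -> dict:
    """One structured entry; extra keyword fields land in jsonPayload for filtering and metrics."""
    entry = {"severity": severity, "message": message, **fields}
    trace_id, span_id = parse_trace_header(trace_header)
    if trace_id:
        entry["logging.googleapis.com/trace"] = f"projects/{project_id}/traces/{trace_id}"
    if span_id:
        entry["logging.googleapis.com/spanId"] = span_id
    return entry


def error_entry(project_id: str, service: str, version: str, exc: BaseException,
                trace_header: Optional[str] = None) -> dict:
    """Entry that Error Reporting groups as an error without having to infer one from text."""
    stack = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return log_entry(
        project_id, "ERROR", stack, trace_header,
        **{"@type": ERROR_EVENT_TYPE,
           "serviceContext": {"service": service, "version": version}},
    )


def emit(entry: dict, stream=sys.stdout) -> str:
    """Write the entry as exactly one line; json.dumps escapes newlines inside values."""
    line = json.dumps(entry, default=str)
    stream.write(line + "\n")
    return line


if __name__ == "__main__":
    header = "105445aa7843bc8bf206b12000100000/74;o=1"  # constructed request header
    emit(log_entry("example-project", "INFO", "order accepted", header,
                   order_id="A-17", latency_ms=42))
    try:
        {}["missing"]
    except KeyError as e:
        emit(error_entry("example-project", "orders", "v1.4.2", e, header))
```

Keeping fields like `latency_ms` as JSON values rather than embedding them in the message is what makes log-based metrics and alerting on them cheap later; the `serviceContext` version field is what lets Error Reporting show which deployment introduced a regression.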
How can you extend the functionality of Error Reporting with automation (e.g., linking to issue trackers or triggering remediation workflows)?
Follow-up: Describe a scenario where a recurring error is automatically logged as an issue in a ticketing system like Jira or GitHub Issues.
In a multi-service microservices architecture using different runtimes (e.g., Node.js, Python, Java), how would you design a unified error reporting strategy across services?
Follow-up: What role do client libraries and consistent error formatting play in this strategy?
What is the difference between codebase and dependencies with monoliths and microservices?
How can you design for loose coupling?
🔑 Core Principles of Loose Coupling
Minimize direct dependencies between services/components.
Encapsulate functionality so changes in one part don’t break others.
Use contracts/interfaces rather than direct implementations.
Prefer asynchronous communication over synchronous when possible.
Continuous delivery is a workflow that is triggered when changes are pushed to the main branch in the repository.
What are the benefits of using Docker containers vs VMs?
Containers start much faster than virtual machines and use fewer resources because each container does not have its own instance of the operating system.
Instead, developers configure each container with a minimal set of software libraries to do the job.
A lightweight container runtime does the plumbing jobs needed to allow that container to launch and run, calling into the kernel as necessary.
The container runtime also determines the image format.
Google Kubernetes Engine uses the Docker container runtime, and Docker containers are what we’ll focus on in this course.
Why use Kubernetes to run containers?
Efficiency: by specifying the CPU and memory requirements of containers, Kubernetes can pack containers onto nodes so that compute resources are used efficiently.
Declarative configuration: you configure the desired state you want to achieve. Rather than issuing a series of commands to reach that state, Kubernetes makes your system conform to the desired state. This greatly reduces the operational complexity of large systems.
Self-healing: Kubernetes can automatically replace containers that have failed or are failing a health check.
Describe the container build pipeline.
Describe the Cloud Foundation Toolkit and how it relates to enterprise development.
The Cloud Foundation Toolkit is designed specifically to meet the compliance and security needs of enterprises.
By creating a foundational environment using these templates, you can be confident that best practices are implemented out of the box, including key security and governance controls.
With the Cloud Foundation Toolkit, you don’t need to spend time developing your own templates and patterns for Google Cloud.
Instead, you can build on open source templates and focus only on the customizations, which are unique to your company and workloads.
Developers can move faster and migrations are less time consuming.
Each template from the Cloud Foundation Toolkit can be used independently.
How can Cloud Build and Container Registry help you build a continuous integration and delivery pipeline? Select three.
By using Container Registry and Cloud Build, you can create build pipelines that are automatically triggered when you commit code to a repository.
Cloud Build is a fully managed service. You do not need to download all build tools and container images to a build machine or manage build infrastructure.
With Cloud Build, the artifacts produced by each build step are persisted in the /workspace folder and can be used by the following build step.
When you commit code to a repository, you must start a build manually using the gcloud command.
You can install Cloud Build on Google Kubernetes Engine. GKE will autoscale depending on the number of builds.
The three correct statements are:
✅ By using Container Registry and Cloud Build, you can create build pipelines that are automatically triggered when you commit code to a repository.
✅ Cloud Build is a fully managed service. You do not need to download all build tools and container images to a build machine or manage build infrastructure.
✅ With Cloud Build, the artifacts produced by each build step are persisted in the /workspace folder and can be used by the following build step.
What is the primary use case for Terraform?
Terraform templates can be tested locally before deploying infrastructure on Google Cloud.
Terraform enables you to build Docker images.
Terraform enables you to stand up infrastructure. You can treat infrastructure as code.
Terraform enables you to build applications in a continuous integration and delivery pipeline.
The correct statement is:
✅ Terraform enables you to stand up infrastructure. You can treat infrastructure as code.
Which of the following statements about continuous integration and delivery are accurate? Select two.
If all tests pass, builds generated from continuous integration in a feature branch can be released on a production environment.
Continuous integration is a developer workflow in which developers frequently pull from the master and commit their changes into a feature branch in a source code repository.
Continuous delivery is a workflow that is triggered when changes are pushed to the master repository.
To benefit from continuous integration and delivery developers must use GitHub.
The two accurate statements about continuous integration (CI) and continuous delivery (CD) are:
✅ Continuous integration is a developer workflow in which developers frequently pull from the master and commit their changes into a feature branch in a source code repository.
✅ Continuous delivery is a workflow that is triggered when changes are pushed to the master repository.
Review the following Cloud Build build configuration file. Which of the following statements accurately describes the build steps in this configuration?
steps:
- name: gcr.io/cloud-builders/git
  args: ['clone', 'https://github.com/GoogleCloudPlatform/cloud-builders']
  env: ['PROJECT_ROOT=hello']
- name: gcr.io/cloud-builders/docker
  args: ['build', '-t', 'gcr.io/my-project-id/myimage', '.']
The build configuration file is invalid because Docker cannot build the contents of a GitHub repository.
The build configuration file is invalid because the two steps are independent and don’t share the same working directory.
There are two steps. The first step clones a GitHub repository. The second step builds a Docker image based on the contents of the repository.
There are two steps. The first step creates a repository called cloud-builders on GitHub. The second step creates a cloud-native application image for that repository.
The correct statement is:
✅ There are two steps. The first step clones a GitHub repository. The second step builds a Docker image based on the contents of the repository.
Which of the following statements about Terraform are true? Choose two.
The Cloud Foundation Toolkit provides reference Terraform templates that reflect Google Cloud best practices.
Terraform is a tool used only for Google Cloud.
Terraform provides a single location for storing the provisioning instructions that are used to create your Google Cloud resources.
Terraform calls private code built into Google Cloud services, which makes it more efficient than other provisioning solutions.
Terraform allows you to build and delete Google Cloud resources in a repeatable fashion.
The two correct statements about Terraform are:
✅ The Cloud Foundation Toolkit provides reference Terraform templates that reflect Google Cloud best practices.
✅ Terraform allows you to build and delete Google Cloud resources in a repeatable fashion.
Which of the following statements about Cloud Build, Container Registry, and Terraform are accurate? Select two.
You can use Terraform to set up virtual machine instances on-premise.
Build triggers can be helpful when building a continuous integration and delivery pipeline using Cloud Build and Container Registry.
Cloud Build and Terraform enable you to treat infrastructure as code.
You cannot mix and match tool chains. For example, you cannot use Cloud Build and Container Registry with Spinnaker.
What are some compute options for my applications?
Cloud Run is a fully managed serverless platform that also runs containerized applications.
Unlike with GKE, all infrastructure management for Cloud Run is abstracted away.
Cloud Run automatically scales up and down from zero almost instantaneously, depending on traffic.
You only pay when your code is running.
Cloud Functions also lets you run your code in the cloud with zero management of servers or containers.
Write your event-driven code, and Google Cloud manages everything, scaling from zero to planet-scale.
How can you use CI/CD as part of your pipeline?
What are good candidates for Cloud Run?
Why run Compute Engine vs GKE vs Cloud Run vs Cloud Functions?
Cloud Run can scale up and down almost immediately in response to traffic spikes.
Unlike App Engine, you only pay for Cloud Run when you are processing requests, rounded up to the nearest 10th of a second.
This pricing model can result in significant cost savings for your application.
App Engine is fully supported and it works well for creating web applications and web APIs, but Cloud Run is often a better choice for those use cases.
Returning to the question “Where should I run my applications?”, the best answer is that you should run each application on the platform that best fits its requirements.
Most applications written with the Cloud Client Libraries can be easily moved from platform to platform, so you can change your decision later.
If you do not have complex infrastructure requirements, start with a serverless platform that lets you focus on the application instead of the infrastructure.
If you later want more control over the infrastructure, you can move your application to a platform that requires more operational effort but provides the needed control or flexibility.
What is the difference between GKE and DIY Kubernetes?
GKE (Google Kubernetes Engine)
Fully managed Kubernetes service provided by Google Cloud.
🔹 Pros:
Managed control plane – Google handles the Kubernetes master nodes, upgrades, and patches.
Integrated monitoring & logging – Built-in with Google Cloud Operations.
Auto-scaling, auto-upgrades, auto-repair – Cluster management is automated.
Security – Native integration with IAM, workload identity, and private clusters.
Easy setup – One command to spin up a production-ready cluster.
Cost-effective options – Includes Autopilot mode, where you pay for the CPU, memory, and storage your Pods request rather than for whole nodes.
🔸 Cons:
Less control over the control plane components.
Slightly higher cost vs DIY in some environments.
GKE simplifies cluster deployment and scaling.
You can describe the compute, memory, network, and storage resources that you want to make available across all the containers required by your applications.
Your application requires highly customized VMs for specialized applications that have specific operating system requirements. Which execution environment should you consider?
Compute Engine
Google Kubernetes Engine
App Engine flexible environment
Cloud Functions
Compute Engine gives you the most flexibility and control over the VM configuration — perfect for:
Specialized applications
Custom OS requirements
High-performance workloads
Custom kernel modules, drivers, or legacy dependencies
For what types of applications should you consider an execution environment other than Cloud Functions? (Select the 2 correct answers)
Applications that have a large and complex codebase
Applications that are lightweight microservices
Applications that must be run in a container
Applications that are written in the Node.js programming language
Applications that have a large and complex codebase
Applications that must be run in a container
Your application is containerized, and requires automatic scaling, but you would prefer to not manage compute infrastructure. Which would be the ideal execution environment for your application?
Cloud Run
Cloud Functions
Google Compute Engine
Google Kubernetes Engine
The ideal execution environment for a containerized application that:
Requires automatic scaling
And where you prefer not to manage compute infrastructure
is:
🟢 Cloud Run
✅ Why Cloud Run?
Runs containers (your app is already containerized)
Fully managed – no infrastructure or cluster management
Automatic scaling – from zero to thousands of instances
Supports any language or framework
Can be triggered via HTTP, Pub/Sub, etc.
🔍 Why Not the Others?
Option Reason It’s Less Ideal
Cloud Functions Meant for small, function-based apps, not full containers
Compute Engine Requires VM management, patching, scaling setup
GKE (Kubernetes Engine) Powerful, but you must manage clusters, nodes, and scaling policies
Your code needs to create a thumbnail of an image in response to a Pub/Sub event. Which of the following execution environments should you consider?
Google Kubernetes Engine
App Engine (flexible environment)
Cloud Functions
Compute Engine
Why Cloud Functions?
It’s event-driven — perfect for responding to a Pub/Sub event.
Automatically scales with demand.
Ideal for small, single-purpose tasks like generating a thumbnail.
No need to manage servers or infrastructure.
Why not the others?
❌ Google Kubernetes Engine (GKE)
Powerful but overkill for a simple event-driven task like this. More ops overhead.
❌ App Engine (flexible environment)
Meant for long-running services — not optimized for quick event-driven responses.
❌ Compute Engine
Too much manual setup for something lightweight. You’d need to handle instance management, scaling, etc.
Your application uses network protocols other than HTTPS, and the application is run partially on-premises and partially in the cloud. Which execution environment should you consider?
Compute Engine
Cloud Functions
Google Kubernetes Engine
App Engine (standard environment)
Google Kubernetes Engine (GKE)
✅ Why GKE?
Supports any network protocol (not just HTTPS)
Can run hybrid deployments with on-prem via Anthos or VPN/Interconnect
Offers full control over networking, container orchestration, and scaling
Works well in multi-cloud and hybrid environments
❌ Why Not the Others?
Option Limitations
Compute Engine Supports custom protocols and can reach on-premises over VPN/Interconnect, but has no built-in container orchestration; you manage VMs, patching, and scaling yourself
Cloud Functions Only supports HTTP/S and event triggers (Pub/Sub, Cloud Storage, Eventarc); no support for arbitrary protocols
App Engine (Standard) Only supports HTTP/S; no custom protocol support or hybrid deployment
What are key requirements for applications that run in the cloud?
Answer: Cloud applications should be built for:
Global reach (accessible to users worldwide),
Scalability and high availability (elastic handling of traffic),
Security (implementing best practices and complying with data isolation requirements).
Why should you avoid storing external dependencies in your code repository?
Answer: External dependencies like JAR files or packages should not be stored in the repository because:
They bloat the codebase,
It’s better to declare them explicitly using dependency managers (e.g., npm for Node.js),
It improves portability and manageability.
What is the recommended way to manage configuration settings in a cloud application?
Answer: Store configuration settings as environment variables, not as constants in source code. This allows different values for dev, test, and production environments without changing code.
What are some benefits of refactoring a monolithic application into microservices?
Answer:
Easier to test, update, and deploy services independently,
Services can be scaled separately,
Clear mapping to business domains,
Improved modularity and reduced interdependencies.
Why should backend operations be performed asynchronously?
Answer:
To reduce perceived slowness for the user,
Asynchronous processing avoids delays from remote operations,
Event-driven architectures (e.g., Cloud Run functions triggered by Cloud Storage) help manage load better.
What tools can be used to loosely couple application components?
Answer:
Eventarc (routes events from Google Cloud sources to services),
Pub/Sub (message queue).
These tools help with async processing and buffering during traffic spikes.
How should API consumers handle HTTP payloads for future compatibility?
Answer:
Consumers should loosely bind to payloads,
Only use necessary fields (e.g., name and email),
Avoid reliance on all payload fields to support backward compatibility when APIs evolve.
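The loose binding described above, shown as an added example (not code from the course): a consumer that reads only the two fields it needs from a user payload and validates those, next to a tightly bound consumer that insists on the full shape. The two sample payloads are constructed for the illustration; in the second version the provider has added avatar_url and dropped phone, a change the loosely bound consumer never notices.

```python
import json


class PayloadError(ValueError):
    """Raised when a payload cannot satisfy this consumer's real needs."""


# Constructed sample payloads: v2 adds a field and drops one this consumer never used.
USER_V1 = json.dumps({"id": 7, "name": "Ada", "email": "ada@example.com", "phone": "555-0100"})
USER_V2 = json.dumps({"id": 7, "name": "Ada", "email": "ada@example.com", "avatar_url": "https://example.com/a.png"})


def parse_user(payload_json, required=("name", "email")):
    """Loosely bind: pick out only the fields this consumer uses, validate them,
    and ignore everything else so the provider can evolve the payload."""
    data = json.loads(payload_json)
    if not isinstance(data, dict):
        raise PayloadError("expected a JSON object")
    missing = [f for f in required if f not in data]
    if missing:
        raise PayloadError("missing required field(s): %s" % ", ".join(missing))
    email = data["email"]
    if not isinstance(email, str) or "@" not in email:
        raise PayloadError("email is not a valid address")
    return {"name": str(data["name"]), "email": email}


def parse_user_tightly(payload_json, schema=("id", "name", "email", "phone")):
    """Contrast: a tightly bound consumer that requires the payload to match its
    full expected shape. Any added or removed field breaks it, even one it
    never reads."""
    data = json.loads(payload_json)
    if set(data) != set(schema):
        raise PayloadError("payload shape changed: %s" % sorted(set(data) ^ set(schema)))
    return {k: data[k] for k in schema}


if __name__ == "__main__":
    print(parse_user(USER_V1))
    print(parse_user(USER_V2))  # still works after the API evolved
    try:
        parse_user_tightly(USER_V2)
    except PayloadError as err:
        print("tight consumer broke:", err)
```

The loosely bound parser still fails loudly when a field it genuinely depends on disappears or is malformed; tolerance of unknown fields is not the same as accepting anything.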
Why should application components avoid maintaining internal or shared state?
Answer:
Shared state limits scalability,
Stateless components allow for:
Faster startup,
Easier shutdown,
Scalability using patterns like Workers or Cloud Run.
What mechanisms can help applications be resilient to transient and persistent errors?
Answer:
Retry logic with exponential backoff for transient errors,
Circuit breakers for long-lasting errors,
Graceful degradation (e.g., hiding unavailable features instead of showing errors).
What is an example of graceful degradation in a cloud application?
Answer: If a recommendation engine fails, the app could hide the recommendation section instead of showing an error message to the user.
Why is caching important in cloud applications?
Answer: Caching improves application performance and reduces network latency by storing frequently accessed or computationally expensive data, allowing faster responses to user requests.
How does Cloud CDN enhance content delivery?
Answer: Cloud CDN caches web content using Google’s global edge network, enabling faster delivery of static content by serving it closer to users.
What role does Apigee play in API management?
Answer: Apigee provides a proxy layer for backend APIs, offering features like security, rate limiting, analytics, and quotas, making backend services more accessible and manageable.
How can APIs help with legacy applications?
Answer: Instead of refactoring legacy systems, APIs can expose their functionality, allowing modern consumer apps to interact with them without relying on outdated protocols.
Why should logs be treated as event streams?
Answer: Logs are continuous streams of application events. Writing logs to stdout lets cloud infrastructure collect, analyze, and trace requests more efficiently, especially for serverless environments.
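One way to write the logs-as-event-stream pattern in practice, as an added example (not code from the course): each log line is a single JSON object on stdout carrying a severity and, when the request arrived with an X-Cloud-Trace-Context header, the trace and span fields that Cloud Logging uses to group entries by request. The header value in the demo is constructed; the field names logging.googleapis.com/trace and logging.googleapis.com/spanId and the trace header format TRACE_ID/SPAN_ID;o=1 are the documented ones.

```python
import json
import sys

SEVERITIES = ("DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRITICAL", "ALERT", "EMERGENCY")


def trace_from_header(header, project_id):
    """Convert an X-Cloud-Trace-Context value ("TRACE_ID/SPAN_ID;o=1") into the
    trace resource name Cloud Logging expects. Returns (trace, span_id), both
    None when the header is missing or malformed, so a bad header never
    poisons the log entry."""
    if not header or not project_id:
        return None, None
    trace_id, _, rest = header.partition("/")
    hexdigits = "0123456789abcdef"
    if len(trace_id) != 32 or any(c not in hexdigits for c in trace_id.lower()):
        return None, None
    span_id = rest.split(";", 1)[0] or None
    return "projects/%s/traces/%s" % (project_id, trace_id), span_id


def log_entry(message, severity="INFO", project_id=None, trace_header=None, **fields):
    """Build one structured log line as compact JSON. Extra keyword fields become
    searchable properties of the entry instead of text buried in the message."""
    if severity not in SEVERITIES:
        raise ValueError("unknown severity %r" % severity)
    entry = {"severity": severity, "message": message, **fields}
    trace, span = trace_from_header(trace_header, project_id)
    if trace:
        entry["logging.googleapis.com/trace"] = trace
    if span:
        entry["logging.googleapis.com/spanId"] = span
    return json.dumps(entry, separators=(",", ":"))


def log(message, **kwargs):
    """Emit the entry on stdout; the platform's logging agent collects it."""
    sys.stdout.write(log_entry(message, **kwargs) + "\n")
    sys.stdout.flush()


if __name__ == "__main__":
    # Constructed header value for the demo.
    header = "105445aa7843bc8bf206b12000100000/1;o=1"
    log("thumbnail generated", project_id="my-project", trace_header=header,
        object_name="uploads/cat.jpg", size_bytes=48211)
    log("upstream timeout", severity="WARNING", project_id="my-project", trace_header=header)
```

Because stdout is the channel, the same code produces trace-correlated entries on Cloud Run, Cloud Functions, and GKE without any logging client in the application.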
How can identity management be simplified in cloud apps?
Answer: Delegate user authentication to external providers (e.g., Google, Facebook, GitHub) using tools like Identity Platform or Firebase Authentication, which support email/password, SAML, OIDC, and MFA.
What is Google Cloud Observability used for?
Answer: It provides tools for logging, error reporting, monitoring, and logs-based metrics, helping monitor application health across multi-cloud environments.
What are the benefits of implementing CI/CD pipelines?
Answer: CI/CD pipelines:
Automate testing and deployment,
Increase release speed and reliability,
Reduce risk of regressions,
Enable incremental rollouts and quick rollbacks.
What’s the difference between continuous integration, delivery, and deployment?
Answer:
CI: Automates build and testing on code commits.
CD (Delivery): Prepares validated builds for manual deployment.
CD (Deployment): Automatically deploys validated builds to production.
What is the strangler pattern in application modernization?
Answer: It’s an approach to migrate legacy systems by gradually replacing features with new services. A strangler facade routes requests to either the legacy or new system during the transition.
What deployment strategies help prevent production issues?
Answer:
Blue-green deployments: Switch traffic between two environments.
Canary testing: Gradually release to a subset of users to detect issues early.
What tools support CI/CD in Google Cloud?
Answer:
Cloud Build: Detects commits, builds, and runs tests.
Artifact Registry: Stores deployment artifacts.
Cloud Deploy: Automates deployments to test and prod environments.
Why is the strangler pattern effective?
Answer: It reduces risk by allowing incremental changes, continuous learning, and avoids major disruptions to business-critical systems.
Which of the following is an anti-pattern when designing a cloud application?
Perform asynchronous operations
Cache application data and frontend content
Embed configuration settings in your source code
Use APIs and API gateways to connect to legacy systems in applications
✅ Embed configuration settings in your source code
✅ Explanation:
Embedding configuration settings in source code is considered an anti-pattern because:
It reduces flexibility between environments (dev, test, prod).
It increases the risk of exposing secrets or sensitive information.
It makes updates and deployments more error-prone.
Instead, configuration should be managed via environment variables or external configuration management systems.
The other options are best practices:
✅ Asynchronous operations improve responsiveness and scalability.
✅ Caching boosts performance and reduces load.
✅ APIs and gateways modernize access to legacy systems securely and efficiently.
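The environment-variable approach recommended for configuration (and the anti-pattern above) as an added example, not code from the course: settings are read from the environment at startup, required variables are checked before the application does any work, a setting that must not be enabled in prod is rejected, and the only secret-related value is a Secret Manager resource name rather than the secret itself. The variable names, the Settings fields and the sample values are assumptions made for the illustration.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    env: str                 # dev / test / prod
    db_host: str
    db_port: int
    debug: bool
    db_password_secret: str  # Secret Manager resource name, never the password itself


REQUIRED = ("APP_ENV", "DB_HOST", "DB_PASSWORD_SECRET")
SECRET_LIKE = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def load_settings(environ=os.environ):
    """Build Settings from environment variables.

    Required variables must be present so a misconfigured deployment fails at
    startup rather than on the first request; optional ones carry explicit
    defaults. No per-environment values are embedded in the code."""
    missing = [name for name in REQUIRED if not environ.get(name)]
    if missing:
        raise RuntimeError("missing required configuration: " + ", ".join(missing))
    env = environ["APP_ENV"]
    if env not in ("dev", "test", "prod"):
        raise RuntimeError("APP_ENV must be dev, test or prod, got %r" % env)
    debug = environ.get("DEBUG", "false").lower() in ("1", "true", "yes")
    if env == "prod" and debug:
        raise RuntimeError("DEBUG must not be enabled in prod")
    return Settings(
        env=env,
        db_host=environ["DB_HOST"],
        db_port=int(environ.get("DB_PORT", "5432")),
        debug=debug,
        db_password_secret=environ["DB_PASSWORD_SECRET"],
    )


def redacted(environ):
    """Copy of the environment that is safe to log at startup: any variable whose
    name looks secret-bearing is masked (conservatively, references included)."""
    return {k: ("***" if any(s in k.upper() for s in SECRET_LIKE) else v)
            for k, v in environ.items()}


if __name__ == "__main__":
    # Constructed environment for the demo; in production these come from the
    # service's runtime configuration.
    demo_env = {
        "APP_ENV": "dev",
        "DB_HOST": "127.0.0.1",
        "DB_PASSWORD_SECRET": "projects/my-project/secrets/db-password/versions/3",
    }
    print(load_settings(demo_env))
    print(redacted(dict(demo_env, API_TOKEN="should-not-appear")))
```

The same binary runs unchanged in dev, test, and prod; only the environment differs, and the startup log shows the configuration without ever echoing a credential.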
For transient network issues, what error-handling approach should you implement?
Implement a circuit breaker
Retry with exponential backoff
Display the error to the user
Retry constantly until the call succeeds
The correct answer is:
✅ Retry with exponential backoff
✅ Explanation:
For transient network issues, the recommended approach is to retry the operation with exponential backoff, which means:
Waiting longer between each retry attempt (e.g., 1s, 2s, 4s…).
Adding jitter (randomness) to avoid request bursts.
Prevents overloading the system and increases chances of recovery.
❌ The other options:
Circuit breaker: Better for long-lasting or repeated failures, not short-lived issues.
Display the error to the user: Avoid showing raw errors for transient issues; retry silently first.
Retry constantly until the call succeeds: Bad practice. Can overload systems and lead to infinite loops or cascading failures.
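Both resilience mechanisms from the flashcards above (retry with exponential backoff and jitter for transient errors; a circuit breaker for failures that persist) as one added example, not code from the course. The error classes, the full-jitter formula and the flaky() stand-in for a remote call are assumptions made for the illustration; sleep, the random source and the clock are injectable so the behaviour can be checked without waiting.

```python
import random
import time


class TransientError(Exception):
    """Short-lived failure worth retrying (timeouts, 429/503 responses)."""


class PermanentError(Exception):
    """Failure that retrying will not fix (400/403, bad input)."""


class CircuitOpen(Exception):
    """Raised when the breaker is open and the call is skipped (fail fast)."""


def backoff_delay(attempt, base=1.0, cap=32.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)].
    The cap bounds the wait; the jitter spreads retries so clients that failed
    together do not retry together."""
    return rng() * min(cap, base * (2 ** attempt))


def retry_with_backoff(call, max_attempts=5, base=1.0, cap=32.0,
                       sleep=time.sleep, rng=random.random):
    """Retry `call` only on TransientError. PermanentError propagates at once,
    and the last transient error is re-raised when max_attempts is exhausted,
    so the loop can never spin forever."""
    for attempt in range(max_attempts):
        try:
            return call()
        except TransientError:
            if attempt == max_attempts - 1:
                raise
            sleep(backoff_delay(attempt, base, cap, rng))


class CircuitBreaker:
    """Opens after `failure_threshold` consecutive failures; while open, calls
    fail fast without touching the dependency. After `reset_timeout` seconds a
    single trial call is allowed (half-open): success closes the breaker,
    failure re-opens it."""

    def __init__(self, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock
        self.failures = 0
        self.opened_at = None  # None means closed

    @property
    def state(self):
        if self.opened_at is None:
            return "closed"
        if self.clock() - self.opened_at >= self.reset_timeout:
            return "half-open"
        return "open"

    def call(self, fn):
        if self.state == "open":
            raise CircuitOpen("dependency unavailable; failing fast")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = self.clock()  # open, or re-open from half-open
            raise
        self.failures = 0
        self.opened_at = None
        return result


def flaky(fail_times, error=TransientError):
    """Constructed stand-in for a remote call: raises `error` for the first
    `fail_times` calls, then returns "ok". `call.state["calls"]` counts calls."""
    state = {"calls": 0}

    def call():
        state["calls"] += 1
        if state["calls"] <= fail_times:
            raise error("simulated failure %d" % state["calls"])
        return "ok"

    call.state = state
    return call


if __name__ == "__main__":
    delays = []
    print(retry_with_backoff(flaky(2), sleep=delays.append, rng=lambda: 1.0), delays)
```

In practice the two compose: wrap the dependency in a breaker, and retry with backoff around the breaker, so a dependency that is down for minutes trips the breaker instead of being hammered by every client's retry loop.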
What are Cloud APIs used for in Google Cloud?
Answer: Cloud APIs provide programmatic interfaces to Google Cloud services, allowing developers to access features like compute, networking, storage, and machine learning within their applications.
What formats can be used to call Google Cloud APIs?
Answer: Cloud APIs can be called using:
HTTP requests with JSON payloads, or
gRPC requests, which use a compact and efficient binary format.
What is gRPC and why is it used?
Answer: gRPC is an open-source remote procedure call (RPC) framework that:
Can run across platforms,
Uses an efficient binary request format,
Offers high performance communication between services.
What must a caller provide when making a request to a Cloud API?
Answer: The caller must provide application credentials, which are used to authenticate and authorize access to Google Cloud projects and resources.
What is the Google Cloud SDK?
Answer: The Google Cloud SDK is a set of tools and libraries used to interact with Google Cloud products and services, either from the command line or through language-specific client libraries.
How does the Google Cloud SDK communicate with Google Cloud services?
Answer: The SDK tools and libraries use Cloud APIs to send requests and manage resources in Google Cloud.
What is the bq CLI tool and what is its primary use?
Answer: The bq CLI is used to interact with BigQuery, mainly for:
Running SQL queries,
Managing datasets, tables, and other BigQuery resources.
What commands can you perform with gcloud storage?
Answer: You can:
Create, list, and delete buckets (gcloud storage buckets),
Manage objects (gcloud storage objects),
Copy, move, list, and delete objects.
What is the preferred CLI tool for managing Cloud Storage now?
Answer: gcloud storage is the preferred tool over gsutil, offering better performance and consistency with other gcloud commands.
How do you install a missing CLI component (e.g., kubectl)?
Answer: Run:
gcloud components install kubectl
This installs the Kubernetes CLI component.
How can you check the installed components of the Google Cloud CLI?
Answer: Use:
gcloud components list
This shows all components, including their installation and update status.
How do you list Compute Engine VM instances using the gcloud CLI?
Answer:
gcloud compute instances list
This command lists all virtual machine instances in the current Google Cloud project.
What are other tools included in the Google Cloud CLI suite?
Answer:
gcloud: Core tool for managing Google Cloud resources.
gsutil: Manages Cloud Storage buckets and objects (being replaced by gcloud storage).
bq: Manages BigQuery and runs SQL queries.
kubectl: Manages Kubernetes clusters.
Tools for emulating services (e.g., Firestore, Pub/Sub), and infrastructure management with Terraform.
What are some common tasks you can perform with the gcloud CLI?
Answer: You can:
Manage virtual machines,
Deploy applications,
Create and configure resources like buckets, databases, and networks.
How does the gcloud CLI simplify working with Cloud APIs?
Answer: The gcloud CLI:
Automates sending credentials in API calls,
Combines multiple API calls into single commands for common tasks,
Provides a user-friendly interface for managing resources.
What is the Google Cloud CLI (gcloud CLI) used for?
Answer: The gcloud CLI is a command-line tool that allows users to manage Google Cloud services from the terminal or in automated scripts, offering a simpler interface to interact with Cloud APIs.
Why are Cloud Client Libraries preferred over direct API calls?
Answer: Because they:
Are easier to use,
Follow the natural coding style of each supported language,
Automatically handle authentication, retries, and sometimes use gRPC APIs for performance.
Which programming languages are supported by Cloud Client Libraries?
Answer: Languages include:
Python
Node.js
Java
Go
PHP
Ruby
C++
.NET languages, including C#
How does a Cloud Client Library authenticate API requests in an application?
Answer: It uses Application Default Credentials, typically provided by the service account attached to the workload, to authenticate API calls.
What is an example of what a Cloud Client Library can do?
Answer: Using the Python Cloud Client Library, you can:
Import the storage library,
Instantiate a client with default credentials,
Create a Cloud Storage bucket programmatically.
What does the gcloud init command do?
Answer: It initializes the Google Cloud SDK by setting up:
A default configuration,
Selected project and credentials,
Command-line readiness to use gcloud tools.
What features does the gcloud CLI interactive shell provide?
Answer:
Command prompt completion
Command suggestions
Interactive help, which streamlines the CLI experience
Can gcloud CLI commands be used in scripts?
Answer: Yes, gcloud CLI commands are fully scriptable, making them ideal for automating deployment and resource management workflows.
How long do Cloud Shell sessions last, and what happens after inactivity?
Answer: Cloud Shell sessions terminate after 1 hour of inactivity, but your persistent disk is retained and reused in future sessions.
What is the built-in code editor in Cloud Shell based on?
Answer: Cloud Shell includes a code editor based on Theia, allowing you to browse directories and edit files directly within your VM.
What is Cloud Code and what does it provide?
Answer: Cloud Code is a set of IDE plugins that streamline cloud application development by integrating:
Deployment
Debugging
Kubernetes and Cloud Run workflows It’s available for Cloud Shell Editor, Visual Studio Code, and JetBrains IDEs (like IntelliJ and PyCharm).
What are some capabilities of Cloud Code in the IDE?
Answer:
Manage Cloud APIs and browse code samples,
Integrate with Secret Manager,
Simplify Kubernetes YAML authoring with autocomplete and inline docs,
Develop and deploy Cloud Run services with emulators and explorers.
Which command-line tools does the Google Cloud SDK include? Select two.
ruby
node
gRPC
bq
gcloud
bq
gcloud
Which of the following statements about Google Cloud Client Libraries are true? Select two.
Cloud Client Libraries support a language’s natural conventions and styles.
Cloud Client Libraries include the Cloud SDK.
Cloud Client Libraries should only be used when you cannot call Cloud APIs directly.
Cloud Client Libraries are provided in all languages that can be used on Google Cloud.
Cloud Client Libraries handle retry logic and authentication
The correct answers are:
✅ Cloud Client Libraries support a language’s natural conventions and styles.
✅ Cloud Client Libraries handle retry logic and authentication.
❓ Explanation of each option:
✅ Cloud Client Libraries support a language’s natural conventions and styles.
✔️ True – They are designed to feel idiomatic in each supported language (e.g., Pythonic in Python, Java-style in Java).
❌ Cloud Client Libraries include the Cloud SDK.
✖️ False – The Cloud Client Libraries are separate from the Cloud SDK. The SDK includes tools like gcloud, not the language libraries.
❌ Cloud Client Libraries should only be used when you cannot call Cloud APIs directly.
✖️ False – The libraries are the recommended way to call Cloud APIs, not just a fallback.
❌ Cloud Client Libraries are provided in all languages that can be used on Google Cloud.
✖️ False – They are provided in many popular languages (like Python, Java, Node.js, etc.), but not all possible languages used on Google Cloud.
Which of the following statements about Cloud Code are true? Select two.
Cloud Code’s YAML authoring assistance provides autocomplete and inline documentation for Docker files.
Cloud Code integrates with Secret Manager to securely store sensitive data.
Cloud Code works with both Cloud Run and Kubernetes applications.
Cloud Code is only available in the Cloud Shell editor.
Cloud Code is an integrated development environment for creating cloud applications.
The correct answers are:
✅ Cloud Code integrates with Secret Manager to securely store sensitive data.
✅ Cloud Code works with both Cloud Run and Kubernetes applications.
❓ Explanation of each option:
❌ Cloud Code’s YAML authoring assistance provides autocomplete and inline documentation for Docker files.
✖️ False – The YAML authoring assistance is designed for Kubernetes configuration files, not Dockerfiles.
✅ Cloud Code integrates with Secret Manager to securely store sensitive data.
✔️ True – Cloud Code lets you manage secrets like passwords and API keys securely from within your IDE.
✅ Cloud Code works with both Cloud Run and Kubernetes applications.
✔️ True – Cloud Code supports development, debugging, and deployment for Cloud Run and Kubernetes apps.
❌ Cloud Code is only available in the Cloud Shell editor.
✖️ False – It’s available in multiple IDEs, including Cloud Shell Editor, Visual Studio Code, and JetBrains IDEs (like IntelliJ, PyCharm).
❌ Cloud Code is an integrated development environment for creating cloud applications.
✖️ False – Cloud Code is not an IDE itself; it’s a plugin/extension that enhances existing IDEs for cloud development.
You have a very large database that you’re using for complex queries in a suite of business intelligence applications. You want to move the data to a fully-managed solution. Which option is ideal for such use cases?
Bigtable
Cloud SQL
BigQuery
Firestore
The correct answer is:
✅ BigQuery
✅ Explanation:
BigQuery is a fully managed, serverless data warehouse built for:
Complex queries
OLAP (Online Analytical Processing) workloads
Large-scale analytics
Business intelligence tools
It can handle terabytes to petabytes of data with high performance and scalability, making it ideal for your described use case.
❌ Why not the others?
Bigtable: Best for single-keyed access, IoT, and time-series data, not complex analytical queries.
Cloud SQL: Good for OLTP (transactional apps), but not optimized for large-scale analytics or BI workloads.
Firestore: A NoSQL document database, great for mobile/web apps, but not designed for analytical queries or massive datasets.
You’re building a banking application that is expected to have a very large number of users around the world. When users make a deposit, they want to see the result of this deposit reflected immediately when they view their balance. What data storage option is ideal for storing account balance information for users?
Firestore is ideal because it lets you develop a mobile app.
Spanner is ideal because it supports strongly consistent reads in addition to horizontal scalability, low latency, and high throughput.
Cloud SQL is ideal because it’s a relational database that supports transactions.
Bigtable is ideal because it supports low-latency read/write access
The correct answer is:
✅ Spanner is ideal because it supports strongly consistent reads in addition to horizontal scalability, low latency, and high throughput.
✅ Explanation:
Cloud Spanner is the best choice for a globally distributed, high-traffic banking application because it offers:
Strong consistency (important for real-time balance updates),
Horizontal scalability (supports many users worldwide),
Low latency and high throughput,
ACID-compliant transactions for reliable financial operations
A restaurant in your neighborhood wants to put up a website that displays static information including a menu, restaurant hours, and location on a map. What is the best solution for serving the website’s content on Google Cloud?
Serve the website’s content from Bigtable.
Serve the website’s content from a Cloud Storage bucket.
Serve the website’s content from a web server running on a Compute Engine instance.
Serve the website’s content from Firestore.
The correct answer is:
✅ Serve the website’s content from a Cloud Storage bucket.
✅ Explanation:
Cloud Storage is the ideal solution for serving static website content like:
Menus
Business hours
Location maps
Images, HTML, CSS, and JavaScript files
It’s:
Cost-effective
Scalable
Simple to set up
Can be combined with Cloud CDN for even faster delivery
❌ Why not the others?
Bigtable: Designed for massive key-value data and analytics, not static websites.
Compute Engine: Can host a web server, but it’s overkill and more expensive for static content.
Firestore: A NoSQL database for structured data, not for serving static files.
What is the principle of least privilege in IAM?
Answer: It means granting only the minimum permissions required for a user or service to perform their job—nothing more.
Who can be an IAM principal in Google Cloud?
Answer: IAM principals include:
Google Accounts (individual users)
Service accounts (for applications or workloads)
Google Groups
Google Workspace accounts
Cloud Identity domain users
What is a service account used for in Google Cloud?
Answer: A service account represents an application or compute workload, allowing code running in the cloud to authenticate and access Google Cloud resources securely.
Can Google Groups be used to authenticate directly to access a resource?
Answer: ❌ No – Google Groups are for managing access policies, but they cannot be used to establish identity or make authenticated requests.
What is the difference between Google Workspace and Cloud Identity domains?
Answer:
Both represent a collection of Google Accounts under an organization’s domain.
Google Workspace includes access to productivity tools like Gmail and Docs.
Cloud Identity does not include those apps, but both can manage permissions for Google Cloud resources.
What is a role in IAM?
Answer: A role is a collection of permissions. You assign roles to principals, and they inherit all the permissions in that role.
Can you assign a permission directly to a user?
Answer: ❌ No – You must assign a role, and permissions are granted as part of that role.
What are the three types of IAM roles in Google Cloud?
Answer:
Basic roles: Broad, project-wide (e.g., Viewer, Editor)
Predefined roles: Granular, maintained by Google (e.g., roles/run.invoker)
Custom roles: User-defined for specific, fine-grained access control
When should you use custom roles?
Answer: When predefined roles are too permissive, and you want to enforce least privilege by selecting only the permissions needed for a specific task.
Can a user be granted multiple roles?
Answer: Yes. A principal can hold several roles at once, and its effective permissions are the union of the permissions in all of the roles it has been granted.
What is BigQuery and what is it designed for?
Answer: BigQuery is a fully managed, serverless enterprise data warehouse designed for analytics. It supports:
Machine learning
Geospatial analysis
Business intelligence (BI)
It excels at OLAP workloads, scanning terabytes in seconds and petabytes in minutes
What are common use cases for BigQuery?
Answer:
Big data exploration
Real-time analytics
Reporting with BI tools
OLAP workloads
What factors should be considered when choosing a Google Cloud storage option?
Answer:
Read/write latency
Typical data size
Storage type (e.g., structured vs unstructured)
Ideal vs non-ideal use cases
Scalability and performance needs
Can you exceed size limits for a single database in Google Cloud?
Answer: Yes — by splitting your data into multiple databases, you can work around the size limits that apply to a single instance.
What is Spanner and what is it built for?
Answer: Spanner is a fully managed, horizontally scalable relational database offering:
Strong consistency
Multi-region replication
5-nines (99.999%) SLA
It’s built for mission-critical OLTP applications.
What kind of applications is Spanner ideal for?
Answer: Apps that need:
Relational or semi-structured data
High availability
Strong consistency
Transactional reads and writes at global scale
What makes AlloyDB ideal for modern applications?
Answer:
High performance
PostgreSQL compatibility
Automatic scaling and high availability
AlloyDB Auth Proxy for secure access
How does the Cloud SQL Auth Proxy work?
Answer: It uses a local client proxy that securely connects to the Cloud SQL instance via a secure tunnel, removing the need to configure IPs or SSL certificates.
What is Cloud SQL and what databases does it support?
Answer: Cloud SQL is a managed relational database service that supports:
MySQL
PostgreSQL
SQL Server
It handles replication, backups, and failover automatically.
What are key features of Bigtable?
Answer:
Supports billions of rows, thousands of columns
Sparsely populated tables
No downtime during reconfiguration
HBase API compatibility
What kind of workloads is Bigtable ideal for?
Answer: Bigtable is ideal for:
Operational and analytical applications,
Large-scale key-value lookups,
Workloads requiring sub-10ms latency, such as user behavior tracking and IoT data ingestion.
How is data structured in Firestore?
Answer: Data is stored in documents, which are grouped into collections. Documents can contain nested objects and subcollections.
What is Firestore and when is it a good fit?
Answer: Firestore is a fully managed, serverless, NoSQL document database optimized for:
Web and mobile apps,
Real-time updates,
Offline sync,
Applications requiring flexible, hierarchical data structures.
What is the difference between authentication and authorization in Google Cloud?
Answer:
Authentication verifies who you are (your identity).
Authorization defines what you can do (your permissions), managed by IAM.
What are the three main ways to authenticate API calls in Google Cloud?
Answer:
API keys – For low-security, read-only access.
OAuth tokens for user accounts – Based on user login credentials.
OAuth tokens for service accounts – Based on assigned IAM roles and key pairs.
When should API keys be used?
Answer: Only for low-security, read-only APIs, since a compromised API key provides long-term access and is hard to revoke securely.
What is a service account in Google Cloud?
Answer: A service account represents an application or workload, not a person. It is identified by a unique email address and is used to authenticate and authorize programmatic access to Google Cloud resources.
How are service accounts authenticated?
Answer: Using an RSA public/private key pair, where the private key can be stored in a JSON key file. This key is used to generate access tokens.
What are the risks of using downloaded service account keys?
Answer:
Credential leakage – e.g., committing a key to a public repository.
Privilege escalation – a bad actor could grant themselves more access.
Identity masking – malicious activity might be attributed to the service account, hiding the real user.
How can you mitigate risks associated with service account keys?
Answer:
Avoid using downloaded keys whenever possible.
Use workload identity, attached service accounts, or Cloud IAM roles directly to authenticate securely.
What is the recommended way for applications running on Google Cloud to authenticate?
Answer: Use the default service account or an attached service account with appropriate IAM roles, avoiding downloaded keys and using built-in mechanisms for secure authentication.
What is the first question to ask when deciding how an application should authenticate to Google Cloud APIs?
Answer: Whether the application is running on Google Cloud or outside Google Cloud.
What is the preferred authentication method for applications running on Google Cloud (but not on GKE)?
Answer: Attach a user-managed service account directly to the Compute Engine instance or serverless service (like Cloud Run).
What authentication method is recommended for applications running on GKE?
Answer: ✅ Workload Identity, which allo
What should developers use for authentication in a local development environment?
Answer: Run:
gcloud auth application-default login
This generates user credentials that Application Default Credentials (ADC) can use for local development.
What is Workload Identity Federation used for?
Answer: It allows applications running outside Google Cloud (e.g., on-premises or multi-cloud) to authenticate securely using external identity providers, without requiring a service account key.
What is Application Default Credentials (ADC)?
Answer: ADC is a mechanism that automatically finds and uses the best available credentials for your application in a specific environment, in this order:
GOOGLE_APPLICATION_CREDENTIALS environment variable
Local user credentials (gcloud auth application-default login)
Attached service account (on GCP)
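The ADC search order above, walked explicitly as an added example (not code from the course or from the google-auth library): the resolver takes an environment mapping, a mapping that stands in for the filesystem, and a callable that says whether the compute metadata server answers, and reports which source ADC would use. It also classifies the credential file by its JSON "type" field, which is how a reviewer spots a long-lived service account key that should not be there. The sample credential files are constructed, and the resolver is simplified: real ADC also honours CLOUDSDK_CONFIG when locating the gcloud user file.

```python
import json
import os

# Constructed sample credential files (no real key material).
SAMPLE_SA_KEY = json.dumps({"type": "service_account",
                            "client_email": "app@my-project.iam.gserviceaccount.com",
                            "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n"})
SAMPLE_USER_CREDS = json.dumps({"type": "authorized_user", "client_id": "x", "refresh_token": "y"})
SAMPLE_WIF_CONFIG = json.dumps({"type": "external_account", "audience": "//iam.googleapis.com/..."})


def user_adc_path(home):
    """Where `gcloud auth application-default login` writes user credentials."""
    return os.path.join(home, ".config", "gcloud", "application_default_credentials.json")


def credential_kind(json_text):
    """Classify a credential file by its "type" field:
    service_account  -> downloaded private key (long-lived; avoid, rotate if leaked)
    authorized_user  -> refresh token from `gcloud auth application-default login`
    external_account -> Workload Identity Federation config (no Google key inside)"""
    kind = json.loads(json_text).get("type")
    if kind not in ("service_account", "authorized_user", "external_account"):
        raise ValueError("unrecognised credential type: %r" % kind)
    return kind


def resolve_adc(environ, files, metadata_reachable, home="/home/dev"):
    """Walk the ADC search order and return (source, detail).

    An env var that points at a missing file is an error, not a fall-through,
    matching how google.auth.default() behaves (assumption kept simple here)."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if path:
        if path not in files:
            raise FileNotFoundError("GOOGLE_APPLICATION_CREDENTIALS=%s does not exist" % path)
        return "env-var", credential_kind(files[path])
    user_file = user_adc_path(home)
    if user_file in files:
        return "gcloud-user", credential_kind(files[user_file])
    if metadata_reachable():
        return "attached-sa", "metadata server"
    return None, "no credentials found"


if __name__ == "__main__":
    home = "/home/dev"
    fs = {"/tmp/key.json": SAMPLE_SA_KEY, user_adc_path(home): SAMPLE_USER_CREDS}
    print(resolve_adc({"GOOGLE_APPLICATION_CREDENTIALS": "/tmp/key.json"}, fs, lambda: True, home))
    print(resolve_adc({}, fs, lambda: True, home))
    print(resolve_adc({}, {}, lambda: True, home))
```

The order matters operationally: a stale GOOGLE_APPLICATION_CREDENTIALS in a container image silently overrides the attached service account, and a service_account result from the first two sources is the signal to move that workload to an attached identity or Workload Identity Federation.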
Why should service account keys be avoided when possible?
Answer: They pose security risks, including:
Credential leakage
Privilege escalation
Identity masking
What is the difference between gcloud auth login and gcloud auth application-default login?
Answer:
gcloud auth login: Authenticates for CLI use (e.g., running gcloud commands).
gcloud auth application-default login: Authenticates for code-level API access via ADC.
What is Secret Manager used for in Google Cloud?
Answer: Secret Manager provides a secure and centralized way to store, manage, and access sensitive information like:
API keys
Passwords
Certificates
Your photo-sharing application requires user login. You don’t want to build a custom user authentication system that stores usernames and passwords. What is the best way to authenticate your users?
You can leverage federated identity management by using Firebase Authentication.
You can use OAuth 2.0 to access resources on behalf of a user.
You can give employees read permissions to critical resources in the project.
You can use Identity-Aware Proxy to provide application-level access.
The correct answer is:
✅ You can leverage federated identity management by using Firebase Authentication.
✅ Explanation:
Firebase Authentication provides a secure, drop-in authentication system that supports:
Federated identity providers (Google, Facebook, GitHub, etc.)
Email/password sign-in
Multi-factor authentication (MFA)
User management out of the box
It allows you to avoid building a custom auth system while securely managing user sign-in flows.
❌ Why not the others?
OAuth 2.0: Used for delegated access to other services (e.g., access a user’s Google Drive), not primarily for sign-in to your own app.
Giving employees read permissions: Irrelevant to user authentication; this is about IAM roles for project access.
Identity-Aware Proxy (IAP): Best for controlling access to web apps for corporate/internal users, not for user authentication in public-facing applications.
What is the benefit of using “latest” as the version identifier when accessing secrets?
Answer: Using “latest” retrieves the most recent version of the secret, so an application that always needs the current credential picks up a rotation without a redeploy or a version number change. The trade-off is that “latest” resolves to the newest version even if that version is disabled or destroyed (in which case access fails), and a bad rotation propagates to every consumer at once; for production workloads, pinning an explicit version and rolling it forward deliberately gives a controlled rollback path.
Your enterprise has an online expense reporting application. Employees must be able to access the application without having to log into the corporate VPN. How can you enable this type of access?
You can use Identity-Aware Proxy to provide application-level access.
You can use OAuth 2.0 to access resources on behalf of a user.
You can leverage federated identity management by using Firebase authentication.
You can give employees read permissions to critical resources in the project.
The correct answer is:
✅ You can use Identity-Aware Proxy to provide application-level access.
✅ Explanation:
Identity-Aware Proxy (IAP) allows you to control access to web applications and VMs based on the identity of the user, without requiring a VPN. It:
Authenticates users with Google Identity or other identity providers,
Enforces access control policies,
Provides secure, zero-trust access to apps from anywhere.
This is ideal for secure remote access to internal applications like an expense reporting system.
❌ Why not the others?
OAuth 2.0: Used for authorizing apps to access resources on behalf of a user, not for access control to internal apps.
Firebase Authentication: Good for public-facing user auth, but not intended for enterprise access control to internal apps.
Giving employees read permissions: Grants access to Google Cloud resources, not application-level access.
How should you authenticate to Google Cloud APIs from your production application that is deployed to Cloud Run?
Use a service account key.
Attach a service account to your application.
Use “gcloud auth application-default login.”
Use workload identity federation.
The correct answer is:
✅ Attach a service account to your application.
✅ Explanation:
For production applications running on Cloud Run, the recommended and secure method is to:
Attach a service account with the minimum required IAM permissions to the Cloud Run service.
This allows Application Default Credentials (ADC) to automatically detect and use the attached service account without needing to manage keys.
❌ Why not the others?
Use a service account key: ❌ Not recommended — managing and securing keys is risky and error-prone.
Use “gcloud auth application-default login”: ❌ Intended for local development, not production.
Use workload identity federation: ❌ Used for external environments (on-premises or multi-cloud), not needed for apps running within Google Cloud.
Can you build custom ML models on Google Cloud?
Answer: ✅ Yes — You can use tools like TensorFlow, PyTorch, or Vertex AI to build and deploy custom models tailored to your business needs.
How can you invoke pre-trained machine learning APIs (such as the Vision API or Natural Language API) from your application?
Use the Google Cloud console.
Use the REST API.
Use a gcloud CLI command.
Use TensorFlow.
The correct answer is:
✅ Use the REST API.
✅ Explanation:
Pre-trained ML APIs like Vision API, Natural Language API, Speech-to-Text, and Translation API are designed to be invoked via REST APIs from your application. You send a JSON request and receive a JSON response.
This allows:
Easy integration with web and mobile apps,
No need for machine learning expertise or model training,
Language-agnostic implementation.
❌ Why not the others?
Google Cloud Console: Used for testing or managing APIs, not for programmatic invocation in apps.
gcloud CLI: Useful for setup or one-time commands, but not meant for application logic.
TensorFlow: Used for building and training custom ML models, not for calling pre-trained APIs.
You’re developing an application that labels entities in video before storing the files. Which API should you use?
Vision API
Cloud Natural Language API
Cloud Translation API
Video Intelligence API
The correct answer is:
✅ Video Intelligence API
✅ Explanation:
The Video Intelligence API is specifically designed to:
Label entities in videos,
Detect entities at the video, shot, or frame level,
Annotate video files stored in Cloud Storage,
Help identify what appears in the video and when it appears.
Perfect for use cases like:
Content tagging
Search and retrieval
Content moderation
Which of the following statements about continuous integration and delivery are accurate? Select two.
To benefit from continuous integration and delivery developers must use GitHub.
Any continuous integration and delivery pipeline built on Google Cloud will automatically provide best security practices.
Continuous integration is a developer workflow in which developers pull from the main branch and commit their changes into a feature branch in a source code repository.
Continuous delivery is a workflow that is triggered when changes are pushed to the main branch in the repository.
If all tests pass, builds generated from continuous integration in a feature branch can be released on a production environment.
The correct answers are:
✅ Continuous delivery is a workflow that is triggered when changes are pushed to the main branch in the repository.
✅ If all tests pass, builds generated from continuous integration in a feature branch can be released on a production environment.
✅ Explanation of correct answers:
Continuous delivery means that validated builds (after passing CI tests) are automatically prepared for deployment when changes reach the main branch.
With CI, builds from feature branches are tested and can be released to production if tests pass and policies allow, typically via manual approval or automated CD.
❌ Why the other options are incorrect:
“Developers must use GitHub” – ❌ False.
CI/CD works with many version control systems, not just GitHub (e.g., GitLab, Bitbucket, Cloud Source Repositories).
“Google Cloud pipelines automatically provide best security practices” – ❌ False.
While Google Cloud provides tools for secure CI/CD, you must configure and enforce best security practices (e.g., secrets management, artifact signing, access control).
“CI means developers pull from main and commit to a feature branch” – ❌ Incomplete.
Pulling from main and committing to a feature branch only describes branching. What makes the workflow continuous integration is that each commit to the feature branch automatically triggers a build and test run of the application.
How can Cloud Build and Artifact Registry help you build a continuous integration and delivery pipeline? Select two.
The correct answers are:
✅ With Cloud Build, the artifacts produced by each build step are persisted in the /workspace folder and can be used by the following build step.
✅ By using Artifact Registry and Cloud Build, you can create build pipelines that are automatically triggered when you commit code to a repository.
✅ Explanation of correct answers:
Cloud Build /workspace folder:
Each build step runs in a container, but they all share the /workspace directory. This allows intermediate files or artifacts to pass between steps.
Cloud Build + Artifact Registry:
You can set up triggers so that builds run automatically when code is committed. Cloud Build can build and test the app, then push container images or other artifacts to Artifact Registry.
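The following cloudbuild.yaml is an added example illustrating both points (it is not a build file from the page or from Google's samples). Step 1 writes a test report into /workspace, step 2 reads the same checkout from /workspace to build the image, and step 3 pushes the image to Artifact Registry; the region, repository name, and the use of a Python test runner are assumptions. $PROJECT_ID and $SHORT_SHA are default substitutions Cloud Build populates when a trigger fires on a commit.

```yaml
# cloudbuild.yaml (added example; region and repository are placeholders)
substitutions:
  _REGION: us-central1        # assumption: region of the Artifact Registry repository
  _REPO: app-images           # assumption: Docker repository name in Artifact Registry

steps:
  # Step 1: run the unit tests. The report lands in /workspace, which every
  # later step shares, so a following step could publish or inspect it.
  - name: 'python:3.12-slim'
    entrypoint: 'bash'
    args:
      - '-c'
      - 'pip install -r requirements.txt && python -m pytest -q | tee /workspace/test-report.txt'

  # Step 2: build the container image from the same checkout in /workspace.
  # The tag is the commit SHA, so every image is traceable to a commit.
  - name: 'gcr.io/cloud-builders/docker'
    args:
      - 'build'
      - '-t'
      - '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO}/app:${SHORT_SHA}'
      - '.'

  # Step 3: push the image to Artifact Registry, where Artifact Analysis can scan
  # it and Binary Authorization can later check attestations before deployment.
  - name: 'gcr.io/cloud-builders/docker'
    args:
      - 'push'
      - '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO}/app:${SHORT_SHA}'

images:
  - '${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO}/app:${SHORT_SHA}'
```

Because the test step fails the build on a non-zero exit, the image is never pushed for a commit whose tests fail; a Cloud Build trigger bound to pushes on the repository turns this file into the automatically started pipeline described above.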
When is a build triggered in continuous integration (CI)?
Answer: When developers commit code to a feature branch, a service like Cloud Build is triggered to build the application.
What happens in the continuous delivery (CD) phase after pushing to the main branch?
Answer:
The code is built and container images are created.
Images are deployed to staging (e.g., GKE or Cloud Run) for integration and performance tests.
If tests pass, the build is marked as a release candidate and may be manually approved for production deployment.
How does Cloud Monitoring support a CI/CD pipeline?
Answer: It helps track application performance in production, so you can validate new deployments or roll back quickly if issues arise.
What is Google Cloud’s Software Delivery Shield?
Answer: A fully managed, end-to-end software supply chain security solution that protects every stage of the CI/CD process.
What is Binary Authorization and how does it enhance CI/CD security?
Answer: Binary Authorization uses attestations to ensure only trusted, verified images are deployed. It enforces policies to block unverified images from being released.
What does Artifact Analysis do?
Answer: It scans artifacts in Artifact Registry for vulnerabilities, offering on-demand and automated scanning for container images and packages like Maven and Go.
You want to set up monitoring for your mission-critical application. What signals should you monitor in your dashboards?
Security, Latency, Throttling, Errors
Saturation, Latency, Throttling, Errors
Saturation, Latency, Traffic, Errors
Contrast, Latency, Traffic, Errors
The correct answer is:
✅ Saturation, Latency, Traffic, Errors
✅ Explanation:
These four signals are part of the “Golden Signals” of monitoring, which are widely recommended by Google’s Site Reliability Engineering (SRE) practices. They help ensure your application’s health and performance:
Saturation – How full your system is (e.g., CPU, memory, queue usage).
Latency – Time taken to process a request.
Traffic – Demand on the system (e.g., number of requests per second).
Errors – Rate of failed requests.
❌ Why the others are incorrect:
Security and Contrast are not among the golden signals.
Throttling might be a useful metric in some contexts but is not one of the core four golden signals.
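To make the four signals concrete, here is an added example (not from the page) that derives them from request logs and CPU samples. The log lines are constructed, one JSON record per line with a status code and request latency, in the spirit of a Cloud Run request log but simplified; the ten-second window, the CPU samples and the alerting thresholds are assumptions for the example.

```python
import json
import math
from typing import Dict, List

# Constructed request-log sample: ten requests over a 10-second window, one
# JSON record per line (status code and request latency), plus five CPU samples.
SAMPLE_REQUEST_LOGS = [
    '{"ts": 0.5, "status": 200, "latency_ms": 80}',
    '{"ts": 1.2, "status": 200, "latency_ms": 95}',
    '{"ts": 2.0, "status": 503, "latency_ms": 1500}',
    '{"ts": 3.1, "status": 200, "latency_ms": 110}',
    '{"ts": 4.4, "status": 404, "latency_ms": 40}',
    '{"ts": 5.0, "status": 200, "latency_ms": 120}',
    '{"ts": 6.3, "status": 500, "latency_ms": 2100}',
    '{"ts": 7.7, "status": 200, "latency_ms": 90}',
    '{"ts": 8.2, "status": 200, "latency_ms": 100}',
    '{"ts": 9.9, "status": 200, "latency_ms": 85}',
]
SAMPLE_CPU_UTILIZATION = [0.42, 0.55, 0.61, 0.93, 0.58]  # constructed, fraction of one vCPU
WINDOW_SECONDS = 10


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def golden_signals(log_lines: List[str], cpu_samples: List[float],
                   window_seconds: float) -> Dict[str, float]:
    """Compute the four golden signals over one observation window."""
    records = [json.loads(line) for line in log_lines]
    latencies = [r["latency_ms"] for r in records]
    # Errors: count 5xx only. A 404 is a client-side outcome, not a failure of the service.
    server_errors = sum(1 for r in records if 500 <= r["status"] <= 599)
    return {
        "traffic_rps": len(records) / window_seconds,        # Traffic: demand on the system
        "error_rate": server_errors / len(records),          # Errors: fraction of failed requests
        "latency_p50_ms": percentile(latencies, 50),         # Latency: typical request
        "latency_p99_ms": percentile(latencies, 99),         # Latency: the slow tail
        "saturation_cpu_max": max(cpu_samples),              # Saturation: how full the instance is
    }


def breached(signals: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Names of signals above their alerting threshold, in threshold order."""
    return [name for name, limit in thresholds.items() if signals[name] > limit]
```

Reporting p99 next to p50 is deliberate: in the sample the median is healthy while two requests took seconds, which is exactly what an average would hide and what an SLO on tail latency is meant to catch.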
Users are encountering errors in your application. You want to view the stack trace to determine where the error occurred. Which service would help you view the stack trace?
Cloud Logging
Error Reporting
Cloud Monitoring
Cloud Trace
The correct answer is:
✅ Error Reporting
✅ Explanation:
Error Reporting automatically aggregates and analyzes errors from your applications and displays:
Stack traces
Error frequency
Affected services and versions
Notifications and alerts
This helps you quickly identify, triage, and debug application issues.
You want to stream logs into Cloud Logging from third-party applications running on Compute Engine instances. What service should you consider?
Cloud Trace
Cloud Monitoring
Error Reporting
Ops Agent
The correct answer is:
✅ Ops Agent
✅ Explanation:
The Ops Agent is the recommended agent for collecting both logs and metrics from third-party applications and system services running on Compute Engine instances. It is:
Optimized for performance
Capable of structured and unstructured log ingestion
Fully integrated with Cloud Logging and Cloud Monitoring
❌ Other options explained:
Cloud Trace: Used for analyzing request latency, not for log streaming.
Cloud Monitoring: Visualizes metrics but does not collect logs directly from applications.
Error Reporting: Aggregates and displays application errors, but relies on logs being ingested—it doesn’t collect logs itself.
An event-driven function: (Select three).
Responds to events that occur in your cloud infrastructure.
Can only be implemented as a CloudEvent function.
Uses event triggers for various services like Pub/Sub, and Cloud Storage.
Can be triggered from Eventarc sources.
The correct answers are:
✅ Responds to events that occur in your cloud infrastructure
✅ Uses event triggers for various services like Pub/Sub, and Cloud Storage
✅ Can be triggered from Eventarc sources
✅ Explanation of correct answers:
Responds to events that occur in your cloud infrastructure:
Event-driven functions react to changes such as file uploads, database updates, or Pub/Sub messages.
Uses event triggers for various services like Pub/Sub, and Cloud Storage:
Google Cloud Functions and Cloud Run can be triggered by native events from services like Pub/Sub, Cloud Storage, Firestore, etc.
Can be triggered from Eventarc sources:
Eventarc routes events from a wide range of sources (e.g., Firebase, Cloud Audit Logs, custom apps) to services like Cloud Run and Cloud Functions.
Which of these statements about Cloud Run functions are correct? Select three. Cloud Run functions:
Is integrated with Cloud Logging.
Can only be invoked by sending HTTP requests.
Is a scalable functions-as-a-service platform.
Can be used to extend Cloud services.
Require servers or VMs to be provisioned.
The correct answers are:
✅ Is integrated with Cloud Logging
✅ Is a scalable functions-as-a-service platform
✅ Can be used to extend Cloud services
✅ Explanation of correct answers:
Is integrated with Cloud Logging:
Cloud Run automatically writes logs to Cloud Logging, making it easy to monitor and debug services.
Is a scalable functions-as-a-service platform:
Cloud Run is serverless, meaning it scales automatically based on incoming requests — from zero to thousands of instances.
Can be used to extend Cloud services:
Cloud Run can be triggered by Eventarc, Pub/Sub, or HTTP requests, making it great for extending services like Cloud Storage, Firestore, or even third-party APIs.
What are some features and benefits of using Cloud Run functions? Select four. Cloud Run functions:
Can be integrated with Cloud databases.
Supports seamless authentication with IAM.
Are triggered by HTTP requests and events from Cloud Services.
Uses a fixed pricing model.
Can be locally developed and tested.
The correct answers are:
✅ Can be integrated with Cloud databases
✅ Supports seamless authentication with IAM
✅ Are triggered by HTTP requests and events from Cloud Services
✅ Can be locally developed and tested
✅ Explanation of correct answers:
Can be integrated with Cloud databases:
Cloud Run functions can easily connect to services like Cloud SQL, Firestore, and BigQuery using environment variables and client libraries.
Supports seamless authentication with IAM:
Cloud Run integrates with IAM to control who can invoke your service and access other Google Cloud services securely.
Are triggered by HTTP requests and events from Cloud Services:
Cloud Run services can be invoked via HTTP, or automatically triggered by events using Eventarc, Pub/Sub, or Cloud Scheduler.
Can be locally developed and tested:
You can run Cloud Run containers locally using tools like the Cloud SDK (gcloud), Docker, or Cloud Code in VS Code/JetBrains.
❌ Incorrect option:
Uses a fixed pricing model – ❌ False
Cloud Run uses pay-per-use pricing, based on the actual resources consumed (CPU, memory, requests, and execution time). It scales to zero when idle.
An HTTP function: (Select three).
Can be used to implement a webhook.
Can only be invoked with authentication credentials.
Is triggered by a request made to its URL endpoint.
Must send back an HTTP response.
The correct answers are:
✅ Can be used to implement a webhook
✅ Is triggered by a request made to its URL endpoint
✅ Must send back an HTTP response
✅ Explanation of correct answers:
Can be used to implement a webhook:
HTTP functions are ideal for webhooks, since they respond to incoming HTTP requests from external systems.
Is triggered by a request made to its URL endpoint:
Every HTTP function has a URL endpoint that clients call to trigger it; whether that endpoint accepts unauthenticated requests is controlled by IAM.
Must send back an HTTP response:
HTTP functions are request-response based and must return a response, such as a status code, message, or data.
❌ Incorrect option:
Can only be invoked with authentication credentials – ❌ False
While authentication can be required (based on IAM settings), you can configure HTTP functions to allow unauthenticated access (e.g., for public APIs or webhooks). An unauthenticated endpoint is reachable by anyone on the internet, so a webhook that allows it should still validate each request some other way (for example, a shared secret or a signature from the calling system) and treat the payload as untrusted input.
What does it mean to write a function to be idempotent?
Answer:
An idempotent function produces the same result when called multiple times, which is essential for safely retrying failed invocations without side effects.
Why should background activities not run after a function invocation ends?
Answer:
Because CPU is no longer allocated to the instance once the function returns (unless the service is configured with CPU always allocated). Work left running in the background may be throttled part-way and can interfere with later invocations that reuse the same instance, causing errors and unexpected behaviour.
What is the risk of writing to the file system in Cloud Run functions?
Answer:
The temp files are stored in in-memory storage, which persists between invocations. Not deleting them may lead to memory exhaustion and cold starts.
How should HTTP and event-driven functions terminate?
Answer:
HTTP functions must always return an HTTP response.
Event-driven functions should return or report an error explicitly.
Avoid using process.exit() (Node.js) or sys.exit() (Python).
What causes cold starts, and how can you reduce them?
Answer:
Cold starts occur when a function instance needs to be initialized from scratch. You can reduce them by:
Avoiding unnecessary imports
Using global variable caching
Setting a minimum instance count
Why is caching objects like API clients in global scope beneficial?
Answer:
Because the function environment is reused between invocations, caching reduces connection overhead and improves performance.
How can you enable retries for event-driven functions?
Answer: Use the --retry flag during deployment (gcloud functions deploy ... --retry) or enable the Retry on failure option in the Cloud Console.
When are retries helpful, and when should they be avoided?
Answer:
Retries are good for transient errors (e.g., timeouts, network failures), but should be avoided for persistent bugs, which would cause infinite retry loops unless conditions are added to stop them.
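The three flashcards above (idempotency, how functions should terminate, and when retries help) describe one handler design, so here is a single added example that puts them together. It is not code from the page or from Google's Functions Framework: `CloudEventStub` stands in for the CloudEvent object the runtime passes in, the in-memory set of processed IDs stands in for a durable store, the 60-second maximum event age and the simulated flaky dependency are assumptions, and `deliver_with_retries` only imitates the platform redelivering an event after the function raises.

```python
import datetime as dt
from dataclasses import dataclass, field
from typing import Set

# Assumption for this example: an event older than this is dropped rather than
# retried, which bounds how long a persistently failing event can keep looping.
MAX_EVENT_AGE = dt.timedelta(seconds=60)


class TransientError(Exception):
    """A failure worth retrying: timeout, unreachable dependency, 5xx from a backend."""


@dataclass
class CloudEventStub:
    """Stand-in for the CloudEvent the runtime passes to an event-driven function;
    only the attributes this example reads."""
    id: str
    time: dt.datetime
    data: dict


def fixed_now() -> dt.datetime:
    """A fixed clock so the example is deterministic."""
    return dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)


def make_event(event_id: str, seconds_ago: int, data: dict, now: dt.datetime) -> CloudEventStub:
    """Build a constructed event that occurred `seconds_ago` before `now`."""
    return CloudEventStub(id=event_id, time=now - dt.timedelta(seconds=seconds_ago), data=data)


@dataclass
class Processor:
    # In a real function this set would live in a durable store (e.g. Firestore),
    # because instances come and go; an in-memory set only illustrates the idea.
    processed_ids: Set[str] = field(default_factory=set)
    side_effects: int = 0
    transient_failures_remaining: int = 0  # simulates a flaky downstream dependency

    def handle(self, event: CloudEventStub, now: dt.datetime) -> str:
        """Entry point of the event-driven function.

        Returning normally tells the platform the event is done; raising tells it
        to retry (when retries are enabled). Neither path calls sys.exit().
        """
        if now - event.time > MAX_EVENT_AGE:
            # Old event: give up explicitly so a broken event cannot retry forever.
            return "dropped-stale"
        if event.id in self.processed_ids:
            # Idempotency: a redelivered event must not repeat the side effect.
            return "duplicate"
        if self.transient_failures_remaining > 0:
            self.transient_failures_remaining -= 1
            raise TransientError("downstream timeout")  # the platform retries this
        if event.data.get("malformed"):
            # Persistent problem (a bug or bad payload): retrying cannot help, so
            # log it and return instead of raising.
            return "dead-lettered"
        self.side_effects += 1                     # the real work would go here
        self.processed_ids.add(event.id)
        return "processed"


def deliver_with_retries(processor: Processor, event: CloudEventStub,
                         now: dt.datetime, max_attempts: int = 3) -> str:
    """Simulates the platform redelivering the event after each raised exception."""
    last_error: Exception = RuntimeError("no attempts made")
    for _ in range(max_attempts):
        try:
            return processor.handle(event, now)
        except TransientError as exc:
            last_error = exc
    return f"gave-up: {last_error}"
```

The decision that matters is which failures raise and which return: a raise is a request for redelivery, so only errors that can plausibly succeed next time should raise, while stale events, duplicates and malformed payloads return so the event is acknowledged and logged rather than looped.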
What is a best practice for IAM and service accounts in functions?
Answer:
Follow the principle of least privilege
Use user-managed service accounts instead of default ones
Assign minimal necessary permissions to each function
How does function concurrency work in Cloud Run?
Answer:
You can configure a function to handle multiple simultaneous requests per instance. This reduces cold starts but requires your code to be thread-safe and stateless.
What happens when you deploy a new version of a Cloud Run function?
Answer:
A new immutable revision is created. By default, all traffic routes to the latest revision, but you can split traffic between revisions or roll back to a previous one.
How does Cloud Run scaling work?
Answer:
Instances scale up or down based on traffic
You can set min and max instance counts per revision
More than the max may be briefly allowed during rollout
What happens each time you deploy a Cloud Run function?
✅ Select one.
A. Previous revision is overwritten
B. A new revision is created
C. All traffic is paused
D. Scaling is reset to zero
✅ Correct Answer: B
Explanation: Each deployment creates a new, immutable revision of the function.
Why should you assign user-managed service accounts to Cloud Run functions?
✅ Select one.
A. To enable auto-scaling
B. To give each function minimal, isolated access
C. To support concurrency
D. To reduce memory usage
✅ Correct Answer: B
Explanation: User-managed service accounts allow granular access control per function.
What must you do to enable retries for an event-driven function?
✅ Select one.
A. Use the --timeout flag
B. Update IAM permissions
C. Use the --retry flag during deployment
D. Enable concurrency
✅ Correct Answer: C
Explanation: Use the --retry flag or the console option to enable retries for event-driven functions.
What kind of failures are most appropriate for function retries?
✅ Select one.
A. Application bugs
B. Authentication errors
C. Transient errors like network timeouts
D. Missing environment variables
✅ Correct Answer: C
Explanation: Transient issues (e.g., timeouts or unreachable services) often succeed on retry.
How can you reduce the time it takes for a cold start?
✅ Select two.
A. Load only necessary dependencies
B. Initialize all variables globally
C. Cache connections and clients in global scope
D. Use process.exit() to clean up faster
✅ Correct Answers: A, C
Explanation: Avoiding unnecessary imports and caching expensive objects improves cold start performance.
What causes a cold start in Cloud Run functions?
✅ Select one.
A. Too many concurrent requests
B. Retrying failed invocations
C. Creating and initializing a new execution environment
D. Logging to Cloud Logging
✅ Correct Answer: C
Explanation: A cold start happens when a new instance of a function needs to be initialized.
What is the best way to exit from an event-driven function?
✅ Select one.
A. Use process.exit() or sys.exit()
B. Let the function time out
C. Throw an exception
D. Return explicitly or implicitly
✅ Correct Answer: D
Explanation: Explicit or implicit return is recommended. Forceful exits may cause errors.
What is the risk of leaving files in the temporary directory between invocations?
✅ Select one.
A. It triggers autoscaling
B. It causes memory leaks and cold starts
C. It blocks incoming requests
D. It prevents retries
✅ Correct Answer: B
Explanation: Files persist between invocations and consume memory, possibly causing cold starts.
What must an HTTP function always do to avoid timeouts and extra charges?
✅ Select one.
A. Execute background tasks
B. Log to stdout
C. Return an HTTP response
D. Use persistent storage
✅ Correct Answer: C
Explanation: HTTP functions must always send a response; otherwise, they run until timeout.
Why should you write your functions to be idempotent?
✅ Select one.
A. To avoid handling asynchronous code
B. So the function can be retried without side effects
C. To allow global variable reuse
D. To prevent cold starts
✅ Correct Answer: B
Explanation: Idempotent functions return the same result when called multiple times, making retries safe.
Which three statements about using environment variables with Cloud Run functions are correct? Environment variables:
Are provided during function deployment.
Are key-value pairs that are accessed by the function code at runtime.
Can be shared and used by multiple functions.
Can be stored in a YAML file, whose filename can be provided during function deployment.
Cannot be added, updated, or removed.
The three correct statements about using environment variables with Cloud Run functions are:
✅ Are provided during function deployment.
✅ Are key-value pairs that are accessed by the function code at runtime.
✅ Can be stored in a YAML file, whose filename can be provided during function deployment.
✅ Explanation:
Provided during function deployment:
You can define environment variables using the --set-env-vars flag in the gcloud CLI or via the Cloud Console when deploying a function.
Key-value pairs accessible at runtime:
The function accesses these environment variables using standard language-specific methods (e.g., os.environ['VAR_NAME'] in Python).
Stored in a YAML file:
You can store environment variables in a YAML file (for example .env.yaml) and load them during deployment using --env-vars-file.
Which statements about triggering Cloud Run functions from Firestore database events are correct? Select two.
A function can be triggered when a Firestore document is created, updated, or deleted.
To trigger a function, you must specify an event type and the document path.
A function can only be triggered on changes to an individual Firestore document.
A function cannot be triggered when a Firestore document is deleted.
A function can be triggered when a specific field in a Firestore document is changed.
The two correct statements are:
✅ A function can be triggered when a Firestore document is created, updated, or deleted.
✅ To trigger a function, you must specify an event type and the document path.
✅ Explanation:
Firestore triggers support events such as create, update, delete, and write on documents.
To set up a trigger, you must define:
An event type (e.g., create)
A document path (e.g., users/{userId})
❌ Incorrect statements:
“A function can only be triggered on changes to an individual Firestore document” – ❌
You specify a document path pattern, so triggers can apply to multiple documents using wildcards (e.g., users/{userId}).
“A function cannot be triggered when a Firestore document is deleted” – ❌
Deletion events are supported.
“A function can be triggered when a specific field in a Firestore document is changed” – ❌
Firestore triggers operate at the document level, not at the field level.
What are two methods of making a secret available to a cloud function?
Mount the secret as a volume so that the function can access the secret from a file.
Provide the secret name and value as query parameters to the function.
Secrets cannot be accessed from Cloud Run functions.
Provide the secret as an environment variable when deploying the function.
The two correct methods of making a secret available to a Cloud Run function are:
✅ Mount the secret as a volume so that the function can access the secret from a file.
✅ Provide the secret as an environment variable when deploying the function.
✅ Explanation:
Mount as a volume:
You can mount a secret from Secret Manager as a file inside the container, allowing the function to read it at runtime.
Environment variable:
You can inject secrets as environment variables when deploying the function using the --set-secrets flag (e.g., gcloud run deploy --set-secrets).
❌ Incorrect statements:
“Provide the secret name and value as query parameters to the function” – ❌
This is insecure and not recommended. Query strings end up in request logs, proxies, browser history and referrer headers, so secrets should never be passed in them.
“Secrets cannot be accessed from Cloud Run functions” – ❌
Cloud Run functions can securely access secrets from Secret Manager.
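From inside the function, the two delivery methods look like a file under the mount path and an environment variable. The following added example (not from the page or from Google's libraries) shows a loader that accepts either, refuses to run without the secret, and logs only a fingerprint rather than the value. The mount directory name, the secret names and values, and the "volume first, environment second" precedence are assumptions; the temp-directory helpers stand in for the deployment-time --set-secrets flag or volume mount so the code runs offline.

```python
import hashlib
import os
import tempfile
from typing import Mapping, Tuple


class SecretNotConfigured(RuntimeError):
    """Raised when neither delivery method supplied the secret."""


def load_secret(name: str, env: Mapping[str, str], mount_dir: str) -> Tuple[str, str]:
    """Return (value, source) for a secret delivered either as a mounted file
    (<mount_dir>/<name>) or as an environment variable named <name>.

    The mounted file is checked first; the environment variable is the fallback.
    """
    path = os.path.join(mount_dir, name)
    if os.path.isfile(path):
        with open(path, "r", encoding="utf-8") as fh:
            value = fh.read().rstrip("\n")  # editors and rotation tooling often add a trailing newline
        source = "volume"
    elif name in env:
        value = env[name]
        source = "env"
    else:
        raise SecretNotConfigured(
            f"secret {name!r} is neither mounted under {mount_dir} nor set as an environment variable")
    if not value:
        raise SecretNotConfigured(f"secret {name!r} is present but empty")
    return value, source


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix that is safe to log to confirm which version loaded,
    without ever logging the secret itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


# Helpers that stand in for the deployment step (a volume mount populated by
# Secret Manager) so the example runs offline with a constructed secret.
def make_mount_dir() -> str:
    return tempfile.mkdtemp(prefix="secrets-")


def write_mounted_secret(mount_dir: str, name: str, value: str) -> str:
    path = os.path.join(mount_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(value + "\n")
    os.chmod(path, 0o600)
    return path
```

Failing fast when the secret is missing is intentional: a function that starts without its credential and only discovers the gap on the first request is harder to diagnose than one whose instance refuses to come up, and the fingerprint in the startup log tells you which version actually arrived after a rotation.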
What is Google Cloud Workflows primarily used for?
✅ Select one.
A. Hosting containerized applications
B. Running machine learning models
C. Orchestrating services and API calls in a defined order
D. Monitoring Cloud Run performance
✅ Correct Answer: C
Explanation: Workflows is a serverless orchestration platform for coordinating services and APIs in a defined sequence.
What formats can you use to define a Google Cloud Workflow?
✅ Select two.
A. YAML
B. Terraform
C. JSON
D. Bash
✅ Correct Answers: A, C
Explanation: Workflows can be defined in YAML or JSON format.
What is the role of Serverless VPC Access when using Cloud Run?
A. It allows Cloud Run to scale beyond 1000 instances
B. It enables Cloud Run functions to connect to internal VPC resources
C. It provides logging and monitoring
D. It provisions private GKE clusters
✅ Correct Answer: B
Explanation: Serverless VPC Access lets Cloud Run functions communicate securely with resources like VMs or Memorystore using internal IPs.
Which steps are required to configure a Cloud Run function to use Serverless VPC Access?
✅ Select three.
A. Enable the Serverless VPC Access API
B. Create and attach a VPC connector
C. Move your function into the same VPC as your Compute Engine instance
D. Match the connector’s region with your Cloud Run function’s region
E. Create a Pub/Sub topic for the function
✅ Correct Answers: A, B, D
Explanation:
You must enable the API
Create and configure a connector in the correct region
The connector must be in the same region as the function
What are some features of Google Cloud Workflows?
✅ Select all that apply.
A. Can hold state and wait up to a year
B. Replaces the need for Cloud Functions
C. Logs each execution for observability
D. Can integrate Cloud Run, external APIs, and other services
✅ Correct Answers: A, C, D
Explanation:
Workflows can hold state, wait, and retry
It logs executions for debugging
It can orchestrate Cloud Run, Cloud Functions, APIs, and other services
Which of these statements about Cloud Run functions triggers are correct? Select three.
A function can be bound to multiple triggers at the same time.
Multiple functions can be triggered by the same trigger settings.
Triggers are specified during function deployment.
An event trigger reacts to cloud events.
The three correct statements about Cloud Run function triggers are:
✅ Multiple functions can be triggered by the same trigger settings.
✅ Triggers are specified during function deployment.
✅ An event trigger reacts to cloud events.
✅ Explanation:
Multiple functions can be triggered by the same trigger settings
→ Yes, multiple functions can listen to the same event source, like a Pub/Sub topic or Cloud Storage bucket.
Triggers are specified during function deployment
→ When deploying a function, you define the trigger type and source using the Google Cloud Console or gcloud CLI.
An event trigger reacts to cloud events
→ Event triggers use Eventarc to react to events from services like Firestore, Cloud Storage, Pub/Sub, etc.
Which of these statements about Workflows are correct? Select three.
In a workflow, data cannot be shared between steps.
Workflows is serverless.
Workflows can combine services or functions hosted on Cloud Run.
A workflow step can be defined to make an HTTP call to a URL.
The three correct statements about Workflows are:
✅ Workflows is serverless.
✅ Workflows can combine services or functions hosted on Cloud Run.
✅ A workflow step can be defined to make an HTTP call to a URL.
✅ Explanation:
Workflows is serverless
→ It runs in a fully managed environment, requiring no infrastructure management.
Workflows can combine services or functions hosted on Cloud Run
→ You can orchestrate Cloud Run, Cloud Functions, external APIs, and other Google Cloud services.
A workflow step can be defined to make an HTTP call to a URL
→ Workflows can invoke HTTP endpoints, including Cloud Run functions or third-party services.
❌ Incorrect statement:
“In a workflow, data cannot be shared between steps”
→ A step's result can be stored in a workflow variable and read by later steps; that is how data is passed through an orchestration.
What are two reasons for using Serverless VPC Access?
To expose requests and responses to and from a VPC network to the internet.
To connect Cloud Run functions to internal resources in a VPC network.
To enable Cloud Run functions to access external HTTP endpoints.
To send requests and receive responses using internal DNS and IP addresses.
The two correct reasons for using Serverless VPC Access are:
✅ To connect Cloud Run functions to internal resources in a VPC network.
✅ To send requests and receive responses using internal DNS and IP addresses.
✅ Explanation:
Connect to internal resources
→ Serverless VPC Access enables Cloud Run functions to reach internal services like Compute Engine VMs, Memorystore, or private databases that aren’t exposed to the internet.
Use internal DNS/IPs
→ It ensures communication stays private by allowing functions to resolve and access resources via internal IPs and DNS.
❌ Incorrect reasons:
“To expose requests and responses to and from a VPC network to the internet”
→ This is the opposite of what Serverless VPC Access is meant for—it enables private, not public, connectivity.
“To enable Cloud Run functions to access external HTTP endpoints”
→ Cloud Run functions can already access external endpoints without Serverless VPC Access.
An HTTP trigger: (Select two)
Enables a function to respond to HTTP requests.
Generates a URL when it is assigned to a function.
Does not support the DELETE HTTP request method.
Enables a function to respond to events from cloud infrastructure.
The two correct statements about an HTTP trigger are:
✅ Enables a function to respond to HTTP requests.
✅ Generates a URL when it is assigned to a function.
✅ Explanation:
Enables a function to respond to HTTP requests
→ HTTP triggers are used to invoke Cloud Run functions via GET, POST, PUT, DELETE, etc.
Generates a URL
→ When an HTTP trigger is assigned, Cloud Run automatically generates an HTTPS endpoint for the function.
❌ Incorrect statements:
“Does not support the DELETE HTTP request method”
→ ❌ Incorrect — HTTP triggers do support all standard methods including DELETE.
“Enables a function to respond to events from cloud infrastructure”
→ ❌ Incorrect — That applies to event-driven triggers (e.g., Pub/Sub, Firestore, Cloud Storage), not HTTP triggers.
What are the two primary ways to secure access to Cloud Run functions?
✅ Select two.
A. Environment variable injection
B. Identity-based access controls
C. Network-based access controls
D. Logging and Monitoring
✅ Correct Answers: B, C
Explanation: Identity-based controls (IAM roles such as the invoker role, checked against the caller's credentials) decide who can invoke or manage a function; network-based controls (ingress settings, VPC Service Controls) decide from where requests may reach it. Environment variables and logging are configuration and observability features, not access controls.
Which of the following tokens is used to authenticate API calls to Cloud Run functions?
A. Session token
B. OAuth 2.0 access token
C. Secret key token
D. JSON Web Signature token
Correct Answer: B
Explanation: OAuth 2.0 access tokens authenticate calls to the Cloud Functions and Cloud Run APIs that manage functions (deploy, update, set IAM policy). Invoking a function's HTTPS endpoint as another identity uses a Google-signed ID token instead, as the following cards cover. Session tokens and static secret keys are not Google Cloud authentication mechanisms.
What role should you assign to allow one Cloud Run function to call another?
A. roles/owner
B. roles/cloudfunctions.viewer
C. roles/cloudfunctions.invoker
D. roles/editor
✅ Correct Answer: C
Explanation: The Cloud Functions Invoker role (roles/cloudfunctions.invoker) grants the permission to call HTTP functions; grant it to the calling function's runtime service account, not to allUsers. For functions backed by a Cloud Run service (Cloud Run functions, 2nd gen), the caller also needs roles/run.invoker on that service. Owner and Editor are far broader than needed, and Viewer cannot invoke anything.
What must a calling function include when invoking another Cloud Run function securely?
A. OAuth 2.0 token in the query string
B. Static API key
C. Signed ID token with the audience set to the receiving function’s URL
D. Shared secret passed in request body
✅ Correct Answer: C
Explanation: The caller must send a Google-signed ID token in the Authorization: Bearer header, with the audience claim (aud) set to the receiving function's URL; IAM on the receiving function rejects tokens minted for any other audience. Tokens do not belong in the query string (they end up in access logs), and static API keys or shared secrets in the request body are not how Cloud Run functions authenticate callers.
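The call described in this card, as an added example (not code from the course): inside a Cloud Run function, the metadata server mints an ID token for the runtime service account when asked for one with `audience=<receiving function URL>`; the caller puts it in the Authorization header, and IAM on the callee verifies the signature, the audience, and that the identity holds the invoker role. The metadata endpoint and the `Metadata-Flavor: Google` header are the real ones; RECEIVER_URL is a placeholder, and the HTTP opener is injectable so the flow can be exercised offline with a constructed, unsigned token.

```python
"""Function-to-function call with a Google-signed ID token bound to the callee."""
import base64
import io
import json
import urllib.parse
import urllib.request

RECEIVER_URL = "https://receiver-function.example"  # placeholder audience, not a real deployment

# Metadata server endpoint reachable from inside Cloud Run / Cloud Run functions.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/"
    "instance/service-accounts/default/identity"
)


def id_token_request(audience: str) -> urllib.request.Request:
    """Build the metadata-server request for an ID token whose aud is `audience`.

    The audience must be the receiving function's URL: a token minted for any
    other audience fails the callee's IAM check.
    """
    query = urllib.parse.urlencode({"audience": audience})
    return urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?{query}", headers={"Metadata-Flavor": "Google"}
    )


def fetch_id_token(audience: str, opener=urllib.request.urlopen) -> str:
    """Ask the metadata server for an ID token; the body is the compact JWT."""
    with opener(id_token_request(audience), timeout=5) as resp:
        return resp.read().decode("utf-8").strip()


def _jwt_claims(token: str) -> dict:
    """Decode a JWT payload *without* verifying its signature.

    Acceptable here only because the token came from the trusted metadata
    server and we are inspecting what we are about to send. Never use this to
    authenticate an incoming request; leave that to IAM or a verifying library.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, expected_url: str) -> bool:
    """True if the token's aud claim is exactly the callee's URL."""
    return _jwt_claims(token).get("aud") == expected_url


def authenticated_request(target_url: str, opener=urllib.request.urlopen) -> urllib.request.Request:
    """Return a request to `target_url` carrying an ID token minted for that URL.

    The token travels in the Authorization header, never in the query string,
    where it would be written to access logs.
    """
    token = fetch_id_token(target_url, opener)
    if not audience_matches(token, target_url):
        raise ValueError("metadata server returned a token for a different audience")
    return urllib.request.Request(target_url, headers={"Authorization": f"Bearer {token}"})


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise this code offline."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.fake-signature"


def fake_opener_for(token: str):
    """Stand-in for urllib.request.urlopen that returns `token` as the response body."""
    def opener(request, timeout=None):
        if request.get_header("Metadata-flavor") != "Google":
            raise ValueError("metadata server requires the Metadata-Flavor: Google header")
        return io.BytesIO(token.encode())
    return opener


if __name__ == "__main__":
    token = constructed_token({"aud": RECEIVER_URL, "iss": "https://accounts.google.com"})
    req = authenticated_request(RECEIVER_URL, fake_opener_for(token))
    print(req.full_url, req.get_header("Authorization")[:40] + "...")
```

In a deployed function, drop the `opener` argument so `urllib.request.urlopen` talks to the real metadata server; the receiving function needs no token-parsing code of its own as long as it is not deployed with unauthenticated access, because IAM performs the verification before the request reaches it.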
When should you use a user-managed (custom) runtime service account instead of the default?
A. Only during testing
B. For functions requiring environment variables
C. For production environments to enforce least privilege
D. When using Firebase Hosting
✅ Correct Answer: C
Explanation: Always use a custom service account in production with only the minimum required permissions.
What is the purpose of using Customer-Managed Encryption Keys (CMEK) with Cloud Run functions?
A. To reduce storage costs for container images
B. To allow Google full access to encryption keys
C. To encrypt data at rest using keys you control
D. To speed up function cold starts
✅ Correct Answer: C
Explanation: CMEKs let you manage encryption for data at rest used by Cloud Run functions.
What happens if a CMEK used by a Cloud Run function is disabled or destroyed?
A. The function will fail only during redeployment
B. Only Google engineers can recover the key
C. No one, including the owner, can access the protected data
D. The function becomes public
✅ Correct Answer: C
Explanation: While the key is disabled, the protected data is inaccessible to everyone, the project owner included, until it is re-enabled; if the key is destroyed, access is lost permanently. Google cannot recover the key for you, and the function does not become public.
Which of the following data types are encrypted when CMEK is used with Cloud Run?
✅ Select two.
A. API request logs
B. Function source code stored in Cloud Storage
C. Container images from function builds
D. Stackdriver monitoring data
✅ Correct Answers: B, C
Explanation: CMEK encrypts the function's source code as stored in Cloud Storage and the container images produced by the function build (in Artifact Registry). Request logs and monitoring data are not among the data the function's CMEK protects.
What must you do before enabling CMEK for a Cloud Run function?
✅ Select two.
A. Create a multi-region encryption key
B. Grant key access to Cloud Run, Artifact Registry, and Cloud Storage service accounts
C. Enable HTTPS load balancing
D. Create a CMEK-enabled Artifact Registry repository in the same region
✅ Correct Answers: B, D
Explanation: You must:
Grant service accounts access to the key
Create a CMEK-enabled Artifact Registry in the same region as your function
CMEK keys can be stored in all the following ways EXCEPT:
A. As software keys
B. In HSM clusters
C. In an external key management system
D. In Cloud Storage buckets
✅ Correct Answer: D
Explanation: CMEKs are Cloud KMS keys, which can be software keys, keys held in Cloud HSM, or keys kept in an external key manager (Cloud EKM). Cloud Storage stores data, not KMS keys.
Which statements about function identity are correct? Select three.
Every function is associated with a runtime service account that serves as its identity.
The App Engine default service account is used as the default runtime service account for Cloud Run functions (1st gen).
The Compute Engine default service account is used as the default runtime service account for Cloud Run functions.
In production environments, you should use a runtime service account for a function’s identity with the maximum set of permissions.
The three correct statements about function identity are:
✅ Every function is associated with a runtime service account that serves as its identity.
✅ The App Engine default service account is used as the default runtime service account for Cloud Run functions (1st gen).
✅ The Compute Engine default service account is used as the default runtime service account for Cloud Run functions.
❌ Incorrect statement:
“In production environments, you should use a runtime service account for a function’s identity with the maximum set of permissions.”
🚫 Incorrect: In production, you should follow the principle of least privilege and assign only the minimum required permissions to the service account.
Which network setting allows Cloud Run functions to route all outbound traffic from a function through a VPC network?
Ingress setting to allow internal traffic and traffic from Cloud Load Balancing.
Egress setting to route all traffic through a Serverless VPC connector.
Ingress setting to allow all traffic.
Egress setting to route traffic only to private IPs through a Serverless VPC connector.
The correct answer is:
✅ Egress setting to route all traffic through a Serverless VPC connector.
✅ Explanation:
Egress settings control outbound traffic from Cloud Run functions.
To route all outbound traffic through a VPC network, you must use:
Egress setting: “All traffic” with a Serverless VPC Access connector.
❌ Incorrect options:
“Ingress setting to allow internal traffic and traffic from Cloud Load Balancing”
→ Ingress controls incoming traffic, not outbound.
“Ingress setting to allow all traffic”
→ Again, this is about who can call your function.
“Egress setting to route traffic only to private IPs through a Serverless VPC connector”
→ This routes only private traffic through the connector—not all traffic.
A customer-managed encryption key (CMEK) is used to encrypt a function and its related data. What is the impact when such a key is disabled or destroyed?
Executions of the function that are already in progress are terminated.
There is no impact to the function.
Executions that require new function instances will fail.
Active instances of the function are shut down.
When a Customer-Managed Encryption Key (CMEK) is disabled or destroyed:
New function instances cannot be created because Cloud Run cannot decrypt the function’s container image or configuration data.
As a result, any execution that triggers the creation of a new instance will fail.
However, already-running (active) instances may continue to work as long as they don’t require access to encrypted resources.
❌ Incorrect options:
“Executions of the function that are already in progress are terminated”
→ Not necessarily. Already-running instances can continue if no additional decryption is needed.
“There is no impact to the function”
→ ❌ Disabling or destroying the key definitely impacts new deployments or scaling.
“Active instances of the function are shut down”
→ Active instances are not immediately shut down, but future operations may fail.
To limit access to Cloud Run functions, what methods can you use? Select two.
Use network-based access controls.
Use an encryption key.
Use a username and password.
Use HTTPS.
Use identity-based access controls.
The correct answers are:
✅ Use network-based access controls.
✅ Use identity-based access controls.
✅ Explanation:
To limit access to Cloud Run functions, you can use:
Identity-based access controls
Uses IAM roles and permissions to control who can invoke or manage your functions.
Example: Assigning the roles/cloudfunctions.invoker role to specific users or service accounts.
Network-based access controls
Configure ingress settings to allow only internal traffic or traffic through Cloud Load Balancing.
You can also use VPC Service Controls for added protection.
❌ Incorrect options:
Use an encryption key
→ Encryption (e.g., CMEK) protects data at rest, not access control.
Use a username and password
→ Not a supported authentication method for Cloud Run functions.
Use HTTPS
→ HTTPS encrypts communication, but doesn’t restrict access by itself.
Cloud Run functions uses IAM to authorize the requesting identity. Which predefined IAM roles are used by Cloud Run functions? Select four.
Cloud Functions Reader
Cloud Functions Developer
Cloud Functions Viewer
Cloud Functions Invoker
Cloud Functions Admin
The correct answers are:
✅ Cloud Functions Developer
✅ Cloud Functions Viewer
✅ Cloud Functions Invoker
✅ Cloud Functions Admin
✅ Explanation of each role:
Cloud Functions Admin (roles/cloudfunctions.admin)
Full control over Cloud Functions, including deploy, update, and delete.
Cloud Functions Developer (roles/cloudfunctions.developer)
Read and write access to functions (create, update, delete, invoke), but cannot set IAM policies on them.
Cloud Functions Viewer (roles/cloudfunctions.viewer)
Read-only access to view function metadata and configurations.
Cloud Functions Invoker (roles/cloudfunctions.invoker)
Grants cloudfunctions.functions.invoke, i.e. permission to call HTTP functions; grant it to the specific users or service accounts that need to call a function rather than to allUsers.
❌ Incorrect option:
Cloud Functions Reader
→ ❌ Not a valid predefined IAM role in Google Cloud.
What are three best practices to use when implementing IAM policies for functions?
Allocate the minimum set of permissions required to develop and use your functions.
Ensure that a function sends requests only to a subset of your other functions that are needed to perform its job.
Limit the number of user and service accounts that can access the function.
In production environments, use the default runtime service account for a function’s identity.
The correct answers are:
✅ Allocate the minimum set of permissions required to develop and use your functions.
✅ Ensure that a function sends requests only to a subset of your other functions that are needed to perform its job.
✅ Limit the number of user and service accounts that can access the function.
✅ Explanation of each best practice:
Minimum Permissions (Principle of Least Privilege):
Grant only the exact permissions needed—nothing more. This minimizes risk.
Targeted Communication Between Functions:
Functions should only talk to specific other functions they actually need to interact with. This improves security and clarity of access paths.
Limit Access:
Fewer service accounts and users with access reduces the attack surface and enforces better control.
❌ Incorrect option:
“In production environments, use the default runtime service account for a function’s identity.”
→ ❌ The default service accounts typically carry broad project-wide permissions. Create a dedicated runtime service account per function with only the permissions it needs.
To improve the performance of your function, what are three best practices to follow?
Remove any unused dependencies from the function source.
In your function code, reuse objects with global variables.
Set a minimum number of instances when deploying your function.
Initialize global variables in your function code eagerly.
The correct answers are:
✅ Remove any unused dependencies from the function source.
✅ In your function code, reuse objects with global variables.
✅ Set a minimum number of instances when deploying your function.
✅ Explanation of each best practice:
Remove unused dependencies:
Reduces cold start time and deployment size, improving overall function performance.
Reuse objects with global variables:
Caching expensive resources (like DB connections or API clients) in the global scope allows them to be reused across invocations, reducing latency.
Set a minimum number of instances:
Keeps a certain number of instances “warm” and ready to serve requests, which reduces cold starts.
❌ Incorrect option:
“Initialize global variables in your function code eagerly”
→ ❌ Wrong. Initialize global variables lazily, on first use by the code path that needs them, so a cold start only pays for the objects the request actually uses.
Which two statements about retrying of functions are correct? Function retry:
If enabled, causes the function to be retried on failure for up to 7 days.
Can be enabled or disabled in Google Cloud console or with the gcloud CLI.
Is enabled by default.
Is supported for both HTTP and event-driven functions.
The correct answers are:
✅ If enabled, causes the function to be retried on failure for up to 7 days.
✅ Can be enabled or disabled in Google Cloud console or with the gcloud CLI.
✅ Explanation:
Retries for up to 7 days:
If retries are enabled, event-driven functions will retry failures automatically for up to 7 days or until successful execution.
Configuration methods:
You can enable or disable retry behavior during deployment via:
Google Cloud Console (checkbox)
gcloud CLI using the --retry flag
❌ Incorrect options:
“Is enabled by default”
→ ❌ Retry is disabled by default. You must explicitly enable it.
“Is supported for both HTTP and event-driven functions”
→ ❌ Retry is only supported for event-driven functions, not HTTP functions.
How can you control the scaling behavior of functions?
Because there are no servers to manage, functions cannot be scaled.
Set the minimum and maximum number of function instances during deployment.
Use a common configuration to control the scaling behavior of all of your functions.
Function scaling is handled automatically and cannot be controlled.
The correct answer is:
✅ Set the minimum and maximum number of function instances during deployment.
✅ Explanation:
Cloud Run functions scale automatically, but you can control their scaling behavior by:
Setting a minimum number of instances to keep some instances warm and reduce cold starts.
Setting a maximum number of instances to avoid overwhelming downstream services (e.g., databases) or limit cost.
You can configure this during deployment using:
The Google Cloud Console, or
The gcloud CLI with the --min-instances and --max-instances flags.
❌ Incorrect options:
“Because there are no servers to manage, functions cannot be scaled.”
→ ❌ False. Serverless functions do scale, and you can control that behavior.
“Use a common configuration to control the scaling behavior of all of your functions.”
→ ❌ Scaling is configured per function, not globally.
“Function scaling is handled automatically and cannot be controlled.”
→ ❌ While scaling is automatic, it can be tuned with min/max instance settings.
Which statement regarding revisions of Cloud Run functions is correct?
You cannot roll back a function to a prior revision.
When a function is deployed, a new revision is not automatically created.
You can split traffic between different revisions of a function.
You can change an existing revision of a deployed function.
The correct answer is:
✅ You can split traffic between different revisions of a function.
✅ Explanation:
Cloud Run creates a new revision each time you deploy a function.
Revisions are immutable — you cannot change a revision once deployed.
You can roll back by routing traffic to a previous revision.
You can also split traffic between revisions (e.g., 90% to new, 10% to old) for canary deployments or gradual rollouts.
❌ Incorrect options:
“You cannot roll back a function to a prior revision.”
→ ❌ False. You can roll back by re-routing traffic.
“When a function is deployed, a new revision is not automatically created.”
→ ❌ False. Every deployment creates a new revision.
“You can change an existing revision of a deployed function.”
→ ❌ False. Revisions are immutable — any changes require a new deployment.
To optimize networking for your function, which two approaches should you use?
Local scope to initialize and store network connections and API client objects.
Persistent HTTP connections.
Serverless VPC Access connectors to connect your cloud function to project resources.
The correct answers are:
✅ Persistent HTTP connections.
✅ Serverless VPC Access connectors to connect your cloud function to project resources.
✅ Explanation:
Persistent HTTP connections:
Reusing connections reduces CPU time and improves latency by avoiding repeated connection setups on each invocation.
Serverless VPC Access connectors:
Allow functions to access internal resources (like databases or VMs) within a VPC using internal IPs and DNS, keeping traffic secure and private.
❌ Incorrect option:
“Local scope to initialize and store network connections and API client objects.”
→ ❌ A connection or client created in local (function) scope is torn down when the invocation returns, so every request pays the setup cost again. Initialize such objects in global scope so a warm instance reuses them across invocations.
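The pattern from the two preceding cards (reuse objects via global scope, initialize them lazily, keep HTTP connections persistent) in one added example; this is not course code. Expensive objects live at module scope so a warm instance reuses them, and each is built by the first request that needs it, so a cold start serving /health pays for neither the database handle nor the HTTP connection. The in-memory sqlite3 handle stands in for a Cloud SQL or Spanner client, and NOTIFY_HOST is a placeholder; `http.client.HTTPSConnection` does not connect until the first request is sent, so the module imports offline.

```python
"""Lazy, module-scoped clients and a persistent HTTP connection in a function."""
import http.client
import sqlite3
from typing import Optional

NOTIFY_HOST = "notifications.example"  # placeholder downstream service

# Module (global) scope: survives across invocations on a warm instance.
_db: Optional[sqlite3.Connection] = None
_http: Optional[http.client.HTTPSConnection] = None
INIT_COUNTS = {"db": 0, "http": 0}  # how many times each object was actually built


def get_db() -> sqlite3.Connection:
    """Create the database handle on first use, then reuse it for the instance's life."""
    global _db
    if _db is None:
        INIT_COUNTS["db"] += 1
        # sqlite is only a stand-in; with request concurrency > 1 on an instance,
        # use a driver whose connection pool is thread-safe.
        _db = sqlite3.connect(":memory:", check_same_thread=False)
        _db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    return _db


def get_http() -> http.client.HTTPSConnection:
    """Create one keep-alive HTTPS connection and reuse it across invocations.

    HTTPSConnection connects on the first request() and keeps the TCP/TLS
    session open between requests, so later invocations skip the handshake.
    """
    global _http
    if _http is None:
        INIT_COUNTS["http"] += 1
        _http = http.client.HTTPSConnection(NOTIFY_HOST, timeout=5)
    return _http


def handle(path: str) -> str:
    """Entry point shaped like an HTTP function: only the path's dependencies get built."""
    if path == "/report":
        (count,) = get_db().execute("SELECT count(*) FROM orders").fetchone()
        return f"{count} orders"
    if path == "/notify":
        conn = get_http()  # reused connection; the POST itself is omitted to stay offline
        return f"notify via persistent connection to {conn.host}"
    return "ok"


if __name__ == "__main__":
    for p in ["/health", "/report", "/report", "/notify", "/notify"]:
        print(p, "->", handle(p), INIT_COUNTS)
```

Eager initialization would build both objects at import time, so every cold start, including one that only serves /health, would pay for a database handshake and an HTTPS connection it never uses; the counters make the difference visible.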
You are developing an online gaming platform as a microservices application on GKE. Users on social media are complaining about long loading times in certain parts of the application. You need to investigate performance bottlenecks in the application and identify which HTTP requests have a significantly high latency span in user requests. What should you do?
A. Instrument your microservices by installing the OpenTelemetry tracing package. Update your application code to send traces to Trace for inspection and analysis. Create an analysis report on Trace to analyze user requests.
B. Update your microservices to log HTTP request methods and requests to STDOUT. Use the logs router to send container logs to Cloud Logging. Create filters in Cloud Logging to evaluate the latency of user requests across different methods and request paths.
C. Configure GKE workload metrics using kubectl. Select all Pods to send their metrics to Cloud Monitoring. Create a custom dashboard of application metrics in Cloud Monitoring to determine performance bottlenecks of your GKE cluster.
D. Install tcpdump on your GKE nodes. Run tcpdump to capture network traffic over an extended period of time to collect data. Analyze the data files using Wireshark to determine the cause of high latency.
The correct answer is:
✅ A. Instrument your microservices by installing the OpenTelemetry tracing package. Update your application code to send traces to Trace for inspection and analysis. Create an analysis report on Trace to analyze user requests.
✅ Why A is correct:
Cloud Trace (part of Google Cloud Operations) is designed specifically to analyze latency and performance of distributed systems.
OpenTelemetry is a standard way to collect traces and metrics across microservices.
Traces help you visualize request paths, identify slow spans, and pinpoint bottlenecks in complex applications.
❌ Why the others are not ideal:
B. Cloud Logging is useful for debugging and diagnostics, but not optimized for latency analysis or tracing across distributed microservices.
C. Cloud Monitoring dashboards are great for system-level metrics (CPU, memory, etc.), but won’t give you per-request span data for identifying slow paths in HTTP requests.
D. tcpdump/Wireshark gives very low-level packet data. It shows no application spans, is laborious to capture and correlate across many nodes, and is not the tool for application-level latency investigation in microservices.
You need to containerize a web application that will be hosted on Google Cloud behind a global load balancer with SSL certificates. You don’t have the time to develop authentication at the application level, and you want to offload SSL encryption and management from your application. You want to configure the architecture using managed services where possible. What should you do?
A. Host the application on GKE, and use Identity-Aware Proxy (IAP) with Cloud Load Balancing and Google-managed certificates.
B. Host the application on GKE, and deploy an NGINX Ingress Controller to handle authentication.
C. Host the application on GKE, and deploy cert-manager to manage SSL certificates.
D. Host the application on Compute Engine, and configure Cloud Endpoints for your application.
The correct answer is:
✅ A. Host the application on GKE, and use Identity-Aware Proxy (IAP) with Cloud Load Balancing and Google-managed certificates.
✅ Why A is correct:
This approach meets all the requirements:
Managed services: GKE, Cloud Load Balancing, Google-managed SSL certificates, and IAP are all managed.
Authentication: Identity-Aware Proxy (IAP) offloads authentication and access control at the load balancer layer, so you don’t have to build it into your app.
SSL offload: Google-managed certificates terminate SSL at the global load balancer, offloading encryption/decryption from your app.
Scalability and security: This architecture is scalable, secure, and aligned with best practices for zero-trust networking.
You manage a microservice-based ecommerce platform on Google Cloud that sends confirmation emails to a third-party email service provider using a Cloud Run function. Your company just launched a marketing campaign, and some customers are reporting that they have not received order confirmation emails. You discover that the services triggering the Cloud Run function are receiving HTTP 500 errors. You need to change the way emails are handled to minimize email loss. What should you do?
A. Increase the Cloud Run function’s timeout to nine minutes.
B. Configure the sender application to publish the outgoing emails in a message to a Pub/Sub topic. Update the Cloud Run function configuration to consume the Pub/Sub queue.
C. Configure the sender application to retry the execution of the Cloud Run function every one second if a request fails.
D. Configure the sender application to write emails to Memorystore and then trigger the Cloud Run function. When the function is triggered, it reads the email details from Memorystore and sends them to the email service.
The correct answer is:
✅ B. Configure the sender application to publish the outgoing emails in a message to a Pub/Sub topic. Update the Cloud Run function configuration to consume the Pub/Sub queue.
✅ Why B is the best option:
Pub/Sub decouples the sender from the email-sending process, making the system more resilient.
Messages published to Pub/Sub are persisted until successfully acknowledged, reducing the chance of email loss.
Cloud Run can be triggered by Pub/Sub, which is designed for event-driven, at-least-once delivery — ideal for background tasks like sending emails.
This pattern is asynchronous, scalable, and fault-tolerant.
❌ Why the other options are not ideal:
A. Increase the Cloud Run function’s timeout to nine minutes
→ ❌ This only helps for long-running processes, but does not prevent email loss if the function fails or the service returns HTTP 500 errors.
C. Retry every one second if a request fails
→ ❌ Aggressive retries can cause rate-limiting or overload, and manual retry logic is brittle. Better to use Pub/Sub’s built-in retry capabilities.
D. Use Memorystore to queue messages
→ ❌ Memorystore (Redis) is not a message queue. It lacks durability guarantees and is not designed for message-based triggering or retry logic.
You are developing a web application that contains private images and videos stored in a Cloud Storage bucket. Your users are anonymous and do not have Google Accounts. You want to use your application-specific logic to control access to the images and videos. How should you configure access?
A. Generate a signed URL that grants read access to the bucket. Allow users to access the URL after authenticating through your web application.
B. Configure Identity-Aware Proxy (IAP) to authenticate users into the web application. Allow users to access the bucket after authenticating through IAP.
C. Grant the Storage Object Viewer IAM role to allUsers. Allow users to access the bucket after authenticating through your web application.
D. Cache each web application user’s IP address to create a named IP list using Google Cloud Armor. Create a Google Cloud Armor security policy that allows users to access the backend bucket.
The correct answer is:
✅ A. Generate a signed URL that grants read access to the bucket. Allow users to access the URL after authenticating through your web application.
✅ Why A is the best option:
Signed URLs allow you to grant temporary, time-limited access to specific Cloud Storage objects without requiring the user to have a Google Account.
You can generate the URL after authenticating the user through your app, giving you full control over access logic.
Ideal for anonymous users and private media that needs access control. Keep the expiry short: a signed URL is a bearer credential, and anyone who obtains it can use it until it expires.
❌ Why the other options are not ideal:
B. Configure Identity-Aware Proxy (IAP)
→ ❌ IAP requires users to have a Google identity, which is not suitable for anonymous users.
C. Grant the Storage Object Viewer IAM role to allUsers
→ ❌ This makes the bucket public to the internet, defeating the purpose of access control.
D. Use Cloud Armor with named IP list
→ ❌ IP-based access control is inflexible and insecure, especially for anonymous, internet-wide users. It also doesn’t protect individual object access.
You work on an application that relies on Cloud Spanner as its main datastore. New application features have occasionally caused performance regressions. You want to prevent performance issues by running an automated performance test with Cloud Build for each commit made. If multiple commits are made at the same time, the tests might run concurrently. What should you do?
A. Create a project with a Cloud Spanner instance and the required data. Adjust the Cloud Build build file to automatically restore the data to its previous state after the test is complete.
B. Create a new project with a random name for every build. Load the required data. Delete the project after the test is complete.
C. Create a new Cloud Spanner instance for every build. Load the required data. Delete the Cloud Spanner instance after the test is complete.
D. Start the Cloud Spanner emulator locally. Load the required data. Shut down the emulator after the test is complete.
✅ Correct answer: C. Create a new Cloud Spanner instance for every build. Load the required data. Delete the Cloud Spanner instance after the test is complete.
✅ Why C is correct:
Cloud Spanner is a global, strongly consistent, horizontally scalable database.
To avoid test interference and support parallel test execution, isolated environments are essential.
Creating a dedicated Cloud Spanner instance per build ensures:
No concurrency issues between builds
Clean state for each test
Accurate performance evaluation
Spanner instances are ephemeral in this context—created before the test, destroyed after.
❌ Why the other options are less ideal:
A. Restore data after each test in a shared instance
❌ Risk of race conditions and interference between concurrent builds.
❌ Adds complexity and overhead in state management.
B. Create a new project for every build
❌ Project creation is slow (can take minutes).
❌ Introduces unnecessary resource management complexity (IAM, billing, quotas).
D. Use the Cloud Spanner emulator
❌ The emulator is not suitable for performance testing. It does not replicate Spanner’s scalability, consistency, or performance characteristics.
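The per-build isolation chosen in option C, as an added example (not course code): each build derives a unique, valid Spanner instance ID from its Cloud Build $BUILD_ID (a UUID), creates the instance, loads data, runs the test, and deletes the instance in a finally block so a failing test never leaves a billed instance behind and concurrent builds never share state. The create/load/test/delete steps are passed in as callables; in a Cloud Build step they would run the gcloud commands returned by create_cmd and delete_cmd, while FakeSpanner stands in here so the flow runs offline. The instance config regional-us-central1 and the node count are assumptions.

```python
"""Per-build, disposable Cloud Spanner instance for a Cloud Build performance test."""
import re
from typing import Callable, List, Set, TypeVar

T = TypeVar("T")

# Spanner instance IDs: 2-64 chars, lowercase letters, digits and hyphens,
# starting with a letter and ending with a letter or digit.
_INSTANCE_ID_RE = re.compile(r"^[a-z][-a-z0-9]{0,62}[a-z0-9]$")


def instance_id_for_build(build_id: str, prefix: str = "perf") -> str:
    """Derive a Spanner instance ID from the build ID; 'perf-' + a UUID is 41 chars."""
    candidate = f"{prefix}-{build_id.lower()}"
    if not _INSTANCE_ID_RE.match(candidate):
        raise ValueError(f"not a valid Spanner instance ID: {candidate!r}")
    return candidate


def create_cmd(instance_id: str, nodes: int = 1) -> List[str]:
    """gcloud command a Cloud Build step would run to create the instance (config assumed)."""
    return [
        "gcloud", "spanner", "instances", "create", instance_id,
        "--config=regional-us-central1", f"--nodes={nodes}",
        f"--description=perf test {instance_id}",
    ]


def delete_cmd(instance_id: str) -> List[str]:
    """gcloud command to tear the instance down; --quiet skips the confirmation prompt."""
    return ["gcloud", "spanner", "instances", "delete", instance_id, "--quiet"]


def run_isolated_perf_test(
    build_id: str,
    create: Callable[[str], None],
    load: Callable[[str], None],
    test: Callable[[str], T],
    delete: Callable[[str], None],
) -> T:
    """Create -> load -> test -> always delete, on an instance owned by this build alone."""
    instance_id = instance_id_for_build(build_id)
    create(instance_id)
    try:
        load(instance_id)
        return test(instance_id)
    finally:
        delete(instance_id)  # runs on success and on failure alike; nothing is left billing


class FakeSpanner:
    """In-memory stand-in for the Spanner admin API, used only to run this offline."""

    def __init__(self) -> None:
        self.live: Set[str] = set()
        self.created: List[str] = []

    def create(self, instance_id: str) -> None:
        if instance_id in self.live:
            raise RuntimeError(f"{instance_id} already exists")
        self.live.add(instance_id)
        self.created.append(instance_id)

    def delete(self, instance_id: str) -> None:
        self.live.remove(instance_id)


if __name__ == "__main__":
    spanner = FakeSpanner()
    build = "0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0"  # constructed build ID
    print(" ".join(create_cmd(instance_id_for_build(build))))
    print(run_isolated_perf_test(build, spanner.create, lambda i: None,
                                 lambda i: "p99 latency 12 ms", spanner.delete))
    print("instances still live:", spanner.live)
```

Because the ID is a pure function of the build ID, two builds running at the same time can never collide on an instance, and a build that crashes mid-test still reaches the delete step; the only leak path left is a build killed before the finally block runs, which a scheduled sweep for stale perf-* instances can cover.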
You need to deploy an internet-facing microservices application to GKE. You want to validate new features using the A/B testing method. You have the following requirements for deploying new container image releases:
- There is no downtime when new container images are deployed.
- New production releases are tested and verified using a subset of production users.
What should you do?
A. 1. Configure your CI/CD pipeline to update the Deployment manifest file by replacing the container version with the latest version. 2. Recreate the Pods in your cluster by applying the Deployment manifest file. 3. Validate the application’s performance by comparing its functionality with the previous release version, and roll back if an issue arises.
B. 1. Install Cloud Service Mesh on your GKE cluster. 2. Create two Deployments on the GKE cluster, and label them with different version names. 3. Configure a weight-based traffic splitting action to send a small percentage of traffic to the Deployment that references the new version of the application.
C. 1. Create a second namespace on GKE for the new release version. 2. Create a Deployment configuration for the second namespace with the desired number of Pods. 3. Deploy new container versions in the second namespace. 4. Update the Ingress configuration to route traffic to the namespace with the new container versions.
D. 1. Implement a rolling update pattern by replacing the Pods gradually with the new release version. 2. Validate the application’s performance for the new subset of users during the rollout, and roll back if an issue arises.
The correct answer is:
✅ B. Install Cloud Service Mesh on your GKE cluster, create two Deployments labelled with different version names, and configure weight-based traffic splitting to send a small percentage of traffic to the new version.
Here’s why B is the best choice:
✅ Cloud Service Mesh (such as Anthos Service Mesh or Istio) provides advanced traffic management features, like:
A/B testing and canary deployments
Traffic splitting based on weights
Fine-grained routing rules and observability
✅ This setup allows you to:
Deploy two versions of the app simultaneously.
Send a small portion of traffic to the new version (e.g., 10%).
Validate the behavior in production without affecting most users.
Perform a gradual rollout or rollback depending on test re
Your team is writing a backend application to implement the business logic for an interactive voice response (IVR) system that will support a payroll application.
The IVR system has the following technical characteristics:
- Each customer phone call is associated with a unique IVR session.
- The IVR system creates a separate persistent gRPC connection to the backend for each session.
- If the connection is interrupted, the IVR system establishes a new connection, causing a slight latency for that call.
You need to determine which compute environment should be used to deploy the backend application. Using current call data, you determine that:
- Call duration ranges from 1 to 30 minutes.
- Calls are typically made during business hours.
- There are significant spikes of calls around certain known dates (e.g., pay days), or when large payroll changes occur.
You want to minimize cost, effort, and operational overhead. Where should you deploy the backend application?
A. Cloud Run
B. Cloud Run functions
C. GKE cluster in Standard mode
D. Compute Engine
Correct answer: A. Cloud Run
🧠 Reasoning:
You need to choose a compute option that:
Handles persistent gRPC connections
Scales rapidly to handle bursty traffic (e.g., paydays)
Supports long-lived sessions (up to 30 minutes)
Has low operational overhead and cost
Doesn’t require managing infrastructure manually
🔍 Option Analysis:
A. Cloud Run — ✅ Best Fit
✅ Supports gRPC natively, including bidirectional streaming
✅ Automatic scaling — handles bursts gracefully (perfect for paydays)
✅ Pay-per-use pricing — great for variable traffic
✅ Supports long-lived requests (up to 60 minutes)
✅ Very low operational overhead — no servers or clusters to manage
➡️ Ideal for backend services that handle individual session-based gRPC connections.
B. Cloud Run functions — ❌ Not Suitable
❌ Not designed for persistent connections
❌ Best for short-lived event-driven functions (not 30-minute calls)
❌ No gRPC support in current Cloud Functions (1st or 2nd gen)
C. GKE Standard — ❌ Overkill
✅ Can handle gRPC and scaling with proper configuration
❌ High operational complexity — you manage nodes, networking, autoscaling, etc.
❌ More expensive and requires significant setup and maintenance
D. Compute Engine — ❌ Too Manual
✅ Can support gRPC
❌ Manual scaling
❌ You manage VMs, updates, load balancing
❌ Poor fit for bursty workloads or high scaling needs
✅ Conclusion: Use Cloud Run
It gives you everything you need:
gRPC support
Long call durations
Auto-scaling
You are developing a new application. You want the application to be triggered only when a given file is updated in your Cloud Storage bucket. Your trigger might change, so your process must support different types of triggers. You want the configuration to be simple so that multiple team members can update the triggers in the future. What should you do?
A. Configure a Cloud Run function that executes your application and is triggered when an object is updated in Cloud Storage.
B. Create an Eventarc trigger that monitors your Cloud Storage bucket for a specific filename, and set the target as Cloud Run.
C. Configure a Firebase function that executes your application and is triggered when an object is updated in Cloud Storage.
D. Configure Cloud Storage events to be sent to Pub/Sub, and use Pub/Sub events to trigger a Cloud Build job that executes your application.
You are a developer at a large organization. You have an application written in Go running in a production GKE cluster. You need to add a new feature that requires access to BigQuery. You want to grant BigQuery access to your GKE cluster following Google-recommended best practices. What should you do?
A. Create a Google service account with BigQuery access. Add the JSON key to Secret Manager, and use the Go client library to access the JSON key.
B. Create a Google service account with BigQuery access. Add the Google service account JSON key as a Kubernetes secret, and configure the application to use this secret.
C. Create a Google service account with BigQuery access. Add the Google service account JSON key to Secret Manager, and use an init container to access the secret for the application to use.
D. Create a Google service account and a Kubernetes service account. Configure Workload Identity on the GKE cluster, and reference the Kubernetes service account on the application Deployment.
Correct answer: D. Create a Google service account and a Kubernetes service account. Configure Workload Identity on the GKE cluster, and reference the Kubernetes service account on the application Deployment.
🧠 Explanation:
This question is about granting secure, least-privilege access to BigQuery from a GKE workload — while following Google-recommended best practices.
🔍 Option Analysis:
A. Use service account JSON key in Secret Manager — ❌ Not best practice
Storing long-lived credentials like service account keys in Secret Manager is better than hardcoding, but still not recommended.
Google Cloud strongly recommends avoiding downloading and managing keys whenever possible.
B. Add service account JSON key as Kubernetes secret — ❌ Risky
This is a legacy approach and poses security risks (keys can be leaked, rotated incorrectly, etc.).
It goes against the principle of least privilege and secure identity federation.
C. Use init container to fetch key from Secret Manager — ❌ Still uses a service account key
Slightly more secure than B, but still uses a long-lived service account key, which is discouraged.
Extra complexity with key management and lifecycle.
D. Workload Identity with GKE — ✅ Recommended
🔐 Most secure and scalable method to authenticate workloads in GKE.
🔄 Eliminates the need to manage service account keys.
🧠 Integrates IAM with Kubernetes Service Accounts using identity federation.
👌 Google’s best practice for accessing Google Cloud APIs from GKE workloads.
✅ How it works:
Enable Workload Identity on the GKE cluster.
Create a Google service account with BigQuery access.
Create a Kubernetes service account in your namespace.
Bind the GCP IAM service account to the Kubernetes service account using an IAM policy binding.
Reference the KSA in your Deployment YAML.
The Go app will use Application Default Credentials (ADC) via Workload Identity to access BigQuery securely.
You are developing a Java Web Server that needs to interact with the Cloud Storage API on your users’ behalf. Users should be able to authenticate to the Cloud Storage API using their Google identities. Which workflow should you implement in your web application?
A. 1. When a user arrives at your application, prompt them for their Google username and password. 2. Store an SHA password hash in your application’s database along with the user’s username. 3. The application authenticates to the Cloud Storage API using HTTPS requests with the user’s username and password hash in the Authorization request header.
B. 1. When a user arrives at your application, prompt them for their Google username and password. 2. Forward the user’s username and password in an HTTPS request to the Google authorization server, and request an access token. 3. The Google server validates the user’s credentials and returns an access token to the application. 4. The application uses the access token to call the Cloud Storage API.
C. 1. When a user arrives at your application, route them to an OAuth consent screen with a list of requested permissions that prompts the user to sign in with SSO to their Google Account. 2. After the user signs in and provides consent, your application receives an authorization code from a Google server. 3. The Google server returns the authorization code to the user, which is stored in the browser’s cookies. 4. The user authenticates to the Cloud Storage API using the authorization code in the cookie.
D. 1. When a user arrives at your application, route them to an OAuth consent screen with a list of requested permissions that prompts the user to sign in with SSO to their Google Account. 2. After the user signs in and provides consent, your application receives an authorization code from a Google server. 3. The application requests a Google Server to exchange the authorization code with an access token. 4. The Google server responds with the access token that is used by the application to call the Cloud Storage API.
✅ Correct answer: D.
🧠 Explanation:
You’re building a Java Web Server that needs to access Google Cloud Storage on behalf of users using their Google identities. This is a classic case for using OAuth 2.0 Authorization Code Flow, which is the standard Google-recommended approach for server-side web applications.
✅ Why D is correct:
✅ OAuth Consent Screen: This is required to let users authorize access to their Google account (and permissions to use services like Cloud Storage).
✅ Authorization Code: After the user consents, Google returns an authorization code to your server (not to the browser cookies).
✅ Token Exchange: Your server securely exchanges the authorization code for an access token by making a call to Google’s OAuth token endpoint.
✅ Access Token Usage: Your backend app uses this access token to call the Cloud Storage API on the user’s behalf.
This process is secure, standard, and follows best practices for web server applications.
❌ Why the other options are wrong:
A: Asking for and storing user passwords violates Google policies and security best practices. Never handle raw credentials.
B: Same issue as A – you’re handling usernames and passwords directly, which is insecure and not supported by Google.
C: Although it starts off correctly with the OAuth consent screen, it wrongly suggests the authorization code is stored in cookies and used directly by the user to authenticate to Google APIs. That’s not how OAuth 2.0 works.
You have an application running on GKE. The application is currently using a logging library and is outputting to standard output. You need to export the logs to Cloud Logging, and you need the logs to include metadata about each request. You want to use the simplest method to accomplish this. What should you do?
A. Update your application to output logs in JSON format, and add the necessary metadata to the JSON.
B. Change your application’s logging library to the Cloud Logging library, and configure your application to export logs to Cloud Logging.
C. Install the Fluent Bit agent on each of your GKE nodes, and have the agent export all logs from /var/log.
D. Update your application to output logs in CSV format, and add the necessary metadata to the CSV.
Correct answer: B.
Change your application’s logging library to the Cloud Logging library, and configure your application to export logs to Cloud Logging.
🧠 Explanation:
Since your application is already running on Google Kubernetes Engine (GKE) and you want the simplest method to export logs with metadata about each request, the best solution is to:
Use the Cloud Logging client library for your application’s language (e.g., Java, Go, Python).
This client automatically adds metadata such as trace IDs, severity, timestamps, resource labels (e.g., GKE pod, cluster, namespace), etc.
Logs are sent directly to Cloud Logging without needing to manage external agents or parse log files.
❌ Why the other options are incorrect:
A. JSON output: This requires you to manually add metadata and format logs, which is more complex and error-prone.
C. Fluent Bit: This is not the simplest option. Fluent Bit or Fluentd can be used for custom log pipelines but require extra setup and maintenance.
D. CSV format: Not supported by Cloud Logging, and doesn’t provide structured logging or automatic metadata enrichment.
You are a developer at a financial institution. You use Cloud Shell to interact with Google Cloud services. User data is currently stored on an ephemeral disk; however, a new company policy mandates that you can no longer store sensitive information on an ephemeral disk. You need to implement a new storage solution for your user data. You want to minimize code changes. Where should you store your user data?
A. Store user data on a Cloud Shell home disk, and log in at least every 120 days to prevent its deletion.
B. Store user data on a persistent disk in a Compute Engine instance.
C. Store user data in a Cloud Storage bucket.
D. Store user data in BigQuery tables.
✅ Correct answer: C. Store user data in a Cloud Storage bucket.
🧠 Explanation:
Cloud Shell ephemeral disks are not suitable for storing sensitive or persistent data.
Cloud Storage is:
Durable and persistent.
Easy to integrate with Cloud Shell (via gsutil or the Cloud Console).
Minimal code changes: simply replace local file paths with a Cloud Storage URI (e.g., gs://your-bucket-name/filename).
Secure, with support for IAM, audit logging, and encryption (including CMEK if needed).
❌ Why the other options are incorrect:
A. Cloud Shell home disk: While more persistent than the ephemeral disk, it can still be deleted after 120 days of inactivity — not reliable for sensitive, long-term storage.
B. Persistent disk in a Compute Engine instance: Adds operational complexity — requires managing VMs, networking, and security.
D. BigQuery tables: Designed for structured analytics, not general-purpose file or object storage. Overkill unless the data will be queried.
Your team is developing unit tests for Cloud Run function code. The source code is stored in a Cloud Source Repositories repository. You are responsible for implementing the tests. Only a specific service account has the necessary permissions to deploy the code to Cloud Run functions. You want to ensure that the code cannot be deployed without first passing the tests. How should you configure the unit testing process?
A. Configure Cloud Build to deploy the Cloud Run function. If the code passes the tests, a deployment approval is sent to you.
B. Configure Cloud Build to deploy the Cloud Run function, using the specific service account as the build agent. Run the unit tests after successful deployment.
C. Configure Cloud Build to run the unit tests. If the code passes the tests, the developer deploys the Cloud Run function.
D. Configure Cloud Build to run the unit tests, using the specific service account as the build agent. If the code passes the tests, Cloud Build deploys the Cloud Run function.
✅ Correct answer: D. Configure Cloud Build to run the unit tests, using the specific service account as the build agent. If the code passes the tests, Cloud Build deploys the Cloud Run function.
🧠 Explanation:
This option ensures that:
Unit tests run before any deployment.
The deployment only happens if tests pass, which enforces quality control.
The deployment uses the correct service account, which has the required permissions.
The entire process is automated, secure, and aligned with CI/CD best practices.
❌ Why the other options are incorrect:
A. Sending a manual approval adds human error and delays. It doesn’t ensure that only passing code is deployed automatically.
B. Running unit tests after deployment defeats the purpose of preventing bad code from being deployed in the first place.
C. Involves manual deployment by a developer, which bypasses automation and the permissions restriction.
You are planning to add unit tests to your application. You need to be able to assert that published Pub/Sub messages are processed by your subscriber in order. You want the unit tests to be cost-effective and reliable. What should you do?
A. Create a topic and subscription for each tester.
B. Implement a mocking framework.
C. Use the Pub/Sub emulator.
D. Add a filter by tester to the subscription.
✅ Correct answer: C. Use the Pub/Sub emulator.
🧠 Explanation:
Using the Pub/Sub emulator is the best option for cost-effective and reliable unit testing:
No cost: The emulator runs locally and avoids charges from the actual Pub/Sub service.
Reliable and repeatable: It enables deterministic testing scenarios, including verifying message order.
Faster feedback loop: No need to interact with real infrastructure.
Simulates real Pub/Sub behavior for development and testing, without external dependencies.
❌ Why the other options fall short:
A. Create a topic and subscription for each tester:
Costly and hard to manage. Doesn’t ensure ordered processing or reliability.
B. Implement a mocking framework:
Useful in some cases, but doesn’t test actual Pub/Sub message handling logic or ordering behavior like the emulator can.
D. Add a filter by tester to the subscription:
This helps isolate messages but doesn’t help test order or reduce cost.
Before promoting your new application code to production, you want to conduct testing across a variety of different users. Although this plan is risky, you want to test the new version of the application with production users and you want to control which users are forwarded to the new version of the application based on their operating system. If bugs are discovered in the new version, you want to roll back the newly deployed version of the application as quickly as possible. What should you do?
A. Deploy your application on Cloud Run. Use traffic splitting to direct a subset of user traffic to the new version based on the revision tag.
B. Deploy your application on Compute Engine. Use Traffic Director to direct a subset of user traffic to the new version based on predefined weights.
C. Deploy your application on GKE with Cloud Service Mesh. Use traffic splitting to direct a subset of user traffic to the new version based on the user-agent header.
D. Deploy your application on Cloud Run. Use traffic splitting to direct a subset of user traffic to a list of revisions with specified weights.
Correct Answer: C. Deploy your application on GKE with Cloud Service Mesh. Use traffic splitting to direct a subset of user traffic to the new version based on the user-agent header.
🧠 Explanation:
You want fine-grained control to direct traffic based on user attributes (like operating system).
GKE with Cloud Service Mesh (formerly Istio) supports advanced traffic management features, including:
Traffic splitting by HTTP headers, like User-Agent.
Canary deployments and staged rollouts.
Fast rollback by updating routing rules.
The User-Agent header contains OS info, so this lets you test new versions with users on specific operating systems.
❌ Why the other options don’t fit:
A. Cloud Run + revision tag traffic splitting
Traffic splitting in Cloud Run is based on percentages, not user attributes like headers.
B. Compute Engine + Traffic Director
Traffic Director allows load balancing but doesn’t support fine-grained header-based routing without a lot of extra setup.
D. Cloud Run + traffic weights
Again, this is percentage-based, and cannot route based on request content (like User-Agent).
You are responsible for deploying a new API. That API will have three different URL paths:
- https://yourcompany.com/students
- https://yourcompany.com/teachers
- https://yourcompany.com/classes
You need to configure each API URL path to invoke a different function in your code. What should you do?
A. Create three Cloud Run functions as three backend services exposed using an HTTPS load balancer.
B. Create one Cloud Run function exposed directly.
C. Create one Cloud Run function as a backend service exposed using an HTTPS load balancer.
D. Create three Cloud Run functions exposed directly.
✅ Correct Answer: A. Create three Cloud Run functions as three backend services exposed using an HTTPS load balancer.
🧠 Explanation:
You want each URL path (/students, /teachers, /classes) to invoke a different function. This means:
You need routing logic to direct traffic based on the URL path.
Cloud Run does not support native path-based routing across multiple services.
The best solution is to:
Deploy each function as a separate Cloud Run service.
Use an HTTPS Load Balancer with URL map rules to route traffic to each function based on the path.
❌ Why the other options don’t work:
B. One Cloud Run function exposed directly
You could handle routing in your application code, but the question specifies that each path should invoke a different function, not just different logic in one function.
C. One Cloud Run function as a backend service exposed via load balancer
Again, this implies only one deployed function is handling all routes, which doesn’t meet the requirement.
D. Three Cloud Run functions exposed directly
This lacks centralized routing. Each function would need its own domain or custom routing logic in your client — not ideal for a unified API.
Your team has created an application that is deployed in a single GKE cluster. The application is split into two different Deployments, each with their own Service and accessed using a different HTTP path.
A legacy client running on-premises needs to access the application through Cloud Interconnect through a single IP address. How should you expose the application? (choose two)
A. Create a Gateway with the Gateway Class Name: gke-l7-rilb specification.
B. Create a Service with the networking.gke.io/load-balancer-type: "Internal" annotation.
C. Create a Service of type LoadBalancer.
D. Create a Service of type NodePort.
E. Create a Service with a selector that matches both Deployments.
F. Create an HTTPRoute pointing to both Services.
✅ Correct Answers: A and F
🔍 Explanation:
You need to expose multiple services in a GKE cluster under different HTTP paths using a single IP address, accessible via Cloud Interconnect (i.e., internal access).
✅ A. Create a Gateway with the Gateway Class Name: gke-l7-rilb specification.
This sets up a Regional Internal Layer 7 Load Balancer (RILB), perfect for routing HTTP traffic to multiple backend services based on path or host rules.
Required for internal access via Cloud Interconnect.
✅ F. Create an HTTPRoute pointing to both Services.
Defines HTTP path-based routing to each of your GKE services.
HTTPRoute is part of the GKE Gateway API, used with the Gateway to direct traffic correctly.
❌ Why the others are incorrect:
B. Service with networking.gke.io/load-balancer-type: "Internal"
Only gives you an L4 Internal Load Balancer, which doesn’t support HTTP path-based routing.
C. Service of type LoadBalancer
By default, this creates a public IP, which won’t work with Cloud Interconnect unless additional setup is done — and it’s not needed here.
D. Service of type NodePort
Exposes individual Pods directly on each node, not ideal for centralized access or L7 routing.
E. Service with selector matching both Deployments
You cannot route path-based traffic to different backends this way. You’d just combine them into one backend, which breaks the separation by path.
You are developing an application using different microservices that must remain internal to the cluster. You want the ability to configure each microservice with a specific number of replicas. You also want the ability to address a specific microservice from any other microservice in a uniform way, regardless of the number of replicas the microservice scales to. You plan to implement this solution on GKE. What should you do?
A. Deploy each microservice as a Deployment. Expose the Deployment in the cluster using a Service, and use the Service DNS name to address it from other microservices within the cluster.
B. Deploy each microservice as a Deployment. Expose the Deployment in the cluster using an Ingress, and use the Ingress IP address to address the Deployment from other microservices within the cluster.
C. Deploy each microservice as a Pod. Expose the Pod in the cluster using a Service, and use the Service DNS name to address the microservice from other microservices within the cluster.
D. Deploy each microservice as a Pod. Expose the Pod in the cluster using an Ingress, and use the Ingress IP address to address the Pod from other microservices within the cluster.
Correct Answer: A.
✅ A. Deploy each microservice as a Deployment. Expose the Deployment in the cluster using a Service, and use the Service DNS name to address it from other microservices within the cluster.
This is the Google-recommended and Kubernetes-native approach.
Deployment: Manages the replica count and handles rolling updates.
ClusterIP Service: Exposes the Deployment internally within the cluster (default Service type).
DNS Resolution: Kubernetes automatically creates a DNS name for the Service (<service-name>.<namespace>.svc.cluster.local), allowing uniform access regardless of replicas.
Your application is running as a container in a GKE cluster. You need to add a secret to your application using a secure approach that prevents the secret being revealed by calls to the Kubernetes API server. What should you do?
A. Create a Kubernetes Secret, and pass the Secret as an environment variable to the container.
B. Enable GKE Application-layer Secrets Encryption on the cluster using a Cloud Key Management Service (KMS) key.
C. Store the Secret in Cloud KMS. Create a Google service account to read the Secret from Cloud KMS. Export the service account key in JSON format, and mount the JSON file on the container as a ConfigMap volume which can read the Secret from Cloud KMS.
D. Store the Secret in Secret Manager. Create a Google service account to read the Secret from Secret Manager. Create a Kubernetes service account to run the container. Use Workload Identity to authenticate as the Google service account.
Correct Answer: D.
🔐 D. Store the Secret in Secret Manager. Create a Google service account to read the Secret from Secret Manager. Create a Kubernetes service account to run the container. Use Workload Identity to authenticate as the Google service account.
This is the most secure and recommended Google Cloud approach:
Secret Manager: Secure, managed service for storing secrets.
Workload Identity: Allows GKE workloads to authenticate as a Google service account without using long-lived credentials.
No secrets exposed via Kubernetes API: Avoids risk of API server exposure.
IAM-based access: Fine-grained control over who/what can access the secret.
❌ Why the other options are not ideal:
A. Kubernetes Secret + env variable
Secrets are base64 encoded and can be accessed through the Kubernetes API, which does not meet the requirement of not revealing the secret that way.
B. GKE Application-layer Secrets Encryption
This encrypts Kubernetes secrets at rest, but the secret can still be retrieved via the Kubernetes API by authorized users — so it doesn’t meet the requirement.
C. Store secret in KMS + mount JSON key
This involves managing long-lived service account keys, which is a security risk and goes against best practices.
🔐 Summary:
Use Secret Manager for secure storage and Workload Identity for secure, keyless access from GKE workloads. It’s scalable, manageable, and compliant with Google’s security recommendations.
You manage a microservices application on GKE using Istio. You secure the communication channels between your microservices by implementing an Istio AuthorizationPolicy, a Kubernetes NetworkPolicy, and mTLS on your GKE cluster. You discover that HTTP requests between two Pods to specific URLs fail, while other requests between the pods to other URLs succeed. What is the cause of the connection issue?
A. A Kubernetes NetworkPolicy resource is blocking HTTP traffic between the Pods.
B. The Pod initiating the HTTP requests is attempting to connect to the target Pod via an incorrect TCP port.
C. The AuthorizationPolicy of your cluster is blocking HTTP requests for specific paths within your application.
D. The cluster has mTLS configured in permissive mode, but the Pod’s sidecar proxy is sending unencrypted traffic in plain text.
Correct Answer: C. The AuthorizationPolicy of your cluster is blocking HTTP requests for specific paths within your application.
🧠 Explanation:
You mentioned that:
Some HTTP requests between pods are working, while others (to specific URLs) are failing.
You are using Istio with:
mTLS
Istio AuthorizationPolicy
Kubernetes NetworkPolicy
You are developing a microservice-based application that will run on GKE. Some of the services need to access different Google Cloud APIs. How should you set up authentication of these services in the cluster following Google-recommended best practices? (choose two)
A. Use the service account attached to the GKE node.
B. Enable Workload Identity on the cluster.
C. Access the Google service account keys from Secret Manager.
D. Store the Google service account keys in Secret Manager.
E. Use gcloud to bind the Google service accounts and the Kubernetes service accounts using roles/iam.workloadIdentityUser.
Correct Answers: B and E
🧠 Explanation:
To authenticate microservices in GKE to access Google Cloud APIs following best practices, you should use Workload Identity instead of relying on service account keys.
✅ B. Enable Workload Identity on the cluster
This is Google’s recommended approach.
Workload Identity allows Kubernetes service accounts to act as Google service accounts, enabling secure and manageable identity-based access to GCP APIs without using keys.
✅ E. Use gcloud to bind the Google service accounts and the Kubernetes service accounts using roles/iam.workloadIdentityUser
This step is essential to link the GKE identity to the GCP identity.
The roles/iam.workloadIdentityUser role allows a Kubernetes service account to impersonate the linked Google service account.
❌ Why the other options are incorrect:
A. Use the service account attached to the GKE node
❌ This is not recommended because all pods on the node share the same identity, which violates the principle of least privilege.
C/D. Access or store service account keys in Secret Manager
❌ Using downloaded service account keys is discouraged due to security risks (e.g., key leakage).
Workload Identity eliminates the need for managing and rotating keys manually.
Your company’s product team has a new requirement based on customer demand to autoscale your stateless and distributed service running in a GKE cluster. You want to find a solution that minimizes changes because this feature will go live in two weeks. What should you do?
A. Deploy a Vertical Pod Autoscaler, and scale based on the CPU load.
B. Deploy a Vertical Pod Autoscaler, and scale based on a custom metric.
C. Deploy a Horizontal Pod Autoscaler, and scale based on the CPU load.
D. Deploy a Horizontal Pod Autoscaler, and scale based on a custom metric.
Correct Answer: C. Deploy a Horizontal Pod Autoscaler, and scale based on the CPU load.
🧠 Explanation:
Horizontal Pod Autoscaler (HPA) is designed to automatically scale the number of pods in a Kubernetes deployment based on observed metrics like CPU utilization or custom metrics.
CPU load is one of the most common, supported, and simplest metrics to use for autoscaling.
Since this is a stateless, distributed service, it’s ideal for horizontal scaling.
Given the tight timeline (two weeks), using HPA with CPU metrics ensures:
Minimal configuration and changes
Native support in GKE
Proven reliability
❌ Why the other options are less suitable:
A. Vertical Pod Autoscaler (VPA), CPU load
VPA adjusts resource requests/limits of pods, not the number of pods.
It can cause pod restarts and is not ideal for stateless services needing quick autoscaling.
B. VPA, custom metric
Same issue as above, plus custom metrics require more setup (e.g., Prometheus + Adapter), which isn’t ideal for a short timeline.
D. HPA, custom metric
While valid for advanced use cases, it requires more setup and monitoring infrastructure (like Prometheus + Metrics Server + Custom Metrics Adapter).
Your team is developing an ecommerce platform for your company. Users will log in to the website and add items to their shopping cart. Users will be automatically logged out after 30 minutes of inactivity. When users log back in, their shopping cart should be available. How should you store users’ session and shopping cart information while following Google-recommended best practices?
A. Store the session and shopping cart information in local memory and enable cookie-based session affinity in a global external HTTP(S) load balancer.
B. Store the shopping cart information in an object on Cloud Storage where the object name is the session identifier.
C. Store the session and shopping cart information in BigQuery.
D. Store the session information in Memorystore for Redis, and store the shopping cart information in Firestore.
Correct Answer: D. Store the session information in Memorystore for Redis, and store the shopping cart information in Firestore.
🧠 Explanation:
Google-recommended best practices for modern web apps suggest separating session state from application instances and using fully managed, scalable, and low-latency services. Let’s break down why D is the best fit:
✅ Memorystore for Redis (for session management):
Ideal for short-lived, fast-access data like session tokens or user session data.
Low latency with in-memory storage.
30-minute inactivity expiration fits perfectly with Redis TTL (Time to Live).
Fully managed, scalable, and easy to integrate with GKE, App Engine, or Cloud Run.
✅ Firestore (for shopping cart storage):
NoSQL database ideal for semi-structured data like shopping carts.
Built-in real-time updates, offline support, and strong consistency.
Allows cart persistence across sessions.
Scales automatically and is cost-effective for ecommerce-style applications.
❌ Why the other options are not ideal:
A. Local memory + cookie-based affinity
Not fault-tolerant or scalable.
Session lost if instance crashes or scales down.
Session stickiness doesn’t guarantee resilience.
B. Cloud Storage per-session object
Not optimal for fast, transactional data like cart interactions.
High-latency for frequent updates.
C. BigQuery
Built for analytics, not transactional operations.
Slower and more expensive for frequent reads/writes.
You recently developed a web application to transfer log data to a Cloud Storage bucket daily. Authenticated users will regularly review logs from the prior two weeks for critical events. After that, logs will be reviewed once annually by an external auditor. Data must be stored for a period of no less than 7 years. You want to propose a storage solution that meets these requirements and minimizes costs. What should you do? (Choose two)
A. Use the Bucket Lock feature to set the retention policy on the data.
B. Run a scheduled job to set the storage class to Coldline for objects older than 14 days.
C. Create a JSON Web Token (JWT) for users needing access to the Coldline storage buckets.
D. Create a lifecycle management policy to set the storage class to Coldline for objects older than 14 days.
E. Create a lifecycle management policy to set the storage class to Nearline for objects older than 14 days.
The correct answers are:
✅ A. Use the Bucket Lock feature to set the retention policy on the data.
✅ D. Create a lifecycle management policy to set the storage class to Coldline for objects older than 14 days.
✅ Explanation:
A. Use the Bucket Lock feature
Required to enforce the 7-year retention policy.
Prevents deletion or modification of objects before the specified retention period ends.
Meets compliance and audit requirements.
D. Lifecycle policy to Coldline for objects older than 14 days
Coldline is optimized for infrequently accessed data (like yearly audits).
Lifecycle rules automatically move older objects to cheaper storage tiers, saving costs.
Moving objects after 14 days ensures performance for recent access and savings for long-term retention.
❌ Why the other options are incorrect:
B. Run a scheduled job
Manual and error-prone. Lifecycle policies are preferred for automatic and reliable data tiering.
C. Create a JWT for access
JWTs are used for short-lived access tokens, not a storage class or access management strategy for Coldline buckets.
E. Use Nearline
Nearline is for access about once a month. Coldline is more cost-effective for annual access (e.g., external audits).
You are developing an application that will store and access objects in a Cloud Storage bucket. To comply with regulatory requirements, you need to ensure that all objects are available for at least 7 years after their initial creation. Objects created more than 3 years ago are accessed very infrequently (less than once a year). You need to configure object storage while ensuring that storage cost is optimized. What should you do? (choose two)
A. Set a retention policy on the bucket with a period of 7 years.
B. Include the creation time in the prefix name of the object, and use IAM Conditions to provide only read access to objects within 7 years of the object creation date.
C. Enable Object Versioning to prevent objects from being accidentally deleted for 7 years after object creation.
D. Create an object lifecycle policy on the bucket that moves objects from Standard Storage to Archive Storage after 3 years.
E. Implement a Cloud Run function that checks the age of each object in the bucket and moves the objects older than 3 years to a second bucket with the Archive Storage class. Use Cloud Scheduler to trigger the Cloud Run function on a daily schedule.
The correct answers are:
✅ A. Set a retention policy on the bucket with a period of 7 years.
✅ D. Create an object lifecycle policy on the bucket that moves objects from Standard Storage to Archive Storage after 3 years.
✅ Explanation:
A. Set a retention policy on the bucket with a period of 7 years
This ensures compliance by preventing deletion or modification of objects for at least 7 years.
Meets regulatory requirements for data retention.
D. Create a lifecycle policy to move objects to Archive Storage after 3 years
Archive Storage is the lowest-cost storage tier, ideal for rarely accessed data (less than once per year).
Automatically transitioning objects after 3 years optimizes cost while keeping data accessible when needed.
❌ Why the other options are incorrect:
B. Use IAM Conditions with creation time in prefix
IAM Conditions don’t guarantee data retention or protection against deletion — they only control access, not lifecycle or compliance.
C. Enable Object Versioning
Object versioning protects against accidental deletion, but it doesn’t enforce retention or cost optimization. It could actually increase storage costs if old versions pile up.
E. Use Cloud Run with Cloud Scheduler
This is overly complex and unnecessary. Google Cloud Storage lifecycle management policies already provide this functionality natively and more efficiently.
You are developing a web application that will run on Google Cloud. The rate of the incoming user traffic is expected to be unpredictable, with no traffic on most days and large spikes on other days. You need the application to automatically scale up and down, and you need to minimize the cost associated with running the application. What should you do?
A. Build the application with Firestore as the database. Deploy the application to Cloud Run.
B. Build the application with Firestore as the database. Deploy the application to a GKE Standard cluster.
C. Build the application with Cloud SQL as the database. Deploy the application to a GKE Autopilot cluster.
D. Build the application with Firestore as the database. Deploy the application to a Compute Engine managed instance group with autoscaling.
The correct answer is:
✅ A. Build the application with Firestore as the database. Deploy the application to Cloud Run.
✅ Explanation:
Cloud Run
Fully managed and serverless, so you only pay when your application is running.
Auto-scales instantly and automatically based on incoming traffic — including scaling down to zero when there’s no traffic, which minimizes cost.
Firestore
Serverless NoSQL database with automatic scaling and real-time capabilities.
Ideal for web applications with unpredictable workloads.
❌ Why not the others?
B. GKE Standard
Offers autoscaling, but you still pay for control plane and base node pool resources, even during idle times.
C. GKE Autopilot
Better than Standard in terms of cost-efficiency, but not as cost-effective as Cloud Run for bursty traffic that frequently scales to zero.
D. Compute Engine managed instance group
More manual setup and not serverless; higher baseline costs due to VM overhead even with autoscaling.
Your company’s development teams want to use various open source operating systems in their container images. When images are published, you need to scan them for Common Vulnerabilities and Exposures (CVEs). The scanning process must not impact software development agility. You want to use managed services where possible. What should you do?
A. Enable the Container Analysis API to conduct vulnerability scans on images in Artifact Registry.
B. Create a Cloud Run service that is triggered on a code check-in and scan the code for CVEs.
C. Disallow the use of non-commercially supported base images in your development environment.
D. Use Cloud Monitoring to review the output of Cloud Build to determine whether a vulnerable version has been used.
The correct answer is:
✅ A. Enable the Container Analysis API to conduct vulnerability scans on images in Artifact Registry.
✅ Explanation:
Container Analysis API is a managed Google Cloud service that automatically scans container images stored in Artifact Registry or Container Registry for known vulnerabilities (CVEs).
It integrates seamlessly with your CI/CD pipeline and doesn’t slow down development, satisfying the requirement of not impacting software development agility.
Scans are done automatically after image push, with findings available in the Cloud Console or via API.
❌ Why not the others?
B. Cloud Run service triggered on check-in: This would require custom development, does not integrate directly with container image scanning, and is not an efficient or managed solution.
C. Disallowing non-commercial base images: This limits developer flexibility and doesn’t provide active CVE scanning, which is the key requirement.
D. Using Cloud Monitoring to review Cloud Build output: This is manual and reactive, and not a proper CVE scanning solution. It lacks automation and doesn’t meet the requirement for agility.
You have developed an application and want to host it on Cloud Run. This application writes log records as text in local files. You want the logs to be written to Cloud Logging while minimizing the amount of code you have to maintain. What should you do?
A. Import the Cloud Logging library in your code and use it to write logs.
B. Use your programming language logger to write logs to Standard output (stdout) and Standard error (stderr) streams.
C. Expose the log files to www.mycompany.com/logs. Use a browser to manually download the files and upload them to Cloud Storage.
D. Using cron, schedule a job to copy the log files to Cloud Storage once a day.
The correct answer is:
✅ B. Use your programming language logger to write logs to Standard output (stdout) and Standard error (stderr) streams.
✅ Explanation:
Cloud Run automatically captures anything written to stdout and stderr and sends it to Cloud Logging.
This approach requires minimal code changes and no extra configuration.
It’s the Google-recommended best practice for logging in serverless environments like Cloud Run.
❌ Why not the others?
A. Import the Cloud Logging library: While valid, it’s more complex and requires additional maintenance. Using stdout/stderr is simpler and achieves the same result.
C. Expose log files via a URL: This is manual, insecure, and not scalable or efficient.
D. Using cron to copy logs to Cloud Storage: This is unnecessary overhead and doesn’t integrate with Cloud Logging, which is the desired logging backend.
You recently developed an application. You need to call the Cloud Storage API from a Compute Engine instance that doesn’t have a public IP address. What should you do?
A. Use Carrier Peering
B. Use VPC Network Peering
C. Use Shared VPC networks
D. Use Private Google Access
✅ D. Use Private Google Access
✅ Explanation:
Private Google Access allows VM instances without public IP addresses (internal-only) to reach Google APIs and services (like Cloud Storage) over the internal network.
This is the recommended way to securely access Google services without exposing your VM to the internet.
❌ Why not the others?
A. Carrier Peering: Used for connecting your on-prem network to Google over a service provider’s network. Not applicable for internal GCP VM access.
B. VPC Network Peering: Allows private connectivity between two VPCs, not for accessing Google services.
C. Shared VPC: Helps share VPC resources across projects but doesn’t solve the issue of accessing Google APIs privately.
Your application performs well when tested locally, but it runs significantly slower after you deploy it to a Compute Engine instance. You need to diagnose the problem with the least number of changes. What should you do?
A. File a ticket with Cloud Support indicating that the application performs faster locally.
B. Use Cloud Debugger snapshots to look at a point-in-time execution of the application.
C. Use Cloud Profiler to determine which functions within the application take the longest amount of time.
D. Add logging commands to the application and use Cloud Logging to check where the latency problem occurs.
✅ C. Use Cloud Profiler to determine which functions within the application take the longest amount of time.
✅ Explanation:
Cloud Profiler is a low-overhead sampling-based tool that helps you analyze the performance of your application in production.
It identifies which parts of your code consume the most CPU or memory, helping you pinpoint bottlenecks without modifying your application.
This is the most efficient and least intrusive way to diagnose performance issues in production.
❌ Why not the others?
A. File a ticket with Cloud Support: Premature. Support would first ask for diagnostics—use Cloud Profiler or other tools first.
B. Cloud Debugger: Helps inspect application state but isn’t optimal for performance profiling or identifying slow functions.
D. Add logging commands: Useful, but requires code changes and is more manual compared to using Cloud Profiler.
You are developing an ecommerce web application that uses Cloud Run and Memorystore for Redis. When a user logs into the app, the application caches the user’s information (e.g., session, name, address, preferences), which is stored for quick retrieval during checkout. While testing your application in a browser, you get a 502 Bad Gateway error. You have determined that the application is not connecting to Memorystore. What is the reason for this error?
A. Your Memorystore for Redis instance was deployed without a public IP address.
B. You configured your Serverless VPC Access connector in a different region than your Cloud Run service.
C. The firewall rule allowing a connection between Cloud Run and Memorystore was removed during an infrastructure update by the DevOps team.
D. You configured your application to use a Serverless VPC Access connector on a different subnet in a different region than your Cloud Run service.
Correct answer: B. You configured your Serverless VPC Access connector in a different region than your Cloud Run service.
✅ Explanation:
Cloud Run needs to use a Serverless VPC Access connector to communicate with Memorystore, which only has internal IP addresses.
One critical requirement is that the connector must be in the same region as the Cloud Run service.
If the connector is in a different region, Cloud Run won’t be able to connect to Memorystore, resulting in a 502 Bad Gateway error due to backend connection failure.
❌ Why not the others?
A. Memorystore has no public IP: True, but this is expected. It’s by design, and that’s why you use Serverless VPC Access.
C. Firewall rule issue: Cloud Run to Memorystore access via the connector doesn’t usually require custom firewall rules unless you’ve added very restrictive policies.
D. Different subnet: Different subnets are fine, as long as they’re in the same region. The region mismatch is the real issue.
Your organization has recently begun an initiative to replatform their legacy applications onto GKE. You need to decompose a monolithic application into microservices. Multiple instances have read and write access to a configuration file, which is stored on a shared file system. You want to minimize the effort required to manage this transition, and you want to avoid rewriting the application code. What should you do?
A. Create a new Cloud Storage bucket, and mount it via FUSE in the container.
B. Create a new persistent disk, and mount the volume as a shared PersistentVolume.
C. Create a new Filestore instance, and mount the volume as an nfs PersistentVolume.
D. Create a new ConfigMap and volumeMount to store the contents of the configuration file.
✅ Correct answer: C. Create a new Filestore instance, and mount the volume as an NFS PersistentVolume.
🔍 Explanation:
Since multiple instances of the microservice need read/write access to a shared file, and you want to avoid rewriting the application, you need a POSIX-compliant shared file system.
Filestore is Google Cloud’s managed NFS solution, which integrates well with GKE via PersistentVolumes.
This allows the existing app code that relies on shared file access to continue functioning without significant refactoring.
❌ Why not the other options?
A. Cloud Storage with FUSE: Not recommended for applications with concurrent read/write or low-latency file access needs. GCS is object storage, not a true file system.
B. Persistent Disk (PD): PDs can only be attached read-write by a single node at a time. Not suitable for multi-writer scenarios.
D. ConfigMap: Meant for static, configuration data, and is read-only when mounted as a volume. Not suitable for read/write operations by the app.
You need to redesign the ingestion of audit events from your authentication service to allow it to handle a large increase in traffic. Currently, the audit service and the authentication service run in the same Compute Engine virtual machine. You plan to split each service into its own pool of Compute Engine VM instances and use Pub/Sub to send events from the authentication service to the audit service.
How should you set up the Pub/Sub topics and subscriptions to ensure that the system can handle a large volume of messages and can scale efficiently?
A. Create one Pub/Sub topic. Create one pull subscription.
B. Create one Pub/Sub topic. Create one pull subscription per audit service instance.
C. Create one Pub/Sub topic. Create one push subscription.
D. Create one Pub/Sub topic per authentication service instance. Create one pull subscription per topic.
Correct answer: B. Create one Pub/Sub topic. Create one pull subscription per audit service instance.
🔍 Explanation:
To decouple the authentication and audit services and scale efficiently, you want:
A single Pub/Sub topic to centralize event ingestion from all auth service instances.
Multiple pull subscribers (one per audit service instance) to allow parallel processing and scalability.
Pull subscriptions are ideal for horizontal scaling, especially when audit service instances increase or decrease dynamically.
💡 Key Pub/Sub Best Practices:
Single topic is better than one-per-producer to keep system design simple and avoid topic explosion.
Multiple subscribers sharing a subscription helps balance load across instances.
Pull subscriptions allow the subscriber to control when and how much to consume (important during traffic spikes).
Pub/Sub automatically load balances messages across subscriber instances of the same pull subscription.
❌ Why not the other options?
A. One pull subscription only: Doesn’t allow horizontal scaling of the audit service — all messages go to a single consumer.
C. One push subscription: Push model requires endpoint management, isn’t ideal for scalable, high-throughput use cases.
D. One topic per authentication instance: Overcomplicates the architecture. Managing many topics and subscriptions makes scaling harder.
You are developing an application using a new programming language that does not have support for Cloud Client Libraries. Your application makes REST API calls to invoke Google Cloud services. The application runs on Cloud Run with an associated service account. You want to configure this service account to act as the authorization identity for the Google Cloud service calls. What should you do?
A. Include an API key with the application and pass the value in the Authorization header.
B. Retrieve the access token from the metadata server and pass the value in the Authorization header.
C. Use an API key for the service account as the value of the GOOGLE_APPLICATION_CREDENTIALS environment variable.
D. Store the value for gcloud auth application-default print-access-token at startup in a file whose path is set in the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Correct answer: B. Retrieve the access token from the metadata server and pass the value in the Authorization header.
🔍 Explanation:
Since your application is running on Cloud Run and making REST API calls directly (because there’s no Cloud Client Library support), you need to authenticate those API requests using an OAuth 2.0 access token. The correct and secure way to do this is:
Retrieve the access token for the associated service account from the Cloud Run metadata server endpoint:
GET http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Header: Metadata-Flavor: Google
Extract the access_token from the response and include it in your request headers:
Authorization: Bearer ACCESS_TOKEN
This method works regardless of programming language, and it’s the Google-recommended approach for authenticating from a Cloud Run (or any GCE-based) environment.
❌ Why not the other options?
A. API key: Not secure for production, and not sufficient for many authenticated API calls (especially for data-modifying operations).
C. Use API key in GOOGLE_APPLICATION_CREDENTIALS: API keys are not used this way and don’t work as service account credentials.
D. Use gcloud auth application-default print-access-token: This is intended for local development, not for production use in Cloud Run.
You are creating a web application that writes a file to the user’s Drive regardless of their account domain. The application will be hosted on Cloud Run. You need to configure the application to authenticate to the Google Drive API. What should you do?
A. Use an OAuth Client ID with delegated domain-wide authority.
B. Use a service account with delegated domain-wide authority.
C. Use an OAuth Client ID and https://www.googleapis.com/auth/drive.file scope to obtain an access token for each user.
D. Use a service account and https://www.googleapis.com/auth/drive.file scope to generate a signed JSON Web Token (JWT).
Correct answer: C. Use an OAuth Client ID and https://www.googleapis.com/auth/drive.file scope to obtain an access token for each user.
🔍 Explanation:
Since your web application writes to the user’s personal Google Drive, regardless of their account domain, you need to authenticate on behalf of the user — not as a service account.
🔐 OAuth 2.0 is the correct flow for user data.
OAuth Client ID is used to identify your application to Google’s OAuth 2.0 system.
The https://www.googleapis.com/auth/drive.file scope allows the app to read and write files created or opened by the app, which is ideal for limiting permissions to only what’s needed.
You’ll use OAuth 2.0 Consent Screen and obtain the user’s access token after they grant permission.
This approach works across any Google user — even those outside your organization or domain.
❌ Why not the others?
A. OAuth Client ID with delegated domain-wide authority: Only applies to G Suite/Workspace admin-level delegation for users within a domain, not for public user apps.
B. Service account with domain-wide delegation: Also applies only within a domain — doesn’t work for arbitrary Google users.
D. Service account with Drive scope and JWT: Service accounts are not authorized to write to a user’s personal Drive unless used in conjunction with domain-wide delegation (which again only works in G Suite environments and not for public users).
Your team has developed a mobile web application where global users vote on popular topics. For each topic, you expect a very high volume of votes during each individual 30-minute voting window. You need to capture and count each topic’s votes within every 30-minute window. You also need to store the votes for future analysis and reporting. What should you do?
A. Save the votes to Memorystore, and use Cloud Run functions to insert the counts into BigQuery. Display the results in Google Data Studio.
B. Publish the votes to Pub/Sub, and use a Dataflow pipeline to insert the counts and votes into BigQuery. Display the results in Google Data Studio.
C. Publish the votes to Pub/Sub, and use Cloud Run functions to insert the counts and votes into Cloud Storage. Display the results in Google Data Studio.
D. Use Firebase to authenticate the mobile users, and publish the votes directly to Firestore. Export the votes to a CSV file, and import it into Sheets for reporting.
Correct answer: B. Publish the votes to Pub/Sub, and use a Dataflow pipeline to insert the counts and votes into BigQuery. Display the results in Google Data Studio.
🔍 Why this is the best solution:
You’re dealing with:
High-volume, time-bound event ingestion (votes in 30-minute windows),
Scalable, real-time data processing, and
Storage for future analysis/reporting.
This makes Pub/Sub + Dataflow + BigQuery the ideal pipeline.
✔ Breakdown of the correct approach:
Pub/Sub: Handles massive, real-time streaming ingestion of vote events.
Dataflow (Apache Beam): Performs windowed aggregations (e.g., count votes per topic per 30-minute window), transforms, filters, and routes data.
BigQuery: Stores both raw votes and aggregated results for long-term querying and reporting.
Google Data Studio (now Looker Studio): Visualizes BigQuery data in real time for stakeholders.
❌ Why the other options are not ideal:
A. Memorystore + Cloud Run + BigQuery:
Memorystore isn’t designed for long-term or massive-scale write-heavy workloads.
It’s in-memory only — no persistence by default.
Not a good fit for vote counting + historical analysis.
C. Pub/Sub + Cloud Run + Cloud Storage:
Cloud Storage isn’t ideal for queryable data.
You’ll have to manually parse logs or files for analytics.
No built-in time-windowed aggregation.
D. Firestore + CSV + Sheets:
Firestore may struggle at scale without careful sharding.
Manual CSV + Sheets is not scalable or real-time.
Not suited for high-velocity, analytical workloads.
You have written a Cloud Run function in Node.js with source code stored in a Git repository. You want any committed changes to the source code to be automatically tested. You write a Cloud Build configuration that pushes the source code to a uniquely named Cloud Run function, then calls the function as a test, and then deletes the Cloud Run function as cleanup. You discover that if the test fails, the Cloud Run function is not deleted. What should you do?
A. Change the order of the steps to delete the Cloud Run function before performing the test.
B. Include a waitFor option in the Cloud Build step that deletes the Cloud Run function test step as a required preceding step.
C. Have the Cloud Build step write the Cloud Run function results to a file and return 0. Add a step after the Cloud Run function deletion that checks whether the file contains the expected results and fails if it doesn’t.
D. Have the Cloud Build test step set its outcome in an environment variable called result and return 0. Add a final step after the Cloud Run function deletion that checks whether the environment variable contains the expected results.
Correct answer: C. Have the Cloud Build step write the Cloud Run function results to a file and return 0. Add a step after the Cloud Run function deletion that checks whether the file contains the expected results and fails if it doesn’t.
🔍 Why this works best:
The issue is that Cloud Build stops executing further steps when a step fails (i.e., exits with a non-zero code). That means if your test step fails, the cleanup step to delete the Cloud Run function is never reached.
✔ Why option C is the best solution:
You prevent Cloud Build from failing early by making the test step always return 0 (success).
Instead of failing immediately, the test writes its result (e.g., response body or status code) to a file.
Then, after the deletion step, you add a final step to evaluate the result file and explicitly fail the build if needed.
This guarantees that:
Cleanup always runs, regardless of test success.
You can still fail the build based on test results — just in the final step.
❌ Why the other options don’t work:
A. Change the order to delete before test:
This defeats the purpose — you need the function to exist for the test.
B. waitFor option:
This controls execution order, not error handling.
If the test step fails, no further steps are run, regardless of waitFor.
D. Use environment variable to store result:
Environment variables in Cloud Build aren’t shared across steps.
Each step runs in a separate container, so this won’t work as intended.
You have deployed a web application in a GKE cluster. You are reviewing the Cloud Monitoring metrics and find that your cluster’s CPU load fluctuates throughout the day. To maximize performance while minimizing cost, you want the number of pods and nodes to automatically adjust. What should you do?
A. Modify the managed instance group (MIG) to enable Autoscaling to configure max and min amount of nodes based on CPU load.
B. Enable Cluster Autoscaler on the GKE cluster, and configure the Horizontal Pod Autoscaler (HPA) to autoscale the workload based on CPU load.
C. Enable Cluster Autoscaler on the GKE cluster, and configure the HPA to autoscale the workloads based on a custom metric.
D. Modify the MIG to enable Autoscaling to configure max and min amount of nodes based on CPU load, and configure the Vertical Pod Autoscaler (VPA) to scale workloads based on CPU load.
Correct answer: B. Enable Cluster Autoscaler on the GKE cluster, and configure the Horizontal Pod Autoscaler (HPA) to autoscale the workload based on CPU load.
🔍 Why this is correct:
To automatically adjust the number of nodes and pods based on CPU usage in a GKE cluster:
Cluster Autoscaler handles the number of nodes in the cluster.
Horizontal Pod Autoscaler (HPA) adjusts the number of pods in a deployment or replica set based on metrics like CPU utilization.
This combination ensures:
Pods scale up/down as CPU load increases or decreases.
If more pods are scheduled than the cluster can handle, the Cluster Autoscaler will provision more nodes.
❌ Why the other options are incorrect:
A. Modify the MIG only:
GKE manages node groups for you. You shouldn’t manually modify Managed Instance Groups (MIGs).
It doesn’t address pod-level scaling.
C. HPA with custom metrics is valid, but the question is about CPU, so you don’t need custom metrics — built-in CPU utilization is sufficient.
D. Vertical Pod Autoscaler (VPA) adjusts resource requests (like CPU/memory) for individual pods — it doesn’t scale pod count. It also doesn’t replace HPA in most scenarios and doesn’t help with node scaling.
You have a Java application running on Cloud Run. Your application’s error messages do not appear in the Error Reporting console. What should you do?
A. Ensure that Cloud Monitoring client libraries are bundled with the Java application.
B. Verify that application logs are being written to the correct regional storage bucket.
C. Verify that application errors are being written to stderr.
D. Log exceptions using System.out.println.
✅ Correct answer: C. Verify that application errors are being written to stderr.
🔍 Explanation:
Cloud Run integrates automatically with Cloud Logging and Error Reporting. However, Error Reporting only picks up logs that contain properly formatted error messages written to stderr.
For Java applications:
Exceptions and errors should be logged to stderr, and in a format that Error Reporting can recognize (e.g., including a stack trace).
❌ Why the other options are incorrect:
A. Cloud Monitoring libraries are not required for Error Reporting to work. Error Reporting reads logs from Cloud Logging.
B. There’s no need to manually verify a regional storage bucket — Cloud Run handles log routing to Cloud Logging automatically.
D. System.out.println writes to stdout, not stderr, so it won’t trigger Error Reporting for errors.
✅ Best Practice for Java on Cloud Run:
Use a logging framework like SLF4J, Logback, or java.util.logging, and make sure it writes exceptions to stderr with stack traces for proper error detection.
Your company has a successful multi-player game that has become popular in the US. Now, it wants to expand to other regions. It is launching a new feature that allows users to trade points. This feature will work for users across the globe. Your company’s current MySQL backend is reaching the limit of the Compute Engine instance that hosts the game. Your company wants to migrate to a different database that will provide global consistency and high availability across the regions. Which database should they choose?
A. BigQuery
B. Cloud SQL
C. Cloud Spanner
D. Cloud Bigtable
Correct answer: C. Cloud Spanner
🔍 Explanation:
Cloud Spanner is Google Cloud’s fully managed, horizontally scalable, globally distributed relational database that provides:
Global consistency (strong consistency across all regions)
High availability and fault tolerance
SQL support and ACID transactions
Automatic scaling as your user base grows
These features make it ideal for global, multi-player games where users from different regions interact with shared data (like trading points), and where consistency, performance, and uptime are critical.
❌ Why not the others?
A. BigQuery: Meant for analytics, not for transactional, low-latency, real-time workloads like game data and user interactions.
B. Cloud SQL: A managed MySQL/PostgreSQL service, but not built for global distribution or scalability. It would hit performance limits quickly in a global scenario.
D. Cloud Bigtable: Great for very high-throughput workloads (like telemetry), but it’s not relational, doesn’t support SQL or multi-row transactions, and is not ideal for global consistency.
Your application that is deployed on Cloud Run receives a large amount of traffic. You are concerned that deploying changes to the application could affect all users negatively. You want to avoid full-scale load testing due to cost concerns, but you still want to deploy new features as quickly as possible. Which approach should you take?
A. Schedule weekly load tests against the production application.
B. Use the local development environment to perform load testing outside Google Cloud.
C. Before allowing users to access new features, deploy as a new version and perform smoke tests. Then enable all users to access the new features.
D. Use traffic splitting to have a smaller part of the users test out new features, and slowly adjust traffic splitting until all users get the new features.
Correct answer: D. Use traffic splitting to have a smaller part of the users test out new features, and slowly adjust traffic splitting until all users get the new features.
🔍 Explanation:
Cloud Run supports traffic splitting, which allows you to:
Deploy a new version of your service
Gradually roll it out to a percentage of users (e.g., 5%, 10%, 50%)
Monitor performance and behavior
Quickly roll back if any issues arise
This approach lets you release features safely and iteratively, minimizing risk without needing expensive load testing.
Your website is deployed on Compute Engine. Your marketing team wants to test conversion rates between three different website designs. You are not able to make changes to your application code. What should you do?
A. Deploy the website on Cloud Run and use traffic splitting.
B. Deploy the website on Cloud Run as three separate revisions.
C. Deploy the website on Cloud Run functions as three separate functions.
D. Deploy the website on Cloud Run functions and implement custom code to show different designs.
✅ Correct answer: A. Deploy the website on Cloud Run and use traffic splitting.
🔍 Explanation:
Since:
Your website is currently on Compute Engine
You can’t modify the application code
The marketing team wants A/B/C testing (3 designs)
The best solution is to migrate the site to Cloud Run and use traffic splitting, which allows you to:
Deploy multiple versions (revisions) of your site
Distribute traffic among them (e.g., 33%, 33%, 34%) without needing to change application logic
Easily monitor conversion rates across versions
❌ Why not the others?
B. Deploy as three separate revisions: You still need traffic splitting, which is part of Option A.
C & D. Cloud Run functions: Functions are designed for event-driven tasks and are not ideal for full website hosting.