Infra, Apps & APIs Flashcards

Infra, Networking, Security, Apps & APIs

1
Q

What are the four overarching managed service options on GCP?

A

IaaS - Compute Engine
PaaS - App Engine
CaaS - Cloud Run
FaaS - Cloud Functions

2
Q

What are the five fundamental attributes of Cloud Services?

A

1) On-demand Self-Service - No human intervention needed to access resources
2) Resource Pooling - Provider shares resources to customers
3) Rapid Elasticity
4) Measured Service - Pay for what we consume
5) Internet-Enabled - Access from Anywhere

3
Q

What are the two primary design principles of cloud native architecting?

A

1) Scalability:
- Ability to handle varying demands
- Reduce cost of under-utilised resources
- Scale up and down without compromising performance

2) Resilience:
- Functions despite failures of individual components

4
Q

What are the three migration methodologies for Google Cloud, and what are their pros and cons?

A

1) Lift and Shift
Pro: No need to rebuild applications or learn cloud skills.
Cons: Ignores cloud-native benefits, applications run without scaling and resilience benefits of cloud-native technologies.

2) Improve and Move
Pro: Introduces automation of scaling and resilience.
Cons: New skills and code management.

3) Rip and Replace
Pro: Remove technical debt
Cons: Requires highest level of time and skill investment.

5
Q

What are the 4 key design implementation choices to achieve a microservice architecture?

A

1) Loosely coupled services.
2) Asynchronous operations.
3) Stateless components.
4) Caching.

6
Q

What is the strangler pattern?

A

A methodology of incrementally replacing components of legacy applications with new services.

Named after the strangler tree.

7
Q

What are the four types of technical testing?

A

1) Unit Testing - Tests individual components of the application.
2) Integration Testing - Tests components grouped together.
3) Performance Testing - Tests the responsiveness of individual components.
4) Load / Endurance Testing - Tests the entire system placed under heavy load.

8
Q

What is Unit Testing and what are its pros and cons?

A

Tests individual components of the application.

Pro: Easy to spot errors and automate.
Con: Does not test external dependencies.

9
Q

What is Integration Testing and what are its pros and cons?

A

Tests components of an application when they are grouped together and reliant on one another.

Pro: Tests external dependencies and can be automated through mocking.
Cons: Can be difficult to understand the root of errors due to the black-box nature of integration.

10
Q

What is the recommended production-grade method for running Cloud Build?

A

Declaratively, by creating a cloudbuild.yaml in your SCR.

11
Q

What are the 3 types of roles you give to a GCP account within a project and what do they provide?

A

Primitive Roles - Apply at the project level: Owner, Editor, Viewer and Billing Administrator.

Predefined Roles - Apply at the GCP service level: such as write access to Cloud Storage, but only view access to Compute Engine.

Custom Roles - Create your own roles such as “instanceOperator” where you can specify and manage the permissions. They can only be specified at the project level, not folder or org.

12
Q

Explain what blue / green deployment strategy is.

A

Blue-green deployment is a deployment strategy that utilizes two identical environments, a “blue” (aka staging) and a “green” (aka production) environment with different versions of an application or service. Quality assurance and user acceptance testing are typically done within the blue environment that hosts new versions or changes. User traffic is shifted from the green environment to the blue environment once new changes have been tested and accepted within the blue environment.

13
Q

What are the pros and cons of a blue / green deployment strategy?

A

Benefit - Rollback is straightforward: traffic can simply be routed back to the Green environment if the Blue environment sees any issues.

Drawbacks -

1) Cost of running two production-grade environments.
2) Depending on the implementation, shifting all user traffic at once can present risks.
3) In-flight user transactions may be lost when the shift in traffic is made.

14
Q

Explain what canary deployment is.

A

A canary deployment is a deployment strategy that releases an application or service incrementally to a subset of users. All infrastructure in a target environment is updated in small phases (e.g. 2%, 25%, 75%, 100%). Because of this control, a canary release is the least risk-prone of all deployment strategies.

15
Q

What is the primary benefit and drawback of canary deployment strategies?

A

Pro: It’s cheaper than a blue-green deployment because it does not require two production environments.

Con:

1) Some tests will need to be conducted in production.
2) Often need to establish a trusted tester user base to roll out new features to.

16
Q

Which fully managed platform uses a container as its sole deployment artifact?

A

Cloud Run

17
Q

What are some good use cases for a message bus like Cloud Pub/Sub?

A

Distributing messages between downstream microservices.

18
Q

You wish to direct a small percentage of production traffic to a new version of your application, so that your changes can be tested with live users. What is the name of this deployment pattern?

A

Canary Deployment

19
Q

How should application source code be stored for cloud-native software development?

A

The full codebase, including configuration and deployment files, should be stored in a collaborative source code repository, such as git.

20
Q

What type of testing tests external dependencies and multiple components and is sometimes referred to as a type of “black box” testing?

A

Integration testing

21
Q

You wish to maintain two entirely separate production environments, so that you can work on each one in isolation and then switch all production traffic between them when you are ready to release updates. What is the name of this deployment pattern?

A

Blue/Green Deployments

22
Q

What is the MOST efficient way to grant access to an object in cloud storage to an external user with no Google account?

A

Create a signed URL to grant temporary access to the object.

Signed URLs are a convenient way to embed the necessary authentication information into the URL itself, and to grant time-restricted access to specific objects in file storage.

23
Q

How can you prevent accidental deletion of objects in cloud storage for a minimum period of time?

A

Apply a retention policy to the bucket to prevent the deletion of objects until they have reached a minimum age.

24
Q

Your application expects a MySQL database connection to exist on localhost (i.e., running on the same server), but you would rather use Cloud SQL. How can you facilitate this?

A

Use the Cloud SQL proxy.

25
Q

What is the Compute Engine equivalent of a Kubernetes deployment?

A

Managed Instance Groups allow you to spread compute across multiple zones within a region, with auto-scaling and auto-healing, and are created from an instance template.

26
Q

What is the recommended way to install the Cloud Logging agent on a Compute Engine instance running Debian or Ubuntu Linux?

A

Add the logging agent repo and install using the system package manager.

27
Q

What are the two methods for running a startup script on a new Compute Engine instance?

A

1) Define the startup script metadata when the instance is created containing the script itself.
2) Upload a startup script to Cloud Storage, and add its URI as metadata with the key: startup-script-url.

28
Q

What IAM role is granted to the Compute Engine default service account?

A

Project Editor

29
Q

You are running a managed instance group of application servers that you need to make available to other applications in Compute Engine. The application servers should only be accessed internally via private IPs from other Compute Engine services.

What two methods of service discovery could you use for this?

A

1) Create an internal load balancer with the managed instance group as a backend. Configure an internal DNS name in Cloud DNS for the frontend of the load balancer.
2) Nominate a primary application server and store its private IP in project metadata. Have other services query the metadata server to retrieve the primary application server IP.

30
Q

You have created a compute engine instance that will connect to a Cloud SQL instance. Following best practice, you are using a custom service account that only grants the Cloud SQL Client permission. You are also using a startup script stored in Cloud Storage to configure your instance. However, when your instance starts, the script does not seem to run. What could be the problem and how might you fix it?

A

The service account does not have permission to access the startup script in Cloud Storage. Add the Storage Object Viewer role to the service account and reset the instance.

31
Q

You want to manage a group of stateless web server instances on Compute Engine in a way that would be resilient to the loss of a single GCP zone. What is the best way to achieve this?

A

Create a regional managed instance group.

32
Q

Your application requires a VM with 10 vCPUs and 64GB of memory, but this isn’t a predefined option for a machine type in Compute Engine. What do you do?

A

Create a custom machine type using the GCP console that matches the exact requirements.

33
Q

Why would you use Cloud Run over Cloud Functions?

A

1) If you require a runtime environment not provided by Cloud Functions.
2) If you want to include a persistent file system.
3) You can spin up multiple requests per instance with Cloud Run whereas Cloud Functions are one request per instance.

34
Q

You have a workload running in a deployment on GKE, with a replica set of 4 Pods. Your dev team has provided you with an updated container image and asked you to deploy the update. You want to do this in a way that causes minimal service interruption, but you also want to control the overall amount of resources being consumed, so you don’t need to add nodes to the cluster. What is the best way to update the deployment?

A

Ensure deployment is using a rolling update. Kubernetes’ default rolling update strategy means that the rollout will pause if more than 25% of new Pods are not healthy, but it will also limit the increased number of Pods in use during the rollout (the surge), to 25%. You can amend this in the deployment.yaml if necessary.

35
Q

Which of the following is the correct explanation of why a Pod would be in a Succeeded or Completed state?

1) All of the containers in a Pod are running and ready to serve.
2) All of the necessary container images have been downloaded and the Pod is getting ready to start.
3) All of the containers in a Pod have terminated in success and will not be restarted.
4) A Pod has been successfully deleted.

A

3) All of the containers in a Pod have terminated in success and will not be restarted.

36
Q

What is the cause of a CrashLoopBackOff error in GKE?

A

A container has failed to start successfully and continued to fail on repeated attempts.

37
Q

Your application in GKE needs access to a MySQL database, and your organization has a technical requirement to use managed databases wherever possible. What is the best solution here?

A

Use Cloud SQL for the database, and use a sidecar container to run the Cloud SQL proxy inside your application’s Pod.

38
Q

You have a small piece of code that takes an image and resamples it to a thumbnail version. You want to run this code in your GCP project every time a user uploads a photo with your application, which stores user photos in a Cloud Storage bucket. How could you implement this with managed services in a way that does not interfere with the running of the main application?

A

Deploy the resampling code as a small API program to Cloud Functions. Configure the function to be triggered whenever a new image is uploaded to the storage bucket.

39
Q

Which open standard specification does Cloud Endpoints and API Gateway require APIs to be defined with?

A

OpenAPI 2.0

40
Q

What are some best practices for Google Cloud Functions? (Select 3)

a) Use multiple dependencies for your chosen programming language to avoid the risk of missing libraries.
b) Don’t start background processes.
c) Use only the dependencies that are specifically required by the function.
d) Don’t delete temporary files as part of the logic of the function. This is a computing overhead, and the platform automatically clears temporary files.
e) Spawn all processing in the background.
f) Always delete temporary files as part of the logic of the function.

A

b) Don’t start background processes.
c) Use only the dependencies that are specifically required by the function.
f) Always delete temporary files as part of the logic of the function.

41
Q

What is the default retention period for user logs stored in the default logs bucket?

A

30 days, and retention can be configured from 1 day to 10 years.

42
Q

You are developing a backend for a mobile game. The game includes a market place where players can trade items with each other. The details of each trade are written to application logs. You would like to monitor the average price of some items in the game and also create an alert when you suspect an item has been sold for an artificially inflated price. How can you use Operations Suite to help you achieve this in a quick and easy way?

A

Configure logs-based metrics to track trade prices in Cloud Monitoring. Create an alerting policy to notify you when a trade price is above a certain threshold.

43
Q

You have several GCP projects containing resources that you would like to monitor with a single dashboard. What is the recommended way to achieve this?

A

Configure a separate project as a “host” project for a Cloud Monitoring workspace and use it to manage all the other projects.

44
Q

You would like to use BigQuery to analyse logs that are collected by Cloud Logging. What is the easiest way to enable this?

A

Configure BigQuery as a custom sink for logs.

45
Q

What is the default retention period for audit security logs on GCP?

A

400 days, and it cannot be changed.

46
Q

You have deployed an app to App Engine, which seems to be mostly working. Occasionally the application returns an HTTP 500 Internal Server error. It generates lots of logs per request, so you are having difficulty tracking down the problem. Which Operations Suite tool could you most easily use to help you?

A

Cloud Error Reporting

47
Q

You have deployed an internal tool to App Engine, and you wish to grant access to other members of your team. You all work remotely, and there is no VPN configuration for your organization. However, everyone has a Google Workspace identity. What is the easiest way to handle authentication for your app?

A

Use Cloud Identity Aware Proxy and grant the IAP-secured Web App User role to users who should be permitted to access the app.

48
Q

Which managed GCP service crawls an App Engine, Compute Engine, or GKE application URL to identify security vulnerabilities?

A

Web Security Scanner

49
Q

You need to store a series of API keys inside your GCP project, ideally using a managed service. Which is the best option?

A

Cloud Secret Manager

50
Q

Your organization works in a regulated industry where you must be able to guarantee the safety and location of data. You are storing sensitive information in Cloud Storage. Which options will help you ensure that data remains in a specific region and is not moved? (Select 2)

A) Multi-region storage buckets
B) Firewall rules
C) Regional storage buckets
D) VPC Service Perimeter

A

C) Regional storage buckets - Using the regional storage class will allow you to choose a region for data to be stored.

D) VPC Service Perimeter - A VPC service perimeter can guarantee that data will not leave a defined boundary inside a project.

51
Q

Your organization has two separate product teams that develop their own services in isolation. Each team requires a way to develop their application and deploy it to separate development, staging, and production environments. What is the best way to set this up in the GCP hierarchy?

A

Use a single GCP organization, and create folders for each of the product teams. Within each folder, create separate projects for development, staging, and production environments.

52
Q

You are storing billing reports in a storage bucket and need to grant read-only access to your finance team. What is the best way to set this up?

A

Add the members of the finance team to a group, and grant the group the Storage Object Viewer role on the bucket containing the reports.

53
Q

Your development team uses GitHub to manage their code. You need to perform debugging tasks to resolve an error that was recently reported by the QA team. What should you do?

A

Set up Cloud Debugger, create a snapshot, and set log points.

54
Q

You have written a Cloud Function in Node.js with source code stored in a Git repository. You want any committed changes to the source to be automatically tested. You write a Cloud Build configuration that pushes the source to a uniquely named Cloud Function, then calls the function as a test, and then deletes the Cloud Function as cleanup. You discover that if the test fails, the Cloud Function is not deleted. What should you do?

A. Change the order of the steps to delete the Cloud Function before performing the test, which can indicate a result failure.

B. Include a waitFor option in the configuration for the Cloud Function deletion that identifies the test step as a required preceding step.

C. Have the test write its results to a file and return 0. Add a final step after the Cloud Function deletion that checks whether the file contains the expected results.

D. Have the test set its outcome in an environment variable called result and return 0. Add a final step after the Cloud Function deletion that checks whether the result contains the expected results.

A

C is correct. There is a persistent file system that is shared between steps in a Cloud Build. We change the story to be:

  1. Deploy the Cloud Function.
  2. Save the results of calling the Cloud Function to a file.
  3. Delete the Cloud Function.
  4. Test the content of the file.

Since step 2 can now never fail, step 3 is executed and step 4 defines the outcome of the build as a whole.

55
Q

You have deployed a web application in a Google Kubernetes Engine (GKE) cluster. You are reviewing the Cloud Monitoring metrics and find that your cluster’s CPU load fluctuates throughout the day. To maximize performance while minimizing cost, you want the number of replicas to automatically adjust. What should you do?

A. Modify the managed instance group (MIG) to enable Autoscaling to configure max and min amount of nodes based on CPU load.

B. Enable Cluster Autoscaler on the GKE cluster, and configure the Horizontal Pod Autoscaler (HPA) to autoscale the workload based on CPU load.

C. Enable Cluster Autoscaler on the GKE cluster, and configure the HPA to autoscale the workloads based on a custom metric.

D. Modify the MIG to enable Autoscaling to configure max and min amount of nodes based on CPU load, and configure the Vertical Pod Autoscaler (VPA) to scale workloads based on CPU load.

A

B. Enable Cluster Autoscaler on the GKE cluster, and configure the Horizontal Pod Autoscaler (HPA) to autoscale the workload based on CPU load.

56
Q

Your organization develops and tests multiple applications on Compute Engine virtual machine instances across 3 environments; Test, Staging, and Production. The separate development teams for each application require minimal access to Production but broad access in Test and Staging. You need to design the Resource Manager structure to support your organization in following least-privilege best practices. What should you do?

A. Create one project per environment per application. Assign the application team members an IAM role at the project level.

B. Create one project per environment. Assign the application team members an Identity Access Management (IAM) role at the project level.

C. Create one project per environment. Group each application team member into a Google Group. Assign the application team’s Google Group an IAM role at the project level.

D. Create one project per environment per application. Group each application team member into a Google Group. Assign the application team’s Google Group an IAM role at the project level.

A

D is correct because a project provides good isolation for each application team, and managing membership via a group is easier to maintain over time.

57
Q

Your application that is deployed in the App Engine standard environment receives a large amount of traffic. You are concerned that deploying changes to the application could affect all users negatively. You want to avoid full-scale load testing due to cost concerns, but you still want to deploy new features as quickly as possible. Which approach should you take?

A

Use App Engine traffic splitting to have a smaller part of the users test out new features, and slowly adjust traffic splitting until all users get the new features. Traffic splitting allows real user testing without impacting all users and reduces load testing costs.

58
Q

Your website is deployed on Compute Engine. Your marketing team wants to test conversion rates between 3 different website designs. You are not able to make changes to your application code. What should you do?

A

Deploy website on App Engine and use traffic splitting.

59
Q

You have an application that accepts inputs from users. The application needs to kick off different background tasks based on these inputs. You want to allow for automated asynchronous execution of these tasks as soon as input is submitted by the user. Which product should you use?

A

You would choose Cloud Tasks over Cloud Pub/Sub as Pub/Sub is only a messaging service.

60
Q

You have deployed your website in a managed instance group. The managed instance group is configured to have a size of three instances and to perform an HTTP health check on port 80. When the managed instance group is created, three instances are created and started. When you connect to the instance using SSH, you confirm that the website is running and available on port 80. However, the managed instance group is re-creating the instances when they fail verification. What should you do?

A. Change the type to an unmanaged instance group.

B. Disable autoscaling on the managed instance group.

C. Increase the initial delay timeout to ensure that the instance is created.

D. Check the firewall rules and ensure that the probes can access the instance.

A

D is correct because the instance has been created and the website is being served, but the health check is failing verification.

61
Q

Your application starts on the virtual machine (VM) as a systemd service. Your application outputs its log information to stdout. You want to review the application logs. What should you do?

A. Review the application logs from the Compute Engine VM instance activity logs in Cloud Logging.

B. Review the application logs from the Compute Engine VM instance data access logs in Cloud Logging.

C. Install Cloud Logging Agent. Review the application logs from the Compute Engine VM instance syslog logs in Cloud Logging.

D. Install Cloud Logging Agent. Review the application logs from the Compute Engine VM instance system event logs in Cloud Logging.

A

C is correct: a service running in systemd that outputs to stdout will have logs in syslog and will be scraped by the logging agent.

62
Q

You are writing an API endpoint to process orders from a web application and save the data into a Firestore collection. During application testing, you notice that when your application encounters an HTTP 5xx server error from the Firestore API, it catches this error and returns an HTTP 200 OK response code to the client, but does not store the data within Firestore. You want the consumers of your API endpoint to know that the write request was unsuccessful. What should you do?

A

Return a 500-class response. This clearly communicates to clients that the API call was unsuccessful, and the client can re-submit independently.

63
Q

Why might a GCP customer use resources in several zones or regions?

A

1) Improved fault tolerance
2) Bring applications closer to users
3) Zones within a region still have fast network connectivity among them.

64
Q

What is Cloud CDN?

A

Automatically caches “cacheable” content from web applications such as images, videos and js / css files.

65
Q

What are the primary 2 reasons for choosing Apigee over API Gateway / Cloud Endpoints?

A

If you have services / backends that are outside of GCP, you can only use Apigee.

If you want billing and analytics on a customer-facing API, Apigee is a better alternative.

66
Q

What is the key difference between “Container Analysis API On-Demand Vulnerability Scanning” and “Container Analysis API Automatic Vulnerability Scanning”?

A

Automatic vulnerability scanning will provide notes on vulnerabilities detected in containers uploaded to Artifact Registry, but the information must be acted on manually, so this won’t stop any developers deploying insecure containers.

Integrating on-demand vulnerability scanning into your Cloud Build pipeline will allow you to block a build or deployment if a container image has vulnerabilities matching a predefined severity.

67
Q

How does OAuth 2.0 work?

A

“Open Authentication” requires three players: the end user, the application (API), and the resource (service provider that has stored your privileged credentials). The transaction begins once the user expresses intent to access the API.

1) Application asks permission: The application or the API asks for authorization from the resource by providing the user’s verified identity as proof.
2) Application requests Access Token: After the authorization has been authenticated, the resource grants an Access Token to the API, without having to divulge usernames or passwords.
3) Application accesses resource: Tokens come with access permission for the API. These permissions are called scopes and each token will have an authorized scope for every API. The application gets access to the resource only to the extent the scope allows.

Think of this like a hotel. You are the application requesting permission, you prove your identity before getting given your hotel key card…which is your Access/Bearer Token as it only grants you access to the room you have permission to access and the hotel room is the resource.

68
Q

What is the purpose of Kubernetes RBAC?

A

Offers control over lower-level Kubernetes resources within the cluster, supplementing the control provided directly by Cloud IAM, which allows you to control access at the GKE and cluster level.

69
Q

What is Workload Identity?

A

A workload identity pool allows you to organise and manage external identity providers, including Cloud IAM.

70
Q

What is the difference between Cloud Logging, Cloud Error Reporting and Cloud Trace?

A

Cloud logging lets you view logs from your applications and filter and search on them.

Cloud Error Reporting tracks and groups the errors in your cloud applications and notifies you when new errors are detected.

Cloud Trace samples the latency of applications and allows you to drill down into multi-tiered request procedures.

71
Q

Describe how Cloud Debugger works.

A

Connects your application's production data to the respective source code repository so you can inspect the state of the app without having to add logging statements.

Allows you to set watchpoints of application state during code execution. In many ways, it’s like an IDE, allowing you to insert snapshots and log points into production code.

72
Q

What’s the difference between a snapshot and a log point in Cloud Debugger?

A

Snapshot - Captures the state of your application variables and call stack in production at a specific line location.

Log Point - Every time any instance executes code at the logpoint location, Cloud Debugger logs a message.

73
Q

You are helping your organization move some applications to the cloud. Your HR department relies on a legacy application that runs on a single Windows server. It is due to be replaced in the next two years but for now just needs to be moved out of your private datacenter. What is the best migration target for this server?

A

Compute Engine

74
Q

Your organization contains multiple product teams that are working on their own microservice applications in isolation, ready to deploy to the cloud. Each application should have a reliable way of communicating with other applications once deployed. While designing the cloud infrastructure, what advice can you offer the product teams to achieve this? (Select 2)

A. Use REST APIs that conform to an API contract

B. Use a message bus middleware service, like Cloud Pub/Sub

C. Store messages that are destined for other applications in a relational database

D. Make HTTP calls with increased error checking to allow for discrepancies

A

Correct Answer: A
Microservices can expose a REST API for communication. The API design should conform to a contract, so that dependent microservices all understand how to talk to each other even if individual microservices are updated.

Correct Answer: B
Messaging middleware like Cloud Pub/Sub can provide even greater flexibility and scalability for communication between microservices.

75
Q

Your organization works in a regulated industry where you must be able to guarantee the safety and location of data. You are storing sensitive information in Cloud Storage. Which options will help you ensure that data remains in a specific region and is not moved?

A. Regional storage buckets
B. VPC service perimeter
C. Firewall rules
D. Subnets

A

Correct Answer: A
Using the regional storage class will allow you to choose a region for data to be stored.

Correct Answer: B
A VPC service perimeter can guarantee that data will not leave a defined boundary inside a project.

76
Q

Your organization contains multiple product teams who each deploy their applications within their own GCP projects. Applications must communicate with each other within the same VPC. However, application teams should not be allowed to control or administer VPC settings. How can you set this up?

A

Create a host project to control VPC networks, and share them with application teams using Shared VPC. This will allow the application teams to run their apps on the same VPC network, without giving them any control of the network.

77
Q

You have created a simple web API that runs in Cloud Functions. To make the API available to the public, you would like to integrate authentication from Auth0. Which is the easiest way to do this?

A

Cloud API Gateway will provide a managed serverless API layer that can integrate with Auth0.

If you then wish to enable billing and analytics, Apigee will become the more viable option.

78
Q

You are managing a team of developers who will be deploying apps to Kubernetes Engine. You need to be able to restrict specific users to deploying only to a certain namespace within a GKE cluster. How can you set this up?

A

Using RBAC, create a Kubernetes Role with the necessary permissions within the appropriate namespace and assign it to the user.

Cloud IAM can be used to manage permissions at the GKE and cluster level; however, RBAC is used for individual Kubernetes resources, such as namespaces.

79
Q

You are running a website for a famous photographer in Compute Engine using autoscaling Managed Instance Groups (MIGs) and the Cloud Load Balancer. When your customer takes a photo that goes viral, load on the site increases dramatically and more instances are spun up, as per design. However, this costs more as you are running more instances. What change could you make to reduce costs?

A

Enable Cloud CDN.

The Cloud CDN will cache content on Google Front End (GFE), which will reduce overall load on the MIG.

80
Q

Your organization has just completed a large deployment to Kubernetes Engine with multiple interconnected microservices. However, after two separate reviews it has been found that you need to add two important operational features: secure communication and observability of latency between microservices. What is the quickest and easiest way to set this up?

A

Install Istio service mesh - The Istio service mesh will add a sidecar container to all deployed Pods to instantly provide secure mTLS communication, as well as latency observability between microservices.

81
Q

Your CSO is concerned that developers in your organization’s application teams may be using insecure container images that may expose vulnerabilities when deployed. What GCP service can you leverage to help stop this happening?

A

Container Analysis API On-Demand Vulnerability Scanning

Why?
Integrating on-demand vulnerability scanning into your Cloud Build pipeline will allow you to block a build or deployment if a container image has vulnerabilities matching a predefined severity.

82
Q

An application team in your organization has developed a cloud-native app, and they have configured a deployment pipeline using Cloud Build, Container Registry, and Cloud Run. However, they set up their GCP project and the supporting resources (storage buckets, database, etc.) manually using the web UI. They now need to create separate GCP projects for staging and production environments. They want to reduce repetition and improve parity between environments. What approach should they use to do this?

A

Use Infrastructure-as-Code (IaC) such as Terraform or Deployment Manager to create GCP environments.

83
Q

You are creating an application and need to choose a database. Your application stores records about customers, products, purchases, prices, and locations. You believe that queries will often require looking at many of these types of data at once and combining them to produce a result. What sort of database should you choose?

A. In-memory database
B. Time-series database
C. Non-relational database
D. Relational database

A

D Relational database

84
Q

A development team in your organization is deploying their application by manually building Docker images, pushing them to Container Registry, and then creating a new Cloud Run service revision using the GCP console UI. What could you recommend to help them make this process more efficient?

A

Use Cloud Build to automate building the image, storing it in Container Registry, and updating the Cloud Run service.

85
Q

You are managing an application that is deployed to a Managed Instance Group (MIG) of Compute Engine VMs. When the group scales up, new instances in the group run a startup script that updates their packages and installs the required software before they are ready to serve. This means that autoscaling events normally take 10-20 minutes before the group can respond to the new demand in traffic. How could you speed this up?

A
Create a Compute Engine custom image using the latest version of the software. Apply only the security updates on the instance when it first runs.

B
Create a pipeline that creates a new Compute Engine custom image every week with the latest security updates, plus the latest version of the software. Use the custom image in the MIG.

C
Do not apply security patches, only install the application on first boot.

D
Create a Compute Engine custom image with the latest security updates. Apply only the application software installation when it first runs.

A

Correct Answer: B

This solution is the best of both worlds, as it will keep an up-to-date image that will boot in the quickest time possible. It will also allow you to test for compatibility with updates as part of the pipeline.

86
Q

You want to run a public Cloud Run service that should be able to trigger a private HTTP cloud function. The function will access a private database. What is the most secure way to configure this?

A
Create a single custom service account for the identity of the Cloud Run service and the Cloud Run function. Grant only the permissions required for both services to work.

B
Create a custom service account for the Cloud Function. Grant only the permissions required to the function for it to work. Make the Cloud Run service allow unauthenticated invocations to make it public.

C
Create a custom service account for the Cloud Function. Grant only the permissions required to the function for it to work. Do not allow unauthenticated invocations for the Cloud Run service.

D
Create separate custom service accounts for the Cloud Run service and the Cloud Function. Grant only the permissions required to the function for it to work. Grant the Cloud Run account only the permission to trigger the cloud function. Make the Cloud Run service allow unauthenticated invocations to make it public.

A

Correct Answer: D

This solution follows the security principle of least privilege. The public-facing service only has permission to invoke the function and cannot access any other resources in your GCP project if it is compromised.

87
Q

You have been asked to deploy PostgreSQL to Kubernetes to provide a database for your organization’s app. The containerized PostgreSQL workload is stateful and requires a persistent disk for each Pod. In addition, the first Pod that comes up will assume it is the master of the database cluster, with subsequent Pods assuming a replica role. What is the correct object to use to create this workload in Kubernetes?

A

StatefulSet

88
Q

As your development team moves towards cloud-native app design, what methods would you recommend for getting software deployed to a Compute Engine VM? (Select all that apply)

A
Bootstrapping installation using a startup script
B
Using a configuration management tool like Ansible
C
Using SSH to connect to an instance to install packages
D
Using a custom machine image to deploy a pre-installed application

A

A, B and D

89
Q

You have created a stateless web application that you will deploy to Compute Engine. You need to ensure that it can autoscale based on demand, and that it is resilient to the loss of a single GCP zone. What is the best way to achieve this?

A

Create a regional managed instance group.

This not only automates the creation of the instances for you, but distributes them across multiple zones in a region for high availability.

90
Q

Your organization is running an application in Google Kubernetes Engine. The new version of the app contains a major change that can only be tested with production traffic. You would like to perform a safe deployment that allows testing on production traffic while minimizing the risk for the majority of users. How can you achieve this?

A) Create a new deployment for a canary release. Ensure that each deployment has labels that identify it as either “production” or “canary”. Update the Service selector to point to the canary deployment for roughly 2.4 hours of the day, providing it with the 10% of production traffic required for testing.

B) Create a new deployment for a canary release. Ensure that the old and new deployments share the same label for the application name. Make sure the size of the canary deployment is appropriate (e.g., 10% the size of the current deployment). Use a Service with a selector that routes traffic to Pods based on the application label.

C) Create a traffic split across multiple backends using the Cloud Load Balancer to point 10% of traffic at the new release.

D) Update 10% of the Pods within the deployment to the new version of the application.

A

Correct Answer: B

Why?
As both deployments share the same label, traffic from the Service could route to either deployment, but through deployment sizing you will route roughly 10% of traffic to the canary deployment as per the requirement.

91
Q

You are creating a startup script to run on a fleet of Compute Engine instances. The script will configure the instance based on its location and desired purpose (e.g., frontend, backend, etc.). Using GCP services, what is the easiest and most simple form of service discovery that the script can use to identify what to do with an instance?

A) Store instance locations and profiles in Cloud Firestore.

B) Store instance locations and profiles in Cloud SQL.

C) Compile a list of instances and profiles in CSV format and store it in Cloud Storage. Retrieve the data from Cloud Storage at startup.

D) Use the GCE Metadata server to retrieve instance location and tags.

A

Correct Answer: D

Simple service discovery can be managed using just the metadata server. Tags, location and other data can be retrieved at startup time by the script.

92
Q

Your application needs to register new users and send them a welcome email. You use a third-party service, which simply accepts an HTTP request, to send emails, but occasionally the requests take up to a minute to be accepted or they time out. How can you utilize GCP services to help you reduce the impact on users of using this service?

A

Cloud Tasks queues are perfect for queuing tasks that can be completed asynchronously without blocking the current user activity. Failed attempts will be retried automatically.

93
Q

You are designing the infrastructure for a new ecommerce application. It is important that logs from every part of the application are available for your data analytics team to query using standard SQL syntax. The solution you choose must scale as your application grows. What is the best way to set this up?

A

Use Cloud Logging for your application and configure BigQuery as a sink.

94
Q

You are monitoring an application that handles queues of tasks for an internal system. You have configured a custom logs-based metric to alert you whenever a queue has over 100 uncompleted tasks. Sometimes, however, a queue can have no tasks for a length of time, which usually means some other part of the system has gone wrong. How can you also use Cloud Monitoring to alert you of this situation?

A
95
Q

Which of the following actions require you to stop a Compute Engine instance? (Select 2)

A Creating a snapshot of a persistent disk
B Migrating to a different VPC
C Resizing a persistent disk
D Changing a machine type

A

B and D

96
Q

You are trying to scale up a deployment in Kubernetes Engine, but your Pods are not being scheduled. You can see an error regarding “insufficient CPU”. What could be causing this problem? (Select all that apply)

A) There are currently no more instances that can be scheduled by Compute Engine for your cluster.

B) The Pod has been scheduled but keeps crashing because it is using too much CPU.

C) Pods cannot be scheduled because all of the available CPU of the available nodes has already been consumed.

D) Pods cannot be scheduled because they are requesting more CPU than is currently available.

A

C and D

97
Q

You have updated an existing deployment in Google Kubernetes Engine with a new version of your application, but Pods in the new ReplicaSet are failing to start, reporting an error of ImagePullErr. What could be the cause of this error?

A

The updated container image is not available.

98
Q

Your monitoring dashboard is showing you that 10% of requests are responding with a significant delay. However, each request has to traverse several application layers and you are not sure which layer may be causing the most latency. What is the best way to troubleshoot this?

A

Cloud Trace

99
Q

You are managing an application that is deployed as a Managed Instance Group (MIG) in Compute Engine. It is set to autoscale when demand increases, but the application takes some time to start, so there is a delay before an autoscaling event can accommodate the extra demand in traffic. You believe that you could trigger the autoscaling earlier based on the number of a certain type of event recorded in your application logs, rather than using a simple CPU metric. How can you set this up?

A

A logs-based counter metric counts the number of log entries that contain a specific message. You can then use this logs-based metric to configure autoscaling.

100
Q

Please describe the differences between Cloud Tasks and Cloud Pub/Sub, and when is it best to use each?

A

Pub/Sub supports implicit invocation: a publisher implicitly causes the subscribers to execute by publishing an event.

By contrast, Cloud Tasks is aimed at explicit invocation where the publisher retains full control of execution. In particular, a publisher specifies an endpoint where each message is to be delivered and when it needs to be delivered.

Overall Cloud Tasks are appropriate for use cases where a task producer needs to defer or control the execution timing of a specific webhook or remote procedure call. Pub/Sub is optimal for more general event data ingestion and distribution patterns where some degree of control over execution can be sacrificed.

101
Q

What is an SRE?

A

What happens when you ask a software engineer to design an operations team

102
Q

What is the name of Google's internal version of Kubernetes?

A

Borg

103
Q

What is the structural conflict that SRE attempts to resolve, and what mechanism do we use to resolve it?

A

Pace of Innovation vs Product Stability

We resolve it through the introduction of an error budget.

Error budgets observe that a reliability target of 100% is counterproductive, as users do not see the benefit between 99.999% and 100%. So the 0.001% is the error budget.

This makes outages something that the product and ops teams expect and budget for, rather than fear.

104
Q

You have a service running on Compute Engine virtual machine instances behind a global load balancer. You need to ensure that when the instance fails, it is recovered. What should you do?

A

Set up health checks in the managed instance group configuration.

105
Q

You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster. The application exposes an HTTP-based health check at /healthz. You want to use this health check endpoint to determine whether traffic should be routed to the pod by the load balancer.
Which code snippet should you include in your Pod configuration?

A) livenessProbe
B) Liveness
C) readinessProbe
D) readiness
E) LoadbalancerHealthCheck
F) healthCheck

A

C) readinessProbe

106
Q

You are developing a JPEG image-resizing API hosted on Google Kubernetes Engine (GKE). Callers of the service will exist within the same GKE cluster. You want clients to be able to get the IP address of the service.
What should you do?

A

Define a GKE Service. Clients should use the name of the A record in Cloud DNS to find the service’s cluster IP address.

107
Q

Your service adds text to images that it reads from Cloud Storage. During busy times of the year, requests to Cloud Storage fail with an HTTP 429 "Too Many Requests" status code.
How should you handle this error?

A

Retry the request with a truncated exponential backoff strategy.

108
Q

Your application is controlled by a managed instance group. You want to share a large read-only data set between all the instances in the managed instance group. You want to ensure that each instance can start quickly and can access the data set via its filesystem with very low latency. You also want to minimize the total cost of the solution.
What should you do?

A

Move the data to a Compute Engine persistent disk, and attach the disk in read-only mode to multiple Compute Engine virtual machine instances.

109
Q

Your existing application keeps user state information in a single MySQL database. This state information is very user-specific and depends heavily on how long a user has been using an application. The MySQL database is causing challenges to maintain and enhance the schema for various users.

What recommendation do you have?

A

Migrate to Cloud Firestore in order to reduce maintenance of the schema.

110
Q

You are building a new API. You want to minimize the cost of storing and reduce the latency of serving images.
Which architecture should you use?

A

Cloud Content Delivery Network (CDN) backed by Cloud Storage

111
Q

Your company’s development teams want to use Cloud Build in their projects to build and push Docker images to Container Registry. The operations team requires all Docker images to be published to a centralized, securely managed Docker registry that the operations team manages.
What should you do?

A

Create a separate project for the operations team that has Container Registry configured. Assign appropriate permissions to the Cloud Build service account in each developer team's project to allow access to the operations team's registry.

112
Q

You are planning to deploy your application in a Google Kubernetes Engine (GKE) cluster. Your application can scale horizontally, and each instance of your application needs to have a stable network identity and its own persistent disk.
Which GKE object should you use?

A

StatefulSet

113
Q

You are using Cloud Build to build a Docker image. You need to modify the build to run unit tests and integration tests. When there is a failure, you want the build history to clearly display the stage at which the build failed.
What should you do?

A

Create a Cloud Build build config file with separate cloud builder steps to compile and execute unit and integration tests.

114
Q

You are using Cloud Build to create a new Docker image on each source code commit to a Cloud Source Repositories repository. Your application is built on every commit to the master branch. You want to release specific commits made to the master branch in an automated method.
What should you do?

A

Create a build trigger on a Git tag pattern. Use a Git tag convention for new releases.

115
Q

What is the difference between blackbox monitoring and whitebox monitoring?

A

White Box Monitoring - This type of monitoring mainly refers to monitoring the internal state of the applications running on your system. It mainly involves exposing metrics that are specific to your application, such as the total number of HTTP requests received, latency, etc.

Black Box Monitoring - This type of monitoring mainly refers to monitoring the state of services in the system. Using this type of monitoring we check things like whether the application is alive or dead, CPU/disk usage, etc.

116
Q

What is the difference between SLIs, SLOs and SLAs?

A

SLI - Service Level Indicators
SLO - A certain metric that you want to measure
SLA - A group of SLOs that have consequences if you don't satisfy them

117
Q

You’ve been tasked with evaluating Cloud Pub/Sub. What features do you include in your report? (Choose all that apply.)

A) Both push and pull delivery options.

B) Connections to Google Cloud services exclusively.

C) One-to-many, many-to-one, and many-to-many delivery possibilities.

D) HIPAA-compliant service.

A

A, C and D

118
Q

You have an autoscaled managed instance group that is set to scale based on CPU utilization of 60%. There are currently 3 instances in the instance group. You're connected to one of the instances and notice that the CPU usage is at 70%. However, the instance group isn't starting up another instance. What's the most likely reason?

A

The average CPU for the entire instance group is below 60%.

The autoscaler averages the CPU usage of the entire group, so one instance could be higher than the usage threshold.

119
Q

You need to find a way to connect your on-premises network with Cloud VPC. Which Google Cloud service offers the lowest latency and RFC 1918 communication?

A

Cloud Interconnect

120
Q

You are running an autoscaling Managed Instance Group (MIG) in Compute Engine. The instances themselves conduct simulations that are fed to them from a scheduling application. This scheduling application has a simple API and also provides service discovery. When instances scale down, the scheduling application needs to know that they are no longer available to receive simulation jobs. What is the easiest way to configure this?

A

Provide a local shutdown script as part of the Instance Template that contacts the scheduling API.

121
Q

You are creating a complex design for your GCP project with numerous applications that exist within different trust boundaries. Network traffic must be restricted to specific applications and ports and should not be allowed to leave a specific trust boundary across the network. Which GCP services will help you achieve this?
(Select All)

A) Network tags

B) Firewall rules

C) Cloud Interconnect

D) VPC networks

E) Shared VPC

A

A, B and D

122
Q

You want to run a workload in GKE that should have access to a private Cloud Run service. Permission to access the Cloud Run service has been granted to a custom service account. Ideally, you don’t want to alter the container running in GKE. Which of the following is the best approach to take?

A) Get JSON credentials for the service account and create an environment variable in the Pod manifest to store them.

B) Create a Kubernetes service account to run the workload in GKE. Use Workload Identity to map the Kubernetes service account to the GCP service account.

C) Get JSON credentials for the service account and include them in the container that is deployed to GKE.

D) Get JSON credentials for the service account and store them as a Secret object in Kubernetes. Mount the Secret object in the Pod alongside the container in GKE to access the credentials.

A

B) Create a Kubernetes service account to run the workload in GKE. Use Workload Identity to map the Kubernetes service account to the GCP service account.

123
Q

You are running a backend service in Kubernetes Engine that is required to communicate with the Cloud Vision API. In order for this to work, you must authenticate with the API. What options do you have for setting this up securely?
(Select 2)

A) Create a custom service account for the backend app, use workload identity in GKE, and have the app retrieve a valid JWT token from the metadata server to use as a bearer token in its request to the Cloud Vision API.

B) Create an API key in the GCP project. Use a Secret object in Kubernetes to assign the key as an environment variable for the backend app to use when making requests to the Cloud Vision API.

C) Create a custom service account for the backend app and generate a JSON key. Copy the JSON key into the container image used to deploy the backend app. Send the JSON key in the header when making requests to the Cloud Vision API.

D) Create a custom service account for the backend app and generate a JSON key. Copy the JSON key into the container image used to deploy the backend app. Use gcloud inside the container to activate the service account using the key.

A

A and B

124
Q

What are the differences between a VPC network and subnets within GCP?

A

1) Subnets are regional resources, as opposed to VPC networks which are global resources.
2) Each subnet defines a range of IP addresses. VPC networks do not have any IP address ranges associated to them.

125
Q

How would you go about connecting VPC networks securely within a hybrid environment?

A

Cloud VPN or Cloud Interconnect.

126
Q

What is the difference between Shared VPC and VPC Peering?

A

VPC Peering - Establishes a relationship between two VPCs in different projects so they can exchange traffic.

Shared VPC - Enables the full capabilities of IAM across multiple VPCs in multiple projects to control who and what can interact with resources within another peered VPC.

127
Q

What are the benefits of Terraform?

A

1) Automation of multi-cloud environments.
2) Reduced development costs - Reduced time and errors in provisioning infrastructure, and less repetition in provisioning infrastructure.
3) Collaborative infrastructure management - Easy integration with SCRs for enhanced version control and collaboration.
4) No need to write additional documentation - The tf files become the documentation.

128
Q

What are providers within Terraform?

A

A plugin that allows us to talk and authenticate to a specific set of APIs.

129
Q

What does the terraform plan command do?

A

Dry run of the code so you can see all the changes that will take place, demonstrating what new instances will be created, changed or destroyed prior to implementing the change. Allows you to reduce the risk of breaking your production environment.

130
Q

What does the terraform apply command do?

A

Checks for changes between the deployed environment and the configuration within the declarative tf file, and implements changes on any resources that have a change in configuration.

131
Q

How would you go about terminating all resources using Terraform?

A

In the CLI, run "terraform destroy".

132
Q

What does the terraform.tfstate file contain?

A

The latest applied state of the tf files, so it can be used to compare to previous deployed versions to identify where changes have been made.

133
Q

What are the 4 benefits of gRPC over REST APIs?

A

1) Lightweight messages. Depending on the type of call, gRPC-specific messages can be up to 30 percent smaller in size than JSON messages.
2) High performance. By different evaluations, gRPC is 5, 7, and even 8 times faster than REST+JSON communication.
3) Built-in code generation. gRPC has automated code generation in different programming languages including Java, C++, Python, Go, Dart, Objective-C, Ruby, and more.
4) More connection options. While REST focuses on request-response architecture, gRPC provides support for data streaming with event-driven architectures: server-side streaming, client-side streaming, and bidirectional streaming.

134
Q

What is the primary use case for gRPC and what are some of the features that support this use case?

A

You would use gRPC in environments where:

1) Real-time communication services where you deal with streaming calls
2) In multi-language environments
3) For internal APIs where you don’t have to force technology choices on clients

Therefore, Microservices are the best use case for gRPC.