PCA-QA - 126-169 Flashcards

1
Q

Your company has an application deployed on Anthos clusters (formerly Anthos GKE) that is running multiple microservices. The cluster has both Anthos Service Mesh and Anthos Config Management configured. End users inform you that the application is responding very slowly. You want to identify the microservice that is causing the delay. What should you do?

A

A. Use the Service Mesh visualization in the Cloud Console to inspect the telemetry between the microservices.

2
Q

You are working at a financial institution that stores mortgage loan approval documents on Cloud Storage. Any change to these approval documents must be uploaded as a separate approval file, so you want to ensure that these documents cannot be deleted or overwritten for the next 5 years. What should you do?

A

A. Create a retention policy on the bucket for the duration of 5 years. Create a lock on the retention policy.

3
Q

Your team will start developing a new application using microservices architecture on Kubernetes Engine. As part of the development lifecycle, any code change that has been pushed to the remote develop branch on your GitHub repository should be built and tested automatically. When the build and test are successful, the relevant microservice will be deployed automatically in the development environment. You want to ensure that all code deployed in the development environment follows this process. What should you do?

A

C. Create a Cloud Build trigger based on the development branch that tests the code, builds the container, and stores it in Container Registry. Create a deployment pipeline that watches for new images and deploys the new image on the development cluster. Ensure only the deployment tool has access to deploy new versions.

4
Q

Your operations team has asked you to help diagnose a performance issue in a production application that runs on Compute Engine. The application is dropping requests that reach it when under heavy load. The process list for affected instances shows a single application process that is consuming all available CPU, and autoscaling has reached the upper limit of instances. There is no abnormal load on any other related systems, including the database. You want to allow production traffic to be served again as quickly as possible. Which action should you recommend?

A

D. Increase the maximum number of instances in the autoscaling group.

5
Q

You are implementing the infrastructure for a web service on Google Cloud. The web service needs to receive and store the data from 500,000 requests per second. The data will be queried later in real time, based on exact matches of a known set of attributes. There will be periods where the web service will not receive any requests. The business wants to keep costs low. Which web service platform and database should you use for the application?

A

B. Cloud Run and Cloud Bigtable

6
Q

You are developing an application using different microservices that should remain internal to the cluster. You want to be able to configure each microservice with a specific number of replicas. You also want to be able to address a specific microservice from any other microservice in a uniform way, regardless of the number of replicas the microservice scales to. You need to implement this solution on Google Kubernetes Engine. What should you do?

A

A. Deploy each microservice as a Deployment. Expose the Deployment in the cluster using a Service, and use the Service DNS name to address it from other microservices within the cluster.

7
Q

Your company has a networking team and a development team. The development team runs applications on Compute Engine instances that contain sensitive data. The development team requires administrative permissions for Compute Engine. Your company requires all network resources to be managed by the networking team. The development team does not want the networking team to have access to the sensitive data on the instances. What should you do?

A

B. 1. Create a project with a standalone Virtual Private Cloud (VPC), assign the Network Admin role to the networking team, and assign the Compute Admin role to the development team.

8
Q

Your company wants you to build a highly reliable web application with a few public APIs as the backend. You don’t expect a lot of user traffic, but traffic could spike occasionally. You want to leverage Cloud Load Balancing, and the solution must be cost-effective for users. What should you do?

A

D. Store static content such as HTML and images in a Cloud Storage bucket. Use Cloud Functions to host the APIs and save the user data in Firestore.

9
Q

Your company sends all Google Cloud logs to Cloud Logging. Your security team wants to monitor the logs. You want to ensure that the security team can react quickly if an anomaly such as an unwanted firewall change or server breach is detected. You want to follow Google-recommended practices. What should you do?

A

C. Export logs to a Pub/Sub topic, and trigger Cloud Function with the relevant log events.

10
Q

You have deployed several instances on Compute Engine. As a security requirement, instances cannot have a public IP address. There is no VPN connection between Google Cloud and your office, and you need to connect via SSH into a specific machine without violating the security requirements. What should you do?

A

C. Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to ssh into the instance.

11
Q

Your company is using Google Cloud. You have two folders under the Organization: Finance and Shopping. The members of the development team are in a Google Group. The development team group has been assigned the Project Owner role on the Organization. You want to prevent the development team from creating resources in projects in the Finance folder. What should you do?

A

C. Assign the development team group the Project Owner role on the Shopping folder, and remove the development team group Project Owner role from the Organization.

12
Q

You are developing your microservices application on Google Kubernetes Engine. During testing, you want to validate the behavior of your application in case a specific microservice should suddenly crash. What should you do?

A

B. Use Istio’s fault injection on the particular microservice whose faulty behavior you want to simulate.

13
Q

Your company is developing a new application that will allow globally distributed users to upload pictures and share them with other selected users. The application will support millions of concurrent users. You want to allow developers to focus on just building code without having to create and maintain the underlying infrastructure. Which service should you use to deploy the application?

A

A. App Engine

14
Q

Your company provides a recommendation engine for retail customers. You are providing retail customers with an API where they can submit a user ID and the API returns a list of recommendations for that user. You are responsible for the API lifecycle and want to ensure stability for your customers in case the API makes backward-incompatible changes. You want to follow Google-recommended practices. What should you do?

A

C. Use a versioning strategy for the APIs that increases the version number on every backward-incompatible change.

15
Q

Your company has developed a monolithic, 3-tier application to allow external users to upload and share files. The solution cannot be easily enhanced and lacks reliability. The development team would like to re-architect the application to adopt microservices and a fully managed service approach, but they need to convince their leadership that the effort is worthwhile. Which advantage(s) should they highlight to leadership?

A

C. The new approach will make it easier to decouple infrastructure from application, develop and release new features, manage the underlying infrastructure, manage CI/CD pipelines and perform A/B testing, and scale the solution if necessary.

16
Q

Your team is developing a web application that will be deployed on Google Kubernetes Engine (GKE). Your CTO expects a successful launch and you need to ensure your application can handle the expected load of tens of thousands of users. You want to test the current deployment to ensure the latency of your application stays below a certain threshold. What should you do?

A

A. Use a load testing tool to simulate the expected number of concurrent users and total requests to your application, and inspect the results.

17
Q

Your company has a Kubernetes application that pulls messages from Pub/Sub and stores them in Filestore. Because the application is simple, it was deployed as a single pod. The infrastructure team has analyzed Pub/Sub metrics and discovered that the application cannot process the messages in real time. Most of them wait for minutes before being processed. You need to scale the elaboration process that is I/O-intensive. What should you do?

A

D. Configure a Kubernetes autoscaling deployment based on the subscription/num_undelivered_messages metric.

18
Q

Your company is developing a web-based application. You need to make sure that production deployments are linked to source code commits and are fully auditable. What should you do?

A

C. Make the container tag match the source code commit hash.

19
Q

An application development team has come to you for advice. They are planning to write and deploy an HTTP(S) API using Go 1.12. The API will have a very unpredictable workload and must remain reliable during peaks in traffic. They want to minimize operational overhead for this application. Which approach should you recommend?

A

B. Develop the application for App Engine standard environment.

20
Q

Your company is designing its data lake on Google Cloud and wants to develop different ingestion pipelines to collect unstructured data from different sources. After the data is stored in Google Cloud, it will be processed in several data pipelines to build a recommendation engine for end users on the website. The structure of the data retrieved from the source systems can change at any time. The data must be stored exactly as it was retrieved for reprocessing purposes in case the data structure is incompatible with the current processing pipelines. You need to design an architecture to support the use case after you retrieve the data. What should you do?

A

D. Store the data in a Cloud Storage bucket. Design the processing pipelines to retrieve the data from the bucket.

21
Q

You are responsible for the Google Cloud environment in your company. Multiple departments need access to their own projects, and the members within each department will have the same project responsibilities. You want to structure your Google Cloud environment for minimal maintenance and maximum overview of IAM permissions as each department’s projects start and end. You want to follow Google-recommended practices. What should you do?

A

B. Create a Google Group per department and add all department members to their respective groups. Create a folder per department and grant the respective group the required IAM permissions at the folder level. Add the projects under the respective folders.

22
Q

Your company has an application running as a Deployment in a Google Kubernetes Engine (GKE) cluster. You have separate clusters for development, staging, and production. You have discovered that the team is able to deploy a Docker image to the production cluster without first testing the deployment in development and then staging. You want to allow the team to have autonomy but want to prevent this from happening. You want a Google Cloud solution that can be implemented quickly with minimal effort. What should you do?

A

C. Configure binary authorization policies for the development, staging, and production clusters. Create attestations as part of the continuous integration pipeline.

23
Q

Your company wants to migrate their 10-TB on-premises database export into Cloud Storage. You want to minimize the time it takes to complete this activity, the overall cost, and database load. The bandwidth between the on-premises environment and Google Cloud is 1 Gbps. You want to follow Google-recommended practices. What should you do?

A

B. Use the Data Transfer appliance to perform an offline migration.

24
Q

Your company has an enterprise application running on Compute Engine that requires high availability and high performance. The application has been deployed on two instances in two zones in the same region in active-passive mode. The application writes data to a persistent disk. In the case of a single zone outage, that data should be immediately made available to the other instance in the other zone. You want to maximize performance while minimizing downtime and data loss. What should you do?

A

C. 1. Attach a regional SSD persistent disk to the first instance. 2. In case of a zone outage, force-attach the disk to the other instance.

25
Q

You are designing a Data Warehouse on Google Cloud and want to store sensitive data in BigQuery. Your company requires you to generate the encryption keys outside of Google Cloud. You need to implement a solution. What should you do?

A

D. Import a key in Cloud KMS. Create a dataset in BigQuery using the customer-supplied key option and select the created key.

26
Q

Your organization has stored sensitive data in a Cloud Storage bucket. For regulatory reasons, your company must be able to rotate the encryption key used to encrypt the data in the bucket. The data will be processed in Dataproc. You want to follow Google-recommended practices for security. What should you do?

A

B. Create a key with Cloud Key Management Service (KMS). Set the encryption key on the bucket to the Cloud KMS key.

27
Q

Your team needs to create a Google Kubernetes Engine (GKE) cluster to host a newly built application that requires access to third-party services on the internet. Your company does not allow any Compute Engine instance to have a public IP address on Google Cloud. You need to create a deployment strategy that adheres to these guidelines. What should you do?

A

A. Configure the GKE cluster as a private cluster, and configure Cloud NAT Gateway for the cluster subnet.

28
Q

Your company has a support ticketing solution that uses App Engine Standard. The project that contains the App Engine application already has a Virtual Private Cloud (VPC) network fully connected to the company’s on-premises environment through a Cloud VPN tunnel. You want to enable the App Engine application to communicate with a database that is running in the company’s on-premises environment. What should you do?

A

D. Configure serverless VPC access.

29
Q

Your company is planning to upload several important files to Cloud Storage. After the upload is completed, they want to verify that the uploaded content is identical to what they have on-premises. You want to minimize the cost and effort of performing this check. What should you do?

A

D. 1. Use gsutil -m to upload the files to Cloud Storage. 2. Use gsutil hash -c FILE_NAME to generate CRC32C hashes of all on-premises files. 3. Use gsutil ls -L gs://[YOUR_BUCKET_NAME] to collect CRC32C hashes of the uploaded files. 4. Compare the hashes.

30
Q

You have deployed an application on Anthos clusters (formerly Anthos GKE). According to the SRE practices at your company, you need to be alerted if request latency is above a certain threshold for a specified amount of time. What should you do?

A

A. Install Anthos Service Mesh on your cluster. Use the Google Cloud Console to define a Service Level Objective (SLO), and create an alerting policy based on this SLO.

31
Q

Your company has a stateless web API that performs scientific calculations. The web API runs on a single Google Kubernetes Engine (GKE) cluster. The cluster is currently deployed in us-central1. Your company has expanded to offer your API to customers in Asia. You want to reduce the latency for users in Asia. What should you do?

A

C. Create a second GKE cluster in asia-southeast1, and use kubemci to create a global HTTP(s) load balancer.

32
Q

You are migrating third-party applications from optimized on-premises virtual machines to Google Cloud. You are unsure about the optimum CPU and memory options. The applications have a consistent usage pattern across multiple weeks. You want to optimize resource usage for the lowest cost. What should you do?

A

D. Create a Compute Engine instance with CPU and memory options similar to your application’s current on-premises virtual machine. Install the Cloud Monitoring agent, and deploy the third-party application. Run a load test with normal traffic levels on the application, and follow the Rightsizing Recommendations in the Cloud Console.

33
Q

Your company has a Google Cloud project that uses BigQuery for data warehousing. They have a VPN tunnel between the on-premises environment and Google Cloud that is configured with Cloud VPN. The security team wants to avoid data exfiltration by malicious insiders, compromised code, and accidental oversharing. What should they do?

A

C. Configure VPC Service Controls and configure Private Google Access.

34
Q

You are working at an institution that processes medical data. You are migrating several workloads onto Google Cloud. Company policies require all workloads to run on physically separated hardware, and workloads from different clients must also be separated. You created a sole-tenant node group and added a node for each client. You need to deploy the workloads on these dedicated hosts. What should you do?

A

D. Use node affinity labels based on the node name when creating Compute Engine instances in order to host each workload on the correct node.

35
Q

Your company’s test suite is a custom C++ application that runs tests throughout each day on Linux virtual machines. The full test suite takes several hours to complete, running on a limited number of on-premises servers reserved for testing. Your company wants to move the testing infrastructure to the cloud, to reduce the amount of time it takes to fully test a change to the system, while changing the tests as little as possible. Which cloud infrastructure should you recommend?

A

B. Google Compute Engine managed instance groups with auto-scaling

36
Q

A lead software engineer tells you that his new application design uses websockets and HTTP sessions that are not distributed across the web servers. You want to help him ensure his application will run properly on Google Cloud Platform. What should you do?

A

C. Meet with the cloud operations team and the engineer to discuss load balancer options

37
Q

The application reliability team at your company has added a debug feature to their backend service to send all server events to Google Cloud Storage for eventual analysis. The event records are at least 50 KB and at most 15 MB and are expected to peak at 3,000 events per second. You want to minimize data loss. Which process should you implement?

A

D. • Append metadata to file body • Compress individual files • Name files with a random prefix pattern • Save files to one bucket

38
Q

A recent audit revealed that a new network was created in your GCP project. In this network, a GCE instance has an SSH port open to the world. You want to discover this network’s origin. What should you do?

A

C. In the Logging section of the console, specify GCE Network as the logging section. Search for the Create Insert entry

39
Q

You want to make a copy of a production Linux virtual machine in the US-Central region. You want to manage and replace the copy easily if there are changes on the production virtual machine. You will deploy the copy as a new instance in a different project in the US-East region. What steps must you take?

A

D. Create a snapshot of the root disk, create an image file in Google Cloud Storage from the snapshot, and create a new virtual machine instance in the US-East region using the image file for the root disk.

40
Q

Your company runs several databases on a single MySQL instance. They need to take backups of a specific database at regular intervals. The backup activity needs to complete as quickly as possible and cannot be allowed to impact disk performance. How should you configure the storage?

A

B. Mount a Local SSD volume as the backup location. After the backup is complete, use gsutil to move the backup to Google Cloud Storage.

41
Q

You are helping the QA team to roll out a new load-testing tool to test the scalability of your primary cloud services that run on Google Compute Engine with Cloud Bigtable. Which three requirements should they include? (Choose three.)

A

A. Ensure that the load tests validate the performance of Cloud Bigtable
B. Create a separate Google Cloud project to use for the load-testing environment
F. Instrument the load-testing tool and the target services with detailed logging and metrics collection

42
Q

Your customer is moving their corporate applications to Google Cloud Platform. The security team wants detailed visibility of all projects in the organization. You provision the Google Cloud Resource Manager and set up yourself as the org admin. What Google Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?

A

B. Org viewer, project viewer

43
Q

Your company places a high value on being responsive and meeting customer needs quickly. Their primary business objectives are release speed and agility. You want to reduce the chance of security errors being accidentally introduced. Which two actions can you take? (Choose two.)

A

B. Use source code security analyzers as part of the CI/CD pipeline
E. Run a vulnerability security scanner as part of your continuous-integration/continuous-delivery (CI/CD) pipeline