PCA-QA - 71-125 Flashcards

1
Q

You are using a single Cloud SQL instance to serve your application from a specific zone. You want to introduce
high availability. What should you do?

A

D. Create a failover replica instance in the same region, but in a different zone

2
Q

Your company is running a stateless application on a Compute Engine instance. The application is used heavily during regular business hours and lightly outside of business hours. Users are reporting that the application is slow during peak hours. You need to optimize the application’s performance. What should you do?

A

C. Create a custom image from the existing disk. Create an instance template from the custom image. Create an autoscaled managed instance group from the instance template.

3
Q

Your web application has several VM instances running within a VPC. You want to restrict communications
between instances to only the paths and ports you authorize, but you don’t want to rely on static IP addresses or
subnets because the app can autoscale. How should you restrict communications?

A

B. Use firewall rules based on network tags attached to the compute instances

4
Q

You are using Cloud SQL as the database backend for a large CRM deployment. You want to scale as usage
increases and ensure that you don’t run out of storage, maintain 75% CPU usage cores, and keep replication lag
below 60 seconds. What are the correct steps to meet your requirements?

A

A. 1. Enable automatic storage increase for the instance. 2. Create a Stackdriver alert when CPU usage exceeds
75%, and change the instance type to reduce CPU usage. 3. Create a Stackdriver alert for replication lag, and
shard the database to reduce replication time.

5
Q

You are tasked with building an online analytical processing (OLAP) marketing analytics and reporting tool. This
requires a relational database that can operate on hundreds of terabytes of data. What is the Google-recommended tool for such applications?

A

D. BigQuery, because it is designed for large-scale processing of tabular data

6
Q

You have deployed an application to Google Kubernetes Engine (GKE), and are using the Cloud SQL proxy
container to make the Cloud SQL database available to the services running on Kubernetes. You are notified that
the application is reporting database connection issues. Your company policies require a post-mortem. What
should you do?

A

C. In the GCP Console, navigate to Stackdriver Logging. Consult logs for (GKE) and Cloud SQL.

7
Q

Your company pushes batches of sensitive transaction data from its application server VMs to Cloud Pub/Sub for
processing and storage. What is the Google-recommended way for your application to authenticate to the
required Google Cloud services?

A

A. Ensure that VM service accounts are granted the appropriate Cloud Pub/Sub IAM roles.

8
Q

You want to establish a Compute Engine application in a single VPC across two regions. The application must
communicate over VPN to an on-premises network.
How should you deploy the VPN?

A

D. Deploy Cloud VPN Gateway in each region. Ensure that each region has at least one VPN tunnel to the on-premises peer gateway

9
Q

Your applications will be writing their logs to BigQuery for analysis. Each application should have its own table. Any
logs older than 45 days should be removed.
You want to optimize storage and follow Google-recommended practices. What should you do?

A

B. Make the tables time-partitioned, and configure the partition expiration at 45 days

10
Q

You want your Google Kubernetes Engine cluster to automatically add or remove nodes based on CPU load.
What should you do?

A

A. Configure a HorizontalPodAutoscaler with a target CPU usage. Enable the Cluster Autoscaler from the GCP Console.

11
Q

You need to develop procedures to verify resilience of disaster recovery for remote recovery using GCP. Your
production environment is hosted on-premises. You need to establish a secure, redundant connection between
your on-premises network and the GCP network.
What should you do?

A

B. Verify that Dedicated Interconnect can replicate files to GCP. Verify that Cloud VPN can establish a secure
connection between your networks if Dedicated Interconnect fails.

12
Q

Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Company Overview -
HipLocal is a community application designed to facilitate communication between people in close proximity. It is used for event planning and organizing sporting events, and for businesses to connect with their local communities. HipLocal launched recently in a few neighborhoods in Dallas and is rapidly growing into a global phenomenon. Its unique style of hyper-local community communication and business outreach is in demand around the world.

Executive Statement -
We are the number one local community app; it’s time to take our local community services global. Our venture capital investors want to see rapid growth and the same great experience for new local and virtual communities that come online, whether their members are 10 or 10000 miles away from each other.

Solution Concept -
HipLocal wants to expand their existing service, with updated functionality, in new regions to better serve their global customers. They want to hire and train a new team to support these regions in their time zones. They will need to ensure that the application scales smoothly and provides clear uptime data.

Existing Technical Environment -
HipLocal’s environment is a mix of on-premises hardware and infrastructure running in Google Cloud Platform. The HipLocal team understands their application well, but has limited experience in global scale applications. Their existing technical environment is as follows:
* Existing APIs run on Compute Engine virtual machine instances hosted in GCP.
* State is stored in a single instance MySQL database in GCP.
* Data is exported to an on-premises Teradata/Vertica data warehouse.
* Data analytics is performed in an on-premises Hadoop environment.
* The application has no logging.
* There are basic indicators of uptime; alerts are frequently fired when the APIs are unresponsive.

Business Requirements -
HipLocal’s investors want to expand their footprint and support the increase in demand they are seeing. Their requirements are:
* Expand availability of the application to new regions.
* Increase the number of concurrent users that can be supported.
* Ensure a consistent experience for users when they travel to different regions.
* Obtain user activity metrics to better understand how to monetize their product.
* Ensure compliance with regulations in the new regions (for example, GDPR).
* Reduce infrastructure management time and cost.
* Adopt the Google-recommended practices for cloud computing.

Technical Requirements -
* The application and backend must provide usage metrics and monitoring.
* APIs require strong authentication and authorization.
* Logging must be increased, and data should be stored in a cloud analytics platform.
* Move to serverless architecture to facilitate elastic scaling.
* Provide authorized access to internal apps in a secure manner.
HipLocal is configuring their access controls.
Which firewall configuration should they implement?

A

C. Allow traffic on port 443 for a specific tag.

13
Q

Your customer wants to do resilience testing of their authentication layer. This consists of a regional managed instance group serving a public REST API that reads from and writes to a Cloud SQL instance.
What should you do?

A

C. Schedule a disaster simulation exercise during which you can shut off all VMs in a zone to see how your application behaves.

14
Q

Your BigQuery project has several users. For audit purposes, you need to see how many queries each user ran in the last month. What should you do?

A

D. Use Cloud Audit Logging to view Cloud Audit Logs, and create a filter on the query operation to get the required information.

15
Q

You want to automate the creation of a managed instance group. The VMs have many OS package dependencies.
You want to minimize the startup time for new VMs in the instance group.
What should you do?

A

B. Create a custom VM image with all OS package dependencies. Use Deployment Manager to create the managed instance group with the VM image.

16
Q

Your company captures all web traffic data in Google Analytics 360 and stores it in BigQuery. Each country has its
own dataset. Each dataset has multiple tables.
You want analysts from each country to be able to see and query only the data for their respective countries.
How should you configure the access rights?

A

A. Create a group per country. Add analysts to their respective country-groups. Create a single group ‘all_analysts’, and add all country-groups as members. Grant the ‘all_analysts’ group the IAM role of BigQuery jobUser. Share the appropriate dataset with view access with each respective analyst country-group.

17
Q

You have been engaged by your client to lead the migration of their application infrastructure to GCP. One of their current problems is that the on-premises high performance SAN is requiring frequent and expensive upgrades to keep up with the variety of workloads that are identified as follows: 20 TB of log archives retained for legal reasons; 500 GB of VM boot/data volumes and templates; 500 GB of image thumbnails; 200 GB of customer session state data that allows customers to restart sessions even if off-line for several days.
Which of the following best reflects your recommendations for a cost-effective storage allocation?

A

B. Memcache backed by Cloud Datastore for the customer session state data. Lifecycle-managed Cloud Storage for log archives, thumbnails, and VM boot/data volumes.

18
Q

Your web application uses Google Kubernetes Engine to manage several workloads. One workload requires a consistent set of hostnames even after pod scaling and relaunches.
Which feature of Kubernetes should you use to accomplish this?

A

A. StatefulSets

19
Q

You are using Cloud CDN to deliver static HTTP(S) website content hosted on a Compute Engine instance group. You want to improve the cache hit ratio.
What should you do?

A

A. Customize the cache keys to omit the protocol from the key

20
Q

Your architecture calls for the centralized collection of all admin activity and VM system logs within your project.
How should you collect these logs from both VMs and services?

A

B. Stackdriver automatically collects admin activity logs for most services. The Stackdriver Logging agent must
be installed on each instance to collect system logs.

21
Q

You have an App Engine application that needs to be updated. You want to test the update with production traffic before replacing the current application version.
What should you do?

A

B. Deploy the update as a new version in the App Engine application, and split traffic between the new and current versions.

22
Q

All Compute Engine instances in your VPC should be able to connect to an Active Directory server on specific ports. Any other traffic emerging from your instances is not allowed. You want to enforce this using VPC firewall rules.
How should you configure the firewall rules?

A

A. Create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances.

23
Q

Your customer runs a web service used by e-commerce sites to offer product recommendations to users. The
company has begun experimenting with a machine learning model on Google Cloud Platform to improve the
quality of results.
What should the customer do to improve their model’s results over time?

A

D. Save a history of recommendations and results of the recommendations in BigQuery, to be used as training
data

24
Q

A development team at your company has created a dockerized HTTPS web application. You need to deploy the application on Google Kubernetes Engine (GKE) and make sure that the application scales automatically.
How should you deploy to GKE?

A

A. Use the Horizontal Pod Autoscaler and enable cluster autoscaling. Use an Ingress resource to load-balance the HTTPS traffic.

25
Q

You need to design a solution for global load balancing based on the URL path being requested. You need to ensure operations reliability and end-to-end in-transit encryption based on Google best practices.
What should you do?

A

B. Create an HTTPS load balancer with URL Maps.

26
Q

You have an application that makes HTTP requests to Cloud Storage. Occasionally the requests fail with HTTP status codes of 5xx and 429.
How should you handle these types of errors?

A

B. Implement retry logic using a truncated exponential backoff strategy

27
Q

You need to develop procedures to test a disaster plan for a mission-critical application. You want to use Google-recommended practices and native capabilities within GCP.
What should you do?

A

B. Use Deployment Manager to automate service provisioning. Use Stackdriver to monitor and debug your tests.

28
Q

Your company creates rendering software which users can download from the company website. Your company has customers all over the world. You want to minimize latency for all your customers. You want to follow Google-recommended practices.
How should you store the files?

A

D. Save the files in multiple Multi-Regional Cloud Storage buckets, one bucket per multi-region.

29
Q

Your company acquired a healthcare startup and must retain its customers’ medical information for up to 4 more
years, depending on when it was created. Your corporate policy is to securely retain this data, and then delete it as
soon as regulations allow.
Which approach should you take?

A

C. Store the data in Cloud Storage and use lifecycle management to delete files when they expire

30
Q

You are deploying a PHP App Engine Standard service with Cloud SQL as the backend. You want to minimize the
number of queries to the database.
What should you do?

A

A. Set the memcache service level to dedicated. Create a key from the hash of the query, and return database values from memcache before issuing a query to Cloud SQL.

31
Q

You need to ensure reliability for your application and operations by supporting reliable task scheduling for
compute on GCP. Leveraging Google best practices, what should you do?

A

B. Using the Cron service provided by App Engine, publish messages to a Cloud Pub/Sub topic. Subscribe to that topic using a message-processing utility service running on Compute Engine instances.

32
Q

Your company is building a new architecture to support its data-centric business focus. You are responsible for setting up the network. Your company’s mobile and web-facing applications will be deployed on-premises, and all data analysis will be conducted in GCP. The plan is to process and load 7 years of archived .csv files totaling 900 TB of data and then continue loading 10 TB of data daily. You currently have an existing 100-MB internet connection.
What actions will meet your company’s needs?

A

B. Lease a Transfer Appliance, upload archived files to it, and send it to Google to transfer archived data to Cloud Storage. Establish a connection with Google using a Dedicated Interconnect or Direct Peering connection and use it to upload files daily.

33
Q

You are developing a globally scaled frontend for a legacy streaming backend data API. This API expects events in
strict chronological order with no repeat data for proper processing.
Which products should you deploy to ensure guaranteed-once FIFO (first-in, first-out) delivery of data?

A

B. Cloud Pub/Sub to Cloud Dataflow

34
Q

Your company is planning to perform a lift and shift migration of their Linux RHEL 6.5+ virtual machines. The
virtual machines are running in an on-premises VMware environment. You want to migrate them to Compute Engine following Google-recommended practices.
What should you do?

A

C. 1. Perform an assessment of virtual machines running in the current VMware environment. 2. Define a migration plan, prepare a Migrate for Compute Engine migration RunBook, and execute the migration

35
Q

You need to deploy an application to Google Cloud. The application receives traffic via TCP and reads and writes data to the filesystem. The application does not support horizontal scaling. The application process requires full control over the data on the file system because concurrent access causes corruption. The business is willing to accept a downtime when an incident occurs, but the application must be available 24/7 to support their business operations. You need to design the architecture of this application on Google Cloud. What should you do?

A

D. Use an unmanaged instance group with an active and standby instance in different zones, use a regional persistent disk, and use a network load balancer in front of the instances.

36
Q

Your company has an application running on multiple Compute Engine instances. You need to ensure that the application can communicate with an on-premises service that requires high throughput via internal IPs, while minimizing latency. What should you do?

A

D. Configure a Cloud Dedicated Interconnect connection between the on-premises environment and Google
Cloud.

37
Q

You are managing an application deployed on Cloud Run for Anthos, and you need to define a strategy for deploying new versions of the application. You want to evaluate the new code with a subset of production traffic to decide whether to proceed with the rollout. What should you do?

A

A. Deploy a new revision to Cloud Run with the new version. Configure traffic percentage between revisions.

38
Q

You are monitoring Google Kubernetes Engine (GKE) clusters in a Cloud Monitoring workspace. As a Site Reliability Engineer (SRE), you need to triage incidents quickly. What should you do?

A

A. Navigate the predefined dashboards in the Cloud Monitoring workspace, and then add metrics and create
alert policies.

39
Q

You are implementing a single Cloud SQL MySQL second-generation database that contains business-critical transaction data. You want to ensure that the minimum amount of data is lost in case of catastrophic failure. Which two features should you implement? (Choose two.)

A

C. Binary logging
D. Automated backups

40
Q

You are working at a sports association whose members range in age from 8 to 30. The association collects a large amount of health data, such as sustained injuries. You are storing this data in BigQuery. Current legislation requires you to delete such information upon request of the subject. You want to design a solution that can accommodate such a request. What should you do?

A

A. Use a unique identifier for each individual. Upon a deletion request, delete all rows from BigQuery with this identifier.

41
Q

Your company has announced that they will be outsourcing operations functions. You want to allow developers to easily stage new versions of a cloud-based application in the production environment and allow the outsourced operations team to autonomously promote staged versions to production. You want to minimize the operational overhead of the solution. Which Google Cloud product should you migrate to?

A

A. App Engine

42
Q

Your company is running its application workloads on Compute Engine. The applications have been deployed in
production, acceptance, and development environments. The production environment is business-critical and is
used 24/7, while the acceptance and development environments are only critical during office hours. Your CFO has
asked you to optimize these environments to achieve cost savings during idle times. What should you do?

A

B. Use Cloud Scheduler to trigger a Cloud Function that will stop the development and acceptance environments after office hours and start them just before office hours.

43
Q

You are moving an application that uses MySQL from on-premises to Google Cloud. The application will run on Compute Engine and will use Cloud SQL. You want to cut over to the Compute Engine deployment of the application with minimal downtime and no data loss to your customers. You want to migrate the application with minimal modification. You also need to determine the cutover strategy. What should you do?

A

C. 1. Set up Cloud VPN to provide private network connectivity between the Compute Engine application and the on-premises MySQL server. 2. Stop the on-premises application. 3. Start the Compute Engine application, configured to read and write to the on-premises MySQL server. 4. Create the replication configuration in Cloud SQL. 5. Configure the source database server to accept connections from the Cloud SQL replica. 6. Finalize the Cloud SQL replica configuration. 7. When replication has been completed, stop the Compute Engine application. 8. Promote the Cloud SQL replica to a standalone instance. 9. Restart the Compute Engine application, configured to read and write to the Cloud SQL standalone instance.

44
Q

Your organization has decided to restrict the use of external IP addresses on instances to only approved instances.
You want to enforce this requirement across all of your Virtual Private Clouds (VPCs). What should you do?

A

D. Set an Organization Policy with a constraint on constraints/compute.vmExternalIpAccess. List the approved instances in the allowedValues list.

45
Q

Your company uses the Firewall Insights feature in the Google Network Intelligence Center. You have several
firewall rules applied to Compute Engine instances.
You need to evaluate the efficiency of the applied firewall ruleset. When you bring up the Firewall Insights page in
the Google Cloud Console, you notice that there are no log rows to display. What should you do to troubleshoot the
issue?

A

B. Enable Firewall Rules Logging for the firewall rules you want to monitor.

46
Q

Your company has sensitive data in Cloud Storage buckets. Data analysts have Identity Access Management (IAM) permissions to read the buckets. You want to prevent data analysts from retrieving the data in the buckets from outside the office network. What should you do?

A

A. 1. Create a VPC Service Controls perimeter that includes the projects with the buckets. 2. Create an access level with the CIDR of the office network.

47
Q

You have developed a non-critical update to your application that is running in a managed instance group, and have
created a new instance template with the update that you want to release. To prevent any possible impact to the
application, you don’t want to update any running instances. You want any new instances that are created by the
managed instance group to contain the new update. What should you do?

A

C. Start a new rolling update. Select the Proactive update mode.

48
Q

Your company is designing its application landscape on Compute Engine. Whenever a zonal outage occurs, the
application should be restored in another zone as quickly as possible with the latest application data. You need to
design the solution to meet this requirement. What should you do?

A

B. Configure the Compute Engine instances with an instance template for the application, and use a regional persistent disk for the application data. Whenever a zonal outage occurs, use the instance template to spin up the application in another zone in the same region. Use the regional persistent disk for the application data.

49
Q

Your company has just acquired another company, and you have been asked to integrate their existing Google
Cloud environment into your company’s data center. Upon investigation, you discover that some of the RFC 1918 IP
ranges being used in the new company’s Virtual Private Cloud (VPC) overlap with your data center IP space. What
should you do to enable connectivity and make sure that there are no routing conflicts when connectivity is
established?

A

A. Create a Cloud VPN connection from the new VPC to the data center, create a Cloud Router, and apply new IP addresses so there is no overlapping IP space

50
Q

You need to migrate Hadoop jobs for your company’s Data Science team without modifying the underlying
infrastructure. You want to minimize costs and infrastructure management effort. What should you do?

A

B. Create a Dataproc cluster using preemptible worker instances

51
Q

Your company has a project in Google Cloud with three Virtual Private Clouds (VPCs). There is a Compute Engine
instance on each VPC. Network subnets do not overlap and must remain separated. The network configuration is
shown below

Instance #1 is an exception and must communicate directly with both Instance #2 and Instance #3 via internal IPs.
How should you accomplish this?

A

B. Add two additional NICs to Instance #1 with the following configuration:
* NIC1
  * VPC: VPC #2
  * SUBNETWORK: subnet #2
* NIC2
  * VPC: VPC #3
  * SUBNETWORK: subnet #3
Update firewall rules to enable traffic between instances.

52
Q

You need to deploy an application on Google Cloud that must run on a Debian Linux environment. The application requires extensive configuration in order to operate correctly. You want to ensure that you can install Debian distribution updates with minimal manual intervention whenever they become available. What should you do?

A

B. Create a Debian-based Compute Engine instance, install and configure the application, and use OS patch management to install available updates.

53
Q

You have an application that runs in Google Kubernetes Engine (GKE). Over the last 2 weeks, customers have reported that a specific part of the application returns errors very frequently. You currently have no logging or monitoring solution enabled on your GKE cluster. You want to diagnose the problem, but you have not been able to replicate the issue. You want to cause minimal disruption to the application. What should you do?

A

A. 1. Update your GKE cluster to use Cloud Operations for GKE. 2. Use the GKE Monitoring dashboard to investigate logs from affected Pods.

54
Q

You need to deploy a stateful workload on Google Cloud. The workload can scale horizontally, but each instance
needs to read and write to the same POSIX filesystem. At high load, the stateful workload needs to support up to
100 MB/s of writes. What should you do?

A

C. Create a Cloud Filestore instance and mount it in each instance.