PCA Topics Flashcards

Question 1

Q

What is a GCP Service that handles streaming and batch data?

Answer

A

Cloud DataFlow

Question 2

Q

What does DLP stand for and how is it used?

Answer

A

Data Loss Prevention and it is used to sanitize data and remove sensitive information

Question 3

Q

App Engine is what type of service?

Answer

A

PAAS Platform as a Service

Question 4

Q

Compute Engine (GCE) is what type of service?

Answer

A

IAAS Infrastructure as a Service

Question 5

Q

What are the FireStore Components?

Answer

A

FieldCollection GroupDocumentDocument ID

Question 6

Q

What are the Cloud DataStore Components?

Answer

A

KindEntityPropertyKey

Question 7

Q

If a Compute Engine Application exists in a single VPC across three regions and your application must communicate over VPN to your company’s on-premise network then how many VPN Gateways are required?

Answer

A

3 Cloud VPN gateways are required. Cloud VPN Gateways are bound to a single region.Create a Cloud VPN Gateway in each region

Question 8

Q

What type of migration model does Dress4Win state in their business requirements?

Answer

A

Lift and Shift

Question 9

Q

What are the 5 sequential steps for cloud migration?

Answer

A

1 Assess2 Pilot3 Move Data4 Move Applications5 Cloudify & Optimize

Question 10

Q

Dynamic Routing uses a _________ to automatically discover new subnet routes

Answer

A

Cloud Router

Question 11

Q

The 4 layers of the GCP Cloud Resource Hierarchy

Answer

A

1 Organization2 Folders3 Projects4 Resources

Question 12

Q

Which network interconnect method connects your network to a GCP VPC over a public internet encrypted tunnel?

Answer

A

Cloud VPN

Question 13

Q

Command to create a new storage bucket

Answer

A

gsutil mb -l {location} -c {storage class} gs://BucketName

Question 14

Q

Cloud Router uses this protocol to handle dynamic routing between locations

Answer

A

BGP Border Gateway Protocol

Question 15

Q

Where can you export Stackdriver logs to (not counting customer locations)

Answer

A

1 Cloud Storage2 Cloud Pub/Sub3 BigQuery

Question 16

Q

What is the max speed of a single Cloud VPN tunnel (non-peered)

Question 17

Q

Every load balancer must have a ___ and a ____

Answer

A

Frontend || Backend

Question 18

Q

Role necessary to link a project to a billing account

Answer

A

Billing Account User

Question 19

Q

How many VPN tunnels can you create in a single Cloud VPN gateway

Question 20

Q

What is the default, implied status of all egress traffic in a VPC firewall

Answer

A

Allow All

Question 21

Q

Google Cloud Storage holds what type of data?

Answer

A

Unstructured

Question 22

Q

This service is required to setup dynamic routing over a Cloud VPN Service

Answer

A

Cloud Router

Question 23

Q

Where does Cloud Dataaprep load data from?

Answer

A

Cloud Storage and BigQuery

Question 24

Q

The two methods of permissions for Google Cloud Storage

Answer

A

1 IAM: Identity and Access management2 ACL: Access control list

Question 25

Q

This database service is ideal for low-latency storage of time-series data

Answer

A

Cloud BigTable

Question 26

Q

Relational Databases

Answer

A

Cloud SQLCloud Spanner

Question 27

Q

Non-Relational Databases

Answer

A

Cloud DataStoreCloud FireStoreCloud BigTable

Question 28

Q

DataWareHouse

Question 29

Q

This managed database is a no-ops petabyte-scale data warehouse that queries data in standard SQL Format

Answer

A

Big Query

Question 30

Q

Retention period for data access logs

Question 31

Q

______ Roles apply to the entire project.

Answer

A

Primitive

Question 32

Q

An HTTP load balancer can forward traffic by ____ and ____

Answer

A

location content

Question 33

Q

Which GCP load balancers are multi-regional in scope?

Answer

A

1 HTTP Load Balancer2 TCP Proxy3 SSL Proxy

Question 34

Q

VPC subnets can exist in more than one _____

Answer

A

zone (in the same region)

Question 35

Q

Which connection protocol does the Cloud VPN service use?

Question 36

Q

This IAM member allows public/anonymous access to a resource

Question 37

Q

Google account type for members of an organization WITHOUT access to Google apps

Answer

A

Cloud Identity Domain

Question 38

Q

What type of managed database is ideal for web and mobile applications?

Answer

A

Cloud DataStore

Question 39

Q

More lightweight container image option to run on GKE

Answer

A

Alpine Linux

Question 40

Q

The name for the modular components of a Cloud Deployment Manager Configuration

Answer

A

Templates

Question 41

Q

GCP Service for Providing a ‘single pane of glass’ for monitoring resources and alerts across projects in AWS

Answer

A

StackDriver Monitoring

Question 42

Q

VPC firewall rules are applied on a per-instance basis

Question 43

Q

What layer of the Cloud Resource Hierarchy are chargeable resources hosted in?

Question 44

Q

Which networking interconnect option connects your business directly to Google, but not directly to GCP VPC?

Question 45

Q

The 3 Primitive Roles and the types of access they give:

Answer

A

1 Owner: Full Project Access (Billing and Assigning IAM Roles)2 Editor: Full Access minus- Billing and IAM access3 Viewer: View only

Question 46

Q

Google account type for a collection of individual Google Accounts

Answer

A

Google Groups

Question 47

Q

When to use Dataproc over Data Flow

Answer

A

When using Hadoop/Spark workflows

Question 48

Q

Another term for mapping Cloud Identity to Active Directory to duplicate account information.

Answer

A

Federation

Question 49

Q

What is a pod on GKE?

Answer

A

Smallest deployable unit. Contains one or more containers that run on nodes

Question 50

Q

The three IAM Role Types

Answer

A

1 Primitive2 Predefined3 Custom

Question 51

Q

Two format options for Cloud Deployment Manager template files

Answer

A

JinjaPython

Question 52

Q

The five (non-beta) Stackdriver services

Answer

A

1). Logging2). Trace3). Monitoring4). Error Reporting5). Debug

Question 53

Q

Cloud Storage can act as a block-level SAN replacement (True/False)

Answer

A

False; you would need to use a persistent disk for a direct SAN replacement

Question 54

Q

The two Memcache service levels

Answer

A

1 Dedicated2 Shared

Question 55

Q

GCP service for asynchronous messaging, used for streaming data ingest

Answer

A

Cloud Pub/Sub

Question 56

Q

In a Shared VPC network, the ____ project hosts the VPC components, and the ___ project uses hosted VPC resources

Answer

A

HostService

Question 57

Q

This managed database is ideal for NoSQL purposes, is NoOps in setup/maintenance, and is ideal for mobile save game state

Answer

A

Cloud DataStore

Question 58

Q

What is a service account?

Answer

A

1 Assigned to an application or a server2 Authenticated with a service account key3 Both a member and a resource

Question 59

Q

How to easily apply VPC firewall rules to individual instances instead of the entire network

Answer

A

Network Tags

Question 60

Q

Admin Activity Logs are ____ by default

Question 61

Q

When are un-managed instance groups useful?

Answer

A

Migrating grouped servers to the cloud with minimal disruption in workflow

Question 62

Q

____ provides a direct physical connection to connect your on-premises network to a Google Cloud VPC network.

Answer

A

Cloud Interconnect

Question 63

Q

How to optimize your CDN cache performance:

Answer

A

Configure Cache Hit Ratio

Question 64

Q

Collection of statements that define who has access to what resource on GCP

Answer

A

IAM Policy

Answer 55

A

Google Cloud Storage Fuse (gcs-fuse)

Answer 56

A

Instance Template

Answer 57

A

Compute Engine

Answer 58

A

1) Internal 2) Network3) HTTP(s)4) TCP Proxy5) SSL Proxy

Answer 59

A

No configuration necessary

Answer 60

A

Relational (SQL) || Non-Relational (NoSQL)

Answer 61

A

A filter to select log entriesA destination to export filtered logsSink: Select which filtered logs to send to which destination

Answer 62

A

YAML format

Answer 63

A

Cloud DataFlow

Answer 64

A

Local SSD

Answer 65

A

1 Cloud Storage 2 Big Query

Answer 66

A

Protection of unexpected spikes in resource usagePrevent runaway consumption due to error or malicious intent

Answer 67

A

1 Failing Health Check2 Configure the firewall to allow proper access to instance group VM’s (subnet, tag) from load balancer IP

Answer 68

A

(2) environments different storage for each service1 Game BackEnd on Google Cloud Compute Engine (GCE)2 Analytics

Answer 69

A

Cloud Datastore - NoSQL transactional database - perfect for game user-profiles and game states

Answer 70

A

Store in BigQuery BigQuery vs BigTableBigQuery a lot more managedNo requirement for low latency analytics response time (Big Table)BigQuery has a response measured in seconds, scales efficientlyBigQuery reading from BigTable possible response as well

Answer 71

A

1 HTTP Load Balancer- Automatically scales to meet demand2 Managed Instance Groups - also auto-scales3 Pub/Sub - Buffers late/slow data

Answer 72

A

Managed Instance groups with custom images

Answer 73

A

Connect services (stackdriver logs metrics, gce game serverss) with Pub/SubProcess with DataFlow

Answer 74

A

Pub/Sub: Scales and Buffers messagesDataFlow: Accounts for late/out of order data

Answer 75

A

BigQuery - SQL Queries against data

Answer 76

A

Upload to Cloud StorageProcess via DataFlow

Answer 77

A

DataCenter&raquo_space; GCPMySQL&raquo_space; Cloud SQL (Lift . Shift)5TB&raquo_space; 10 TB Size LimitSingle Region - no global footprint requirementMigration - 1 Create replica server managed by Cloud SQL2 Once replica is synced: Update applications to point to replica3 Promote replica to stand-alone instance

Answer 78

A

Two options1) Run Redis server on Compute Engine2) Use new Memorystore managed Redis database

Answer 79

A

The existing environment has lots of idle time- Managed instance groups - autoscaling using custom machine types (Fits Lift . Shift)Alternatively - can re-architect for GKE/GAE for microservices deployments for future phases

Answer 80

A

Cloud Dataproc connecting to Cloud Storage

Answer 81

A

Pub/Sub likely replacementCan also deploy same environment on Compute engine instance group (lift and shift)

Answer 82

A

No managed service equivalentsUse GCE instances - custom machine typesThink about using the Market Place as well

Answer 83

A

SAN/iSCSI requires block storagePersistent disks working in a SAN Cluster

Answer 84

A

Cloud Storage - direct replacementInfinite scale in a single bucketPersistent also an option

Answer 85

A

Convert to 100% cellular connectivity

Answer 86

A

Share insights with Data Studio

Answer 87

A

-Share insights with Data Studio-BigQuery / ML analytics to predict customer needs-Tech lead will enable partnerships

Answer 88

A

Multi-regional/global services

Answer 89

A

Regular BigQuery Exports to Cloud Storage

Answer 90

A

Cloud Endpoints - manage and protect APIs- Cloud IoT Core - also managed security- Customer supplied encryption keys

Answer 91

A

Cloud dataflow - transform incoming streaming data to the preferred format- Alternatively, stage in Cloud Storage, clean with Cloud Dataprep, and run job backed by DataFlow into BigQuery

Answer 92

A

Pair BigQuery with machine learning services for predictive analytics

Answer 93

A

Customer-supplied encryption keys

Answer 94

A

Customer-managed encryption keys

Answer 95

A

use a .boto configuration file to supply the customer_managed encryption key, then use gsutil to upload the files

Answer 96

A

Cloud Armor

Answer 97

A

Private Google Access

Answer 98

A

CSEK Custome Service Encryption key for authentication

Answer 99

A

List of Bindings

Answer 100

A

Shared VPC Admin Role

Answer 101

A

Managed Instance Group on Compute Engine

Answer 102

A

GKE Google Container Engine is the older naming convention of the container orchestration Google Kubernetes

Answer 103

A

Unauthorized

Answer 104

A

Update the existing Kubernetes Engine Cluster with the following command; “gcloud container clusters update CLUSTER_NAME –enable-autoscaling –min-nodes=1 –max-nodes=10”

Answer 105

A

1) Use source code security analyzers as part of the CI/CD pipeline2). Run a vulnerability security scanner as part of your continuous-integration - delivery (CI/CD) pipeline

Answer 106

A

1). Each subnet can span at least 2 Availability Zones to provide a high-availability environment.2). By default, all subnets can route between each other, whether they are private or public

Answer 107

A

Capacity planning, utilization measurement, data center expansion

Answer 108

A

Use a cron job to schedule your application to backup the database to another persistent disk.

Answer 109

A

Load the data from Cloud Storage to BigQuery and run queries on BigQuery

Answer 110

A

Use an automation tool, such as Jenkins

Answer 111

A

1). Avoid SELECT * Query only the columns that you need2). Use the –dry_run flag in the CLI before running queries, preview them to estimate costs3). If possible, partition your BigQuery tables by date

Answer 112

A

Grant the operations team access to use Google Cloud Shell

Answer 113

A

Recommend that Dress4Win deploy into production with the smallest instances available, monitor them over time, and scale the machine type up until the desired performance is reached.

Answer 114

A

Cloud Build

Answer 115

A

Cloud Load Balancing

Answer 116

A

1). External HTTP(S) Load Balancing2). Internal HTTP(S) Load Balancing3). Traffic Director

Answer 117

A

Federate authentication via SAML 2.0 to the existing Identity Provider

Answer 118

A

Run your script on a new virtual machine with the BigQuery access scope enable.”The error is most like caused by the access scope issue. When a new instance is created you have the Compute Engine default service account but most services like access including BigQuery is not enabled.”

Answer 119

A

Monitoring, Logging, Debug, Error Report

Answer 120

A

Create a new Google Group and add all users to the group. Use “gcloud projects add-iam-policy-binding” with the Project Viewer role and Group email address

Answer 121

A

Digitally sign each timestamp and log entry and store the signature. “To verify the authenticity of your logs if they are tampered or forged, you can use certain algorithms to generate digest by hashing each timestamp or log entry and then digitally sign the digest with a private key to generate a signature. Anybody with your public key can verify that signature to confirm that it was made with your private key and they can tell if the timestamp or log entry was modified. You can put the signature files into a folder separate from the log files. This separation enables you to enforce granular security policies.

Answer 122

A

Managed Instance Group with Auto Scaling enabled, Cloud Datastore BigQuery, DataFlow1. Dynamically scale up or down based on game activity (Managed Instance Group w/ Autoscaling)2. Connect to a transactional database service to manage user profiles and game state (Cloud Datastore because Cloud Datastore is good for user profiles that deliver a customized experience based on the user’s past activities and preferences(gaming).3. Store game activity in a time-series database server for future analysis (BigQuery is good for time-series data unless it is specified for ‘low-latency’, BigTable would be a better fit4. As the system scales, ensure that data is not lost due to processing backlogs (Dataflow can handle late-arriving data and out of order data)5. Run hardened Linux distro (Managed Instance Group with Hardened Linux Distribution)

Answer 123

A

Each subnetwork controls the IP address range used for instances that are allocated to that subnetwork

Answer 124

A

gsutil -m cp -r dir gs://my-bucket

Answer 125

A

Use parallel uploads to break the file into smaller chunks then transfer it simultaneously.gsutil -o GSUtil:parallel_composite_upload_threshold=150M cp bigfile gs:///yourbucket

Answer 126

A

The -R and -r options are synonymous. It causes directories, buckets, and bucket subdirectories to be copied recursively.

Answer 127

A

1). Cloud Deployment Manager only supports the automation of Google Cloud Resources. 2). Cloud Deployment Manager can be used to permanently delete cloud resources

Answer 128

A

Use the on-premises scanners to conduct penetration testing on the cloud environments routing traffic over the public internet.

Answer 129

A

Tests should include directly testing the Google Cloud Platform (GCP) Infrastructure

Answer 130

A

Use Google Cloud Regional Storage for the first 30 days, and then move to Coldline Storage.

Answer 131

A

In the Cloud Platform Console, increase the size of the persistent disk and use the resize2fs command in Linux.

Answer 132

A

gcloud compute disks resize [DISK_NAME] –size [DISK_SIZE]

Answer 133

A

Persistent DiskSAN data uses block storage, which will map directly to a persistent disk on GCP for equivalent storage.

Answer 134

A

Persistent Disk

Answer 135

A

Persistent Disk or Cloud Storage

Answer 136

A

Cloud Pub/Sub for capturing the writes and draining the queue to write to the database.

Answer 137

A

They should add additional unit tests and production scale load tests on their cloud staging environment

Answer 138

A

1). Identify whether a live migration event of the failed server occurred, using the activity log. 2). Use gcloud or Cloud Console to connect to the serial console and observe the logs3). Adjust the Google Stackdriver timeline to match the failure time and observe the batch server metrics.

Answer 139

A

Mount a Local SSD volume as the backup location. After the backup is complete, use gsutil to move the backup to Google Cloud Storage.

Answer 140

A

You must create a new node pool in the same cluster and migrate the workload to the new pool.”you cannot change the machine type for an individual node pool after creation. You need to create a new node pool and migrate your workload over”

Answer 141

A

Squid Proxy

Answer 142

A

Google Cloud Bigtable- A scalable, fully-managed NoSQL Wide-column database that is suitable for both real-time access and analytics workloads- Low-latency read/write access- High-throughput analytics

Answer 143

A

Cloud Pub/Sub, Cloud Dataflow, BigQuery

Answer 144

A

1). Create deployments using Deployment manager2). Use Labels for your Resources3). Organize Resources according to your standard and setup/reuse configurations and templates4). Use references, template properties, and outputs

Answer 145

A

Custom Image, Regional SSD persistent disks, and daily snapshots stored to Cloud Storage

Answer 146

A

1) gcloud app services set-traffic myapp-b splits 1=.5 2=.5 by cookie2) Add warmup and issue; gcloud app services set-traffic myapp-a –splits 2=1 –migrate

Answer 147

A

1) Session Affinity2) Websocket

Answer 148

A

“Use Cloud Task and define an appropriate worker server”

Answer 149

A

Use the Retry failure option

Answer 150

A

1) A Global default VPC2). A route for Internet connection and a route for each subnet/region3). A set of firewall, with incoming traffic from outside networks that are blocked

Answer 151

A

1). You cannot create a VM2) You are free to create Cloud Functions3) You may create a Storage BuckedAny compute operations require a networkServerless technologies are free from infrastructure. So no server NO NETWORK

Answer 152

A

Bastion host

Answer 153

A

Bastion Hosts

Answer 154

A

VISION API

Answer 155

A

1). In the cluster, the nodes will be assigned on internal RFC 1918 IP addresses only2). Use Service Accounts and store the keys as a Kubernetes secret3). Use WorkLoad identity

Answer 156

A

Workload Identity

Answer 157

A

StackDriver Debugger

Answer 158

A

1) Is it possible to create separate budgets for projects and resources?2) Is it possible to have notifications?3) Is there a way to have a programmatic interface?

Answer 159

A

Use Stackdriver Logs and set up a metricYOu can set a metric that accurately identifies the log lines related to queries. You can also create an alert that can promptly alert you when the problem is displayed, so you can review all the related logs and information at the right time.

Answer 160

A

Use Cloud SQL mySQL Service- Setup a Pod for the Application Server and start using Cloud Build- Us DB Server with high availability

Answer 161

A

Prepare a custom image of the DB server stopping the instance- Configure replication between your on-premises database server and the Cloud DB- Setup the Cloud VPN and DNS

Answer 162

A

Pub/Sub- Cloud Dataflow- Cloud Storage- Big Query

Answer 163

A

Google Cloud Bigtable- The reason is the data is in IoT nature and it will be used for analytics.

Answer 164

A

The data from both snapshots 3 and 4 necessary for continuance are transferred to snapshot 5

Answer 165

A

the encryption key is used to encrypt the object’s data- the encryption key is used to encrypt the object’s CRC32C checksum- the encryption key is used to encrypt the object’s MD5 hash”The remaining metadata for the object, including the object’s name, is encrypted using standard server-side keys.

Answer 166

A

compute.images.useReadOnly (permission)

Answer 167

A

roles/compute.imageUser (role)

Answer 168

A

roles/compute.StorageAdmin (role)

Answer 169

A

roles/compute.snapshots.useReadOnly (permission)

Answer 170

A

roles/compute.StorageAdmin (role)

Answer 171

A

compute.disks.useReadOnly (permission)

Answer 172

A

Create snapshots, turn the snapshot into a custom image, and share the image across projects- Create snapshots and share them to other projects

Answer 173

A

Google Cloud Dedicated Interconnect- Google Cloud Partner Interconnect”The database is 4TB, and large updates are frequent” makes DI/PI a suitable solution”

Answer 174

A

Fetch the data from Bigquery and create one more pipeline, clean data from DataFlow and send it back to BigQuery

Answer 175

A

Create a service account. - Grant the Service Account User Permission to the employees who needs to start the job. Also, provide “Compute Instance Admin” permission to that service account.

Answer 176

A

Go to the “Query history” it has information about what a user has run what query.

Answer 177

A

Cloud IoT Core receives data from IoT devices, Cloud IoT core transforms and redirects requests to a Cloud Pub/Subtopic. After the data is stored in Cloud Pub/Sub, it is retrieved by a streaming job running in Cloud Dataflow that transforms the data and sends it to Big Query for analysisCloud IoT&raquo_space; Cloud Pub/Sub&raquo_space; Cloud Dataflow&raquo_space; BigQuery

Answer 178

A

Generate a signed URL to the Stackdriver export destination for auditors to access- Export audit logs to Cloud Storage via an export sink

Answer 179

A

Cloud Pub/Sub - Cloud Dataflow - BigQuery

Answer 180

A

VPC Service Controls

Answer 181

A

Instrument the load-testing tool and the target services with detailed logging metrics collection- Create a separate Google Cloud Project to use for the load-testing environment- Ensure that the load tests validate the performance of Cloud Bigtable

Answer 182

A

Use source code security analyzers as part of the CI/CD pipeline. - Run a vulnerability security scanner as part of your continuous-integration / continuous - delivery (CI/CD) pipeline.

Answer 183

A

Use a cron job to schedule your application to backup the database to another persistent disk

Answer 184

A

Directly transfer the files to a different “Google Cloud Regional bucket” location in US, EU, and Asia using Google APIs over HTTP(S). Run the ETL process to retrieve the data from each Regional Bucket.

Answer 185

A

Utilize Cloud Pub/Sub to collect the inbound sensor data, analyze the data with DataFlow and save the results to BigQuery– BigQuery = Data mining features

Answer 186

A

Use Storage Transfer Service to transfer the offsite backup files to a Cloud Storage Nearline storage bucket as a final destination”Regular data transfers, so you should use the storage transfer service”“Transfer appliance more for one -time bulk”

Answer 187

A

1 - Enable the automatic storage increase feature for your Cloud SQL instance. 2 - Create an alert in Stackdriver when CPU usage exceeds 80% and change the instance type reduce CPU usage3 - Create an alert in Stackdriver for replication lag and <b>shard the database</b> to reduce replication time.

Answer 188

A

Rollback to a previous version of your app using the version management feature in App EngineUse Stackdriver Trace and Logging to troubleshoot latency issues with you website and diagnose in a testing environment

Answer 189

A

Transfer from an on-premises location to Google Cloud Storage– Transfer from AWS S3 bucket to Google Cloud Storage bucket. - Transfer from publicly-available web resource to Google Cloud Storage bucket.

Answer 190

A

bigquery.transers.update- bigquery.datasets.update

Answer 191

A

bigquery.admin- bigquery.transfers.update- bigquery.datasets.update

Answer 192

A

Too Many Requests

Answer 193

A

–preemptible

Answer 194

A

Under Management&raquo_space;> Metadata enter in “shutdown-script-url” &laquo_space;and then for the value use a url cloud bucket name for best practicegs://learning-gcp-229815/shutdown.sh

Answer 195

A

Create deployments using Deployment Manager- Use Labels for your Resources- Organize Resources according to your standard and setup/reuse configurations and templates- Use References, template properties, and outputs

Answer 196

A

Service Accounts related to your applications- Service Accounts related to your VMs- Service Accounts related to your K8s Clusters

Answer 197

A

User Profiles- Game State- A scalable, fully-managed NoSQL document Database for your web and mobile applications

Answer 198

A

High-throughput analytics- Native time series- Geospatial datasets- Low-latency read/write access

Answer 199

A

Recovery Time Objective- Maximum acceptable length of time that your application can be offline

Answer 200

A

Recovery Point Objective- Maximum acceptable length of time during which data might be lost from your application due to a major incident

Answer 201

A

Go to Query history it has information about which user has run what query.

Answer 202

A

Cloud Spanner

Answer 203

A

Stackdriver Logging + BigQuery

Answer 204

A

Check Firewall rule(s)

Answer 205

A

App Engine Standard

Answer 206

A

Access Scope (Default Service Account) OR IAM (Custom Service Account)

Answer 207

A

Regional managed groups

Answer 208

A

Balancing workloads in network clusters- Refreshing distributed caches- Implementing asynchronous workflows

Answer 209

A

Minimizes interruption for users- New connections to the instance are prevented- Instance preserves existing sessions until they end OR a designate timeout is reached (1 to 3600 seconds)

Answer 210

A

Sub-hour billing (Billed for 10 minutes and thereafter every minute on VMs)- Sustained-use discounts- Compute Engine custom machine types

Answer 211

A

A startup script is specified through the metadata server

Answer 212

A

Managed Instance Group (Zonal)- Managed Instance Group (Regional)

Answer 213

A

global forwarding rule

Answer 214

A

Exposes an API for front-end client for mobile or web-application to make use of cloud-based application services- Frees developers from writing a wrapper to access App Engine resources from a mobile or web client

Answer 215

A

Repeatable Deployment Process, Declarative Language, Parallel Deployment, Schema Files

Answer 216

A

Project ID

Answer 217

A

Query Traffic

Answer 218

A

Deployment

Answer 219

A

Continuous delivery

Answer 220

A

Automate Software Releases- Improve Developer Productivity- Find Bugs Quicker

Answer 221

A

It would take more than 1 week to transfer data- If you have more than 60TB of data

Answer 222

A

“5 Whys”

Answer 223

A

Cloud SQL is limited to a maximum of 10 TB of data processing- Cloud SQL will scale up to 4,000 concurrent connections.

Answer 224

A

Service Isolation/Project Isolation

Answer 225

A

12 Factor Design

Answer 226

A

Making Design Choices- Testing and Validation- Monitoring

Answer 227

A

12 Factor Design

Answer 228

A

Management overhead- Isolation- Resource overhead

Answer 229

A

User personas

Answer 230

A

Capture all operating data, train machine learning models that identify ideal operations, and “run locally” to make operational adjustments automatically

Answer 231

A

Use a single Organization with a Folder for each department. This is the best structure to use. One single organization for the entire company. Organize departments inside folders inside of the single organization. You can then apply a single IAM policy to the single department folder, which will be applied to any projects or subfolders inside of it.

Answer 232

A

Shared VPC AdminOrganization level roleConfigure Shared VPCAssociate service projects with host projectsGrant Network User Role

Answer 233

A

NetworkUserProject level roleCreate resources to use shared VPCDiscover shared VPC assetsRequires project admin role (Project Owner, Editor, Compute Engine Admin)

Answer 234

A

Compute Engine Image User roleExample: User in Project A wants to use images from Project B User in Project A must have Compute Engine Image User role granted for project BRole grants access to all images in projectFor managed instance groups, Project A service account must be granted role to Project B

Answer 235

A

gcloud config set project

Answer 236

A

gcloud projects get-iam-policy (project_id) > [filename].yaml

Answer 237

A

gcloud projects set-iam-policy (project_id) [filename].yaml

Answer 238

A

gcloud projects add-iam-policy-binding (project_id) –member user:bob@gmail.com –role roles/editor

Answer 239

A

gcloud config set compute/region us-central1

Answer 240

A

gcloud config set compute/zone us-central1-a

Answer 241

A

Append metadata to the file body. Compress individual files. Name files with a random prefix pattern. Save files to one bucket.

Answer 242

A

As a cloud architect, your goal is to assess a business objective at hand and distil the needs into business requirements and technical requirements. You’ll then use those requirements to architect a solution. You won’t always get all the requirements laid out so easily, and oftentimes you’ll spend hours upon hours diving into meetings with various stakeholders to gather pieces of data that start to formulate the building blocks of the solution. You’ll also need to be aware of future technical and strategic implications, ensuring that you’re building a solution that won’t encounter any major roadblocks.

A cloud architect would approach designing a solution in a very similar way that a software architect would: Schedule your scoping meetings. Gather your requirements—business requirements and technical requirements. Do some research for more nuanced requirements and understand the constraints of the system. Put together a high-level design diagram. Work through the high-level design and then break it down into deeper design diagrams. Ensure that you’re aligned with business and technology stakeholders along the way. Work toward a final draft and get the necessary approvals if you’re not the accountable stakeholder.

Then you’ve got a reference architecture that your development teams can use to begin building. You’ll probably want to reuse this pattern for similar use cases and continually refine it. You should also have a solid understanding of Agile best practices and the overall software development life cycle, understanding how code gets built and the various deployment methods (such as blue-green deployments, canary deployments, continuous integration/continuous delivery [CI/CD] deployment).

Answer 243

A

Functional requirements The “what”—What is the system supposed to do? For example, my system needs to extract data from this API and load it into a storage bucket.

*Nonfunctional requirements The “How”—How should my system perform? What are the constraints? For example, my system needs to transform the data to a certain format before it’s loaded, or it needs to process at least X amount of data objects per second.

Answer 244

A

Operational excellence is the principle of building a foundation that successfully enables reliability across your infrastructure by efficiently running, managing, and monitoring systems that deliver business value. Three key strategies drive this principle:

Automating build, test, and deployment by using continuous integration and continuous deployment pipelines. This enables customers to programmatically do rapid deployment and iterations based on a continuous feedback loop.
Monitoring business objective metrics by defining, measuring, and alerting on key metrics. Data needs to be measured and output to your business leaders to give insight into where they have the competitive edge and where they can further optimize or reassess.

Conducting disaster recovery testing proactively and periodically. Disaster can strike a company in so many different ways, often causing financial and reputational business harm. This is overlooked too many times by customers until disaster strikes and ends up costing them exponentially more than it would cost had they been prepared.

Answer 245

A

Security, Privacy, and Compliance
It is critical for any customer doing business in the cloud to ensure their intellectual property is protected and their customers are safe from malicious activity. This is a core principle of Google’s system design. Four key strategies drive this principle:

Implementing least privileges with identity and authorization controls. Centralizing your identity management system and designing your access management structure in a way that allows users to do only what they’re intended to do, while ensuring nonrepudiation (a user cannot deny their activity) and audit logs that are available to be consumed by automated and manual detection mechanisms.
Building a layered security approach. Also known as defense-in-depth, this involves the implementation of a variety of security controls at each level of the infrastructure and applications designed on top of the infrastructure. The idea is to assume that any security control can be breached, and when it is breached, several other layers of defense are available to protect intellectual property.
Automating deployment of sensitive tasks. Humans continue to be the weakest link in performance and security of administrative tasks. By automating the deployment of these tasks, you can eliminate the dependency on humans.
Implementing security monitoring. Part of a strong security model is to prevent, detect, and respond to malicious activity. By implementing automated tools to monitor your infrastructure, you can gather data to continue protecting your weak points and prevent malicious activity from occurring in your environment and harming your business.

Answer 246

A

Reliability
Google sees reliability as the most important feature of any application. Without reliability, users begin to churn (stop using the product). Google suggests 15 strategies to achieve reliability; here are three key ones:

Reliability is defined by the user. Many data points can encompass all sorts of important factors in your workload, but truly measuring using key performance indicators (KPIs) requires an understanding of user actions, and the metrics define the success of those actions for reliability.
Use sufficient reliability. There’s no need to overinvest in reliability if you’re meeting user satisfaction. Figure out what sort of availability keeps your users happy and retained, and ensure that you continually assess reliability as your infrastructure grows.
Create redundancy. Always assume that if you depend on a single point to provide a function, that point can and will fail someday. When building your infrastructure and applications, always try to leverage resource redundancy across resources that can fail independently.

Answer 247

A

Performance and Cost Optimization
Managing the performance of your applications and the associated costs is a balancing act, as highly performant environments often end up costing more to maintain. Understanding where you’ve met your minimum performance requirements and where you need to optimize cost is an important principle for system design. These three strategies are relevant here:

Evaluate performance requirements. Determine the minimum performance you need from your applications.
Use scalable design patterns. Leverage automatically scaling products and services where applicable to minimize cost to what is necessary.
Identify and implement cost-saving approaches. Understand the priority of each of your services with respect to its application to your business objectives. Use these priorities to optimize for service availability and cost.

Answer 248

A

Pub/Sub is a global service, and its contract agreements state that, because of its global availability, if a region goes down, Pub/Sub will route data through other regions to maintain its high availability. This conflicts with your GDPR compliance requirements, so you may want to choose Kafka in this case, which offers you more control over the architecture versus a managed service. (Note that I threw a curveball here, because Pub/Sub now supports controlling where your message data is stored.)

Answer 249

A

Least privilege and separation (or segregation) of duties are two of the building blocks of security for computing systems (it also applies to physical security) focused on access management. The principle of least privilege states that we should provision an individual user or a system account with the least amount of privileges needed to perform their job functions so that we minimize the threat surface. Separation of duties is the idea that you should separate all of the duties needed to perform a critical business function across multiple users so that in the event one user is compromised, a whole system or process is not compromised.

With the RBAC model, you define roles for your organization and your users, whether they are individuals, groups, or service accounts, and for each of these roles, you define the least amount of permissions necessary to enable the user to do their job.

Answer 250

A

Attribute-based access control (ABAC) is becoming more prevalent in the cloud, offering users the ability to allow or deny authorization to a resource based on certain conditions—such as blocking a user from accessing an application outside of work hours, or blocking access from a user in another country. You won’t see this on the exam, but leveraging ABAC will continue improving the layers of defense for your enterprise and should be considered for your most critical applications.

Answer 251

A

Entitlements refers to the process of granting users privileges and the scope of the privileges that are granted.
Privilege creep occurs when a user accumulates too many privileges over time, which violates the principle of least privilege. Privilege creep can result from a user’s various promotions, job transitions, or requests for one-time access privileges that are not removed.

Answer 252

A

Google Cloud Resource Manager is a mechanism that provides resource containers such as organizations, folders, and projects and enables you to group and hierarchically organize GCP resources into those containers. With the Cloud Resource Manager API, you are also able to programmatically manage these resource containers. Having the ability to manage all of your projects centrally is an important function for the administrators of the cloud.

Answer 253

A

Every time you interact with a resource, you’ll need to identify the project info for every single request you make. You can use either the projectId or the projectNumber field. By default, the creator of the project is granted the owner role for any newly created projects.

Answer 254

A

Mutable objects can be changed after they’ve been created. Immutable objects cannot be changed after they’ve been created. An example of a mutable object is the project resource; you can change it as you please after it’s created. An example of an immutable object is a file that is uploaded to Google Cloud Storage; once you upload the file, it cannot be changed throughout its storage lifetime.

Answer 255

A

Cloud Identity and Access Management (Cloud IAM) is an enterprise-grade access control service that enables administrators to authorize who can take actions on certain resources and what conditions must exist before they can take action.

The goal of a cloud administrator is to have full visibility and fine-grained, centrally managed, access control capabilities that span all cloud resources.

Quite often, enterprises have massively complex organizational structures with hundreds of working groups, many projects, and very intricate access control requirements. Cloud IAM gives you the ability to manage all the access policies across your organization with its built-in auditing capabilities. You can create and manage your IAM policies through the Cloud Console, the API, or the command line.

Answer 256

A

Cloud Identity is the source of truth for handling authentication by creating or synchronizing user accounts, setting up single sign-on (SSO), and leveraging 2-Step Verification (2SV), and it is managed from the Admin console at admin.google.com.

Cloud IAM handles access management, including creating and managing all the roles for your applications and environments, following the role-based access control (RBAC) model.

Answer 257

A

A member can be a Google account (human users), a service account (programmatic account for applications and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource. The identifier for a member is the e-mail address associated with the type of account or the domain name associated with the Google Workspace or Cloud Identity domain. It’s common to hear the term “users” used as a blanket statement to cover members. Just remember that Google Cloud refers to all of these as members, and each is treated distinctively according to the member’s appropriate title.

Answer 258

A

Google accounts are typically developers, administrators, and other users who interact with Google Cloud. Any e-mail that is associated with a Google account, including Gmail addresses, can be an identity.

Answer 259

A

*GCP-managed keys These keys are used by Google Cloud APIs such as Google App Engine, Google Cloud Storage, and Google Compute Engine. You can’t download these keys, and they’re automatically rotated approximately once a week and are used for signing for a maximum of two weeks. (I won’t get into Kubernetes here because it takes a much deeper dive with respect to key management than what this exam covers. So you can research that on your own.)

*User-managed keys These keys are created, downloadable, and managed by your users. Once these keys are deleted from a service account, you can no longer use them to authenticate. If you’re using user-managed keys, you need to think about some of the top key management requirements such as key rotation, storage, distribution, revocation, recovery, and access.

Answer 260

A

As discussed earlier, an IAM policy is a configuration that binds together one or more members and roles for the purpose of enforcing only approved access patterns through a collection of statements. These policies are represented by a Cloud IAM Policy object, which consists of a list of bindings. A binding binds a list of members to a role.

Answer 261

A

IAM Conditions is an attribute-based access control model that lets you define the conditions in which a user is able to be authorized to access a resource. Today there are a few conditions that you can implement, but GCP continues to evolve and grow this feature with new request attributes. Conditions are added to your role bindings of your Cloud IAM policy, and you use the Common Expression Language (CEL) to specify the expression in the Cloud IAM Condition.

Answer 262

A

Admin Activity audit logs These contain log entries for API calls and other administrative actions that can modify configurations or metadata of resources. Log entries are generated, for example, when a user makes a modification to an IAM policy.

Answer 263

A

Data Access audit logs These contain API calls that read the configuration or metadata of resources and user-driven API calls against user-provided resource data. The logs are disabled by default because they are large, and large means expensive. It’s highly recommended, however, that you enable these logs in your most critical environments.

Answer 264

A

System Event audit logs
These contain administrative actions that modify the configuration of resources. They’re generated by systems, not by user actions.

Answer 265

A

BeyondCorp is a zero trust access model that abstracts the authentication aspect of logging into the cloud away from the network and to the users and devices. The goal of a zero trust security access model is not to trust anything inside or outside an organization’s network perimeters and to use a higher level of scrutiny to determine whether a user is who they say they are and if they are on a safe device to access a resource. Zero trust security models are great, so learn more about them at your leisure!

Answer 266

A

An edge point of presence (POP) is a location where Google connects its network to the rest of the Internet via peering. Edge nodes, also known as content delivery network (CDN) POPs, are points at which content can be cached and served locally to end users. The user journey starts when a user opens an application built on Google’s infrastructure, and then their user request is routed to an edge network location that will provide the lowest latency. The edge network receives the request and passes it to the nearest Google data center, and the data center generates a response optimized for that user that can come from the data center, an edge POP, and edge nodes.

Answer 267

A

Since Google owns its entire network end to end, it is able to offer its customers the concept of network service tiers. Google offers two network service tiers: a default Premium network service tier and Standard network service tier.

Answer 268

A

The Premium tier is the default setting for GCP customers, offering users access to high-performance networking using Google’s entire global network, as described previously. In the Premium tier, Google uses cold potato routing, a form of network traffic routing in which Google will hold onto all network packets through the entire life cycle until they reach their destination. Once inbound traffic reaches Google’s POP, Google will use cold potato routing to hold onto packets until they reach their destination. Outbound traffic will be routed through Google’s network until it gets to an edge POP nearest to the user.

The Standard tier is a more cost-effective, lower-performance network that does not offer access to some features of Cloud networking (such as the ability to use a global load balancer) to save money. In the Standard tier, Google uses a hot potato routing method, whereby Google will offload your network traffic as fast as possible and hand it off to the public Internet to save you money.

Answer 269

A

Private Google Access enables instances without external IP addresses to access resources outside of their network inside Google Cloud. This was created to avoid security concerns for sensitive workloads where you did not want to have to assign your VM an external IP address and have it communicate over the Internet to communicate with Google Cloud’s managed services. You can extend this access through your on-premises network if you have a VPN or an interconnect setup.

Private Google Access enables you to use Google managed services across your corporate intranet without having to access the Internet and exposing your GCP resources to Internet attackers. Remember that RFC 1918 is your friend from a security perspective. The fewer public IP addresses you are dealing with, the lower your external attack surface area. Private Google Access can be used to maintain a high security posture using private IP addressing within your network, while leveraging Google services and resources that live outside it but still inside Google Cloud. Google Cloud acts as a sort of DMZ in that you can leverage these services to bring assets (such as data files into GCS, public repositories in BigQuery, Git repositories in Cloud Source Repositories, and so on) into your ecosystem without actually exposing your network to the outside world. This significantly reduces your exposure to a network attack. You don’t always need to access the Internet from your environment to keep it up-to-date. You can have the Internet come to you via Google Cloud services and then access those resources indirectly through Private Google Access.

Imagine a scenario in which you need to install software on your VMs, and the content is located in an on-premises file server, but your organization does not permit or have connectivity (VPN or Interconnect) between your Google Cloud environment and your on-premises network. Moreover, your Google environment needs to install this software securely without accessing the Internet as per security requirements. You can enable this capability securely using Private Google Access. You can establish a secure TLS session from your on-premises environment to GCS when you need to upload your files using gsutil. Then you can set up Private Google Access on the GCP project’s subnet that your VM is located on, and just use the gsutil tool to download your content to the VM from GCS on GCP. It’s like a secret backroad to Google Cloud public endpoints, and Google acts as your security guard.

Answer 270

A

Private Service Access enables you to connect to Google and third-party services that are located on other VPC networks owned by Google or third parties. So imagine a company that offers a service to you, hosted on its internal network on GCP, and you want to connect to that service without having to go over the public Internet. This is where you’d want to leverage Private Service Access. This sounds a bit more risky, but Google has many controls to ensure privacy between tenants to prevent security incidents. Still, you should assess each offering with the lens of your organization’s risk tolerance. This security model is similar to how AWS implemented a dedicated GovCloud for government agencies wanting a more secure cloud. The idea is that by never leaving the Google Cloud network and using trusted and certified third parties, you are able to leverage best-of-breed Software as a Service (SaaS) services or partner services without having to host these applications yourself in your own cloud.

Answer 271

A

Cloud Router is a managed service that dynamically exchanges routes between your VPC and your on-premises network using the Border Gateway Protocol (BGP) via a Dedicated Interconnect or Cloud VPN. This router is the foundational element of using the Cloud VPN and Cloud Interconnect.

BGP is a very complex exterior gateway path-vector routing protocol that advertises routing and reachability information among autonomous systems on the Internet. Virtually the whole Internet runs on BGP. There are two flavors of BGP you should be aware of—external BGP (eBGP) and internal BGP (iBGP).

Answer 272

A

Cloud VPN only supports up to 3 Gbps per tunnel, Partner Interconnect supports up to 10 Gbps, and Dedicated Interconnect supports up to 100 Gbps. If you get a question on the exam about speed, privacy, and connecting between on-premises to GCP—you know what to do.

Answer 273

A

When you think about the concept of prevention, detection, and response with respect to networks, you and your cloud provider both have roles to play in the shared responsibility matrix. The way you design your network, the network patterns that are risk-assessed and approved, the exceptions with mitigating controls, and all the configurations associated with it are preventative controls. Setting up your network according to best practices, as I’ve outlined in this chapter, is all preventative work—it will prevent bad behavior.

Answer 274

A

We discussed a bit about the GFE earlier in the chapter. The GFE is a smart reverse-proxy that is on a global control plane in more than 80 locations around the world, all interconnected through Google’s global network. When a user tries to access an address on Google’s infrastructure, the GFE authenticates the user and employs TLS to ensure confidentiality and integrity. The load balancing algorithm is applied at the GFE servers to find an optimal backend, and then the connections are terminated at the GFE. After the traffic is proxied and GFE has determined an optimal backend, it will leverage a gRPC call to send the request to the backend. You get DoS protection from the GFE and DDoS protection from the GLB. It’s basically a traffic cop that decides who to route where in an orderly fashion.

Answer 275

A

You use VPC firewall rules to allow or deny connections to or from your VMs based on a configuration that you specify. These rules are always enforced. In GCP, every VPC network functions as a distributed firewall, where rules are set at the network level and connections are allowed or denied on a per-instance basis. You can set rules between your instances and other networks and also between instances within your network. Firewall rules can apply to an ingress or egress connection, but not both. The only action you can take is to allow or deny. (I wish “New phone… Who dis?” was an option. That would be nice if you’re testing a rule.) You must select a VPC when you’re creating a firewall rule, because they’re distributed firewalls across VPCs. You can’t share a rule among VPC networks; you’d have to define a separate rule in other VPC networks. When it comes to shared VPC, your firewall rules are centralized and managed by the host project. Firewall rules are stateful, meaning that after a session is established, bidirectional traffic flow will be permitted.

Answer 276

A

You need to consider a few implied rules, which are firewall rules that are built in to VPC Firewall by default; you cannot change them, but if you need to make a pattern that goes against the implied rule, you can give it a higher priority and it will take precedence. Implied rules were created to prevent a default, new project from being exposed to the world. There are two rules:

*Implicit Ingress Deny This rule will deny any ingress traffic to your VPC by default. You don’t want to open up your VPC to the outside world unless you really need to!

*Implicit Egress Allow This rule will allow your instances inside your VPC to send traffic to any destination if it means Internet access criteria (that is, it has an external IP or uses NAT).

Answer 277

A

This is where VPC Service Controls come into play. They enable security administrators to define a security perimeter around managed services, such as GCS and BigQuery, to mitigate data exfiltration risks and keep data private inside of your defined perimeter. When you create this service perimeter, it effectively isolates resources of multitenant services and constrains the data from these services to fall under the enforcement boundaries that you create to protect your VPC. VPC Service Controls are awesome, but they are quite complex when you’re implementing them, so be patient and deliberate with your use case here.

Answer 278

A

Google follows a zero trust access model called BeyondCorp that shifts access controls from the network perimeter to individual users and devices, challenging users through a highly sophisticated authentication and authorization mechanism. This enables employees, contractors, and other users to work more securely from virtually anywhere in the world without the need for a traditional VPN. Identity Aware Proxy is one of the building blocks to building a zero trust model. Identity-Aware Proxy (IAP) is a mechanism to control access to your cloud-based and on-premises applications and VMs on GCP that uses identity and context to determine whether a user should be granted access.

Answer 279

A

Memory-optimized machine types are optimized for memory-intensive workloads, and they offer more memory per core than other machine types (up to 12TB of RAM). There are two families of memory-optimized machines: M1 and M2. M1 and M2 machines are optimized for ultra-high-memory workloads—think of large in-memory databases such as SAP HANA, Redis, or in-memory analytics.

Answer 280

A

Compute-optimized machine types are optimized for compute-intensive workloads. They offer more performance per core than other machine types. These machine types offer Intel Scalable processors and up to 3.8GHz of sustained all core turbo, which essentially means that the chips will be able to run all of their cores at a consistent maximum rate. There is one family of compute-optimized machine types, C2, and they’re typically used for high-performance computing, gaming, and single-threaded applications that are heavily CPU-intensive.

Answer 281

A

Shielded VMs are a security feature designed to offer a verifiable integrity of your VM instances, so that you can be sure your instances are not compromised by boot- or kernel-level malware or rootkits. These are designed for more highly sensitive workloads or for organizations that have stricter compliance requirements. Shielded VMs leverage Secure Boot, with a virtual Trusted Platform Module (vTPM), and integrity monitoring to ensure that your virtual machine has not been tampered with.

Answer 282

A

Confidential VMs are a breakthrough technology that Google Cloud developed that offers to encrypt data that is in use. This technology has never before been available to this extent. Encryption traditionally has been permitted only for data at rest or data in transit. When you’re actively using data or an application is processing data, you would have to decrypt the data in CPU and memory for your system to do anything with it. With Confidential VMs, GCE is able to work on encrypted data without having to decrypt it. This is possible by leveraging the Secure Encrypted Virtualization feature of second-generation AMD EPYC CPUs. Basically, the CPU natively encrypts and decrypts all the in-process memory. So if a bad actor were able to get a memory dump from your system, they would not be able to forensically make sense of anything.

Answer 283

A

You can create MIGs with a minimum and maximum instance count set to 1. This enables your MIG to guarantee that at all times one instance of your VM is up and running within a region. This is a very cost-effective way to enable high availability without incurring the extra costs of having to keep two or more instances running at all times.

Answer 284

A

OS Login is a mechanism to simplify SSH access management by linking your SSH users in Linux to their respective Google identities in Cloud Identity. If you aren’t using OS Login, your users will need to have separate credentials to log in to their respective VMs. You use OS Login for the same reason you’d want to use single sign-on (SSO) to simplify access management for your users. It enables you to manage the full life cycle of your Linux accounts through the governance of your Google identities. That way, you can manage identity and access management (IAM) permissions centrally through Cloud IAM, you can do automatic permission updates, and you can also import existing Linux accounts from your on-premises Active Directory and LDAP servers to ensure that they are synchronized for VMs across your environments.

You can also enable an organization policy to enforce OS Login to prevent a malicious user who does not have proper authorizations through a Google identity from getting direct SSH access to your VMs. It’s a lot more difficult to manage the full SSH key life cycle if you are manually provisioning privileged users on your VM instances.

Answer 285

A

Creating, publishing, and managing APIs is quite a challenge for many organizations. If you’re in the business of creating APIs, whether internal or external, it’s not easy to govern and manage all of your API endpoints in a consistent manner. This is where using API management platforms comes in handy. Modern API management platforms offer the tools to develop, secure, publish, and manage your APIs in a consistent and often policy-based manner. API management platforms such as Apigee are fully developed platforms that will handle the full API life cycle, whereas other solutions such as Cloud Endpoints are not in parity when it comes to features and functionality.

Answer 286

A

Apigee, a Google acquisition, is a full end-to-end OpenAPI-compliant API management platform that enables you to manage the full API life cycle in any cloud, including multi- and hybrid-cloud environments. This incredibly robust product was ranked by Forrester as a leader in API management solutions in Q3 2020.

The most useful capability that Apigee offers is the fact that it is an API proxy. As a result, for API clients, it presents your business services as managed “facades” for backend services. Technically, your backend need not support HTTP, be modernized, or even understand the concept of microservices. Apigee can act as a translation layer between the modern client-facing REST API presentation layer your business is exposing to its clients and whatever new or old technologies you have lurking in the back corners of your enterprise. Furthermore, as a proxy, it can control the end-to-end security, transaction rates, access controls, and so on, for your business-exposed APIs, enabling a company to modernize its business face without necessarily having to reinvent its backend.

Answer 287

A

Cloud Endpoints is an API management platform that enables you to secure, manage, and monitor your APIs on Google Cloud.
This greatly simplifies the need to manage all of your APIs manually in Google Cloud. You can build all of your API documentation in a developer-accessible portal.
With Cloud Endpoints, you can leverage three communications protocols——OpenAPI, gRPC, or Cloud Endpoints Frameworks for App Engine standard environments. This offering gives your development teams the ability to focus on developing their APIs instead of building custom frameworks.

Answer 288

A

APIs expose application logic and sensitive data by their intended design, and this continues to become a target for attackers. Products such as Apigee and Cloud Endpoints can prevent a lot of these flaws by default or provide you the ability to configure your APIs in a consistent, secure manner.

Answer 289

A

Here are some recommendations to leverage when you’re thinking about securing your APIs:

Classify your APIs and design a reference architecture for the required controls and approved patterns based on the classification of the API. For example, you can have public-facing APIs, internal APIs, and partner-facing APIs, each with a different level of security controls.
Implement rate limiting to prevent denial-of-service attacks.
Be aware of excessive data exposure, and think about how you can filter unnecessary data before it’s displayed back to the end user of the API.
Use a common configuration and monitor your APIs for security misconfigurations.
Validate your inputs—ensure that your API is not the subject of injection flaws, such as SQL injections, to avoid malicious code being executed by an attacker.

Answer 290

A

Block storage refers to a data system in which the data is broken up into blocks and then stored across a distributed system to maximize efficiency. These storage blocks get unique identifiers so that they can be referenced in order to piece the data back together. Block storage systems are great when you need to retrieve and manipulate data quickly through a layer of abstraction (such as an operating system) that is responsible for accessing the data points across the blocks. The downside to block storage, however, is that because your data is split and chunked across blocks, there is no ability to leverage metadata.

Answer 291

A

Object storage refers to a data system with a flat structure that contains objects, and within objects are data, metadata, and a unique identifier. This type of storage is very versatile, enabling you to store massive amounts of unstructured data and still maintain simple data accessibility. You can use object storage for anything—unstructured data, large data sets, you name it. However, because of the nature of this flat system, you’ll need to manage your metadata effectively to be able to keep your objects accessible. In Google Cloud, object storage is associated with technologies such as Google Cloud Storage.

Answer 292

A

BigQuery datasets are top-level containers that are used to organize and control access to tables and views. As you can imagine, tables consist of rows and columns of data records. Like other databases, each table is defined by a table schema, which should be created in the most efficient way. Views are virtual tables defined by a query. You can create authorized views to share query results with only a particular set of users and groups without giving them access to the tables directly.

Answer 293

A

Publisher The client that creates messages and publishes them to a specific topic
Message The data that moves through Pub/Sub
Topic A named resource that represents a feed of messages
Subscription A named resource that receives all specified messages on a topic
Subscriber The client that receives messages from a subscription

Answer 294

A

To counter the lack of CSEK’s growth, Google launched a new service, External Key Manager (EKM), a service that enables organizations to supply their own keys through a supported external key management partner to protect their data in the cloud. With EKM, your keys are not stored in Google; they are stored at a third party, and you would typically own and control their location, distribution, access, and management. It’s a pretty new service that is going to take some time before it’s supported across the spectrum, but EKM is the most promising solution to customers that need to fully own their encryption keys. In my opinion, you should either use default encryption or EKM and nothing in between. But it’s going to take some time before the product is fully mature and compatible.

Answer 295

A

If you need SQL queries via an OLTP system, use Cloud Spanner or Cloud SQL.
If you need interactive querying via an OLAP system, use BigQuery.
If you need a strong NoSQL database for analytical workloads such as time-series data and IoT data, use Bigtable.
If you need to store structured data in a document database with support for ACID transactions and SQL-like queries, use Cloud Firestore.
If you need in-memory data storage, use Memorystore.

Answer 296

A

The philosophy of DevOps challenges decades of software development, where the people, process, and technology were built on longstanding belief systems based on clearly defined roles for developers, QA, and operations teams, and a rigid structure around the deployment process. Traditional software development uses a factory model of moving work through a conveyor belt of roles (processes), which produces a consistent level of quality as an output. This has frequently proved to be a false axiom, however, as the individuals involved were often the reason why processes either succeeded or failed.

Answer 297

A

*Reduce organizational silos

*Accept failure as normal

*Implement gradual changes

*Leverage tooling and automation

*Measure everything

Answer 298

A

IaC is the practice of writing the elements of your infrastructure in code form, which can be interpreted by tools such as Terraform, Ansible, and Google Deployment Manager. You’re basically treating your infrastructure as you would treat your software—with clear code, source code repositories, approved patterns and strong change management, misconfiguration detection and prevention, and rapid deployment.

Answer 299

A

Having the ability to spin up any scale infrastructure by deploying a template speeds up the entire task of deploying infrastructure by an unmatched margin.

*Managing configurations for thousands of servers, services, and beyond can and will always lead to humans making errors and misconfigurations, which could cause a whole slew of issues for your applications, from operational issues to security issues. Using IaC enables you to centrally manage these configurations, scan them for deviances, and govern them centrally.

*Eliminating the need to manually provision new servers and services minimizes the time to deploy your applications. By using IaC, if your application goes through a massive iteration and you need to attach a new database, Pub/Sub sink, or VMs, you can modify your templates rather than having to plan to perform these activities as part of your deployment.

*Freeing up development time for your team to focus on building, testing, and managing your applications, rather than constantly provisioning infrastructure manually, saves money.

*Stop looking at infrastructure as immutable. For high-velocity IT development teams to work as efficiently as possible, give them their own temporary environments to test their new code. Then destroy the environment when they are done. The whole point of public cloud is on-demand infrastructure. This can be achieved only via automation and IaC.

Answer 300

A

Blue-green deployment involves creating two identical environments—a blue environment and green environment—so that when a release is deployed to one environment, the other environment can be held as a reserve. The idea is that you can deploy the release to one environment and switch all your users over to the new release, while still maintaining your old environment in case you need to fall back to it, without having to do a full rollback. As you can imagine, the infrastructure costs double, and if the application footprint is too large, this is not always a feasible deployment strategy.

Answer 301

A

In a rolling deployment, you maintain one production environment that may consist of many servers with a load balancer in front of them. When you deploy your application, you stagger the deployment across servers, so that some servers run the new application version and others continue to host the old version. This enables you to test real-life traffic and load and potentially identify issues before the application is fully deployed. If you do have an issue, you can just divert all of your users to the servers that do not have the latest release (rather than having to roll back servers entirely). This can be a complicated process, especially around major changes, because the support team managing your application will have to understand how to troubleshoot both users on the older versions as well as users who’ve been routed to the new version.

Answer 302

A

Canary deployment involves making the new release available to a subset of users before other users. It is similar to a rolling deployment in the sense that some of your users will get access to the new release before others. But in the canary deployment, you’re targeting users, not servers. Your infrastructure costs will be higher with this type of deployment because you are maintaining two sets of infrastructure, though your usage on the infrastructure where you target your canary users probably won’t be too high if your application is designed to scale on demand?

Answer 303

A

A/B deployment is more focused on testing different changes on end users to understand which they prefer. The idea here is to have half of your users work with version A, while the other half works with version B. It’s a way for you to understand how your customers are using your new version and derive insights from their usage patterns to drive customer happiness.

Answer 304

A

Container Registry is a private Docker repository in which you can store, manage, and secure your Docker container images. You can also perform vulnerability analysis and manage access control to the container images. With Container Registry, you can integrate your CI/CD pipelines to design fully automated Docker pipelines. When you’re using the Container Registry, you can automatically build and push images to your private registries immediately upon committing code to your source code repository tools such as Cloud Source Repositories, GitHub, or BitBucket.

Answer 305

A

Design resilient services:
standardize deployments and incorporate automation architectural standards and deploying with automation helps you standardize your builds, tests, and deployments,
Use Managed Services

Operational tools portfolio
Focus on improving operational excellence, rather than managing the tools themselves
Understanding what tools are available and how they can help you identify and resolve an issue will reduce the impact and return your applications to operations faster.

Improve your cloud operations
monitoring performance, anomaly detection, or even securing your cloud against abuse
Google Cloud operational tooling provides insights that help you understand what is happening faster and in turn, improve the efficiency of your operations

Answer 306

A

What is a webhook?
Webhooks are one of a few ways web applications can communicate with each other.

It allows you to send real-time data from one application to another whenever a given event occurs.

For example, let’s say you’ve created an application using the Foursquare API that tracks when people check into your restaurant. You ideally want to be able to greet customers by name and offer a complimentary drink when they check in.

What a webhook does is notify you any time someone checks in, so you’d be able to run any processes that you had in your application once this event is triggered.

The data is then sent over the web from the application where the event originally occurred, to the receiving application that handles the data.

Answer 307

A

This exchange of data happens over the web through a “webhook URL.”

A webhook URL is provided by the receiving application, and acts as a phone number that the other application can call when an event happens.

Only it’s more complicated than a phone number, because data about the event is sent to the webhook URL in either JSON or XML format. This is known as the “payload.”

Answer 308

A

This exchange of data happens over the web through a “webhook URL.”

A webhook URL is provided by the receiving application, and acts as a phone number that the other application can call when an event happens.

Only it’s more complicated than a phone number, because data about the event is sent to the webhook URL in either JSON or XML format. This is known as the “payload.”

Here’s an example of what a webhook URL looks like with the payload it’s carrying:

Answer 309

A

Imagine you run a membership site. Every time a customer pays you through a payment gateway like Stripe, you have to manually input their details into your membership management application. This is just so the user can log in.

This of course, quickly becomes tedious as the rate of new members increase. If only Stripe and your membership software could communicate with one another. That way anyone that pays through Stripe is automatically added as a member.

Using a webhook is one way to make this happen.

Let’s assume that both Stripe and the membership management software have webhook integrations. You’d then be able to set up the Stripe integration to automatically transfer a user’s information over, each time payment is made.

Here’s an image that shows how this might work:

webhooks flow

Webhooks are an incredible tool that saves you a lot of work. And the fact that they’re so popular means that you’ll be able to integrate most of the web apps you currently use.

For example, connecting your email marketing software with other applications through a webhook can open up a lot of possibilities:

You can use a webhook to connect a payment gateway with your email marketing software so that a user gets an email whenever a payment bounces.

You can use webhooks to sync customer data in other applications. For example, if a user changes their email address you can ensure that the change is reflected in your CRM as well.

You can also use webhooks to send information about events to external databases or data warehouses like Amazon’s Redshift or Google Big Query for further analysis.

Answer 310

A

As mentioned earlier, webhooks are just one of the ways that different applications use to communicate with each other, and another is through an application programming interface (API).

Their uses cases are very similar but the prime difference between API and webhooks?

It’s in how they receive data.

Answer 311

A

With an API, you get data through a process known as “polling.” This is when your application periodically makes a request to an API server to check for new data.

A webhook, on the other hand, allows the provider to send (i.e “push”) data to your application as soon as an event occurs. This is why webhooks are sometimes referred to as “reverse APIs.”

APIs need to pull data from a server periodically to stay up to date, but with webhooks, the server can push this data over to you the instant something happens.

To use a real world analogy, APIs would be likened to you repeatedly calling a retailer to ask if they’ve stocked up on a brand of shoes you like.

Webhooks, would then be like asking the retailer to call you whenever they have the shoes in stock, which frees up time on both sides.

Webhooks are less resource-intensive because they save you time on constantly polling (checking) for new data.

Answer 312

A

So the question is, if webhooks are easier to set up, less resource-intensive, and faster than APIs, why use APIs at all?

Well, APIs are still popular for a number of reasons:

Not every application supports webhook integrations.
Sometimes you only want to know about the end result, rather than every event (i.e. every permutation) that’s changed an object.
Webhooks can only notify you about an event, so if you want to make a change based on new information, you’ll need an API.

A webhook payload may not contain all the data you need about an event.
So APIs are still really useful, which is why a lot of applications support both APIs and webhooks.

Bottom line is, if your goal is to transfer data between two services, webhooks are the way to go.

Answer 313

A

For connecting to internal webhooks, you can route them through Pub/Sub. Uptime checks work against private endpoints as well. See Creating custom notifications with Cloud Monitoring and Cloud Run for more information.

Answer 314

A

In the example, two monitoring alerting policies are created using Terraform: one is based on the GCE instance CPU usage_time metric and the other is based on the GCE instance disk read_bytes_count metric. Both alert policies use Cloud Monitoring Pub/Sub notification channels to send alert notifications. A Cloud Pub/Sub push subscription is configured for each Cloud Pub/Sub notification channel. The push endpoints of the Cloud Pub/Sub push subscriptions are pointed to the Cloud Run service we implement so that all the alert notifications sent to the Cloud Pub/Sub notification channels are forwarded to the Cloud Run service. The Cloud Run service is a simple Http server that transforms the incoming Cloud Pub/Sub messages into Google Chat messages and sends them to the configured Google Chat rooms via their incoming Webhook URLs.

https://cloud.google.com/blog/products/operations/write-and-deploy-cloud-monitoring-alert-notifications-to-third-party-services

Answer 315

A

You have control over which rules are applied in your security policies. You can turn off the few rules that are blocking your legacy clients. Instructions are available in how to write your own security policies:

You can configure Google Cloud Armor security policies, rules, and expressions by using the Google Cloud console, the Google Cloud CLI, or the REST API. When you use the gcloud CLI to create security policies, use the –type flag to specify whether the security policy is a backend security policy or an edge security policy.

Configure Google Cloud Armor security policies

https://cloud.google.com/armor/docs/configure-security-policies#atomic-update

Answer 316

A

You have control over which rules are applied in your security policies. You can turn off the few rules that are blocking your legacy clients. Instructions are available in how to write your own security policies:

You can configure Google Cloud Armor security policies, rules, and expressions by using the Google Cloud console, the Google Cloud CLI, or the REST API. When you use the gcloud CLI to create security policies, use the –type flag to specify whether the security policy is a backend security policy or an edge security policy.

Configure Google Cloud Armor security policies

https://cloud.google.com/armor/docs/configure-security-policies#atomic-update

Answer 317

A

You have control over which rules are applied in your security policies. You can turn off the few rules that are blocking your legacy clients. Instructions are available in how to write your own security policies:

You can configure Google Cloud Armor security policies, rules, and expressions by using the Google Cloud console, the Google Cloud CLI, or the REST API. When you use the gcloud CLI to create security policies, use the –type flag to specify whether the security policy is a backend security policy or an edge security policy.

Configure Google Cloud Armor security policies

https://cloud.google.com/armor/docs/configure-security-policies#atomic-update

Answer 318

A

So the question is, if webhooks are easier to set up, less resource-intensive, and faster than APIs, why use APIs at all?

Well, APIs are still popular for a number of reasons:

Not every application supports webhook integrations.
Sometimes you only want to know about the end result, rather than every event (i.e. every permutation) that’s changed an object.
Webhooks can only notify you about an event, so if you want to make a change based on new information, you’ll need an API.

A webhook payload may not contain all the data you need about an event.
So APIs are still really useful, which is why a lot of applications support both APIs and webhooks.

Bottom line is, if your goal is to transfer data between two services, webhooks are the way to go.

Brainscape's Knowledge GenomeTM

PCA Topics Flashcards

Brainscape's Knowledge Genome^TM