E7 Final

Which of the following is a valid use case for using a primitive role? A When granting permission to a development project or to the development team. B When there are more than 10 users. C When creating a custom role requires more than 10 permissions. D When granting permission to a production project, or to a third-party company.

Correct Answer: A Why is this correct? This would meet Google's recommended use cases. https://cloud.google.com/iam/docs/using-iam-securely#least_privilege

Which of the following is a valid use case for Flow Logs? A Blocking instances from communicating over certain ports. B Network forensics. C Proxying SSL traffic. D Serving as a UDP relay.

Correct Answer: B Why is this correct? This is something useful because flow logs will show which IP addresses interacted with which service and when. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/1/module/238 https://cloud.google.com/vpc/docs/using-flow-logs

Your security team has been reluctant to move to the cloud because they don't have the level of network visibility they're used to. Which feature might help them to gain insights into your Google Cloud network? A Routes B Subnets C Flow logs D Firewall rules

Correct Answer: C Why is this correct? Flow logs are great for gaining insights into what's happening on a network. They provide a sample of the flows to and from instances. https://cloud.google.com/vpc/docs/using-flow-logs https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/1/module/238

You're attempting to deploy a new instance that uses the centos 7 family. You can't recall the exact name of the family. Which command could you use to determine the family names? A gcloud compute instances list B gcloud compute images show-families C gcloud compute instances show-families D gcloud compute images list

Correct Answer: D Why is this correct? Family names are an attribute of images. This would list all the images and their family names. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/4/module/238

You have an App Engine application running in us-east1. You've noticed 90% of your traffic comes from the West Coast. You'd like to change the region. What's the best way to change the App Engine region? A Use the gcloud app region set command and supply the name of the new region. B Contact Google Cloud Support and request the change. C From the console, under the App Engine page, click edit, and change the region drop-down. D Create a new project and create an App Engine instance in us-west2.

Correct Answer: D Why is this correct? There is currently no way to change the region of App Engine. https://cloud.google.com/appengine/docs/locations https://linuxacademy.com/cp/courses/lesson/course/2542/lesson/5/module/238

You're trying to provide temporary access to some files in a Cloud Storage bucket. You want to limit the time that the files are available to 10 minutes. With the fewest steps possible, what is the best way to generate a signed URL? A In the UI select the objects and click the Generate Signed URL button. B Create a service account and JSON key. Use the gsutil signurl -t 10m command and pass in the JSON key and bucket. C In the UI select the objects and click the "Sign With Key" button. D Create a service account and JSON key. Use the gsutil signurl -d 10m command and pass in the JSON key and bucket.

Correct Answer: D Why is this correct? This is a quick way to generate the URL. This will create a signed URL that will expire in 10 minutes. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/8/module/238

You're using a Pub/Sub topic to publish disparate messages from an on-premises application. You're looking for a simple way to run some code every time a message is published. What is the simplest, lowest cost, and most CPU friendly solution? A Use a scheduled task that starts an App Engine application to poll for changes. B Use a scheduled Cloud Function to check the queue every minute. C Deploy code to Compute Engine that polls for messages. D Have Pub/Sub push messages to a Cloud Function.

Correct Answer: D Why is this correct? This ticks all the boxes. Simple, low cost, CPU friendly because it's not polling. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/7/module/238

You need to help a developer install the App Engine Go extensions. However, you've forgotten the exact name of the component. Which command could you run to show all of the available options? A gcloud config list B gcloud component list C gcloud config components list D gcloud components list

Correct Answer: D Why is this correct? This will show a table of all the components, and if they are installed or not. https://linuxacademy.com/cp/courses/lesson/course/2541/lesson/3/module/238

Your coworker created a deployment for your application container. You can see the deployment under Workloads in the console. They're out for the rest of the week, and your boss needs you to complete the setup by exposing the workload. What's the easiest way to do that? A Create a new Service that points to the existing deployment. B Create a new DaemonSet. C Create a Global Load Balancer that points to the pod in the deployment. D Create a Static IP Address Resource for the Deployment.

A service is how we expose deployments. It's a persistent endpoint that we can interact with, and it will send the traffic over to the pods in the deployment. https://linuxacademy.com/cp/courses/lesson/course/2542/lesson/4/module/238 https://kubernetes.io/docs/concepts/services-networking/service/

Regarding audit logs, which of the following is a Google recommended best practice? A Export your audit logs to App Engine. B Export your audit logs to Pub/Sub. C Flush your audit logs monthly so you can more easily notice security events. D Export your audit logs to Cloud Storage and store them for a long period of time.

Audit logs should always be backed up and stored securely for as long as is practical. https://cloud.google.com/iam/docs/using-iam-securely

You've created a bucket to store some data archives for compliance. The data isn't likely to need to be viewed. However, you need to store it for at least 7 years. What is the best default storage class? A Multi-regional B Coldline C Regional D Nearline

Coldline storage is an ideal storage class for archives. https://linuxacademy.com/cp/courses/lesson/course/2543/lesson/1/module/238

You've seen some errors in the logs for a specific Deployment. You've narrowed the issue down to the Pod named "ad-generator" that is throwing the errors. Your engineers aren't able to reproduce the error in any other environment. They've told you that if they could just "connect into the container" for 5 minutes, they could figure out the root cause. What steps would allow them to run commands against the container? A Use the kubectl exec -it ad-generator -- /bin/bash command to run a shell on that container. B Use the kubectl exec -it -- /bin/bash command to run a shell on that container. C Use the kubectl run command to run a shell on that container. D Use the kubectl run ad-generator /bin/bash command to run a shell on that container.

Correct Answer: A Why is this correct? Assuming the container has the bash binary installed, this will work. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/6/module/238

You've been trying to deploy a container to Kubernetes; however, kubectl doesn't seem to be able to connect to the cluster. Of the following, what is the most likely cause and how can you fix it? A The kubeconfig is missing the credentials. Run the gcloud container clusters get-credentials command. B The firewall rules are preventing the connection. Open up the firewall rules to allow traffic to port 1337. C The kubeconfig is missing the credentials. Run the gcloud container clusters auth login command. D The firewall rules are preventing the connection. Open up the firewall rules to allow traffic to port 3682.

Correct Answer: A Why is this correct? Kubectl doesn't know about a cluster. Using this command, you can get the cluster credentials and save them locally. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/4/module/238

You're about to deploy your team's App Engine application. They're using the Go runtime with a Standard Environment. Which command should you use to deploy the application? A gcloud app deploy app.yaml B gcloud app-engine apply app.yaml C gcloud app apply app.yaml D gcloud app-engine deploy app.yaml

Correct Answer: A Why is this correct? Memorizing command on the CLI is boring, so well done! The configuration is contained in the app.yaml for most runtimes. Java uses app.xml. The command will also work without specifying the file if it's in the current working directory. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/8/module/238

Your developers have created an application that needs to be able to make calls to Cloud Storage and BigQuery. The code is going to run inside a container and will run on Kubernetes Engine and on-premises. What's the best way for them to authenticate to the Google Cloud services? thumb_upthumb_down A Create a service account, grant it the least viable privileges to the required services, generate and download a key. Use the key to authenticate inside the application. B Use the default service account for App Engine which already has the required permissions. C Use the default service account for Compute Engine which already has the required permissions. D Create a service account, with editor permissions, generate and download a key. Use the key to authenticate inside the application.

Correct Answer: A Why is this correct? Service accounts are used for this very reason. Care needs to be taken with the key. However, this will work. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/3/module/238

You're deploying an application to a Compute Engine instance, and it's going to need to make calls to read from Cloud Storage and Bigtable. You want to make sure you're following the principle of least privilege. This Compute Engine instance is the only instance in this project. What's the easiest way to ensure the code can authenticate to the required Google Cloud APIs? A Use the default Compute Engine service account and set its scopes. Let the code find the default service account using "Application Default Credentials". B Create a new service account and key with the required limited permissions. Set the instance to use the new service account. Edit the code to use the service account key. C Create a new user account with the required roles. Store the credentials in Cloud Key Management Service and download them to the instance in code. D Register the application with the Binary Registration Service and apply the required roles.

Correct Answer: A Why is this correct? Simple and effective. https://cloud.google.com/docs/authentication/production

You're deploying an application to a Compute Engine instance, and it's going to need to make calls to read from Cloud Storage and Bigtable. You want to make sure you're following the principle of least privilege. This Compute Engine instance is the only instance in this project. What's the easiest way to ensure the code can authenticate to the required Google Cloud APIs? thumb_upthumb_down A Use the default Compute Engine service account and set its scopes. Let the code find the default service account using "Application Default Credentials". B Create a new service account and key with the required limited permissions. Set the instance to use the new service account. Edit the code to use the service account key. C Create a new user account with the required roles. Store the credentials in Cloud Key Management Service and download them to the instance in code. D Register the application with the Binary Registration Service and apply the required roles.

Correct Answer: A Why is this correct? Simple and effective. https://cloud.google.com/docs/authentication/production

A few members of the dev team have been talking about testing a Google Cloud API they've never used before. They're curious to see what parameters are required and what the results of the API call will look like. They've asked you to set up a new project, grant them access, enable the API, and let them know when it's ready. What's the most efficient way to help the developers test the new API? A Direct them to the API Explorer. B Follow the developer's recommendation and set up a new project, grant them access, and enable the API. C Help them to set up the Cloud SDK and use the gcloud command. D Enable the API inside an existing project and grant them permissions.

Correct Answer: A Why is this correct? The API Explorer is likely the fastest and easiest way to test out an API. It doesn't require all of the additional effort that goes along with setting up APIs for production environments. https://linuxacademy.com/cp/courses/lesson/course/2531/lesson/5/module/238

Your developers are trying to connect to an Ubuntu server over SSH to diagnose some errors. However, the connection times out. Which command should help solve the problem? A gcloud compute firewall-rules create "open-ssh" --network $NETWORK --allow tcp:22 B gcloud compute firewall-rules create "open-ssh" C gcloud compute firewall-rules create "open-ssh" --network $NETWORK --deny tcp:22 D gcloud compute firewall-rules create "open-ssh" --network $NETWORK --allow tcp:3389

Correct Answer: A Why is this correct? The assumption here is that port 22 for ssh is blocked by the firewall. This will open it up to the world. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/1/module/238

You're using Deployment Manager to deploy your application to an autoscaled, managed instance group on Compute Engine. The application is a single binary, What is the fastest way to get the binary onto the instance, without introducing undue complexity? thumb_upthumb_down A When creating the instance template use the startup script metadata key to bootstrap the application. B Use a "golden image" that contains everything you need. C When creating the instance template, use the startup script metadata key to install Ansible. Have the instance run the play-book at startup to install the application. D Once the instance starts up, connect over SSH and install the application.

Correct Answer: A Why is this correct? The startup script is a simple way to get your application bootstrapped without adding more tooling. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/6/module/238

You've been asked to add a new IAM member and grant them access to run some queries on BigQuery. Considering the principle of least privilege, which role should you assign? thumb_upthumb_down A roles/bigquery.dataViewer and roles/bigquery.jobUser B Project Editor C roles/bigquery.admin D roles/bigquery.dataOwner

Correct Answer: A Why is this correct? These should give enough access to run queries. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/3/module/238

You've created the code for a Cloud Function that will respond to HTTP triggers and return some data in JSON format. You have the code locally, it's tested and working. Which command can you use to create the function inside Google Cloud? thumb_upthumb_down A gcloud functions deploy B gcloud function create C gcloud functions create D gcloud function deploy

Correct Answer: A Why is this correct? This command creates and deploys. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/7/module/238

Your developers have been thoroughly logging everything that happens in the API. The API allows end users to request the data as JSON, XML, CSV, and XLS. Supporting all of these formats is taking a lot of developer effort. Management would like to start tracking which options are used over the next month. Without modifying the code, what's the fastest way to be able to report on this data at the end of the month? thumb_upthumb_down A Create a custom counter logging metric that uses a regex to extract the data format into a label. At the end of the month, use the metric viewer to see the group by the label. B Create a log sink that filters for rows that mention the data format. Export that to BigQuery, and run a query at the end of the month. C Create a custom monitoring metric in code and edit the API code to set the metric each time the API is called. D Export the logs to excel, and search for the different fields.

Correct Answer: A Why is this correct? This is a simple solution that only requires the metric to be created, and then Stackdriver will track each occurrence. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/10/module/238

You're attempting to set up a File based Billing Export. Which of the following components are required? thumb_upthumb_down A A Cloud Storage bucket. B A BigQuery dataset. C A report prefix. D A Budget and at least one alert.

Correct Answer: A Why is this correct? This is required in order to have a location for the files to be exported to. https://linuxacademy.com/cp/courses/lesson/course/2540/lesson/3/module/238 Correct Answer: C Why is this correct? This is the portion of the file name that's appended to each file. https://linuxacademy.com/cp/courses/lesson/course/2540/lesson/3/module/238

You need to create a new development Kubernetes cluster with 4 nodes. The cluster will be named linux-academy-dev-cluster. Which of the following truncated commands will create a cluster? A gcloud container clusters create linux-academy-dev-cluster --num-nodes 4 B kubectl clusters create linux-academy-dev-cluster 4 C kubectl clusters create linux-academy-dev-cluster --num-nodes 4 D gcloud container clusters create linux-academy-dev-cluster 4

Correct Answer: A Why is this correct? This is the correct start of the command. There are some additional flags. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/3/module/238

While looking at your application's source code in your private Github repo, you've noticed that a service account key has been committed to git. What steps should you take next? A Revoke the key, remove the key from Git, purge the Git history to remove all traces of the file, ensure the key is added to the .gitignore file. B Delete the project and create a new one. C Do nothing. Git is fine for keys if the repo is private. D Contact Google Cloud Support

Correct Answer: A Why is this correct? This should do it. This is pretty common, so if it happens to you, don't beat yourself up about it. Just take steps to ensure it doesn't happen in the future. :) https://cloud.google.com/iam/docs/creating-managing-service-account-keys#deleting_service_account_keys https://help.github.com/articles/removing-sensitive-data-from-a-repository/

You have a 20 GB file that you need to securely share with some contractors. They need it as fast as possible. Which steps would get them the file quickly and securely? A Using composite objects and parallel uploads to upload the file to Cloud Storage quickly. Then generate a signed URL and securely share it with the contractors. B Set up a VPC with a custom subnet. Create a subnet tunnel. Upload the file to a network share. Grant the contractors temporary access. C Upload the file to Bigtable using the bulk data import tool. Then provide the contractors with read access to the database. D Upload the file to Cloud Storage. Grant the allAuthenticated users token view permissions.

Correct Answer: A Why is this correct? This will allow you to upload the file quickly by breaking it into smaller chunks and uploading them at the same time. The signed URL allows for secure temporary access to the object. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/8/module/238

You're attempting to set the default Compute Engine zone with the Cloud SDK. Which of the following commands would work? thumb_upthumb_down A gcloud config set compute/zone us-east1-c B gcloud set compute\zone us-east1 C gcloud set compute/zone us-east1 D gcloud config set compute\zone us-east1

Correct Answer: A Why is this correct? This will work perfectly! Well done! :D https://linuxacademy.com/cp/courses/lesson/course/2541/lesson/2

You're attempting to remove the zone property from the Compute Engine service, that was set with the incorrect value. Which command would accomplish your task? A gcloud config unset compute/zone B gcloud config unset zone C gcloud config configurations unset compute/zone D gcloud unset compute/zone

Correct Answer: A Why is this correct? This would indeed unset the zone for compute engine. https://linuxacademy.com/cp/courses/lesson/course/2541/lesson/3/module/238

Your finance team is working with the engineering team to try and determine your spending for each service by day and month across all projects used by the billing account. What is the easiest and most flexible way to aggregate and analyze the data? A Export the data for the billing account(s) involved to BigQuery; then use BigQuery to analyze the service data for the desired projects, by day and month. B Export the data for the billing account(s) involved to a JSON File; use a Cloud Function to listen for a new file in the Storage bucket; code the function to analyze the service data for the desired projects, by day and month. C Export the data for the billing account(s) to File, import the files into a SQL database; then use BigQuery to analyze the service data for the desired projects, by day and month. D Use the built-in reports which already show this data.

Correct Answer: A Why is this correct? You can export the data from the Billing Account to BigQuery. This will give you the data for all of the projects. Then you can start querying the data for patterns. https://linuxacademy.com/cp/courses/lesson/course/2540/lesson/3/module/238

. You're working on setting up a cluster of virtual machines with GPUs to perform some 3D rendering for a customer. They're on a limited budget and are looking for ways to save money. What is the best solution for implementing this? A Use an unmanaged instance group with preemptible instances. B Use an autoscaled managed instance group using preemptible instances. C Use App Engine with Flexible Environments. D Use App Engine with Standard Environments.

Correct Answer: B Why is this correct? An autoscaled managed instance group will make it easy to have instances added automatically. Using a preemptible instance will save cost. https://linuxacademy.com/cp/courses/lesson/course/2542/lesson/2/module/238

You have a simple web application that you're trying to deploy in a secure and inexpensive way. The application is running inside a Docker container on port 8080. Once the application is initially deployed, the developers are going to take ownership of future deployments. What is the best option for running the application? A Use an App Engine Standard Environment. B Use an App Engine Flexible Environment. C Use an on-premises Kubernetes cluster. D Use Kubernetes Engine.

Correct Answer: B Why is this correct? Flexible environments are able to use a Dockerfile to create custom runtimes. They specifically run on port 8080. https://cloud.google.com/appengine/docs/flexible/custom-runtimes/build

You've uploaded some static web assets to a public storage bucket for the developers. However, they're not able to see them in the browser due to what they called "CORS errors". What's the easiest way to resolve the errors for the developers? thumb_upthumb_down A Advise the developers to adjust the CORS configuration inside their code. B Use the gsutil cors set command to set the CORS configuration on the bucket. C Use the gsutil set cors command to set the CORS configuration on the bucket. D Use the gsutil set cors command to set the CORS configuration on the object.

Correct Answer: B Why is this correct? This is correct. You can set the CORS configuration on the bucket allowing the objects to be viewable from the required domains. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/2/module/238 https://cloud.google.com/storage/docs/cross-origin

30 minutes ago you created a log sink that exports all of your project audit logs to Cloud Storage. You can see in the log viewer that there are new records. However, you're not seeing them in your Storage Bucket. What is the most likely cause? A Cloud Storage isn't a supported destination. B Each log sink destination has its own time window for saving the data. C The Cloud Storage Bucket doesn't have the correct permissions. D You forgot to enable the sink inside the Cloud Storage UI.

Correct Answer: B Why is this correct? This is true. Cloud Storage can take a couple hours to persist the data. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/10/module/238

You're working on creating a script that can extract the IP address of a Kubernetes Service. Your coworker sent you a code snippet that they had saved. Which one is the best starting point for your code? thumb_upthumb_down A kubectl get svc -o filtered-json='{.items[*].status.loadBalancer.ingress[0].ip}' B kubectl get svc -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' C kubectl get svc -o html D kubectl get svc

Correct Answer: B Why is this correct? This uses the JSON path output to zero in on the property you need. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/8/module/238

You've created a Pod using the kubectl run command. Now you're attempting to remove the Pod, and it keeps being recreated. Which command might help you as you attempt to remove the pod? A gcloud container describe pods B kubectl get deployments C kubectl get secrets D kubectl get pods

Correct Answer: B Why is this correct? This would help to see the name of the deployment that the pod is running under so that you can delete the deployment. Video for reference: Managing Kubernetes Engine Resources

Your data team is working on some new machine learning models. They're generating several files per day that they want to store in a regional bucket. Most of their work involves files from the last week, however sometimes they must access older files. With the fewest steps possible, what's the best way to lower the storage costs? thumb_upthumb_down A Create a Cloud Function triggered when objects are added to a bucket. Look at the date on all the files and move it to coldline storage if it's older than a week. B Create a lifecycle policy to switch the objects older than a week to nearline storage. C Create a lifecycle policy to switch the objects older than a week to coldline storage. D Create a Cloud Function triggered when objects are added to a bucket. Look at the date on all the files and move it to nearline storage if it's older than a week.

Correct Answer: B Why is this correct? This would work well, it would save them money on storage, and still be accessible if they need to access the files. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/8/module/238 Since they "mostly" focus on newer files, that means they sometimes need to access the old files. Coldline isn't the best option in this case.

Your team has chosen to use Deployment Manager to create the Compute Engine infrastructure for your application. You've already run the gcloud deployment-manager deployments create command to create the deployment. You've updated 2 resources in the template and need to deploy the change. What command should you use? A gcloud deployment-manager resources apply B gcloud deployment-manager deployments update C gcloud deployment-manager resources update D gcloud deployment-manager deployments apply

Correct Answer: B Why is this correct? Well done! This will update the deployment https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/5/module/238

Your security team has asked you to present them some numbers based on the logs that are exported to BigQuery. Due to the team structure, your manager has asked you to determine how much the query will cost. What's the best way to determine the cost? A It's not possible to estimate the cost of a query. B Create the query and execute the query in "cost estimation mode" C Create the query and use the dry-run option to determine the amount of data read, then use the price calculator to determine the cost. D Use the BigQuery index viewer to determine how many records you'll be reading.

Correct Answer: C Why is this correct? BigQuery is billed based on the amount of data read. The dry-run flag is used to determine how many bytes are going to be read. https://linuxacademy.com/cp/courses/lesson/course/2543/lesson/1/module/238

You're attempting to install the kubectl component on an Ubuntu server, though, you're getting an error. The error indicates that the component manager is disabled. What is the most likely cause for the error? A The Cloud SDK was not installed with root permissions. B The Cloud SDK is running inside a Docker container. C The Cloud SDK was installed using apt. D The Cloud SDK is using the wrong configuration.

Correct Answer: C Why is this correct? If you use a package manager (Apt or Yum) to install the SDK, then you can't use the built-in component manager to install or remove components. Lecture: Installing the Cloud SDK

Your boss has asked you to onboard a new user and provide them with access to their team's project. What set of steps best describes what needs to happen? A Add them as a member of the project, grant them the required roles, and sync the user back to G Suite. B Add the user inside of G Suite, create a user group inside of GCP IAM settings, and add them to that user group. C Add the user inside of G Suite, add them as a member of the project, and grant them the required roles. D Add the user inside of G Suite; sync from G Suite to the Active Directory using the Directory Sync util; add them as a member and grant them the required roles.

Correct Answer: C Why is this correct? This assumes that the company is using G Suite. Given that, this set of steps would work well. https://linuxacademy.com/cp/courses/lesson/course/2531/lesson/4/module/238

Your team needs to set up a new Jenkins instance as quickly as possible. What's the best way to get it up-and-running? thumb_upthumb_down A Use Google's Managed Jenkins Service. B Deploy the jar file to a Compute Engine instance. C Search the marketplace for Jenkins and install with Cloud Launcher. D Create a Deployment Manager template and deploy it.

Correct Answer: C Why is this correct? This is a simple way to install common software. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/9/module/238

You've found that your Linux server keeps running low on memory. It's currently using 8 Gigs of memory, and you want to increase it to 16. What is the simplest way to do that? thumb_upthumb_down A Use the gcloud compute add-memory command to increase the memory. B Use the Linux memincr command to increase the memory. C Stop the instance and change the machine type. D Create a new instance with the correct amount of memory.

Correct Answer: C Why is this correct? This is a valid way to change the memory of an instance. https://linuxacademy.com/cp/courses/lesson/course/2548/lesson/3/module/238

You have several users who need access to some very specific Google Cloud functionality. You'd like to follow the principle of least privilege. What's the best way to ensure these users can list Cloud Storage buckets, list BigQuery jobs, and list compute disks? thumb_upthumb_down A Add the users to a group, apply the Cloud Storage Bucket Viewer, BigQuery Job User, and Compute User predefined roles. B Use the Cloud Storage Bucket Viewer, BigQuery Job User, and Compute User predefined roles. C Create a custom role for this job role, add the required permissions, and add the users to the role. D Add the users to the viewer role.

Correct Answer: C Why is this correct? This meets all the criteria. Using predefined roles would work, however, they'd be too permissive. https://linuxacademy.com/cp/courses/lesson/course/2531/lesson/4/module/238

Your coworker has helped you set up several configurations for gcloud. You've noticed that you're running commands against the wrong project. Being new to the company, you haven't yet memorized any of the projects. With the fewest steps possible, what's the fastest way to switch to the correct configuration? A Run gcloud configurations list followed by gcloud configurations activate. B Run gcloud config list followed by gcloud config activate. C Run gcloud config configurations list followed by gcloud config configurations activate. D Re-authenticate with the gcloud auth login command and select the correct configurations on login.

Correct Answer: C Why is this correct? This will allow you to list off the configurations and then activate the one you need. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/5/module/238

You've been running your App Engine app for a few weeks with Autoscaling, and it's been working well. However, your marketing team is planning on a massive campaign, and they expect a lot of burst traffic. How would you go about ensuring there are always 4 idle instances? A Set the min_instances property in the app.yaml, B Switch to manual scaling and use the burst_traffic_protection property to True in the app.yaml. C Set the min_idle_instances property in the app.yaml. D Switch to manual scaling and use the idle_instance_count property in the app.yaml.

Correct Answer: C Why is this correct? This will allow you to set the number of idle instances that will be available for burst traffic. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/7/module/238

Your team has some new functionality that they want to roll out slowly so they can monitor for errors. The change contains some significant changes to the user interface. You've chosen to use traffic splitting to perform a canary deployment. You're going to start by rolling out the code to 15% of your users. How should you go about setting up traffic splitting? A Deploy the new version. Split the traffic using an IP or cookie based distribution. B Use the gcloud app deploy command with the distribution flag to deploy and split the traffic in one command. C Deploy the new version using the no-promote flag. Split the traffic using cookie based distribution. D Deploy the new version using the no-promote flag. Split the traffic using a random distribution.

Correct Answer: C Why is this correct? This will work. Cookie-based will allow for a level of persistence so if a user reloads the page, they'll see the version they're supposed to. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/7/module/238

Your developers have some application metrics that they're tracking. They'd like to be able to create alerts based on these metrics. What steps need to happen in order to alert based on these metrics? thumb_upthumb_down A In the UI create a new logging metric with the required filters, edit the application code to set the metric value when needed, and create an alert in Stackdriver based on the new metric. B Add the Stackdriver monitoring and logging agent to the instances running the code. C Create a custom monitoring metric in code, edit the application code to set the metric value when needed, and create an alert in Stackdriver based on the new metric. D Create a custom monitoring metric in code, in the UI create a matching logging metric, and create an alert in Stackdriver based on the new metric.

Correct Answer: C Why is this correct? This will work. Developers can use one of Google's APIs to create and set custom metrics. Video for Reference: Monitoring and Logging

Your finance team has an official process for reviewing budget alerts. They also have their own software for tracking that data. The software does have a REST API that can be used to submit data. They've asked you to integrate their software with Google Cloud's alerts in an automated way. What is the best option for setting this up? thumb_upthumb_down A Export to BigQuery and perform daily analysis. B Export to Cloud Storage with the File export, and process the files with a daily scheduled task. C Use Pub/Sub notifications and listen for messages with a Cloud Function. D Use a bot to listen for emails from Google Cloud regarding notifications

Correct Answer: C Why is this correct? This works well because it's supported by alerts, and using Cloud Functions would allow you to run code in response to alerts. This would be easy to set up, and cost-effective. https://linuxacademy.com/cp/courses/lesson/course/2540/lesson/2/module/238

Your team has created 4 projects, one for each distinct application. You have a single budget for all of these projects. What is the best way to pay for all of these projects? A Create a Billing Account for each project. B Use an invoiced account, which will pay for all projects inside a Google Cloud account. C Use a single Billing Account linked to all 4 projects. D Use a single Billing Account linked to the Google Cloud account.

Correct Answer: C Why is this correct? This would be easy to set up and would allow all of the projects to be paid for by one Billing Account. https://linuxacademy.com/cp/courses/lesson/course/2540/lesson/1/module/238

Your development team has asked for your help. They need a simple, reproducible way to create and terminate a new Compute Engine instance so that they can automate it as a part of their CI/CD process. What is the best option for accomplishing that? A Show them how to use the Console to create and terminate instances. B Recommend that they use the REST API to develop the functionality in the language of their choosing. C Show them how to use the gcloud component of the Cloud SDK. D Show them how to use a Docker container. Then they can get rid of the need for the VM.

Correct Answer: C Why is this correct? This would work well. It's simple to use, reproducible, and will work cross-platform. https://linuxacademy.com/cp/courses/lesson/course/2541/lesson/1/module/238

You've created a new firewall rule to allow incoming traffic on port 22, using a target tag of "dev-ssh". You tried to connect to one of your instances, and you're still unable to connect. What steps do you need to take to resolve the problem? A Run the gcloud firewall-rules refresh command. B Use source tags in place of the target tags. C Reboot the instances for the firewall rule to take effect. D Apply a network tag of "dev-ssh" to the instance you're trying to connect into and test again.

Correct Answer: D Why is this correct? A target tag looks for instances with a matching network tag. If you haven't applied the tag to the network, you'll be unable to connect, unless another rule opens the port. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/2/module/238

You have a Linux server running on a custom network. There's an allow firewall rule with an IP filter of 0.0.0.0/0 with a protocol/port of tcp:22. The logs on the instance show a constant stream of attempts from different IP addresses, trying to connect via SSH. You suspect this is a brute force attack. How might you change the firewall rule to stop this from happening and still enable access for legit users? A Stop the instance. B Deny all traffic to port 22. C Change the port that SSH is running on in the instance and change the port number in the firewall rule. D Change the IP address range in the filter to only allow known IP addresses

Correct Answer: D Why is this correct? By using 0.0.0.0/0, you're opening the port to the internet. By whitelisting known IP addresses, it will block anyone not on the list. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/1/module/238

Your team is developing a product catalog that allows end users to search and filter. The full catalog of products consists of about 500 products. The team doesn't have any experience with SQL, or schema migrations, so they're considering a NoSQL option. Which database service would work best? thumb_upthumb_down A Cloud SQL B Cloud Memorystore C Bigtable D Cloud Datastore

Correct Answer: D Why is this correct? Datastore can be queried, it's fully managed, and is a great option for catalog based applications. Datastore also supports a basic query/filter syntax. https://linuxacademy.com/cp/courses/lesson/course/2543/lesson/1/module/238

You have 3 Cloud Storage buckets that all store sensitive data. Which grantees should you audit to ensure that these buckets are not public? A allUsers B allAuthenticatedUsers C publicUsers D allUsers and allAuthenticatedUsers

Correct Answer: D Why is this correct? Either of these tokens represents public users. allAuthenticatedUsers represents a user with a Google account. They don't need to be part of your organization. Neither token should be used to grant permissions unless the bucket is truly public. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/8/module/238

What's the easiest way to ensure that the nodes in your Kubernetes cluster are always up-to-date with the latest stable version of Kubernetes? A Opt into the Kubernetes Node Update program from the quotas page. B Run the kubectl nodes update command. C Run the kubectl nodes upgrade command. D Enable the automatic node upgrades setting.

Correct Answer: D Why is this correct? In the UI this is just a checkbox. On the CLI, you can use --enable-autoupgrade. https://linuxacademy.com/cp/courses/lesson/course/2542/lesson/4/module/238

Your team has been working on building a web application. The plan is to deploy to Kubernetes. You currently have a Dockerfile that works locally. How can you get the application deployed to Kubernetes? A Use kubectl to push the convert the Dockerfile into a deployment. B Use docker to create a container image, save the image to Cloud Storage, deploy the uploaded image to Kubernetes with kubectl. C Use kubectl apply to push the Dockerfile to Kubernetes. D Use docker to create a container image, push it to the Google Container Registry, deploy the uploaded image to Kubernetes with kubectl.

Correct Answer: D Why is this correct? Kubernetes works with container images, not Dockerfiles, and the images need to be in an accessible Container Registry. So this will work. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/4/module/238

Your team is working on designing an IoT solution. There are thousands of devices that need to send periodic time series data for processing. Which services should be used to ingest and store the data? A Pub/Sub, Datastore B Pub/Sub, Dataproc C Dataproc, Bigtable D Pub/Sub, Bigtable

Correct Answer: D Why is this correct? Pub/Sub is able to handle the ingestion, and Bigtable is a great solution for time series data. https://cloud.google.com/pubsub/ https://cloud.google.com/bigtable/docs/

You're running an n-tier application on Compute Engine with an Apache web server serving up web requests. You want to consolidate all of your logging into Stackdriver. What's the best approach to get the Apache logs into Stackdriver? A Create a log sink and export it to Stackdriver. B Stackdriver logs application data from all instances by default. C Enable Stackdriver monitoring when creating the instance. D Install the Stackdriver monitoring and logging agents on the instance.

Correct Answer: D Why is this correct? The agents know how to collect monitoring and logging data from Apache. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/10/module/238

You're attempting to run the following command on your coworker's computer, and it throws an error "Invalid choice 'alpha'": $ gcloud alpha cloud-shell scp --help What is the most likely reason for this error? A The cloud-shell command was moved from alpha to beta. B The user account doesn't have permission to execute alpha commands. C The project property is set to the wrong project. D The alpha component isn't installed.

Correct Answer: D Why is this correct? The alpha commands are added by installing the alpha component. If it's not installed, this is the type of error you might expect. https://linuxacademy.com/cp/courses/lesson/course/2541/lesson/3/module/238

You have an autoscaled managed instance group that is set to scale based on CPU utilization of 60%. There are currently 3 instances in the instance group. You're connected to one of the instances and notice that the CPU usage is a 70%. However, the instance group isn't starting up another instance. What's the most likely reason? A The autoscaler is disabled. B The autoscaler takes 60 seconds before creating a new instance. C The load balancer doesn't recognize the instance as healthy. D The average CPU for the entire instance group is below 60%.

Correct Answer: D Why is this correct? The autoscaler averages the CPU usage of the entire group. so one instance could be higher than the usage threshold. https://linuxacademy.com/cp/courses/lesson/course/2542/lesson/3/module/238

You've setup and tested several custom roles in your development project. What is the fastest way to create the same roles for your new production project? thumb_upthumb_down A Recreate them in the new project. B Use the gcloud iam copy roles command and set the destination project. C In the UI, select the roles and click the Export button. D Use the gcloud iam roles copy command and set the destination project.

Correct Answer: D Why is this correct? This is a fast way to copy existing roles, even across projects. https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

You've uploaded some PDFs to a public bucket. When users browse to the documents, they're downloaded rather than viewed in the browser. How can we ensure that the PDFs are viewed in the browser? A This is a browser setting and not something that can be changed. B Use the gsutil set file-type pdfcommand. C Set the Content metadata for the object to "application/pdf". D Set the Content-Type metadata for the object to "application/pdf".

Correct Answer: D Why is this correct? This will ensure the browser views the object as a PDF. https://cloud.google.com/storage/docs/metadata#content-type

You're looking for the IP address of a specific instance that is running in your default zone. Which command and flag(s) could you use to return just the IP address? thumb_upthumb_down A The gcloud compute list along with the filter and format flags. B The gcloud compute list along with the o flag and jsonpath value. C The gcloud compute instances list along with the o flag and jsonpath value. D The gcloud compute instances list along with the filter and format flags.

Correct Answer: D Why is this correct? This would allow you to zero in on just the properties you want. https://linuxacademy.com/cp/courses/lesson/course/2842/lesson/4/module/238

Your billing department has asked you to help them track spending against a specific billing account. They've indicated that they prefer to use Excel to create their reports so that they don't need to learn new tools. Which export option would work best for them? thumb_upthumb_down A BigQuery Export B File Export with JSON C SQL Export D File Export with CSV E Download the monthly XLS report

Correct Answer: D Why is this correct? This would likely be the easiest option for a team that wants to stick with the familiarity of Excel. https://linuxacademy.com/cp/courses/lesson/course/2540/lesson/3/module/238

Your engineers have asked you to set up a subnet with the largest IP address range possible. Which of the following ranges would work best? thumb_upthumb_down A 0.0.0.0/0 B 10.0.0.0/32 C 192.168.0.0/16 D 10.0.0.0/8

Correct Answer: D Why is this correct? This would result in a range of 10.0.0.0 - 10.255.255.255 resulting in 16,777,214 possible addresses. https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/9/module/238

You're using Stackdriver to set up some alerts. You want to reuse your existing REST-based notification tools that your ops team has created. You want the setup to be as simple as possible to configure and maintain. Which notification option would be the best option? thumb_upthumb_down A Use a Slack bot to listen for messages posted by Google. B Send it to an email account that is being polled by a custom process that can handle the notification. C Send notifications via SMS and use a custom app to forward them to the REST API. D Webhooks

Correct Answer: D Why is this correct? Webhooks would allow you to easily send the notification to an HTTP(S) endpoint. Given the above scenario, this is the best option for something custom. https://linuxacademy.com/cp/courses/lesson/course/2531/lesson/6/module/238

You've been tasked with getting all of your team's public SSH keys onto all of the instances of a particular project. You've collected them all. With the fewest steps possible, what is the simplest way to get the keys deployed? thumb_upthumb_down A Use the gcloud compute ssh command to upload all the keys B Format all of the keys as needed and then, using the user interface, upload each key one at a time. C Add all of the keys into a file that's formatted according to the requirements. Use the gcloud compute project-info add-metadata command to upload the keys. D Add all of the keys into a file that's formatted according to the requirements. Use the gcloud compute instances add-metadata command to upload the keys to each instance

Why is this correct? This will upload the keys as project metadata which allows SSH access to the user's with uploaded keys https://linuxacademy.com/cp/courses/lesson/course/2922/lesson/3/module/238 https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#project-wide