GCP Assoc Engineeer - Flash Card Set 3

While looking at your application's source code in your private Github repo, you've noticed that a service account key has been committed to git. What steps should you take next? A. A. Delete the project and create a new one. B. B. Do nothing. Git is fine for keys if the repo is private. C. C. Revoke the key, remove the key from Git, purge the Git history to remove all traces of the file, ensure the key is added to the .gitignore file. D. D. Contact Google Cloud Support

C. C. Revoke the key, remove the key from Git, purge the Git history to remove all traces of the file, ensure the key is added to the .gitignore file. Correct answer is C as all the traces of the keys needs to removed and add the key to .gitignore file. Option A is wrong as deleting project does not remove the keys from Git. Option B is wrong as it is bad practice to store keys in Git, irrespective of private repo. Option D is wrong as Google Cloud support cannot help.

Your company wants to try out the cloud with low risk. They want to archive approximately 100 TB of their log data to the cloud and test the analytics features available to them there, while also retaining that data as a long-term disaster recovery backup. Which two steps should they take? (Choose two answers) A. A. Load logs into Google BigQuery. B. B. Load logs into Google Cloud SQL. C. C. Import logs into Google Stackdriver. D. D. Insert logs into Google Cloud Bigtable. E. E. Upload log files into Google Cloud Storage.

A. A. Load logs into Google BigQuery. E. E. Upload log files into Google Cloud Storage. Correct answers are A & E as Google Cloud Storage can provide long term archival option and BigQuery provides analytics capabilities. Option B is wrong as Cloud SQL is relational database and does not support the capacity required as well as not suitable for long term archival storage. Option C is wrong as Stackdriver is a monitoring, logging, alerting and debugging tool. It is not ideal for long term retention of data and does not provide analytics capabilities. Option D is wrong as Bigtable is a NoSQL solution and can be used for analytics. However it is ideal for data with low latency access and is expensive.

You have created a Kubernetes engine cluster named 'project-1'. You've realized that you need to change the machine type for the cluster from n1-standard-1 to n1-standard-4. What is the command to make this change? A. A. Create a new node pool in the same cluster, and migrate the workload to the new pool. B. B. gcloud container clusters resize project-1 --machine-type n1-standard-4 C. C. gcloud container clusters update project-1 --machine-type n1-standard-4 D. D. gcloud container clusters migrate project-1 --machine-type n1-standard-4

A. A. Create a new node pool in the same cluster, and migrate the workload to the new pool. Correct answer is A as the machine type for the cluster cannot be changed through commands. A new node pool with the updated machine type needs to be created and workload migrated to the new node pool. Refer GCP documentation - Kubernetes Engine - Migrating Node Pools A node pool is a subset of machines that all have the same configuration, including machine type (CPU and memory) authorization scopes. Node pools represent a subset of nodes within a cluster; a container cluster can contain one or more node pools. When you need to change the machine profile of your Compute Engine cluster, you can create a new node pool and then migrate your workloads over to the new node pool. To migrate your workloads without incurring downtime, you need to: Mark the existing node pool as unschedulable. Drain the workloads running on the existing node pool. Delete the existing node pool.

Your company plans to migrate a multi-petabyte data set to the cloud. The data set must be available 24hrs a day. Your business analysts have experience only with using a SQL interface. How should you store the data to optimize it for ease of analysis? A. A. Load data into Google BigQuery. B. B. Insert data into Google Cloud SQL. C. C. Put flat files into Google Cloud Storage. D. D. Stream data into Google Cloud Datastore.

A. A. Load data into Google BigQuery. Correct answer is A as BigQuery is the only of these Google products that supports an SQL interface and a high enough SLA (99.9%) to make it readily available. Option B is wrong as Cloud SQL cannot support multi-petabyte data. Storage limit for Cloud SQL is 10TB Option C is wrong as Cloud Storage does not provide SQL interface. Option D is wrong as Datastore does not provide a SQL interface and is a NoSQL solution.

You've created the code for a Cloud Function that will respond to HTTP triggers and return some data in JSON format. You have the code locally; it's tested and working. Which command can you use to create the function inside Google Cloud? A. A. gcloud functions deploy B. B. gcloud function create C. C. gcloud functions create D. D. gcloud function deploy

A. A. gcloud functions deploy Correct answer is A as the code can be deployed using gcloud functions deploy command. Refer GCP documentation - Cloud Functions Deploy Deployments work by uploading an archive containing your function's source code to a Google Cloud Storage bucket. You can deploy Cloud Functions from your local machine or from your GitHub or Bitbucket source repository (via Cloud Source Repositories). Using the gcloud command-line tool, deploy your function from the directory containing your function code with thegcloud functions deploy command: gcloud functions deploy NAME --runtime RUNTIME TRIGGER [FLAGS...]

Your company hosts multiple applications on Compute Engine instances. They want the instances to be resilient to any instance crashes or system termination. How would you configure the instances? A. A. Set automaticRestart availability policy to true B. B. Set automaticRestart availability policy to false C. C. Set onHostMaintenance availability policy to migrate instances D. D. Set onHostMaintenance availability policy to terminate instances

A. A. Set automaticRestart availability policy to true Correct answer is A as automaticRestart availability policy determines how the instance reacts to the crashes and system termination and should be set to true to restart the instance. Refer GCP documentation - Instance Scheduling Options A VM instance's availability policy determines how it behaves when an event occurs that requires Google to move your VM to a different host machine. For example, you can choose to keep your VM instances running while Compute Engine live migrates them to another host or you can choose to terminate your instances instead. You can update an instance's availability policy at any time to control how you want your VM instances to behave. You can change an instance's availability policy by configuring the following two settings: The VM instance's maintenance behavior, which determines whether the instance is live migrated or terminated when there is a maintenance event. The instance's restart behavior, which determines whether the instance automatically restarts if it crashes or gets terminated. The default maintenance behavior for instances is to live migrate, but you can change the behavior to terminate your instance during maintenance events instead. Configure an instance's maintenance behavior and automatic restart setting using the onHostMaintenance and automaticRestart properties. All instances are configured with default values unless you explicitly specify otherwise. onHostMaintenance: Determines the behavior when a maintenance event occurs that might cause your instance to reboot. [Default] migrate, which causes Compute Engine to live migrate an instance when there is a maintenance event. terminate, which terminates an instance instead of migrating it. automaticRestart: Determines the behavior when an instance crashes or is terminated by the system. [Default] true, so Compute Engine restarts an instance if the instance crashes or is terminated. false, so Compute Engine does not restart an instance if the instance crashes or is terminated. Option B is wrong as automaticRestart availability policy should be set to true. Options C & D are wrong as the onHostMaintenance does not apply to crashes or system termination.

You have a project using BigQuery. You want to list all BigQuery jobs for that project. You want to set this project as the default for the bq command-line tool. What should you do? A. A. Use "gcloud config set project" to set the default project B. B. Use "bq config set project" to set the default project. C. C. Use "gcloud generate config-url" to generate a URL to the Google Cloud Platform Console to set the default project. D. D. Use "bq generate config-url" to generate a URL to the Google Cloud Platform Console to set the default project.

A. A. Use "gcloud config set project" to set the default project Correct answer is A as you need to use gcloud to manage the config/defaults. Refer GCP documentation - Cloud SDK Config Set --project=<var>PROJECT_ID</var>The Google Cloud Platform project name to use for this invocation. If omitted, then the current project is assumed; the current project can be listed using gcloud config list --format='text(core.project)' and can be set using gcloud config set project PROJECTID. Overrides the default core/project property value for this command invocation. Option B is wrong as the bq command-line tool assumes the gcloud configuration settings and can't be set through BigQuery. Option C is wrong as entering this command will not achieve the desired result and will generate an error. Option D is wrong as entering this command will not achieve the desired result and will generate an error.

You have a Kubernetes cluster with 1 node-pool. The cluster receives a lot of traffic and needs to grow. You decide to add a node. What should you do? A. A. Use "gcloud container clusters resize" with the desired number of nodes. B. B. Use "kubectl container clusters resize" with the desired number of nodes. C. C. Edit the managed instance group of the cluster and increase the number of VMs by 1. D. D. Edit the managed instance group of the cluster and enable autoscaling.

A. A. Use "gcloud container clusters resize" with the desired number of nodes. Correct answer is A as the kubernetes cluster can be resized using the gcloud command. Refer GCP documentation - Resizing Kubernetes Cluster gcloud container clusters resize <var>[CLUSTER_NAME]</var> --node-pool <var>[POOL_NAME]</var> \ --size <var>[SIZE]</var> Option B is wrong as kubernetes cluster cannot be resized using the kubectl command Options C & D are wrong as the managed instance groups should be changed manually.

You need to have a backup/rollback plan in place for your application that is distributed across a large managed instance group. What is the preferred method for doing so? A. A. Use the Rolling Update feature to deploy/roll back versions with different managed instance group templates. B. B. Use the managed instance group snapshot function that is included in Compute Engine. C. C. Have each instance write critical application data to a Cloud Storage bucket. D. D. Schedule a cron job to take snapshots of each instance in the group.

A. A. Use the Rolling Update feature to deploy/roll back versions with different managed instance group templates. Correct answer is A as rolling update helps to apply the update on a controlled number of instances to maintain high availability and ability to rollback in case of any issues. Refer GCP documentation - Updating Managed Instance Groups A managed instance group contains one or more virtual machine instances that are controlled using an instance template. To update instances in a managed instance group, you can make update requests to the group as a whole, using the Managed Instance Group Updater feature. The Managed Instance Group Updater allows you to easily deploy new versions of software to instances in your managed instance groups, while controlling the speed of deployment, the level of disruption to your service, and the scope of the update. The Updater offers two primary advantages: The rollout of an update happens automatically to your specifications, without the need for additional user input after the initial request. You can perform partial rollouts which allows for canary testing. By allowing new software to be deployed inside an existing managed instance group, there is no need for you to reconfigure the instance group or reconnect load balancing, autoscaling, or autohealing each time new version of software is rolled out. Without the Updater, new software versions must be deployed either by creating a new managed instance group with a new software version, requiring additional set up each time, or through a manual, user-initiated, instance-by-instance recreate. Both of these approaches require significant manual steps throughout the process. A rolling update is an update that is gradually applied to all instances in an instance group until all instances have been updated. You can control various aspects of a rolling update, such as how many instances can be taken offline for the update, how long to wait between updating instances, whether the update affects all or just a portion of instances, and so on. Options B, C & D are wrong as the key for scaling is to create stateless, disposable VMs to be able scale and have seamless deployment.

You've been tasked with getting all of only the operations team's public SSH keys onto to a specific Bastion host instance of a particular project. Currently Project wide access has already been granted to all the instances within the projects. With the fewest steps possible, how do you block or override the project level access on the Bastion host? A. A. Use the gcloud compute instances add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=TRUE command to block the access B. B. Use the gcloud compute instances add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=FALSE command to block the access. C. C. Use the gcloud compute project-info add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=FALSE command to block the access. D. D. Project wide SSH access cannot be overridden or blocked and needs to be removed.

A. A. Use the gcloud compute instances add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=TRUE command to block the access Correct answer is A as the project wide SSH access can be blocked by using the --metadata block-project-ssh-keys=TRUE Refer GCP documentation - Compute Block Project Keys If you need your instance to ignore project-wide public SSH keys and use only the instance-level keys, you can block project-wide public SSH keys from the instance. This will only allow users whose public SSH key is stored in instance-level metadata to access the instance. If you want your instance to use both project-wide and instance-level public SSH keys, set the instance metadata to allow project-wide SSH keys. This will allow any user whose public SSH key is stored in project-wide or instance-level metadata to access the instance. gcloud compute instances add-metadata [INSTANCE_NAME] --metadata block-project-ssh-keys=TRUE Option B is wrong as the --metadata block-project-ssh-keys parameter needs to be set to TRUE Option C is wrong as the command needs to be execute at the instance level. Option D is wrong as project wide SSH key access can be blocked.

Your application has a large international audience and runs stateless virtual machines within a managed instance group across multiple locations. One feature of the application lets users upload files and share them with other users. Files must be available for 30 days; after that, they are removed from the system entirely. Which storage solution should you choose? A. A. A Cloud Datastore database. B. B. A multi-regional Cloud Storage bucket. C. C. Persistent SSD on virtual machine instances. D. D. A managed instance group of Filestore servers.

B. B. A multi-regional Cloud Storage bucket. Correct answer is B as the key storage requirements is it being global, allow lifecycle management and sharing capability. Cloud Storage is an ideal choice as it can be configured to be multi-regional, have lifecycle management rules to auto delete the files after 30 days and share them with others. Option A is wrong Datastore is a NoSQL solution and not ideal for unstructured data. Option C is wrong as SSD disks are ephemeral storage option for virtual machines. Option D is wrong as disks are regional and not ideal storage option for content that needs to be shared.

You've created a bucket to store some data archives for compliance. The data isn't likely to need to be viewed. However, you need to store it for at least 7 years. What is the best default storage class? A. A. Multi-regional B. B. Coldline C. C. Regional D. D. Nearline

B. B. Coldline Correct answer is B as Coldline storage is an ideal solution for archival of infrequently accessed data at low cost. Refer GCP documentation - Cloud Storage Classes Google Cloud Storage Coldline is a very-low-cost, highly durable storage service for data archiving, online backup, and disaster recovery. Unlike other "cold" storage services, your data is available within milliseconds, not hours or days. Coldline Storage is the best choice for data that you plan to access at most once a year, due to its slightly lower availability, 90-day minimum storage duration, costs for data access, and higher per-operation costs. For example: Cold Data Storage - Infrequently accessed data, such as data stored for legal or regulatory reasons, can be stored at low cost as Coldline Storage, and be available when you need it. Disaster recovery - In the event of a disaster recovery event, recovery time is key. Cloud Storage provides low latency access to data stored as Coldline Storage. The geo-redundancy of Coldline Storage data is determined by the type of location in which it is stored: Coldline Storage data stored in multi-regional locations is redundant across multiple regions, providing higher availability than Coldline Storage data stored in regional locations. Options A, C & D are wrong as they are not suited for archival data.

Your organization requires that metrics from all applications be retained for 5 years for future analysis in possible legal proceedings. Which approach should you use? A. A. Grant the security team access to the logs in each Project B. B. Configure Stackdriver Monitoring for all Projects, and export to BigQuery C. C. Configure Stackdriver Monitoring for all Projects with the default retention policies D. D. Configure Stackdriver Monitoring for all Projects, and export to Google Cloud Storage

B. B. Configure Stackdriver Monitoring for all Projects, and export to BigQuery Correct answer is B as Stackdriver monitoring metrics can be exported to BigQuery or Google Cloud Storage. However as the need is for future analysis, BigQuery is a better option. Refer GCP documentation - Stackdriver Stackdriver Logging provides you with the ability to filter, search, and view logs from your cloud and open source application services. Allows you to define metrics based on log contents that are incorporated into dashboards and alerts. Enables you to export logs to BigQuery, Google Cloud Storage, and Pub/Sub. Option A is wrong as project logs are maintained in Stackdriver and it has limited data retention capability. Option C is wrong as Stackdriver cannot retain data for 5 year. Refer Stackdriver data retention Option D is wrong as Google Cloud Storage does not provide analytics capability.

Your company wants to track whether someone is present in a meeting room reserved for a scheduled meeting. There are 1000 meeting rooms across 5 offices on 3 continents. Each room is equipped with a motion sensor that reports its status every second. The data from the motion detector includes only a sensor ID and several different discrete items of information. Analysts will use this data, together with information about account owners and office locations. Which database type should you use? A. A. Flat file B. B. NoSQL C. C. Relational D. D. Blobstore

B. B. NoSQL Correct answer is B as NoSQL like Bigtable and Datastore solution is an ideal solution to store sensor ID and several different discrete items of information. It also provides an ability to join with other data. Datastore can also be configured to store data in multi-region locations. Refer GCP documentation - Storage Options Option A is wrong as flat file is not an ideal storage option. It is not scalable. Option C is wrong as relational database like Cloud SQL is not an ideal solution to store schema less data. Option D is wrong as blob storage like Cloud Storage is not an ideal solution to store, analyze schema less data and join with other sources.

Your company has reserved a monthly budget for your project. You want to be informed automatically of your project spend so that you can take action when you approach the limit. What should you do? A. A. Link a credit card with a monthly limit equal to your budget. B. B. Create a budget alert for desired percentages such as 50%, 90%, and 100% of your total monthly budget. C. C. In App Engine Settings, set a daily budget at the rate of 1/30 of your monthly budget. D. D. In the GCP Console, configure billing export to BigQuery. Create a saved view that queries your total spend.

B. B. Create a budget alert for desired percentages such as 50%, 90%, and 100% of your total monthly budget. Correct answer is B as Budget Alerts allow you configure thresholds and if crossed alerts are automatically triggered. Refer GCP documentation - Billing Budgets Alerts To help you with project planning and controlling costs, you can set a budget alert. Setting a budget alert lets you track how your spend is growing toward a particular amount. You can apply budget alerts to either a billing account or a project, and you can set the budget alert at a specific amount or match it to the previous month's spend. The alerts will be sent to billing administrators and billing account users when spending exceeds a percentage of your budget. Option A is wrong as linked card does not alert. The charges would still increase as per the usage. Option C is wrong as App Engine does not have budget settings. Option D is wrong as the solution would not trigger automatic alerts and the checks would not be immediate as well.

Your data team is working on some new machine learning models. They are generating several output files per day that they want to store in a regional bucket. They focus on the output files from the last month. The output files older than a month needs to be cleaned up. With the fewest steps possible, what's the best way to implement the solution? A. A. Create a lifecycle policy to switch the objects older than a month to Coldline storage. B. B. Create a lifecycle policy to delete the objects older than a month. C. C. Create a Cloud Function triggered when objects are added to a bucket. Look at the date on all the files and delete it, if it's older than a month. D. D. Create a Cloud Function triggered when objects are added to a bucket. Look at the date on all the files and move it to Coldline storage if it's older than a month.

B. B. Create a lifecycle policy to delete the objects older than a month. Correct answer is B as the files are not needed anymore they can be deleted and need not be stored. The transition of the object can be handled easily using Object Lifecycle Management. Refer GCP documentation - Cloud Storage Lifecycle Management You can assign a lifecycle management configuration to a bucket. The configuration contains a set of rules which apply to current and future objects in the bucket. When an object meets the criteria of one of the rules, Cloud Storage automatically performs a specified action on the object. Here are some example use cases: Downgrade the storage class of objects older than 365 days to Coldline Storage. Delete objects created before January 1, 2013. Keep only the 3 most recent versions of each object in a bucket with versioning enabled. Option A is wrong as the files are not needed anymore they can be deleted. Options C & D are wrong as the transition can be handled easily using Object Lifecycle management.

A recent software update to a static e-commerce website running on Google Cloud has caused the website to crash for several hours. The CTO decides that all critical changes must now have a back-out/roll-back plan. The website is deployed Cloud Storage and critical changes are frequent. Which action should you take to implement the back-out/roll-back plan? A. A. Create a Nearline copy for the website static data files stored in Google Cloud Storage. B. B. Enable object versioning on the website's static data files stored in Google Cloud Storage. C. C. Enable Google Cloud Deployment Manager (CDM) on the project, and define each change with a new CDM template. D. D. Create a snapshot of each VM prior to an update, and recover the VM from the snapshot in case of a new version failure.

B. B. Enable object versioning on the website's static data files stored in Google Cloud Storage. Correct answers are B as this is a seamless way to ensure the last known good version of the static content is always available. Option A is wrong as this copy process is unreliable and makes it tricky to keep things in sync, it also doesn't provide a way to rollback once a bad version of the data has been written to the copy. Option C is wrong as this would add a great deal of overhead to the process and would cause conflicts in association between different Deployment Manager deployments which could lead to unexpected behavior if an old version is changed. Option D is wrong as this approach doesn't scale well, there is a lot of management work involved.

Your finance team is working with the engineering team to try and determine your spending for each service by day and month across all projects used by the billing account. What is the easiest and most flexible way to aggregate and analyze the data? A. A. Export the data for the billing account(s) involved to a JSON File; use a Cloud Function to listen for a new file in the Storage bucket; code the function to analyze the service data for the desired projects, by day and month. B. B. Export the data for the billing account(s) involved to BigQuery; then use BigQuery to analyze the service data for the desired projects, by day and month. C. C. Export the data for the billing account(s) to File, import the files into a SQL database; and then use BigQuery to analyze the service data for the desired projects, by day and month. D. D. Use the built-in reports, which already show this data.

B. B. Export the data for the billing account(s) involved to BigQuery; then use BigQuery to analyze the service data for the desired projects, by day and month. Correct answer is B as the billing data can be exported to BigQuery for running daily and monthly to calculate spending across services. Refer GCP documentation - Cloud Billing Export to BigQuery Tools for monitoring, analyzing and optimizing cost have become an important part of managing development. Billing export to BigQuery enables you to export your daily usage and cost estimates automatically throughout the day to a BigQuery dataset you specify. You can then access your billing data from BigQuery. You can also use this export method to export data to a JSON file. Options A & C are wrong as they are not easy and flexible. Option D is wrong as there are no built-in reports.

You have created an App engine application in the development environment. The testing for the application has been successful. You want to move the application to production environment. How can you deploy the application with minimal steps? A. A. Activate the production config, perform app engine deploy B. B. Perform app engine deploy using the --project parameter C. C. Clone the app engine application to the production environment D. D. Change the project parameter in app.yaml and redeploy

B. B. Perform app engine deploy using the --project parameter Correct answer is B as the gcloud app deploy allows the --project parameter to be passed to override the project that the app engine application needs to be deployed to. Refer GCP documentation - Cloud SDK -project=PROJECT_ID The Google Cloud Platform project name to use for this invocation. If omitted, then the current project is assumed; the current project can be listed using gcloud config list --format='text(core.project)'and can be set using gcloud config set project PROJECTID. Overrides the default core/projectproperty value for this command invocation. Option A is wrong as it is a two step process, although a valid solution Option C is wrong as Clone of the application is possile Option D is wrong app.yaml does not control the project it is deployed to.

Your company has deployed their application on managed instance groups, which is served through a network load balancer. They want to enable health checks for the instances. How do you configure the health checks? A. A. Perform the health check using HTTPS by hosting a basic web server B. B. Perform the health check using HTTP by hosting a basic web server C. C. Perform the health check using TCP D. D. Update Managed Instance groups to send a periodic ping to the network load balancer

B. B. Perform the health check using HTTP by hosting a basic web server Correct answer is B as Network Load Balancer does not support TCP health checks and hence HTTP health checks need to be performed. You can run a basic web server on each instance for health checks. Refer GCP documentation - Network Load Balancer Health Checks Health checks ensure that Compute Engine forwards new connections only to instances that are up and ready to receive them. Compute Engine sends health check requests to each instance at the specified frequency; once an instance exceeds its allowed number of health check failures, it is no longer considered an eligible instance for receiving new traffic. Existing connections will not be actively terminated which allows instances to shut down gracefully and to close TCP connections. The health checker continues to query unhealthy instances, and returns an instance to the pool when the specified number of successful checks is met. If all instances are marked as UNHEALTHY, the load balancer directs new traffic to all existing instances. Network Load Balancing relies on legacy HTTP Health checks for determining instance health. Even if your service does not use HTTP, you'll need to at least run a basic web server on each instance that the health check system can query. Option A is wrong as the traffic is not secured, HTTPS health checks are not needed. Option C is wrong as Network Load Balancer does not support TCP health checks. Option D is wrong as instances do not need to send any traffic to Network Load Balancer.

You write a Python script to connect to Google BigQuery from a Google Compute Engine virtual machine. The script is printing errors that it cannot connect to BigQuery. What should you do to fix the script? A. A. Install the latest BigQuery API client library for Python B. B. Run your script on a new virtual machine with the BigQuery access scope enabled C. C. Create a new service account with BigQuery access and execute your script with that user D. D. Install the bq component for gcloud with the command gcloud components install bq.

B. B. Run your script on a new virtual machine with the BigQuery access scope enabled Correct answer is B as by default an instance is associated with default service account and default access scope, neither of which provides an access to BigQuery. While Service account is the recommended approach and Access scope are legacy, access scope still need to granted to the instance for applications to access the services. So enabling only the Service Account with role would not enable the script to access BigQuery. Refer GCP documentation - Service Account When you set up an instance to run as a service account, you determine the level of access the service account has by the IAM roles you grant to the service account. If the service account has no IAM roles, then no API methods can be run by the service account on that instance. Furthermore, an instance's access scopes determine the default OAuth scopes for requests made through the gcloudtool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth. However, they do not extend to other authentication protocols like gRPC. The best practice is to set the full cloud-platform access scope on the instance, then securely limit the service account's access using IAM roles. Essentially: IAM restricts access to APIs based on the IAM roles that are granted to the service account. Access scopes potentially further limit access to API methods when authenticating through OAuth. You must set access scopes on the instance to authorize access. While a service account's access level is determined by the IAM roles granted to the service account, an instance's access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on the instance. As a result, access scopes potentially further limit access to API methods when authenticating through OAuth. Option A is wrong as it is an issue with connectivity to BigQuery and not a client version mismatch issue. Option C is wrong as adding a service account would not work without having the access granted through access scope. Option D is wrong as bq command is installed by default and not needed with the python client. It is for direct command line interaction with BigQuery.

You've been trying to deploy a container to Kubernetes; however, kubectl doesn't seem to be able to connect to the cluster. Of the following, what is the most likely cause and how can you fix it? A. A. The firewall rules are preventing the connection. Open up the firewall rules to allow traffic to port 1337. B. B. The kubeconfig is missing the credentials. Run the gcloud container clusters get-credentials command. C. C. The kubeconfig is missing the credentials. Run the gcloud container clusters auth login command. D. D. The firewall rules are preventing the connection. Open up the firewall rules to allow traffic to port 3682.

B. B. The kubeconfig is missing the credentials. Run the gcloud container clusters get-credentials command. Correct answer is B as the connection is refused, the context needs to be set using the gcloud container clusters get-credentials command Refer GCP documentation - Kubernetes Engine Troubleshooting kubectl commands return "connection refused" error Set the cluster context with the following command: gcloud container clusters get-credentials [CLUSTER_NAME] If you are unsure of what to enter for CLUSTER_NAME, use the following command to list your clusters: gcloud container clusters list Options A & D are wrong as only SSH access is required and it is automatically added. Option C is wrong as auth login would be needed if the Resource was not found.

Your company plans to archive data to Cloud Storage, which would be needed only in case of any compliance issues, or Audits. What is the command for creating the storage bucket with rare access and named 'archive_bucket'? A. A. gsutil rm -coldline gs://archive_bucket B. B. gsutil mb -c coldline gs://archive_bucket C. C. gsutil mb -c nearline gs://archive_bucket D. D. gsutil mb gs://archive_bucket

B. B. gsutil mb -c coldline gs://archive_bucket Correct answer is B as the data would be rarely accessed, Coldline is an ideal storage class. Also gsutil needs -c parameter to pass the class. Refer GCP documentation - Storage Classes Coldline - Data you expect to access infrequently (i.e., no more than once per year). Typically this is for disaster recovery, or data that is archived and may or may not be needed at some future time Option A is wrong as rm is the wrong parameter and removes the data. Option C is wrong as Nearline is not suited for data that needs rare access. Option D is wrong as by default, gsutil would create a regional bucket.

You need to take streaming data from thousands of Internet of Things (IoT) devices, ingest it, run it through a processing pipeline, and store it for analysis. You want to run SQL queries against your data for analysis. What services in which order should you use for this task? A. A. Cloud Dataflow, Cloud Pub/Sub, BigQuery B. B. Cloud Pub/Sub, Cloud Dataflow, Cloud Dataproc C. C. Cloud Pub/Sub, Cloud Dataflow, BigQuery D. D. App Engine, Cloud Dataflow, BigQuery

C. C. Cloud Pub/Sub, Cloud Dataflow, BigQuery Correct answer is C as the need to ingest it, transform and store the Cloud Pub/Sub, Cloud Dataflow, BigQuery is ideal stack to handle the IoT data. Refer GCP documentation - IoT Google Cloud Pub/Sub provides a globally durable message ingestion service. By creating topics for streams or channels, you can enable different components of your application to subscribe to specific streams of data without needing to construct subscriber-specific channels on each device. Cloud Pub/Sub also natively connects to other Cloud Platform services, helping you to connect ingestion, data pipelines, and storage systems. Google Cloud Dataflow provides the open Apache Beam programming model as a managed service for processing data in multiple ways, including batch operations, extract-transform-load (ETL) patterns, and continuous, streaming computation. Cloud Dataflow can be particularly useful for managing the high-volume data processing pipelines required for IoT scenarios. Cloud Dataflow is also designed to integrate seamlessly with the other Cloud Platform services you choose for your pipeline. Google BigQuery provides a fully managed data warehouse with a familiar SQL interface, so you can store your IoT data alongside any of your other enterprise analytics and logs. The performance and cost of BigQuery means you might keep your valuable data longer, instead of deleting it just to save disk space. Sample Arch - Mobile Gaming Analysis Telemetry Option A is wrong as the stack is correct, however the order is not correct. Option B is wrong as Dataproc is not an ideal tool for analysis. Cloud Dataproc is a fast, easy-to-use, fully-managed cloud service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way. Option D is wrong as App Engine is not an ideal ingestion tool to handle IoT data.

You're deploying an application to a Compute Engine instance, and it's going to need to make calls to read from Cloud Storage and Bigtable. You want to make sure you're following the principle of least privilege. What's the easiest way to ensure the code can authenticate to the required Google Cloud APIs? A. A. Create a new user account with the required roles. Store the credentials in Cloud Key Management Service and download them to the instance in code. B. B. Use the default Compute Engine service account and set its scopes. Let the code find the default service account using "Application Default Credentials". C. C. Create a new service account and key with the required limited permissions. Set the instance to use the new service account. Edit the code to use the service account key. D. D. Register the application with the Binary Registration Service and apply the required roles.

C. C. Create a new service account and key with the required limited permissions. Set the instance to use the new service account. Edit the code to use the service account key. Correct answer is C as the best practice is to use a Service Account to grant the application the required access. Refer GCP documentation - Service Accounts A service account is a special type of Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application assumes the identity of the service account to call Google APIs, so that the users aren't directly involved. A service account is a special type of Google account that represents a Google Cloud service identity or app rather than an individual user. Like users and groups, service accounts can be assigned IAM roles to grant access to specific resources. Service accounts authenticate with a key rather than a password. Google manages and rotates the service account keys for code running on GCP. We recommend that you use service accounts for server-to-server interactions. Option A is wrong as it is not the recommended approach Option B is wrong as the default Service Account does not have the required permissions. Option D is wrong as there is Binary Registration service.

Your security team has asked you to present them some numbers based on the logs that are exported to BigQuery. Due to the team structure, your manager has asked you to determine how much the query will cost. What's the best way to determine the cost? A. A. It's not possible to estimate the cost of a query. B. B. Create the query and execute the query in "cost estimation mode" C. C. Create the query and use the --dry_run option to determine the amount of data read, and then use the price calculator to determine the cost. D. D. Use the BigQuery index viewer to determine how many records you'll be reading.

C. C. Create the query and use the --dry_run option to determine the amount of data read, and then use the price calculator to determine the cost. Correct answer is C as the --dry-run option can be used to price your queries before they are actually fired. The Query returns the bytes read, which can then be used with the Pricing Calculator to estimate the query cost. Refer GCP documentation - BigQuery Best Practices Price your queries before running them Best practice: Before running queries, preview them to estimate costs. Queries are billed according to the number of bytes read. To estimate costs before running a query use: The query validator in the GCP Console or the classic web UI The --dry_run flag in the CLI The dryRun parameter when submitting a query job using the API The Google Cloud Platform Pricing Calculator Options A, B & D are wrong as they are not valid options.

A SysOps admin has configured a lifecycle rule on an object versioning enabled multi-regional bucket. Which of the following statement effect reflects the following lifecycle config?{ "rule": [ { "action": {"type": "Delete"}, "condition": {"age": 30, "isLive": false} }, { "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"}, "condition": {"age": 365, "matchesStorageClass": "MULTI_REGIONAL"} } ] } A. A. Archive objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional B. B. Delete objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional. C. C. Delete archived objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional. D. D. Move objects to Coldline Storage after 365 days if the storage class in Multi-regional First rule has no effect on the bucket.

C. C. Delete archived objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional. Correct answer is C. First rule will delete any object if it has a age over 30 days and is not live (not the latest version). Second rule will change the storage class of the live object from multi-regional to Coldline for objects with age over 365 days. Refer GCP documentation - Object Lifecycle The following conditions are supported for a lifecycle rule: Age: This condition is satisfied when an object reaches the specified age (in days). Age is measured from the object's creation time. For example, if an object's creation time is 2019/01/10 10:00 UTC and the Age condition is 10 days, then the condition is satisfied for the object on and after 2019/01/20 10:00 UTC. This is true even if the object becomes archived through object versioning sometime after its creation. CreatedBefore: This condition is satisfied when an object is created before midnight of the specified date in UTC. IsLive: If the value is true, this lifecycle condition matches only live objects; if the value is false, it matches only archived objects. For the purposes of this condition, objects in non-versioned buckets are considered live. MatchesStorageClass: This condition is satisfied when an object in the bucket is stored as the specified storage class. Generally, if you intend to use this condition on Multi-Regional Storage or Regional Storage objects, you should also include STANDARD and DURABLE_REDUCED_AVAILABILITY in the condition to ensure all objects of similar storage class are covered. Option A is wrong as the first rule does not archive but deletes the archived objects. Option B is wrong as the first rule does not delete live objects but only archives objects. Option D is wrong as first rule applies to archived or not live objects.

You need to deploy an update to an application in Google App Engine. The update is risky, but it can only be tested in a live environment. What is the best way to introduce the update to minimize risk? A. A. Deploy the application temporarily and be prepared to pull it back if needed. B. B. Warn users that a new app version may have issues and provide a way to contact you if there are problems. C. C. Deploy a new version of the application but use traffic splitting to only direct a small number of users to the new version. D. D. Create a new project with the new app version, and then redirect users to the new version.

C. C. Deploy a new version of the application but use traffic splitting to only direct a small number of users to the new version. Correct answer is C as deploying a new version without assigning it as the default version will not create downtime for the application. Using traffic splitting allows for easily redirecting a small amount of traffic to the new version and can also be quickly reverted without application downtime. Refer GCP documentation - App Engine Splitting Traffic Traffic migration smoothly switches request routing, gradually moving traffic from the versions currently receiving traffic to one or more versions that you specify. Traffic splitting distributes a percentage of traffic to versions of your application. You can split traffic to move 100% of traffic to a single version or to route percentages of traffic to multiple versions. Splitting traffic to two or more versions allows you to conduct A/B testing between your versions and provides control over the pace when rolling out features. Option A is wrong as deploying the application version as default requires moving all traffic to the new version. This could impact all users and disable the service Option B is wrong as this is not a recommended practice and it impacts user experience. Option D is wrong as App Engine services are intended for hosting different service logic. Using different services would require manual configuration of the consumers of services to be aware of the deployment process and manage from the consumer side who is accessing which service.

Your team uses a third-party monitoring solution. They've asked you to deploy it to all nodes in your Kubernetes Engine Cluster. What's the best way to do that? A. A. Connect to each node via SSH and install the monitoring solution. B. B. Deploy the monitoring pod as a StatefulSet. C. C. Deploy the monitoring pod as a DaemonSet. D. D. Use Deployment Manager to deploy the monitoring solution.

C. C. Deploy the monitoring pod as a DaemonSet. Correct answer is C as Daemon set helps deploy applications or tools that you need to run on all the nodes. Refer GCP documentation - Kubernetes Engine Daemon Set Like other workload objects, DaemonSets manage groups of replicated Pods. However, DaemonSets attempt to adhere to a one-Pod-per-node model, either across the entire cluster or a subset of nodes. As you add nodes to a node pool, DaemonSets automatically add Pods to the new nodes as needed. DaemonSets use a Pod template, which contains aspecification for its Pods. The Pod specification determines how each Pod should look: what applications should run inside its containers, which volumes it should mount, its labels and selectors, and more. DaemonSets are useful for deploying ongoing background tasks that you need to run on all or certain nodes, and which do not require user intervention. Examples of such tasks include storage daemons like ceph, log collection daemons like fluentd, and node monitoring daemons like collectd. For example, you could have DaemonSets for each type of daemon run on all of your nodes. Alternatively, you could run multiple DaemonSets for a single type of daemon, but have them use different configurations for different hardware types and resource needs. Option A is wrong as it is not a viable option. Option B is wrong as Stateful set is useful for maintaining state. StatefulSets represent a set of [Pods] with unique, persistent identities and stable hostnames that GKE maintains regardless of where they are scheduled. The state information and other resilient data for any given StatefulSet Pod is maintained in persistent disk storage associated with the StatefulSet. Option D is wrong as Deployment manager does not control Pods.

Your company needs to create a new Kubernetes Cluster on Google Cloud Platform. They want the nodes to be configured for resiliency and high availability with no manual intervention. How should the Kubernetes cluster be configured? A. A. Enable auto-healing for the managed instance groups B. B. Enable auto-upgrades for the nodes C. C. Enable auto-repairing for the nodes D. D. Enable auto-healing for the nodes

C. C. Enable auto-repairing for the nodes Correct answer is C as the resiliency and high availability can be increased using the node auto-repair feature, which would allow Kubernetes engine to replace unhealthy nodes. Refer GCP documentation - Kubernetes Auto-Repairing GKE's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, GKE makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, GKE initiates a repair process for that node. Option A is wrong as this cannot be implemented for the Kubernetes cluster. Option B is wrong as auto-upgrades are to upgrade the node version to the latest stable Kubernetes version. Option D is wrong as there is no auto-healing feature.

You want to enable your running Google Container Engine cluster to scale as demand for your application changes. What should you do? A. A. Add additional nodes to your Container Engine cluster using the following command:gcloud container clusters resize CLUSTER_Name --size 10 B. B. Add a tag to the instances in the cluster with the following command:gcloud compute instances add-tags INSTANCE --tags --enable-autoscaling max-nodes-10 C. C. Update the existing Container Engine cluster with the following command:gcloud alpha container clusters update mycluster --enable-autoscaling --min-nodes=1 --max-nodes=10 D. D. Create a new Container Engine cluster with the following command:gcloud alpha container clusters create mycluster --enable-autoscaling --min-nodes=1 --max-nodes=10and redeploy your application

C. C. Update the existing Container Engine cluster with the following command:gcloud alpha container clusters update mycluster --enable-autoscaling --min-nodes=1 --max-nodes=10 Correct answer is C as you need to update the cluster to enable auto scaling with min and max nodes to scale as per the demand. Refer GCP documentation - Cluster Autoscaling Option A is wrong as it would only increase the nodes. Option B is wrong as the cluster needs to updated and not the instances. Option D is wrong as you do not need to create a new cluster and the existing cluster can be updated to enable auto scaling.

A company wants to deploy their application using Deployment Manager. However, they want to understand how the changes will affect before implementing the updated. How can the company achieve the same? A. A. Use Deployment Manager Validate Deployment feature B. B. Use Deployment Manager Dry Run feature C. C. Use Deployment Manager Preview feature D. D. Use Deployment Manager Snapshot feature

C. C. Use Deployment Manager Preview feature Correct answer is C as Deployment Manager provides the preview feature to check on what resources would be created. Refer GCP documentation - Deployment Manager Preview After you have written a configuration file, you can preview the configuration before you create a deployment. Previewing a configuration lets you see the resources that Deployment Manager would create but does not actually instantiate any actual resources. The Deployment Manager service previews the configuration by: Expanding the full configuration, including any templates. Creating a deployment and "shell" resources. You can preview your configuration by using the preview query parameter when making an insert() request. gcloud deployment-manager deployments create example-deployment --config configuration-file.yaml \ --preview

What is the command for creating a storage bucket that has once per month access and is named 'archive_bucket'? A. A. gsutil rm -coldline gs://archive_bucket B. B. gsutil mb -c coldline gs://archive_bucket C. C. gsutil mb -c nearline gs://archive_bucket D. D. gsutil mb gs://archive_bucket

C. C. gsutil mb -c nearline gs://archive_bucket Correct answer is C as the data needs to be accessed on monthly basis Nearline is an ideal storage class. Also gsutil needs -c parameter to pass the class. Refer GCP documentation - Storage Classes Nearline - Data you do not expect to access frequently (i.e., no more than once per month). Ideal for back-up and serving long-tail multimedia content. Option A is wrong as rm is the wrong parameter and removes the data. Option B is wrong as coldline is not suited for data that needs monthly access. Option D is wrong as by default, gsutil would create a regional bucket.

You've been asked to add a new IAM member and grant her access to run some queries on BigQuery. Considering the principle of least privilege, which role should you assign? A. A. roles/bigquery.dataEditor and roles/bigquery.jobUser B. B. roles/bigquery.dataViewer and roles/bigquery.user C. C. roles/bigquery.dataViewer and roles/bigquery.jobUser D. D. roles/bigquery.dataOwner and roles/bigquery.jobUser

C. C. roles/bigquery.dataViewer and roles/bigquery.jobUser Correct answer is C as the user needs to only query the data, they should have access to view the dataset and query the dataset which would provided by roles/bigquery.dataViewer and roles/bigquery.jobUser inline with the least privilege principle Refer GCP documentation - BigQuery Access Control Option A is wrong as roles/bigquery.dataEditor provides more than required privileges Option B is wrong as roles/bigquery.user provides more than required privileges Option D is wrong as roles/bigquery.dataOwner provides more than required privileges

You've been asked to add a new IAM member and grant them access to run some queries on BigQuery. Considering Google recommended best practices and the principle of least privilege, how would you assign the access? A. A. Create a custom role with roles/bigquery.dataViewer and roles/bigquery.jobUser roles; assign custom role to the users B. B. Create a custom role with roles/bigquery.dataViewer and roles/bigquery.jobUser roles; assign custom role to the group; add users to groups C. C. Assign roles/bigquery.dataViewer and roles/bigquery.jobUser roles to the users D. D. Assign roles/bigquery.dataViewer and roles/bigquery.jobUser roles to a group; add users to groups

D. D. Assign roles/bigquery.dataViewer and roles/bigquery.jobUser roles to a group; add users to groups Correct answer is D as the user would need the roles/bigquery.dataViewer and roles/bigquery.jobUser to access and query the BigQuery tables inline with the least privilege. As per google best practices it is recommended to use predefined roles and create groups to control access to multiple users with same responsibility Refer GCP documentation - IAM Best Practices Use Cloud IAM to apply the security principle of least privilege, so you grant only the necessary access to your resources. We recommend collecting users with the same responsibilities into groups and assigning Cloud IAM roles to the groups rather than to individual users. For example, you can create a "data scientist" group and assign appropriate roles to enable interaction with BigQuery and Cloud Storage. When a new data scientist joins your team, you can simply add them to the group and they will inherit the defined permissions. Options A & B are wrong as the predefined roles can be assigned directly and there is not need to create custom roles. Option C is wrong as it is recommended to create groups instead of using individual users.

An application that relies on Cloud SQL to read infrequently changing data is predicted to grow dramatically. How can you increase capacity for more read-only clients? A. A. Configure high availability on the master node B. B. Establish an external replica in the customer's data center C. C. Use backups so you can restore if there's an outage D. D. Configure read replicas.

D. D. Configure read replicas. Correct answer is D as read replicas can help handle the read traffic reducing the load from the primary database. Refer GCP documentation - Cloud SQL Replication Options Cloud SQL provides the ability to replicate a master instance to one or more read replicas. A read replica is a copy of the master that reflects changes to the master instance in almost real time. Option A is wrong as high availability is for failover and not for performance. Option B is wrong as external replica is not recommended for scaling as it needs to be maintained and the network established for replication. Option C is wrong as backups are more to restore the database in case of any outage.

You have created a Kubernetes deployment, called Deployment-A, with 3 replicas on your cluster. Another deployment, called Deployment-B, needs access to Deployment-A. You cannot expose Deployment-A outside of the cluster. What should you do? A. A. Create a Service of type NodePort for Deployment A and an Ingress Resource for that Service. Have Deployment B use the Ingress IP address. B. B. Create a Service of type LoadBalancer for Deployment A. Have Deployment B use the Service IP address. C. C. Create a Service of type LoadBalancer for Deployment A and an Ingress Resource for that Service. Have Deployment B use the Ingress IP address. D. D. Create a Service of type ClusterIP for Deployment A. Have Deployment B use the Service IP address.

D. D. Create a Service of type ClusterIP for Deployment A. Have Deployment B use the Service IP address. Correct answer is D as this exposes the service on a cluster-internal IP address. Choosing this method makes the service reachable only from within the cluster. Refer GCP documentation - Kubernetes Networking Option A is wrong as this exposes Deployment A over the public internet. Option B is wrong as LoadBalancer will expose the service publicly. Option C is wrong as this exposes the service externally using a cloud provider's load balancer, and Ingress can work only with nodeport, not LoadBalancer.

You're migrating an on-premises application to Google Cloud. The application uses a component that requires a licensing server. The license server has the IP address 10.28.0.10. You want to deploy the application without making any changes to the code or configuration. How should you go about deploying the application? A. A. Create a subnet with a CIDR range of 10.28.0.0/31. Reserve a static internal IP address of 10.28.0.10. Assign the static address to the license server instance. B. B. Create a subnet with a CIDR range of 10.28.0.0/30. Reserve a static internal IP address of 10.28.0.10. Assign the static address to the license server instance. C. C. Create a subnet with a CIDR range of 10.28.0.0/29. Reserve a static internal IP address of 10.28.0.10. Assign the static address to the license server instance. D. D. Create a subnet with a CIDR range of 10.28.0.0/28. Reserve a static internal IP address of 10.28.0.10. Assign the static address to the license server instance.

D. D. Create a subnet with a CIDR range of 10.28.0.0/28. Reserve a static internal IP address of 10.28.0.10. Assign the static address to the license server instance. Correct answer is D as only the CIDR range 10.28.0.0/28 would include the 10.28.0.10 address. It provides 16 ip addresses i.e. 10.28.0.0 to 10.28.0.15 Option A is wrong as 10.28.0.0/31 CIDR range provides 2 ip addresses i.e. 10.28.0.0 to 10.28.0.1 Option B is wrong as 10.28.0.0/30 CIDR range provides 4 ip addresses i.e. 10.28.0.0 to 10.28.0.3 Option C is wrong as 10.28.0.0/29 CIDR range provides 8 ip addresses i.e. 10.28.0.0 to 10.28.0.7

Your company has hosted their critical application on Compute Engine managed instance groups. They want the instances to be configured for resiliency and high availability with no manual intervention. How should the managed instance group be configured? A. A. Enable auto-repairing for the managed instance groups B. B. Enable auto-updating for the managed instance groups C. C. Enable auto-restarts for the managed instance groups D. D. Enable auto-healing for the managed instance groups

D. D. Enable auto-healing for the managed instance groups Correct answer is D as Managed Instance Groups provide AutoHealing feature, which performs a health check and if the application is not responding the instance is automatically recreated. Refer GCP documentation - Managed Instance Groups Autohealing — You can also set up an autohealing policy that relies on an application-based health check, which periodically verifies that your application is responding as expected on each of the MIG's instances. If an application is not responding on an instance, that instance is automatically recreated. Checking that an application responds is more precise than simply verifying that an instance is up and running. Managed instance groups maintain high availability of your applications by proactively keeping your instances available, which means in RUNNING state. A managed instance group will automatically recreate an instance that is not RUNNING. However, relying only on instance state may not be sufficient. You may want to recreate instances when an application freezes, crashes, or runs out of memory. Application-based autohealing improves application availability by relying on a health checking signal that detects application-specific issues such as freezing, crashing, or overloading. If a health check determines that an application has failed on an instance, the group automatically recreates that instance. Options A & C are wrong as these features are not available. Option B is wrong as auto-updating helps deploy new versions of software to instances in a managed instance group. The rollout of an update happens automatically based on your specifications: you can control the speed and scope of the update rollout in order to minimize disruptions to your application. You can optionally perform partial rollouts which allows for canary testing.

You want to create a new role for your colleagues that will apply to all current and future projects created in your organization. The role should have the permissions of the BigQuery Job User and Cloud Bigtable User roles. You want to follow Google's recommended practices. How should you create the new role? A. A. Use gcloud iam combine-roles --global to combine the 2 roles into a new custom role. B. B. For one of your projects, in the Google Cloud Platform Console under Roles, select both roles and combine them into a new custom role. Use gcloud iam promote-role to promote the role from a project role to an organization role. C. C. For all projects, in the Google Cloud Platform Console under Roles, select both roles and combine them into a new custom role. D. D. For your organization, in the Google Cloud Platform Console under Roles, select both roles and combine them into a new custom role.

D. D. For your organization, in the Google Cloud Platform Console under Roles, select both roles and combine them into a new custom role. Correct answer is D as this creates a new role with the combined permissions on the organization level. Option A is wrong as this does not create a new role. Option B is wrong as gcloud cannot promote a role to org level. Option C is wrong as it's recommended to define the role on the organization level. Also, the role will not be applied on new projects.

You have installed an SQL server on a windows instance. You want to connect to the instance. What steps should you follow to connect to the instance with fewest steps? A. A. Generate Windows user and password. Check security group for 3389 firewall rule. Use RDP option from GCP Console to connect B. B. Generate Windows password. Check security group for 22 firewall rule. Use RDP option from GCP Console to connect C. C. Generate Windows user and password. Check security group for 22 firewall rule. Install RDP Client to connect D. D. Generate Windows password. Check security group for 3389 firewall rule. Install RDP Client to connect

D. D. Generate Windows password. Check security group for 3389 firewall rule. Install RDP Client to connect Correct answer is D as connecting to Windows instance involves installation of the RDP client. GCP does not provide RDP client and it needs to be installed. Generate Windows instance password to connect to the instance and the RDP port is 3389 Refer GCP documentation - Windows Connecting to Instance Options A & B are wrong as you need an external client and connect connect directly from GCP console. Options B & C are wrong as 22 port is for SSH.

Your development team has asked you to set up load balancer with SSL termination. The website would be using HTTPS protocol. Which load balancer should you use? A. A. SSL proxy B. B. HTTP load balancer C. C. TCP proxy D. D. HTTPS load balancer

D. D. HTTPS load balancer Correct answer is D as HTTPS load balancer supports the HTTPS traffic with the SSL termination ability. Refer GCP documentation - Choosing Load Balancer An HTTPS load balancer has the same basic structure as an HTTP load balancer (described above), but differs in the following ways: An HTTPS load balancer uses a target HTTPS proxy instead of a target HTTP proxy. An HTTPS load balancer requires at least one signed SSL certificate installed on the target HTTPS proxy for the load balancer. You can use Google-managed or self-managed SSL certificates. The client SSL session terminates at the load balancer. HTTPS load balancers support the QUIC transport layer protocol. Option A is wrong as SSL proxy is not recommended for HTTPS traffic. Google Cloud SSL Proxy Load Balancing terminates user SSL (TLS) connections at the load balancing layer, then balances the connections across your instances using the SSL or TCP protocols. Cloud SSL proxy is intended for non-HTTP(S) traffic. For HTTP(S) traffic, HTTP(S) load balancing is recommended instead. SSL Proxy Load Balancing supports both IPv4 and IPv6 addresses for client traffic. Client IPv6 requests are terminated at the load balancing layer, then proxied over IPv4 to your backends. Option B is wrong as HTTP load balancer does not support SSL termination. Option C is wrong as TCP proxy does not support SSL offload and not recommended for HTTP/S traffic.

Your company wants to reduce cost on infrequently accessed data by moving it to the cloud. The data will still be accessed approximately once a month to refresh historical charts. In addition, data older than 5 years needs to be archived for 5 years for compliance reasons. How should you store and manage the data? A. A. In Google Cloud Storage and stored in a Multi-Regional bucket. Set an Object Lifecycle Management policy to delete data older than 5 years. B. B. In Google Cloud Storage and stored in a Multi-Regional bucket. Set an Object Lifecycle Management policy to change the storage class to Coldline for data older than 5 years. C. C. In Google Cloud Storage and stored in a Nearline bucket. Set an Object Lifecycle Management policy to delete data older than 5 years. D. D. In Google Cloud Storage and stored in a Nearline bucket. Set an Object Lifecycle Management policy to change the storage class to Coldline for data older than 5 years.

D. D. In Google Cloud Storage and stored in a Nearline bucket. Set an Object Lifecycle Management policy to change the storage class to Coldline for data older than 5 years. Correct answer is D as the access pattern fits Nearline storage class requirements and Nearline is a more cost-effective storage approach than Multi-Regional. The object lifecycle management policy to move data to Coldline is ideal for archival. Refer GCP documentation - Cloud Storage - Storage Classes Options A & B are wrong as Multi-Regional storage class is not an ideal storage option with infrequent access. Option C is wrong as the data is required for compliance it cannot be deleted and needs to be moved to the Coldline storage.

A SysOps admin has configured a lifecycle rule on an object versioning disabled multi-regional bucket. Which of the following statement effect reflects the following lifecycle config?{ "rule": [ { "action": {"type": "Delete"}, "condition": {"age": 30, "isLive": false} }, { "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"}, "condition": {"age": 365, "matchesStorageClass": "MULTI_REGIONAL"} } ] } A. A. Archive objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional B. B. Delete objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional. C. C. Delete archived objects older than 30 days and move objects to Coldline Storage after 365 days if the storage class in Multi-regional. D. D. Move objects to Coldline Storage after 365 days if the storage class in Multi-regional First rule has no effect on the bucket.

D. D. Move objects to Coldline Storage after 365 days if the storage class in Multi-regional First rule has no effect on the bucket. Correct answer is D. First rule will delete any object if it has a age over 30 days and is not live (not the latest version). However as the bucket is not versioning enabled it does not have any effect. Second rule will change the storage class of the live object from multi-regional to Coldline for objects with age over 365 days. Refer GCP documentation - Object Lifecycle The following conditions are supported for a lifecycle rule: Age: This condition is satisfied when an object reaches the specified age (in days). Age is measured from the object's creation time. For example, if an object's creation time is 2019/01/10 10:00 UTC and the Age condition is 10 days, then the condition is satisfied for the object on and after 2019/01/20 10:00 UTC. This is true even if the object becomes archived through object versioning sometime after its creation. CreatedBefore: This condition is satisfied when an object is created before midnight of the specified date in UTC. IsLive: If the value is true, this lifecycle condition matches only live objects; if the value is false, it matches only archived objects. For the purposes of this condition, objects in non-versioned buckets are considered live. MatchesStorageClass: This condition is satisfied when an object in the bucket is stored as the specified storage class. Generally, if you intend to use this condition on Multi-Regional Storage or Regional Storage objects, you should also include STANDARD and DURABLE_REDUCED_AVAILABILITY in the condition to ensure all objects of similar storage class are covered. Option A is wrong as the first rule does not archive but deletes the archived objects, but does not have any impact on a versioning disabled bucket. Option B is wrong as the first rule does not delete live objects but only archives objects. Option C is wrong as first rule does not have any impact on a versioning disabled bucket.

Your team has been working on building a web application. The plan is to deploy to Kubernetes. You currently have a Dockerfile that works locally. How can you get the application deployed to Kubernetes? A. A. Use kubectl to push the convert the Dockerfile into a deployment. B. B. Use docker to create a container image, save the image to Cloud Storage, deploy the uploaded image to Kubernetes with kubectl. C. C. Use kubectl apply to push the Dockerfile to Kubernetes. D. D. Use docker to create a container image, push it to the Google Container Registry, deploy the uploaded image to Kubernetes with kubectl.

D. D. Use docker to create a container image, push it to the Google Container Registry, deploy the uploaded image to Kubernetes with kubectl. Correct answer is D as the correct steps are to create the container image and push it to Google Container Registry and deploy the image to Kubernetes with Kubectl. Refer GCP documentation - Kubernetes Engine Deploy To package and deploy your application on GKE, you must: Package your app into a Docker image Run the container locally on your machine (optional) Upload the image to a registry Create a container cluster Deploy your app to the cluster Expose your app to the Internet Scale up your deployment Deploy a new version of your app Option A is wrong as kubectl cannot convert the Dockerfile to deployment. Option B is wrong as Cloud Storage is not Docker image repository. Option C is wrong as kubectl cannot push Dockerfile to Kubernetes and it does not result into deployment.

You have data stored in a Cloud Storage dataset and also in a BigQuery dataset. You need to secure the data and provide 3 different types of access levels for your Google Cloud Platform users: administrator, read/write, and read-only. You want to follow Google-recommended practices. What should you do? A. A. Create 3 custom IAM roles with appropriate policies for the access levels needed for Cloud Storage and BigQuery. Add your users to the appropriate roles. B. B. At the Organization level, add your administrator user accounts to the Owner role, add your read/write user accounts to the Editor role, and add your read-only user accounts to the Viewer role. C. C. At the Project level, add your administrator user accounts to the Owner role, add your read/write user accounts to the Editor role, and add your read-only user accounts to the Viewer role. D. D. Use the appropriate pre-defined IAM roles for each of the access levels needed for Cloud Storage and BigQuery. Add your users to those roles for each of the services.

D. D. Use the appropriate pre-defined IAM roles for each of the access levels needed for Cloud Storage and BigQuery. Add your users to those roles for each of the services. Correct answer is D as Google best practice is to use pre-defined rules over legacy primitive and custom roles. Pre-defined roles can help grant fine grained control per service. Refer GCP documentation - IAM Overview Primitive roles: The roles historically available in the Google Cloud Platform Console will continue to work. These are the Owner, Editor, and Viewer roles. Predefined roles: Predefined roles are the Cloud IAM roles that give finer-grained access control than the primitive roles. For example, the predefined role Pub/Sub Publisher (roles/pubsub.publisher) provides access to only publish messages to a Cloud Pub/Sub topic. Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs. What is the difference between primitive roles and predefined roles? Primitive roles are the legacy Owner, Editor, and Viewer roles. IAM provides predefined roles, which enable more granular access than the primitive roles. Grant predefined roles to identities when possible, so you only give the least amount of access necessary to access your resources. When would I use primitive roles? Use primitive roles in the following scenarios: When the GCP service does not provide a predefined role. See the predefined roles table for a list of all available predefined roles. When you want to grant broader permissions for a project. This often happens when you're granting permissions in development or test environments. When you need to allow a member to modify permissions for a project, you'll want to grant them the owner role because only owners have the permission to grant access to other users for for projects. When you work in a small team where the team members don't need granular permissions. Option A is wrong as you should use custom roles only if predefined roles are not available. Options B & C are wrong Google does not recommend using primitive roles which do not allow fine grained access control. Also primitive roles are applied at project or service resource levels

You have a managed instance group comprised of preemptible VM's. All of the VM's keep deleting and recreating themselves every minute. What is a possible cause of this behavior? A. A. Your zonal capacity is limited, causing all preemptible VM's to be shutdown to recover capacity. Try deploying your group to another zone. B. B. You have hit your instance quota for the region. C. C. Your managed instance group's VM's are toggled to only last 1 minute in preemptible settings. D. D. Your managed instance group's health check is repeatedly failing, either to a misconfigured health check or misconfigured firewall rules not allowing the health check to access the instances.

D. D. Your managed instance group's health check is repeatedly failing, either to a misconfigured health check or misconfigured firewall rules not allowing the health check to access the instances. Correct answer is D as the instances (normal or preemptible) would be terminated and relaunched if the health check fails either due to application not configured properly or the instances firewall do not allow health check to happen. Refer GCP documentation - Health Check concepts GCP provides health check systems that connect to virtual machine (VM) instances on a configurable, periodic basis. Each connection attempt is called a probe. GCP records the success or failure of each probe. Health checks and load balancers work together. Based on a configurable number of sequential successful or failed probes, GCP computes an overall health state for each VM in the load balancer. VMs that respond successfully for the configured number of times are considered healthy. VMs that fail to respond successfully for a separate number of times are unhealthy. GCP uses the overall health state of each VM to determine its eligibility for receiving new requests. In addition to being able to configure probe frequency and health state thresholds, you can configure the criteria that define a successful probe.

You need to help a developer install the App Engine Go extensions. However, you've forgotten the exact name of the component. Which command could you run to show all of the available options? A. A. gcloud config list B. B. gcloud component list C. C. gcloud config components list D. D. gcloud components list

D. D. gcloud components list Correct answer is D as gcloud components list provides the list of components with the installation status. Refer GCP documentation - Cloud SDK Components List gcloud components list - list the status of all Cloud SDK components This command lists all the available components in the Cloud SDK. For each component, the command lists the following information: Status on your local workstation: not installed, installed (and up to date), and update available (installed, but not up to date) Name of the component (a description) ID of the component (used to refer to the component in other [gcloud components] commands) Size of the component In addition, if the --show-versions flag is specified, the command lists the currently installed version (if any) and the latest available version of each individual component. Options A & C are wrong as config helps view and edit Cloud SDK properties. It does not provide components detail. Option B is wrong as it is not a valid command.

You're attempting to deploy a new instance that uses the centos 7 family. You can't recall the exact name of the family. Which command could you use to determine the family names? A. A. gcloud compute instances list B. B. gcloud compute images show-families C. C. gcloud compute instances show-families D. D. gcloud compute images list

D. D. gcloud compute images list Correct answer is D as family names are image attributes. Refer GCP documentation - Cloud SDK Compute Images List & Image Families Image families simplify the process of managing images in your project by grouping related images together and making it easy to roll forward and roll back between specific image versions. An image family always points to the latest version of an image that is not deprecated. Most public images are grouped into an image families. For example, the debian-9image family in the debian-cloud project always points to the most recent Debian 9 image. You can add your own images to an image family when you create a custom image. The image family points to the most recent image that you added to that family. Because the image family never points to a deprecated image, rolling the image family back to a previous image version is as simple as deprecating the most recent image in that family. Options A, B & C are wrong as they do not help retrieve the image family.

A user wants to install a tool on the Cloud Shell. The tool should be available across sessions. Where should the user install the tool? A. A. /bin B. B. /usr/local/bin C. C. /google/scripts D. D. ~/bin

D. D. ~/bin Correct answer is D as only HOME directory is persisted across sessions. Refer GCP documentation - Cloud Shell Cloud Shell provisions 5 GB of free persistent disk storage mounted as your $HOME directory on the virtual machine instance. This storage is on a per-user basis and is available across projects. Unlike the instance itself, this storage does not time out on inactivity. All files you store in your home directory, including installed software, scripts and user configuration files like .bashrc and .vimrc, persist between sessions. Your $HOME directory is private to you and cannot be accessed by other users.