Question 1: Correct
Your company has a complicated billing structure for GCP projects. You would like
to set up multiple configurations for use with the command line interface. What
command would you use to create those?

gcloud configurations create

gcloud config configurations create

(Correct)

gcloud configurations set

gcloud config configurations set

Explanation
The correct command is gcloud config configurations create. Gcloud configurations
create, gcloud config configurations set, and gcloud configurations set are not valid
gcloud commands to create configurations. For more information, see
https://cloud.google.com/sdk/gcloud/reference/config/configurations/create.
Question 2: Correct
You have a Cloud Datastore database that you would like to backup. You'd like to
issue a command and have it return immediately while the backup runs in the
background. You want the backup file to be stored in a Cloud Storage bucket
named my-datastore-backup. What command would you use?


gcloud datastore backup gs://my-datastore-backup

gcloud datastore export gs://my-datastore-backup

gcloud datastore export gs://my-datastore-backup --async

(Correct)

gsutil datastore export gs://my-datastore-backup --async

Explanation
The correct command is gcloud datastore export gs://my-datastore-backup --async.
Export, not backup, is the datastore command to save data to a Cloud Storage bucket.
Gsutil is used to manage Cloud Storage, not Cloud Datastore. For more information, see
https://cloud.google.com/datastore/docs/export-import-entities.
Question 3: Correct
The CFO of your company feels you are spending too much on BigQuery. You
determine that a few long running queries are costing more than they should. You
would like to experiment with different ways of writing these queries. You'd like
to know the estimated cost of running each query without actually running them.
How could you do this?

Use the Pricing Calculator

Use the --estimate-cost option with the bq command


Use the --dry-run option with a bq query command

(Correct)

Use the --estimate-cost with the gcloud command

Explanation
The correct answer is to use the --dry-run option with the bq query command. The
Pricing Calculator can give you an estimate of aggregate costs based on storage and
amount of data queried but it does not provide estimates of the cost of running a
specific query. There is no --estimate-cost option with either the bq or gcloud
command. For more information, see
https://cloud.google.com/bigquery/docs/estimate-costs.
Question 4: Correct
Kubernetes Engine collects application logs by default when the log data is written
where?

STDERR

(Correct)

STDOUT

(Correct)

SYSERR

SYSLOG

Explanation
Kubernetes Engine collects log data written to standard output (STDOUT) and standard
error (STDERR). For more information, see
https://cloud.google.com/blog/products/management-tools/using-logging-your-apps-running-kubernetes-engine.
Question 5: Incorrect
An auditor is reviewing your GCP use. They have asked for access to any audit logs
available in GCP. What audit logs are available for each project, folder, and
organization?

System Event

(Correct)

Data Access

(Correct)

Policy Access

Performance Metrics

User Login

Admin Activity

(Correct)

Explanation
Cloud Audit Logs maintain three audit logs: Admin Activity logs, Data Access logs, and
System Event logs. There is no such thing as a Policy Access log, a User Login log, or a
Performance Metric log in GCP Audit Logs. For more information, see
https://cloud.google.com/logging/docs/audit.
Question 6: Correct
A client of yours has a Python 3 application that usually has very little load but
sometimes experiences sudden and extreme spikes in traffic. They want to run it in
GCP but they want to keep costs as low as possible. They also want to minimize
management overhead. What service would you recommend?

Kubernetes Engine

Compute Engine

App Engine

(Correct)

Cloud Functions

Explanation
App Engine is designed for applications written in supported languages, including
Python 3, that need to run at low cost, and need to scale in response to rapid increases
in load. App Engine is a managed service and as such minimizes operational overhead.
Compute Engine and Kubernetes Engine both require more management overhead.
Cloud Functions are used to respond to events in GCP, not to execute a continually
running application. For more information, see
https://cloud.google.com/appengine/docs/standard.
Question 7: Correct
A group of developers are creating a multi-tiered application. Each tier is in its
own project. The developers would like to work with a common VPC network. What
would you use to implement this?

Create routes between subnets of each project

Create a VPN between projects

Create a shared VPC

(Correct)

Create firewall rules to load balance traffic between each project's subnets.

Explanation
A shared VPC allows projects to share a common VPC network. VPNs are used to link
VPCs to on premises networks. Routes and firewall rules are not sufficient for
implementing a common VPC. Firewall rules are not used to load balance, they are used
to control the ingress and egress of traffic on a network. For more information, see
https://cloud.google.com/vpc/docs/shared-vpc and
https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc.
Question 8: Correct
To avoid potentially violating a regulation, your company has determined that it
will only use GCP resources in North America. How would you ensure no resources
are created outside of North America?

Create a policy at the folder level of the resource hierarchy that includes a
constraint using a Resource Location Restriction.

Create a data lifecycle management policy that prevents data from being
saved outside of North America.

Create a Cloud Audit policy that prevents users from creating resources
outside of North America.

Create a policy at the organization level of the resource hierarchy that
includes a constraint using a Resource Location Restriction.

(Correct)

Explanation
Constraints are the standard way to restrict where resources can be created and
applying policies with constraints will enforce those constraints for all resources in the
organization. If the policy were applied at the folder level, it would have to be applied
for all folders and that is not as efficient as applying at the organization level. There is
no such thing as a Cloud Audit policy. For more information, see
https://cloud.google.com/resource-manager/docs/organization-policy/defining-locations.
Question 9: Correct
A large enterprise has created multiple organizations in GCP. They would like to
connect the VPC networks across organizations. What should they do?

Implement a VPN between VPCs

Implement VPC Network Peering between VPCs

(Correct)

Define firewall rules to allow egress traffic to other VPC networks

Implement a Shared VPC

Explanation
Since the connected networks are in different organizations, they must use VPC Network
Peering. VPC sharing is only available within a single organization. Firewall rule changes
may be needed, but that is not sufficient. VPNs are used to connect GCP networks with
on premises networks. For more information, see
https://cloud.google.com/vpc/docs/vpc-peering.
Question 10: Correct
You have created a target pool with instances in two zones which are in the same
region. The target pool is not functioning correctly. What could be the cause of
the problem?

The target pool is missing a health check.

(Correct)


The target pool is not sending logs to Cloud Logging.

The target pool nodes are configured with different memory specifications

The target pool is not sending metrics to Cloud Monitoring.

Explanation
Target pools must have a health check to function properly. Nodes can be in different
zones but must be in the same region. Cloud Monitoring and Cloud Logging are useful
but they are not required for the target pool to function properly. Nodes in a pool have
the same configuration. For more information, see
https://cloud.google.com/load-balancing/docs/target-pools.
Question 11: Correct
The contents of a Cloud Storage bucket called free-photos-gcp are currently
stored in multiregional storage class. You want to change the storage class to
nearline. What command would you use?

gsutil migrate -s nearline gs://free-photos-gcp

gsutil rewrite -s nearline gs://free-photos-gcp

(Correct)

gsutil migrate --from multiregional --to nearline gs://free-photos-gcp


gsutil rewrite -from multiregional --to nearline gs://free-photos-gcp

Explanation
The correct command for changing the storage class is gsutil rewrite with the target
storage class and bucket specified. Gsutil migrate is not a valid command. There is no
need to specify the parameters -from or -to. For more information, see
https://cloud.google.com/storage/docs/gsutil/commands/rewrite.
Question 12: Correct
Your organization has created multiple folders, one for each department. In each
folder, departments have one or more projects. What would you expect resources
within the folder to share?

IAM policies

(Correct)

Permissions

Service accounts

IAM roles

Explanation
Folders are used to group resources that share common IAM policies. Service accounts
are specific to a set of operating requirements within a project. Permissions are
associated with roles but not directly with folders. IAM roles are granted to identities,
not folders. For more information, see
https://cloud.google.com/resource-manager/docs/creating-managing-folders.
Question 13: Correct
You are using HTTP(S) Load Balancing for a Web application that has several
services. Depending on the URL specified by a user, requests are routed to
different backend services. What would you use to specify how those requests
should be routed?

Firewall rules

Traces

URL maps

(Correct)

Routes

Explanation
URL maps direct requests to particular services. Routes are used to specify paths
to destination IP addresses outside a subnet. Firewall rules control the flow of traffic on
a network. Traces are used to understand performance characteristics of services in a
distributed system. For more information, see
https://cloud.google.com/load-balancing/docs/url-map.
Question 14: Correct
You have just created a custom mode network using the command: gcloud
compute networks create. You want to eventually deploy instances in multiple
regions. What is the next thing you should do?

Create firewall rules to load balance traffic


Create subnets in all regions

Create subnets in regions where you plan to deploy instances

(Correct)

Create a VPN between the custom mode network and other networks in the
VPC.

Explanation
After creating a custom mode network, you will need to create subnets in regions where
instances will be deployed. You do not have to create subnets in all regions but an
instance cannot be deployed to a region without a subnet. Firewalls are used to control
the ingress and egress of data, they are not used to load balance. VPNs are used to
provide connectivity between Google Cloud and outside networks, such as an on
premises network. For more information, see https://cloud.google.com/vpc/docs/using-vpc
and https://cloud.google.com/sdk/gcloud/reference/compute/networks/subnets/create.
Question 15: Correct
You want to clone a persistent disk. What characteristics of the source and cloned
disk must be the same?

Zone

(Correct)

Region

(Correct)

disk type

(Correct)

Size

Explanation
The source and cloned disk must be in the same zone and region and must be of the
same type. The size of the clone must be at least the size of the source disk but does not
need to be the same. For more information, see
https://cloud.google.com/compute/docs/disks/create-snapshots.
Question 16: Correct
A photographer wants to share images they have stored in a Cloud Storage bucket
called free-photos-on-gcp. What command would you use to allow all users to
read these files?

gsutil ch allUsers:Viewer gs://free-photos-on-gcp

gsutil iam ch allUsers:objectViewer gs://free-photos-on-gcp

(Correct)

gcloud iam ch allUsers:Viewer gs://free-photos-on-gcp


gcloud ch allUsers:objectViewer gs://free-photos-on-gcp

Explanation
The correct command is gsutil iam ch allUsers:objectViewer gs://free-photos-on-gcp.
Gsutil is used with Cloud Storage, not gcloud so the gcloud ch option is incorrect. The
term objectViewer is the correct way to grant read access to objects in a bucket. For
more information, see https://cloud.google.com/storage/docs/gsutil/commands/iam.
Question 17: Correct
A data warehouse administrator is trying to load data from Cloud Storage to
BigQuery. What permissions will they need?

bigquery.tables.create

(Correct)

bigquery.jobs.create

(Correct)

bigquery.tables.list

bigquery.jobs.list

bigquery.tables.updateData

(Correct)

Explanation
To load data, an identity must have bigquery.tables.create, bigquery.tables.updateData,
and bigquery.jobs.create. bigquery.tables.list is needed to list tables and metadata on
tables. For more information, see
https://cloud.google.com/bigquery/docs/batch-loading-data and
https://cloud.google.com/bigquery/docs/access-control.
Question 18: Correct
Your company has an on premises Hadoop cluster that is to be migrated to Google
Cloud. The CFO wants to minimize operational overhead. What GCP service would
you recommend?

Cloud Dataflow

Bigtable

Cloud Pub/Sub

Cloud Dataproc

(Correct)

Explanation
Cloud Dataproc is a managed Spark/Hadoop service that can be used to migrate
Hadoop clusters to GCP. Cloud Pub/Sub is a queuing service that is used to ingest data
and store it until it can be processed. Bigtable is a NoSQL database, not a queueing
service. Cloud Dataflow is a stream and batch processing service, not a queueing service.
For more information, see https://cloud.google.com/dataproc/docs/how-to.
Question 19: Correct
A Cloud Storage user wants to rename several files in a bucket. What command
should they use?


gsutil rn

gsutil rename

gsutil mv

(Correct)

gsutil cp

Explanation
To rename a file in cloud storage, use the move command gsutil mv. Gsutil cp will copy
files, not rename them. Gsutil rename and gsutil rn are not valid commands. For more
information, see https://cloud.google.com/storage/docs/gsutil/commands/mv.
Question 20: Correct
You will be running an application that requires high levels of security. You want
to ensure the application does not run on a server that has been compromised by
a rootkit or other kernel-level malware. What kind of virtual machine would you
use?

Preemptible VM

GPU-enabled VM

Hardened VM

Shielded VM

(Correct)

Explanation
Shielded VMs are hardened virtual machines that use Secure Boot, virtual trusted
platform module enabled Measured Boot, and integrity monitoring. Preemptible VMs
can be taken back by Google at any time but cost significantly less than standard prices.
Hardened VM is not a valid option in Compute Engine. GPU-enabled VMs can improve
the performance of compute intensive applications, such as training machine learning
models. For more information, see
https://cloud.google.com/security/shielded-cloud/shielded-vm.
Question 21: Correct
A manager in your company is having trouble tracking the use and cost of
resources across several projects. In particular, they do not know which resources
are created by different teams they manage. What would you suggest the
manager use to help better understand which resources are used by which team?

Labels

(Correct)

Audit logs

IAM policies

Trace logs

Explanation
Labels are key-value pairs attached to resources and used to manage them. The
manager could use a key-value pair with the key 'team-name' and the value the name of
the team that created the resource. Audit logs do not necessarily have the names of
teams that own a resource. Traces are used for performance monitoring and analysis.
IAM policies are used to control access to resources, not to track which team created
them. For more information, see
https://cloud.google.com/resource-manager/docs/creating-managing-labels.
Question 22: Correct
You will be creating a GKE cluster and want to use Cloud Operations for GKE
instead of legacy monitoring and logging. If you create the cluster using a gcloud
container clusters create command, what parameter would you specify to
explicitly enable Cloud Operations for GKE?

--enable-stackdriver-kubernetes

(Correct)

--enable-gke-monitor

--enable-cloud-operations

--disable-legacy-monitoring

Explanation
The correct way to enable Cloud Operations for GKE is to use the parameter
--enable-stackdriver-kubernetes. The other options are not valid parameter names. For more
information, see
https://cloud.google.com/sdk/gcloud/reference/container/clusters/create.
Question 23: Correct
Your organization has created multiple projects in several folders. You have been
assigned to manage them and want to get descriptive information about each
project. What command would you use to get metadata about a project?

gcloud describe projects <PROJECT_ID>

gcloud projects describe <PROJECT_ID>

(Correct)

gcloud describe projects <PROJECT_NAME>

gcloud projects describe <PROJECT_NAME>

Explanation
The correct command is 'gcloud projects describe <PROJECT_ID>'. 'gcloud projects
describe <PROJECT_NAME>' is incorrect because PROJECT_NAME is not used in this
command. 'gcloud describe projects' is wrong because 'describe' and 'projects' are in
the wrong order in the command. 'gcloud describe projects <PROJECT_NAME>' is
incorrect because it uses PROJECT_NAME instead of PROJECT_ID. For more information,
see https://cloud.google.com/sdk/gcloud/reference/projects/describe.
Question 24: Correct
A startup is implementing an IoT application that will ingest data at high speeds.
The architect for the startup has decided that data should be ingested in a queue
that can store the data until the processing application is able to process it. The
architect also wants to use a managed service in Google Cloud. What service
would you recommend?


Cloud Dataflow

Cloud Dataproc

Bigtable

Cloud Pub/Sub

(Correct)

Explanation
Cloud Pub/Sub is a queuing service that is used to ingest data and store it until it can be
processed. Bigtable is a NoSQL database, not a queueing service. Cloud Dataflow is a
stream and batch processing service, not a queueing service. Cloud Dataproc is a
managed Spark/Hadoop service. For more information, see
https://cloud.google.com/pubsub/docs/overview.
Question 25: Correct
You want to use Cloud Identity to create identities. You have received a
verification record for your domain. Where would you add that record?

In IAM settings for each identity

In the metadata of each resource created in your organization

In the billing account for your organization


In the domain's DNS setting

(Correct)

Explanation
Cloud Identity provides domain verification records, which are added to DNS settings
for the domain. IAM is used to control access granted to identities, it is not a place to
manage domains. The billing account is used for payment tracking, it is not a place to
manage domains. Resources do have metadata, but that metadata is not used to
manage domains. For more information on verifying domains, see
https://cloud.google.com/identity/docs/verify-domain.
Question 26: Correct
You have deployed a sole tenant node in Compute Engine. How will this restrict
what VMs run on that node?

Only one VM will run on that node.

Only VMs from the same organization will run on that node.

Only VMs using the same operating system will run on that node.

Only VMs from the same project will run on the node.

(Correct)

Explanation
On a sole tenant node, only VMs from the same project will run on that node. They do
not need to use the same operating system. Sole tenant nodes are not restricted to a
single VM. VMs from the same organization but different projects will not run on the
same sole tenant instance. For more information, see
https://cloud.google.com/compute/docs/nodes/sole-tenant-nodes.
Question 27: Correct
As a developer using GCP, you will need to set up a local development
environment. You will want to authorize the use of gcloud commands to access
resources. What commands could you use to authorize access?

gcloud config login

gcloud init

(Correct)

gcloud auth login

(Correct)

gcloud login

Explanation
Gcloud init will authorize access and perform other common setup steps. Gcloud auth
login will authorize access only. Gcloud login and gcloud config login are not valid
commands. For more information, see https://cloud.google.com/sdk/docs/initializing.
Question 28: Correct
You are creating a set of virtual machines in Compute Engine. GCP will
automatically assign an IP address to each. What type of IP address will be
assigned?

Regional internal address

(Correct)

Global external address

Regional external address

Global internal address

Explanation
GCP assigns regional internal IP addresses for VM instances, including GKE pods, nodes,
and services. They are also used for Internal TCP/UDP Load Balancing and Internal
HTTP(S) Load Balancing. For more information, see
https://cloud.google.com/compute/docs/ip-addresses.
Question 29: Correct
You want to run a Kubernetes cluster for a high availability set of applications.
What type of cluster would you use?

Multi-regional

Regional

(Correct)

Single zone

Multi-zonal

Explanation
Regional clusters have replicas of the control plane while single zone and multi-zonal
clusters have only one control plane. There is no such thing as multi-regional cluster. For
more information, see
https://cloud.google.com/blog/products/containers-kubernetes/best-practices-for-creating-a-highly-available-gke-cluster.
Question 30: Correct
You have created a set of firewall rules to control ingress and egress traffic to a
network. Traffic that you intended to allow to leave the network appears to be
blocked. What could you do to get information to help you diagnose the problem?

Enable firewall rule logging for each of the firewall rules

(Correct)

Enable Cloud Trace of each firewall rule

Use Cloud Debugger to debug the firewall rules

Enable Cloud Monitoring of each firewall rule

Explanation
Firewall rule logging can be enabled for each firewall rule. Each time the rule is applied
to allow or deny traffic, a connection record is created. Connection records can be
viewed in Cloud Logging. Cloud Monitoring is used for collecting and viewing metrics on
resource performance. Cloud Trace is used to understand performance in distributed
systems. Cloud Debugger is used by developers to identify and correct errors in code.
For more information, see https://cloud.google.com/vpc/docs/firewall-rules-logging.
Question 31: Correct
An application running in Compute Engine sometimes gets spikes in load. You
want to add instances automatically when load increases significantly and plan to
use managed instance groups. What would you need to create in order to
automatically scale the cluster?

Load balancer

Persistent Disk

Instance template

(Correct)

Snapshot

Explanation
An instance template is needed to enable Compute Engine to automatically add
instances to a managed instance group. Snapshots are not required to add instances to
a managed instance group. Persistent disks are not needed to control the addition of
nodes to a managed instance group. Load balancers are used with managed instance
groups but are not the thing that automatically adds nodes to the managed instance
group. For more information, see
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances.
Question 32: Correct
During an audit, auditors determined that there are insufficient access controls on
Cloud Storage buckets. The auditors recommend you use uniform bucket-level
access. After applying uniform bucket-level access some users that had access to
objects in buckets no longer have access. What could be the cause?

Users do not have permissions through ACLs that allow them access to
objects in buckets. Prior to setting uniform bucket-level access, those users
had access through IAM.

Applying uniform bucket-level access removes all access privileges. No user
will have access until permissions are reset.

ACLs are removed when uniform bucket-level access is applied. ACLs must
be recreated.

Users do not have IAM permissions that allow them access to objects in
buckets. Prior to setting uniform bucket-level access, those users had access
through ACLs.

(Correct)

Explanation
Access is granted to Cloud Storage objects using IAM or access control lists (ACLs).
When uniform bucket-level access is applied, users only have access through IAM roles
and permissions. A user who could access objects before uniform bucket-level access is
applied but not after must have had access through ACLs. For more information, see
https://cloud.google.com/storage/docs/uniform-bucket-level-access.
Question 33: Correct
As a consultant to a mid-sized retailer you have been asked to help choose a
managed database platform for the company's inventory management
application. The retailer's market is limited to the Northeast United States. What
service would you recommend?

Cloud Spanner

Bigtable

Cloud SQL

(Correct)

Cloud Dataproc

Explanation
Cloud SQL is a managed relational database service suitable for regionally used
applications. Cloud Spanner is also a managed relational database but it is designed for
multi-region and global applications. BigQuery is not used for transaction processing
systems. Cloud Dataproc is a managed Spark/Hadoop service, not a relational database.
For more information, see https://cloud.google.com/sql/docs.
Question 34: Correct
A startup has created an IoT application that analyzes data from sensors deployed
on vehicles. The application depends on a database that can write large volumes of
data at low latency. The startup has used HBase in the past but wants to migrate to
a managed database service. What service would you recommend?

BigQuery

Cloud Spanner

Bigtable

(Correct)

Cloud Dataproc

Explanation
Bigtable is a wide column database with low latency writes that is well suited for IoT
data storage. BigQuery is a data warehouse service. Cloud Dataproc is a managed
Spark/Hadoop service. Cloud Spanner is a global-scale relational database designed for
transaction processing. For more information, see
https://cloud.google.com/bigtable/docs/schema-design and
https://cloud.google.com/bigtable/docs/schema-design-steps.
Question 35: Correct
A client has asked for your advice about building a data transformation pipeline.
The pipeline will read data from Cloud Storage and Cloud Spanner, merge data
from the two sources and write the data to a BigQuery data set. The client does
not want to manage servers or other infrastructure, if possible. What GCP service
would you recommend?

Cloud Build

Compute Engine

Cloud Data Fusion

(Correct)

Cloud Dataprep

Explanation
Cloud Data Fusion is a managed service that is designed for building data
transformation pipelines. Compute Engine is not a managed service. Cloud Dataprep is
used to prepare data for analytics and machine learning. Cloud Build is a service for
creating container images. For more information, see
https://cloud.google.com/data-fusion/docs/how-to.
Question 36: Correct
A client of yours wants to deploy a stateless application to a Kubernetes cluster. The
replication controller is named my-app-rc. The application should scale based on
CPU utilization; specifically when CPU utilization exceeds 80%. There should never
be fewer than 2 pods or more than 6. What command would you use to implement
autoscaling with these parameters?

kubectl apply rc my-app-rc --min=2 --max=6 --cpu-percent=80

kubectl autoscale rc my-app-rc --min=2 --max=6 --cpu-percent=80

(Correct)

gcloud containers apply rc my-app-rc --min=2 --max=6 --cpu-percent=80


gcloud containers autoscale rc my-app-rc --min=2 --max=6 --cpu-percent=80

Explanation
The correct command is to use kubectl autoscale specifying the appropriate min, max,
and cpu percent. Specifically: kubectl autoscale rc my-app-rc --min=2 --max=6
--cpu-percent=80. The other options are not valid commands. For more information, see
https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/.
Question 37: Correct
You have created a Kubernetes Engine cluster that will run machine learning
training processes and machine learning prediction processes. The training
processes require more CPU and memory than the prediction processes. How
would you configure the cluster to support this?

Use multiple pods with some configured for more CPU and memory.

Increase the number of deployments for the machine learning training
process.

Use two node pools, one configured with more CPU and memory than the
other.

(Correct)

Increase the number of replica sets for the machine learning training
process.

Explanation
Node pools are used to configure resources for particular workloads. All nodes in a
node pool are configured the same. Replica sets and deployments do not control the
number of CPUs or amount of memory.
Question 38: Correct
A developer is trying to upload files from their local device to a Compute Engine
VM using the gcloud scp command. The copy command is failing. What would you
check to try to correct the problem?

Ensure firewall rules allow traffic to port 22 to allow SSH connections.

(Correct)

Add the identity of the developer to the administrator group for the VM.

Grant the identity the roles/compute.admin role

Grant the identity compute.admin permission

Explanation
To copy files to a VM, a firewall rule must be in place to allow traffic on port 22, the
default SSH port. Administrator privileges are not needed to upload a file so the other
three options are not correct. For more information, see
https://cloud.google.com/compute/docs/instances/transfer-files.
Question 39: Correct
The CFO of your company wants to improve an existing data warehouse by
migrating it to Google Cloud. They want to minimize operational overhead while
ensuring existing SQL tools can be used with the migrated data warehouse. What
GCP service would you recommend?

Cloud Spanner

Cloud SQL

Bigtable

BigQuery

(Correct)

Explanation
BigQuery is a managed, petabyte scale data warehouse, which uses SQL. Bigtable does
not support SQL. Cloud SQL and Cloud Spanner support SQL but are designed for
transaction processing, not analytical applications like data warehouses. For more
information, see https://cloud.google.com/bigquery/docs/how-to.
Question 40: Correct
A startup has an app that allows users to upload images to Cloud Storage. The
images should be analyzed as soon as possible once they are loaded. Processing
takes approximately 1 second for each image. There are periods when no images
are uploaded and other times when many images are uploaded in short periods of
time. What compute option would you use to process images?

Cloud Functions

(Correct)

Kubernetes Engine

Compute Engine

App Engine Flexible

Explanation
Cloud Functions is used to respond to events in GCP, including uploading of files in
Cloud Storage. Processing can finish within the time limits in which Cloud Functions must run.
Since there are periods when no images are uploaded, there is no need to have an
application running continuously and checking for new image uploads so App Engine
Flexible, Compute Engine, and Kubernetes Engine are more than required. For more
information, see https://cloud.google.com/functions/docs/how-to.
Question 41: Correct
As a consultant to a new GCP customer, you are asked to help set up billing
accounts. What permission must an identity have in order to create a billing
account?

billing.create

roles/billing.create

billing.accounts.create

(Correct)

roles/billing.accounts.create

Explanation
billing.accounts.create is the permission needed to create a billing account. billing.create
is not a valid permission. Roles are sets of permissions but they are not permissions
themselves so roles/billing.create and roles/billing.accounts.create are not correct
answers. For more information, see
https://cloud.google.com/billing/docs/how-to/manage-billing-account.
Question 42: Correct
You want to load balance an application that receives traffic from other resources
in the same VPC. All traffic is TCP with IPv4 addresses. What load balancer would
you recommend?

SSL Proxy Load Balancing

Network TCP/UDP Load Balancing

TCP Proxy Load Balancing

Internal TCP/UDP Load Balancing

(Correct)

Explanation
Internal TCP/UDP Load Balancing is used for internal traffic, that is, traffic not from the internet.
SSL Proxy, TCP Proxy, and Network TCP/UDP load balancing are used with external
traffic. For more information, see
https://cloud.google.com/load-balancing/docs/choosing-load-balancer.
Question 43: Correct
You want to deploy an application to a Kubernetes Engine cluster using a manifest
file called my-app.yaml. What command would you use?

gcloud deployment apply my-app.yaml

kubectl deployment apply my-app.yaml

gcloud containers deployment apply my-app.yaml

kubectl apply -f my-app.yaml

(Correct)

Explanation
The correct answer is to use "kubectl apply -f" with the name of the deployment file.
Deployments are Kubernetes abstractions and are managed using kubectl, not gcloud.
The other options are not valid commands. For more information, see
https://kubernetes.io/docs/reference/kubectl/overview/.
Question 44: Correct
A group of data scientists need access to data stored in Cloud Bigtable. You want
to follow Google recommended best practices for security. What role would you
assign to the data scientists to allow them to read data from Bigtable?


roles/bigtable.admin

roles/bigtable.user

roles/bigtable.reader

(Correct)

roles/bigtable.owner

Explanation
The roles/bigtable.reader role gives the data scientists the ability to read data but not write
data or modify the database. This follows the Principle of Least Privilege as
recommended by Google. Roles/bigtable.admin gives permissions to administer all
instances in a project, which is not needed by a data scientist. Roles/bigtable.user
provides read and write permissions but data scientists do not need write permission.
There is no predefined role called roles/bigtable.owner. For more information, see
https://cloud.google.com/bigtable/docs/access-control.
Question 45: Correct
You have a set of snapshots that you keep as backups of several persistent disks.
You want to know the source disk for each snapshot. What command would you
use to get that information?

gcloud compute snapshots describe

(Correct)


gcloud snapshots describe

gcloud compute snapshots list

gcloud compute disk describe

Explanation
The correct command is gcloud compute snapshots describe, which shows information
about the snapshot, including source disk, creation time, and size. The other options are
not valid gcloud commands. For more information, see
https://cloud.google.com/sdk/gcloud/reference/compute/snapshots/describe.
Question 46: Correct
A new team member has just created a new project in GCP. What role is
automatically granted to them when they create the project?

roles/owner

(Correct)

roles/viewer

roles/editor

roles/browser

Explanation
When you create a project, you are automatically granted the roles/owner role. The
owner role includes permissions granted by roles/editor, roles/viewer, and
roles/browser. For more information, see
https://cloud.google.com/resource-manager/docs/access-control-proj.
Question 47: Correct
Your department runs a legacy application on an on-premises cluster. The nodes in
the cluster are heterogeneous. You want to migrate this cluster to Google Cloud.
What Compute Engine resource would you use?

Unmanaged instance group

(Correct)

Network load balancer

Managed instance groups (MIGs)

Autoscaler

Explanation
Heterogeneous clusters can be run on unmanaged instance groups but not managed
instance groups. Network load balancer is used to distribute workload in a cluster but it
is not an instance group itself. Autoscaler adds and removes nodes in a managed
instance group as needed. For more information, see
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-unmanaged-instances.
Question 48: Correct
You have created a process that will run nightly. The process needs read and write
access to two Cloud Storage buckets. You do not want to use your identity to
ensure the process has sufficient privileges. How would you ensure the process can
read and write to the Cloud Storage buckets?

Create a Cloud Identity and grant it a role that provides read and write
permissions.

Create a service account and grant it a role that provides read and write
permission.

(Correct)

Create a federated identity and grant it permissions directly to enable read
and write access.

Create a service account and assign permissions directly to enable read and
write access.

Explanation
Service accounts are used to provide applications and instances with an identity that can
have roles that give the identity sufficient permission to execute operations it needs to
perform.
Question 49: Correct
A software development team is using Google Container Registry to manage
container images. You have recently joined the team and want to view metadata
about existing container images. What command would you use?

gcloud images container list


gcloud container list metadata

gcloud container metadata list

gcloud container images list

(Correct)

Explanation
The correct command is gcloud container images list. The other options are not valid
gcloud commands. For more information, see
https://cloud.google.com/sdk/gcloud/reference/container/images/list.
Question 50: Correct
Your company is migrating an on-premises archive of files to Google Cloud. The
archived files are used infrequently, on average about once every 30 days. You
would like to minimize the cost of storage. What storage option would you
recommend?

Persistent Disks

Nearline Storage

(Correct)

Multi-regional storage

Coldline Storage

Explanation
Nearline Storage is a class of Cloud Storage designed for objects that will be accessed at
most once every 30 days. Coldline Storage is suitable for objects accessed at most once
per year. Multi-regional storage is best suited for objects that should have low latency
access from multiple regions. Persistent disks should not be used for archival storage.
For more information, see https://cloud.google.com/storage/docs/storage-classes.