GCP Quizzes SET 2

Cymbal Direct has created a proof of concept for a social integration service that highlights images of its
products from social media. The proof of concept is a monolithic application running on a single SuSE
Linux virtual machine (VM). The current version requires increasing the VM’s CPU and RAM in order to
scale. You would like to refactor the VM so that you can scale out instead of scaling up. What should you
do?

• Move the existing codebase and VM provisioning scripts to git, and attach external persistent
volumes to the VMs.
• Make sure that the application declares any dependent requirements in a requirements.txt or
equivalent statement so that they can be referenced in a startup script. Specify the startup
script in a managed instance group template, and use an autoscaling policy.
• Make sure that the application declares any dependent requirements in a requirements.txt or
equivalent statement so that they can be referenced in a startup script, and attach external
persistent volumes to the VMs.
• Use containers instead of VMs, and use a GKE autoscaling deployment.

For this question, refer to the Helicopter Racing League (HRL) case study. HRL is looking for a cost-
effective approach for storing their race data such as telemetry. They want to keep all historical records,
train models using only the previous season's data, and plan for data growth in terms of volume and
information collected. You need to propose a data solution. Considering HRL business requirements and
the goals expressed by CEO S. Hawke, what should you do?

• Use Firestore for its scalable and flexible document-based database. Use collections to
aggregate race data by season and event.
• Use Cloud Spanner for its scalability and ability to version schemas with zero downtime. Split
race data using season as a primary key.
• Use BigQuery for its scalability and ability to add columns to a schema. Partition race data based
on season.
• Use Cloud SQL for its ability to automatically manage storage increases and compatibility with
MySQL. Use separate database instances for each season.

For this question, refer to the Helicopter Racing League (HRL) case study. A recent finance audit of cloud
infrastructure noted an exceptionally high number of Compute Engine instances are allocated to do
video encoding and transcoding. You suspect that these Virtual Machines are zombie machines that
were not deleted after their workloads completed. You need to quickly get a list of which VM instances
are idle. What should you do?

• Log into each Compute Engine instance and collect disk, CPU, memory, and network usage
statistics for analysis.
• Use the gcloud compute instances list command to list the virtual machine instances that have
the idle: true label set.
• Use the gcloud recommender command to list the idle virtual machine instances.
• From the Google Console, identify which Compute Engine instances in the managed instance
groups are no longer responding to health check probes.

For this question, refer to the Helicopter Racing League (HRL) case study. Your team is in charge of
creating a payment card data vault for card numbers used to bill tens of thousands of viewers,
merchandise consumers, and season ticket holders. You need to implement a custom card tokenization
service that meets the following requirements: - It must provide low latency at minimal cost. - It must be
able to identify duplicate credit cards and must not store plaintext card numbers. - It should support
annual key rotation. Which storage approach should you adopt for your tokenization service?

• Store the card data in Secret Manager after running a query to identify duplicates.
• Encrypt the card data with a deterministic algorithm stored in Firestore using Datastore mode.
→ fastest
• Encrypt the card data with a deterministic algorithm and shard it across multiple Memorystore
instances.
• Use column-level encryption to store the data in Cloud SQL.

Cymbal Direct must meet compliance requirements. You need to ensure that employees with valid
accounts cannot access their VPC network from locations outside of its secure corporate network,
including from home. You also want a high degree of visibility into network traffic for auditing and
forensics purposes. What should you do?

• Ensure that all users install Cloud VPN. Enable VPC Flow Logs for the networks you need to
monitor.
• Enable VPC Service Controls, define a network perimeter to restrict access to authorized
networks, and enable VPC Flow Logs for the networks you need to monitor.
• Enable Identity-Aware Proxy (IAP) to allow users to access services securely. Use Google Cloud’s
operations suite to view audit logs for the networks you need to monitor.
• Enable VPC Service Controls, and use Google Cloud’s operations suite to view audit logs for the
networks you need to monitor.

You are working with a client who has built a secure messaging application. The application is open
source and consists of two components. The first component is a web app, written in Go, which is used
to register an account and authorize the user’s IP address. The second is an encrypted chat protocol that
uses TCP to talk to the backend chat servers running Debian. If the client's IP address doesn't match the
registered IP address, the application is designed to terminate their session. The number of clients using
the service varies greatly based on time of day, and the client wants to be able to easily scale as needed.
What should you do?

• Deploy the web application using the App Engine standard environment using a global external
HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for
the backend chat servers. Use an external network load balancer to load-balance traffic across
the backend chat servers.
• Deploy the web application using the App Engine flexible environment using a global external
HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for
the backend chat servers. Use an external network load balancer to load-balance traffic across
the backend chat servers.
• Deploy the web application using the App Engine standard environment using a global external
HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the
backend chat servers. Use a global SSL proxy load balancer to load-balance traffic across the
backend chat servers.
• Deploy the web application using the App Engine standard environment with a global external
HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the
backend chat servers. Use an external network load balancer to load-balance traffic across the
backend chat servers.

Cymbal Direct's user account management app allows users to delete their accounts whenever they like.
Cymbal Direct also has a very generous 60-day return policy for users. The customer service team wants
to make sure that they can still refund or replace items for a customer even if the customer’s account
has been deleted.

• Temporarily disable the account for 30 days. Export account information to Cloud Storage, and
enable lifecycle management to delete the data in 60 days.
• Ensure that the user clearly understands that after they delete their account, all their
information will also be deleted. Remind them to download a copy of their order history and
account information before deleting their account. Have the support agent copy any open or
recent orders to a shared spreadsheet.
• Restore a previous copy of the user information database from a snapshot. Have a database
administrator capture needed information about the customer.
• Disable the account. Export account information to Cloud Storage. Have the customer service
team permanently delete the data after 30 days.

Cymbal Direct wants to create a pipeline to automate the building of new application releases. What
sequence of steps should you use?

• Set up a source code repository. Run unit tests. Check in code. Deploy. Build a Docker container.
• Check in code. Set up a source code repository. Run unit tests. Deploy. Build a Docker container.
• Set up a source code repository. Check in code. Run unit tests. Build a Docker container.
Deploy.
• Run unit tests. Deploy. Build a Docker container. Check in code. Set up a source code repository.

Your existing application runs on Ubuntu Linux VMs in an on-premises hypervisor. You want to deploy
the application to Google Cloud with minimal refactoring. What should you do?

• Set up a Google Kubernetes Engine (GKE) cluster, and then create a deployment with an
autoscaler.
• Isolate the core features that the application provides. Use Cloud Run to deploy each feature
independently as a microservice.
• Use X or Partner Interconnect to connect the on-premises network where your application is
running to your VPC. Configure an endpoint for a global external HTTP(S) load balancer that
connects to the existing VMs.
• Write Terraform scripts to deploy the application as Compute Engine instances.

Cymbal Direct needs to use a tool to deploy its infrastructure. You want something that allows for
repeatable deployment processes, uses a declarative language, and allows parallel deployment. You also
want to deploy infrastructure as code on Google Cloud and other cloud providers. What should you do?

• Automate the deployment with Terraform scripts.
• Automate the deployment using scripts containing gcloud commands.
• Use Google Kubernetes Engine (GKE) to create deployments and manifests for your
applications.
• Develop in Docker containers for portability and ease of deployment.

Cymbal Direct wants to allow partners to make orders programmatically, without having to speak on the
phone with an agent. What should you consider when designing the API?

• The API backend should be loosely coupled. Clients should not be required to know too many
details of the services they use. REST APIs using gRPC should be used for all external APIs.
• The API backend should be tightly coupled. Clients should know a significant amount about the
services they use. REST APIs using gRPC should be used for all external APIs.
• The API backend should be loosely coupled. Clients should not be required to know too many
details of the services they use. For REST APIs, HTTP(S) is the most common protocol.
• The API backend should be tightly coupled. Clients should know a significant amount about the
services they use. For REST APIs, HTTP(S) is the most common protocol used.

Cymbal Direct wants a layered approach to security when setting up Compute Engine instances. What
are some options you could use to make your Compute Engine instances more secure?

• Use labels to allow traffic only from certain sources and ports. Turn on Secure boot and vTPM.
• Use labels to allow traffic only from certain sources and ports. Use a Compute Engine service
account.
• Use network tags to allow traffic only from certain sources and ports. Turn on Secure boot and
vTPM.
• Use network tags to allow traffic only from certain sources and ports. Use a Compute Engine
service account.

Detail:

• Network Tags: Network tags provide granular control over network traffic entering and leaving
your instances. By assigning tags and creating firewall rules based on those tags, you can restrict
access to only authorized sources and ports. This enhances security by reducing the attack
surface.
• Secure Boot and vTPM: These features work together to safeguard the boot process and
protect the instance's firmware from unauthorized modifications. Secure boot ensures only
authorized operating systems are loaded, while vTPM (Virtual Trusted Platform Module)
encrypts sensitive data like encryption keys and ensures the platform's integrity.
• While labels can be used for organization, they don't directly control network traffic. Network
tags are more suitable for access control.
• Service accounts don't provide the network access control offered by network tags.

You have deployed your frontend web application in Kubernetes. Based on historical use, you need
three pods to handle normal demand. Occasionally your load will roughly double. A load balancer is
already in place. How could you configure your environment to efficiently meet that demand?

• Edit your pod's configuration file and change the number of replicas to six.
• Edit your deployment's configuration file and change the number of replicas to six.
• Use the "kubectl autoscale" command to change the pod's maximum number of instances to
six.
• Use the "kubectl autoscale" command to change the deployment’s maximum number of
instances to six.

Detail:

• Why not C? kubectl autoscale with pods: the kubectl autoscale command likely interacts with
deployments, not individual pods. Specifying a maximum number of instances for pods wouldn't
be the correct approach.
• Option D leverages the power of the Horizontal Pod Autoscaler (HPA) to achieve efficient and
dynamic scaling of your frontend web application in Kubernetes.

You need to deploy a load balancer for a web-based application with multiple backends in different
regions. You want to direct traffic to the backend closest to the end user, but also to different backends
based on the URL the user is accessing. Which of the following could be used to implement this?

• The request is received by the global external HTTP(S) load balancer. A global forwarding rule
sends the request to a target proxy, which checks the URL map and selects the backend service.
The backend service sends the request to Compute Engine instance groups in multiple regions.
• The request is matched by a URL map and then sent to a global external HTTP(S) load balancer.
A global forwarding rule sends the request to a target proxy, which selects a backend service.
The backend service sends the request to Compute Engine instance groups in multiple regions.
• The request is received by the SSL proxy load balancer, which uses a global forwarding rule to
check the URL map, then sends the request to a backend service. The request is processed by
Compute Engine instance groups in multiple regions.
• The request is matched by a URL map and then sent to an SSL proxy load balancer. A global
forwarding rule sends the request to a target proxy, which selects a backend service and sends
the request to Compute Engine instance groups in multiple regions.

In Cloud Storage, how would you store data to be accessed not more than once a month and not
needed after five years?

• Nearline class, lifecycle policy change to Coldline after 5 years
• Standard Storage class, lifecycle policy change to Coldline after 5 years
• Nearline class, lifecycle policy to delete after 5 years
• Standard Storage class, lifecycle policy to delete after 5 years

Which service is best for a multi-petabyte database for analysts that only know SQL? The database must
be available 24 x 7.

• BigQuery
• Firebase
• Cloud SQL
• Cloud Storage

Which Cloud IAM roles would you assign for security auditors requiring visibility across all projects?

• Org admin, project browser
• Project owner, network admin
• Org viewer, project owner
• Org viewer, project viewer

What is the cheapest per-byte storage offered by Google Cloud?

• Cloud BigTable
• Cloud Firestore
• Cloud SQL
• Cloud Storage

Which abstraction is used to administer user access in Cloud IAM?

• Privileges, an abstraction of access rights
• Credentials, an abstraction of an authorization token
• Roles, an abstraction of job roles
• Leases, an abstraction of periodic entitlements

Regulations require encrypting data at rest. Which Google Cloud services can be used?

• Any of the managed databases
• Any GCP storage service except Cloud Filestore
• Any GCP storage service
• Any of the managed databases except BigQuery

Which storage service would you use to store large video files?

• BigQuery
• Cloud Firestore
• Cloud Storage
• Cloud Bigtable

Which storage class should be used to save logs for forensics, which will be accessed at most once a
quarter?

• Coldline
• Nearline
• Standard
• Archive

What is the Operations Suite tool to see the latency of requests for a web application in App Engine?

• Debugger
• Error Reporting
• Profiler
• Trace

How to arrange a low-cost, one-way and one-time migration of a 100-TB file server to Google Cloud? Data
will be frequently accessed from a single region.

• Use Transfer Appliance. Transfer to a Cloud Storage Standard bucket.
• Use Transfer Appliance. Transfer to a Cloud Storage Nearline bucket.
• Use Storage Transfer Service. Transfer to a Cloud Storage Standard bucket.
• Use Storage Transfer Service. Transfer to a Cloud Storage Coldline bucket.

A customer would like to arrange regular backups of multi-TB databases from another cloud to Google
Cloud, including monthly DR drills. What services should be used?

• Use Transfer Appliance. Transfer to Cloud Storage Nearline bucket.
• Use Transfer Appliance. Transfer to Cloud Storage Coldline bucket.
• Use Storage Transfer Service. Transfer to Cloud Storage Nearline bucket.
• Use Storage Transfer Service. Transfer to Cloud Storage Coldline bucket.

Feedback

This is correct because you will need to access your backup data monthly to test your disaster
recovery process, so you should use a Nearline bucket; also because you will be performing
ongoing, regular data transfers, so you should use Storage Transfer Service.

An application has the following data requirements. 1. It requires strongly consistent transactions. 2.
Total data will be less than 500 GB. 3. The data does not need to be streaming or real time. Which data
technology would fit these requirements?

• BigQuery
• Cloud Bigtable
• Cloud SQL
• Memorystore

Feedback

This is correct. Cloud SQL supports strongly consistent transactions. And the size requirements
will fit with a Cloud SQL instance.

A company needs a flexible storage solution for a vast amount of time-series data that will be ingested
from millions of connected devices. What GCP service would you recommend?

• Cloud Storage
• Cloud Spanner
• BigTable
• Memorystore

GlobalBank wants to build an online transactional processing application that requires a relational
database with petabyte-scale data. What GCS storage service should they choose?

• Cloud SQL
• BigTable
• BigQuery
• Cloud Spanner

You're requested to distribute and synchronize a GCS storage bucket between multiple regions for
increased availability. What's the easiest way to do it?

• Deploy separate buckets in different regions and use "bucket-to-bucket" replication
functionality.
• Deploy separate buckets in different regions and schedule an rsync process between them.
• Deploy a single dual or multi-region bucket.
• Deploy separate buckets in different regions, then schedule backup and restore job between
them.

In order to fulfill a compliance requirement, you defined a retention policy on one of your GCS buckets and
you executed the "gsutil retention lock gs://BUCKET_NAME" command. You now need to modify some
objects from the bucket that did not expire yet and you get an error. How do you resolve it?

• You need to manually remove the lock from the bucket and update the policy so that the object
can be modified.
• You need to contact GCP support to remove the lock for you.
• You can't remove the objects until they fulfill the expiration policy.
• You need to use the --force parameter when executing the "gsutil rm" command.

Feedback

https://cloud.google.com/storage/docs/bucket-lock

What is a NoSQL feature that is not available in relational databases?

• Fixed schemas
• Flexible schemas
• ACID transactions
• Indexes

Which product provides a managed Hadoop cluster?

• Cloud Pub/Sub
• BigQuery
• Cloud Dataproc
• Cloud Dataflow

An existing application uses websockets. To help migrate the application to cloud you should:

• Review websocket encryption requirements with the security team.
• Redesign the application to use HTTP streaming.
• Redesign the application to use distributed sessions instead of websockets.
• Do nothing to the application. HTTP(S) load balancing natively supports websocket proxying.

The security team has locked out SSH access to production VMs. How can operations still manage the
VMs without being able to SSH into those machines?

• Grant operations team appropriate IAM roles to manage VMs with gcloud commands
• Develop a Cloud API application for all operations actions
• Develop an application that grants temporary SSH access
• Configure a VPN to allow SSH access to VMs

How can application parts, owned by different project teams, communicate over RFC1918 addresses?

• Single project, same VPC
• Shared VPC, each team's project a service of the Shared VPC project
• Communicate over global load balancers, one per project
• Parts communicate using HTTPS
