Google Google Certifications ASSOCIATE-CLOUD-ENGINEER Questions & Answers

• Question 41:

  You have been asked to set up Object Lifecycle Management for objects stored in storage buckets. The objects are written once and accessed frequently for 30 days. After 30 days, the objects are not read again unless there is a special need. The object should be kept for three years, and you need to minimize cost. What should you do?

  A. Set up a policy that uses Nearline storage for 30 days and then moves to Archive storage for three years.

  B. Set up a policy that uses Standard storage for 30 days and then moves to Archive storage for three years.

  C. Set up a policy that uses Nearline storage for 30 days, then moves the Coldline for one year, and then moves to Archive storage for two years.

  D. Set up a policy that uses Standard storage for 30 days, then moves to Coldline for one year, and then moves to Archive storage for two years.

  Correct Answer: B

  Correct Answer is (B):

  The key to understand the requirement is : "The objects are written once and accessed frequently for 30 days"

  Standard Storage

  Standard Storage is best for data that is frequently accessed ("hot" data) and/or stored for only brief periods of time.

  Archive Storage

  Archive Storage is the lowest-cost, highly durable storage service for data archiving, online backup, and disaster recovery. Unlike the "coldest" storage services offered by other Cloud providers, your data is available within milliseconds, not

  hours or days. Archive Storage is the best choice for data that you plan to access less than once a year.

  https://cloud.google.com/storage/docs/storage-classes#standard

• Question 42:

  You have created a code snippet that should be triggered whenever a new file is uploaded to a Cloud Storage bucket. You want to deploy this code snippet. What should you do?

  A. Use App Engine and configure Cloud Scheduler to trigger the application using Pub/Sub.

  B. Use Cloud Functions and configure the bucket as a trigger resource.

  C. Use Google Kubernetes Engine and configure a CronJob to trigger the application using Pub/Sub.

  D. Use Dataflow as a batch job, and configure the bucket as a data source.

  Correct Answer: B

  Correct Answer is (B):

  Google Cloud Storage Triggers

  Cloud Functions can respond to change notifications emerging from Google Cloud Storage. These notifications can be configured to trigger in response to various events inside a bucket--object creation, deletion, archiving and metadata

  updates.

  Note: Cloud Functions can only be triggered by Cloud Storage buckets in the same Google Cloud Platform project.

  Event types

  Cloud Storage events used by Cloud Functions are based on Cloud Pub/Sub Notifications for Google Cloud Storage and can be configured in a similar way.

  Supported trigger type values are:

  google.storage.object.finalize

  google.storage.object.delete

  google.storage.object.archive

  google.storage.object.metadataUpdate

  Object Finalize

  Trigger type value: google.storage.object.finalize

  This event is sent when a new object is created (or an existing object is overwritten, and a new generation of that object is created) in the bucket.

  https://cloud.google.com/functions/docs/calling/storage#event_types

• Question 43:

  Your company runs its Linux workloads on Compute Engine instances. Your company will be working with a new operations partner that does not use Google Accounts. You need to grant access to the instances to your operations partner so they can maintain the installed tooling. What should you do?

  A. Enable Cloud IAP for the Compute Engine instances, and add the operations partner as a Cloud IAP Tunnel User.

  B. Tag all the instances with the same network tag. Create a firewall rule in the VPC to grant TCP access on port 22 for traffic from the operations partner to instances with the network tag.

  C. Set up Cloud VPN between your Google Cloud VPC and the internal network of the operations partner.

  D. Ask the operations partner to generate SSH key pairs, and add the public keys to the VM instances.

  Correct Answer: A

  A is the correct answer,

  IAP controls access to your App Engine apps and Compute Engine VMs running on Google Cloud. It leverages user identity and the context of a request to determine if a user should be allowed access. IAP is a building block toward

  BeyondCorp, an enterprise security model that enables employees to work from untrusted networks without using a VPN.

  By default, IAP uses Google identities and IAM. By leveraging Identity Platform instead, you can authenticate users with a wide range of external identity providers, such as:

  Email/password

  OAuth (Google, Facebook, Twitter, GitHub, Microsoft, etc.)

  SAML

  OIDC

  Phone number

  Custom

  Anonymous

  This is useful if your application is already using an external authentication system, and migrating your users to Google accounts is impractical.

• Question 44:

  You are working with a user to set up an application in a new VPC behind a firewall. The user is concerned about data egress. You want to configure the fewest open egress ports. What should you do?

  A. Set up a low-priority (65534) rule that blocks all egress and a high-priority rule (1000) that allows only the appropriate ports.

  B. Set up a high-priority (1000) rule that pairs both ingress and egress ports.

  C. Set up a high-priority (1000) rule that blocks all egress and a low-priority (65534) rule that allows only the appropriate ports.

  D. Set up a high-priority (1000) rule to allow the appropriate ports.

  Correct Answer: A

  Implied rules Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console: Implied allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination, except for traffic blocked by Google Cloud. A higher priority firewall rule may restrict outbound access. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a Cloud NAT instance. For more information, see Internet access requirements. Implied deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access. The default network includes some additional rules that override this one, allowing certain types of incoming connections. https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules

• Question 45:

  You have a batch workload that runs every night and uses a large number of virtual machines (VMs). It is fault-tolerant and can tolerate some of the VMs being terminated. The current cost of VMs is too high. What should you do?

  A. Run a test using simulated maintenance events. If the test is successful, use preemptible N1 Standard VMs when running future jobs.

  B. Run a test using simulated maintenance events. If the test is successful, use N1 Standard VMs when running future jobs.

  C. Run a test using a managed instance group. If the test is successful, use N1 Standard VMs in the managed instance group when running future jobs.

  D. Run a test using N1 standard VMs instead of N2. If the test is successful, use N1 Standard VMs when running future jobs.

  Correct Answer: A

  Creating and starting a preemptible VM instance This page explains how to create and use a preemptible virtual machine (VM) instance. A preemptible instance is an instance you can create and run at a much lower price than normal instances. However, Compute Engine might terminate (preempt) these instances if it requires access to those resources for other tasks. Preemptible instances will always terminate after 24 hours. To learn more about preemptible instances, read the preemptible instances documentation.

  Preemptible instances are recommended only for fault-tolerant applications that can withstand instance preemptions. Make sure your application can handle preemptions before you decide to create a preemptible instance. To understand the risks and value of preemptible instances, read the preemptible instances documentation.

  https://cloud.google.com/compute/docs/instances/create-start-preemptible-instance

• Question 46:

  A colleague handed over a Google Cloud Platform project for you to maintain. As part of a security checkup, you want to review who has been granted the Project Owner role. What should you do?

  A. In the console, validate which SSH keys have been stored as project-wide keys.

  B. Navigate to Identity-Aware Proxy and check the permissions for these resources.

  C. Enable Audit Logs on the IAM and admin page for all resources, and validate the results.

  D. Use the command gcloud projects get-iam-policy to view the current role assignments.

  Correct Answer: D

  Correct Answer is (D):

  A simple approach would be to use the command flags available when listing all the IAM policy for a given project. For instance, the following command:

  `gcloud projects get-iam-policy $PROJECT_ID --flatten="bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner"`

  outputs all the users and service accounts associated with the role `roles/owner' in the project in question.

  https://groups.google.com/g/google-cloud-dev/c/Z6sZs7TvygQ?pli=1

• Question 47:

  You are running multiple VPC-native Google Kubernetes Engine clusters in the same subnet. The IPs available for the nodes are exhausted, and you want to ensure that the clusters can grow in nodes when needed. What should you do?

  A. Create a new subnet in the same region as the subnet being used.

  B. Add an alias IP range to the subnet used by the GKE clusters.

  C. Create a new VPC, and set up VPC peering with the existing VPC.

  D. Expand the CIDR range of the relevant subnet for the cluster.

  Correct Answer: D

  Correct Answer is (D):

  gcloud compute networks subnets expand-ip-range NAME gcloud compute networks subnets expand-ip-range - expand the IP range of a Compute Engine subnetwork

  https://cloud.google.com/sdk/gcloud/reference/compute/networks/subnets/expand-ip-range

• Question 48:

  You have an application that uses Cloud Spanner as a database backend to keep current state information about users. Cloud Bigtable logs all events triggered by users. You export Cloud Spanner data to Cloud Storage during daily backups. One of your analysts asks you to join data from Cloud Spanner and Cloud Bigtable for specific users. You want to complete this ad hoc request as efficiently as possible. What should you do?

  A. Create a dataflow job that copies data from Cloud Bigtable and Cloud Storage for specific users.

  B. Create a dataflow job that copies data from Cloud Bigtable and Cloud Spanner for specific users.

  C. Create a Cloud Dataproc cluster that runs a Spark job to extract data from Cloud Bigtable and Cloud Storage for specific users.

  D. Create two separate BigQuery external tables on Cloud Storage and Cloud Bigtable. Use the BigQuery console to join these tables through user fields, and apply appropriate filters.

  Correct Answer: D

  D is the correct answer,

  An external data source is a data source that you can query directly from BigQuery, even though the data is not stored in BigQuery storage.

  BigQuery supports the following external data sources:

  Amazon S3

  Azure Storage

  Cloud Bigtable

  Cloud Spanner

  Cloud SQL

  Cloud Storage

  Drive

• Question 49:

  You are hosting an application from Compute Engine virtual machines (VMs) in us-central1-a. You want to adjust your design to support the failure of a single Compute Engine zone, eliminate downtime, and minimize cost. What should you do?

  A. - Create Compute Engine resources in us-central1-b.

  -Balance the load across both us-central1-a and us-central1-b.

  B. - Create a Managed Instance Group and specify us-central1-a as the zone.

  -Configure the Health Check with a short Health Interval.

  C. - Create an HTTP(S) Load Balancer.

  - Create one or more global forwarding rules to direct traffic to your VMs.

  D. - Perform regular backups of your application.

  - Create a Cloud Monitoring Alert and be notified if your application becomes unavailable.

  -Restore from backups when notified.

  Correct Answer: A

  This seems straightforward. "A" is the only answer that involves putting instances in more than one zone!

  A. Yes, creating instances in another zone and balancing the loads will fix this problem

  B. Wrong. This keeps all the instances in one zone, but the question says we want to protect against zone failures.

  C. Wrong. This keeps all the instances in one zone, but the question says we want to protect against zone failures.

  D. Wrong. This keeps all the instances in one zone, but the question says we want to protect against zone failures.

• Question 50:

  Your existing application running in Google Kubernetes Engine (GKE) consists of multiple pods running on four GKE n1-standard-2 nodes. You need to deploy additional pods requiring n2-highmem-16 nodes without any downtime. What should you do?

  A. Use gcloud container clusters upgrade. Deploy the new services.

  B. Create a new Node Pool and specify machine type n2-highmem-16. Deploy the new pods.

  C. Create a new cluster with n2-highmem-16 nodes. Redeploy the pods and delete the old cluster.

  D. Create a new cluster with both n1-standard-2 and n2-highmem-16 nodes. Redeploy the pods and delete the old cluster.

  Correct Answer: B

  B is correct answer, read below form google docs;

  This tutorial demonstrates how to migrate workloads running on a Google Kubernetes Engine (GKE) cluster to a new set of nodes within the same cluster without incurring downtime for your application. Such a migration can be useful if you

  want to migrate your workloads to nodes with a different machine type.

  Background

  A node pool is a subset of machines that all have the same configuration, including machine type (CPU and memory) authorization scopes. Node pools represent a subset of nodes within a cluster; a container cluster can contain one or more

  node pools.

  When you need to change the machine profile of your Compute Engine cluster, you can create a new node pool and then migrate your workloads over to the new node pool.

  To migrate your workloads without incurring downtime, you need to:

  Mark the existing node pool as unschedulable.

  Drain the workloads running on the existing node pool.

  Delete the existing node pool.

  https://cloud.google.com/kubernetes-engine/docs/tutorials/migrating-node-pool#creating_a_node_pool_with_large_machine_type