Google Google Certifications PROFESSIONAL-CLOUD-DEVELOPER Questions & Answers

• Question 91:

  Your team develops services that run on Google Cloud. You need to build a data processing service and will use Cloud Functions. The data to be processed by the function is sensitive. You need to ensure that invocations can only happen from authorized services and follow Google-recommended best practices for securing functions. What should you do?

  A. Enable Identity-Aware Proxy in your project. Secure function access using its permissions.

  B. Create a service account with the Cloud Functions Viewer role. Use that service account to invoke the function.

  C. Create a service account with the Cloud Functions Invoker role. Use that service account to invoke the function.

  D. Create an OAuth 2.0 client ID for your calling service in the same project as the function you want to secure. Use those credentials to invoke the function.

  Correct Answer: C

  Reference: https://medium.com/google-cloud/how-to-securely-invoke-a-cloud-function- from-google-kubernetes-engine-running-on-another-gcp-79797ec2b2c6

• Question 92:

  Your application is running on Compute Engine and is showing sustained failures for a small number of requests. You have narrowed the cause down to a single Compute Engine instance, but the instance is unresponsive to SSH. What should you do next?

  A. Reboot the machine.

  B. Enable and check the serial port output.

  C. Delete the machine and create a new one.

  D. Take a snapshot of the disk and attach it to a new machine.

  Correct Answer: A

• Question 93:

  Your existing application keeps user state information in a single MySQL database. This state information is

  very user-specific and depends heavily on how long a user has been using an application.

  The MySQL

  database is causing challenges to maintain and enhance the schema for various users.

  Which storage option should you choose?

  A. Cloud SQL

  B. Cloud Storage

  C. Cloud Spanner

  D. Cloud Datastore/Firestore

  Correct Answer: A

  Reference: https://cloud.google.com/solutions/migrating-mysql-to-cloudsql-concept

• Question 94:

  You are a SaaS provider deploying dedicated blogging software to customers in your Google Kubernetes Engine (GKE) cluster. You want to configure a secure multi-tenant platform to ensure that each customer has access to only their own blog and can't affect the workloads of other customers. What should you do?

  A. Enable Application-layer Secrets on the GKE cluster to protect the cluster.

  B. Deploy a namespace per tenant and use Network Policies in each blog deployment.

  C. Use GKE Audit Logging to identify malicious containers and delete them on discovery.

  D. Build a custom image of the blogging software and use Binary Authorization to prevent untrusted image deployments.

  Correct Answer: B

  Reference: https://cloud.google.com/kubernetes-engine/docs/concepts/multitenancy- overview

• Question 95:

  You work for an organization that manages an ecommerce site. Your application is deployed behind a global HTTP(S) load balancer. You need to test a new product recommendation algorithm. You plan to use A/B testing to determine the new algorithm's effect on sales in a randomized way. How should you test this feature?

  A. Split traffic between versions using weights.

  B. Enable the new recommendation feature flag on a single instance.

  C. Mirror traffic to the new version of your application.

  D. Use HTTP header-based routing.

  Correct Answer: C

  https://cloud.google.com/load-balancing/docs/https/traffic-management- global#traffic_actions_weight-based_traffic_splitting Deploying a new version of an existing production service generally incurs some risk. Even if your tests pass in staging, you probably don't want to subject 100% of your users to the new version immediately. With traffic management, you can define percentage-based traffic splits across multiple backend services.

  For example, you can send 95% of the traffic to the previous version of your service and 5% to the new version of your service. After you've validated that the new production version works as expected, you can gradually shift the percentages until 100% of the traffic reaches the new version of your service. Traffic splitting is typically used for deploying new versions, A/B testing, service migration, and similar processes. https://cloud.google.com/traffic-director/docs/advanced-trafficmanagement#weight- based_traffic_splitting_for_safer_deployments

  https://cloud.google.com/architecture/implementing-deployment-and-testing-strategies-on- gke#split_the_traffic_2

  https://cloud.google.com/load-balancing/docs/https/traffic-management- global#traffic_actions_weight-based_traffic_splitting

• Question 96:

  You are developing an application that will be launched on Compute Engine instances into multiple distinct projects, each corresponding to the environments in your software development process (development, QA, staging, and production).

  The instances in each project have the same application code but a different configuration. During deployment, each instance should receive the application's configuration based on the environment it serves. You want to minimize the

  number of steps to configure this flow.

  What should you do?

  A. When creating your instances, configure a startup script using the gcloud command to determine the project name that indicates the correct environment.

  B. In each project, configure a metadata key "environment" whose value is the environment it serves. Use your deployment tool to query the instance metadata and configure the application based on the "environment" value.

  C. Deploy your chosen deployment tool on an instance in each project. Use a deployment job to retrieve the appropriate configuration file from your version control system, and apply the configuration when deploying the application on each instance.

  D. During each instance launch, configure an instance custom-metadata key named "environment" whose value is the environment the instance serves. Use your deployment tool to query the instance metadata, and configure the application based on the "environment" value.

  Correct Answer: B

  Reference: https://cloud.google.com/compute/docs/metadata/overview

• Question 97:

  You are developing a web application that contains private images and videos stored in a Cloud Storage bucket. Your users are anonymous and do not have Google Accounts. You want to use your application-specific logic to control access to the images and videos. How should you configure access?

  A. Cache each web application user's IP address to create a named IP table using Google Cloud Armor. Create a Google Cloud Armor security policy that allows users to access the backend bucket.

  B. Grant the Storage Object Viewer IAM role to allUsers. Allow users to access the bucket after authenticating through your web application.

  C. Configure Identity-Aware Proxy (IAP) to authenticate users into the web application. Allow users to access the bucket after authenticating through IAP.

  D. Generate a signed URL that grants read access to the bucket. Allow users to access the URL after authenticating through your web application.

  Correct Answer: D

  https://cloud.google.com/storage/docs/access-control/signed-urls#should-you-use

  In some scenarios, you might not want to require your users to have a Google account in order to access Cloud Storage, but you still want to control access using your application- specific logic. The typical way to address this use case is to provide a signed URL to a user, which gives the user read, write, or delete access to that resource for a limited time. You specify an expiration time when you create the signed URL. Anyone who knows the URL can access the resource until the expiration time for the URL is reached or the key used to sign the URL is rotated.

• Question 98:

  You are creating a Google Kubernetes Engine (GKE) cluster and run this command:

  

  The command fails with the error:

  

  You want to resolve the issue. What should you do?

  A. Request additional GKE quota is the GCP Console.

  B. Request additional Compute Engine quota in the GCP Console.

  C. Open a support case to request additional GKE quotA.

  D. Decouple services in the cluster, and rewrite new clusters to function with fewer cores.

  Correct Answer: A

• Question 99:

  You recently deployed your application in Google Kubernetes Engine, and now need to release a new version of your application. You need the ability to instantly roll back to the previous version in case there are issues with the new version. Which deployment model should you use?

  A. Perform a rolling deployment, and test your new application after the deployment is complete.

  B. Perform A/B testing, and test your application periodically after the new tests are implemented.

  C. Perform a blue/green deployment, and test your new application after the deployment is. complete.

  D. Perform a canary deployment, and test your new application periodically after the new version is deployed.

  Correct Answer: C

• Question 100:

  Your analytics system executes queries against a BigQuery dataset. The SQL query is executed in batch and passes the contents of a SQL file to the BigQuery CLI. Then it redirects the BigQuery CLI output to another process. However, you are getting a permission error from the BigQuery CLI when the queries are executed. You want to resolve the issue. What should you do?

  A. Grant the service account BigQuery Data Viewer and BigQuery Job User roles.

  B. Grant the service account BigQuery Data Editor and BigQuery Data Viewer roles.

  C. Create a view in BigQuery from the SQL query and SELECT* from the view in the CLI.

  D. Create a new dataset in BigQuery, and copy the source table to the new dataset Query the new dataset and table from the CLI.

  Correct Answer: B