Google Google Certifications PROFESSIONAL-CLOUD-DEVELOPER Questions & Answers

• Question 11:

  You are trying to connect to your Google Kubernetes Engine (GKE) cluster using kubectl from Cloud Shell. You have deployed your GKE cluster with a public endpoint. From Cloud Shell, you run the following command:

  

  You notice that the kubectl commands time out without returning an error message. What is the most likely cause of this issue?

  A. Your user account does not have privileges to interact with the cluster using kubectl.

  B. Your Cloud Shell external IP address is not part of the authorized networks of the cluster.

  C. The Cloud Shell is not part of the same VPC as the GKE cluster.

  D. A VPC firewall is blocking access to the cluster's endpoint.

  Correct Answer: B

  https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#cloud_shell

  If you want to use Cloud Shell to access the cluster, you must add the public IP address of your Cloud Shell to the cluster's list of authorized networks.

• Question 12:

  You recently deployed a Go application on Google Kubernetes Engine (GKE). The operations team has noticed that the application's CPU usage is high even when there is low production traffic. The operations team has asked you to optimize your application's CPU resource consumption. You want to determine which Go functions consume the largest amount of CPU. What should you do?

  A. Deploy a Fluent Bit daemonset on the GKE cluster to log data in Cloud Logging. Analyze the logs to get insights into your application code's performance.

  B. Create a custom dashboard in Cloud Monitoring to evaluate the CPU performance metrics of your application.

  C. Connect to your GKE nodes using SSH. Run the top command on the shell to extract the CPU utilization of your application.

  D. Modify your Go application to capture profiling data. Analyze the CPU metrics of your application in flame graphs in Profiler.

  Correct Answer: D

  https://cloud.google.com/profiler/docs/about-profiler Cloud Profiler is a statistical, low-overhead profiler that continuously gathers CPU usage and memory-allocation information from your production applications. It attributes that information to the source code that generated it, helping you identify the parts of your application that are consuming the most resources, and otherwise illuminating your applications performance characteristics. https://cloud.google.com/profiler/docs

• Question 13:

  You have an application deployed in Google Kubernetes Engine (GKE). You need to update the application to make authorized requests to Google Cloud managed services. You want this to be a one-time setup, and you need to follow security best practices of auto-rotating your security keys and storing them in an encrypted store. You already created a service account with appropriate access to the Google Cloud service. What should you do next?

  A. Assign the Google Cloud service account to your GKE Pod using Workload Identity.

  B. Export the Google Cloud service account, and share it with the Pod as a Kubernetes Secret.

  C. Export the Google Cloud service account, and embed it in the source code of the application.

  D. Export the Google Cloud service account, and upload it to HashiCorp Vault to generate a dynamic service account for your application.

  Correct Answer: A

  https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

  Applications running on GKE might need access to Google Cloud APIs such as Compute Engine API, BigQuery Storage API, or Machine Learning APIs.

  Workload Identity allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as the IAM service account when accessing Google Cloud APIs. Using Workload Identity allows you to assign distinct, fine-grained identities and authorization for each application in your cluster.

• Question 14:

  You manage a microservices application on Google Kubernetes Engine (GKE) using Istio. You secure the communication channels between your microservices by implementing an Istio AuthorizationPolicy, a Kubernetes NetworkPolicy, and mTLS on your GKE cluster. You discover that HTTP requests between two Pods to specific URLs fail, while other requests to other URLs succeed. What is the cause of the connection issue?

  A. A Kubernetes NetworkPolicy resource is blocking HTTP traffic between the Pods.

  B. The Pod initiating the HTTP requests is attempting to connect to the target Pod via an incorrect TCP port.

  C. The Authorization Policy of your cluster is blocking HTTP requests for specific paths within your application.

  D. The cluster has mTLS configured in permissive mode, but the Pod's sidecar proxy is sending unencrypted traffic in plain text.

  Correct Answer: C

• Question 15:

  You are building a highly available and globally accessible application that will serve static content to users. You need to configure the storage and serving components. You want to minimize management overhead and latency while maximizing reliability for users. What should you do?

  A. 1) Create a managed instance group. Replicate the static content across the virtual machines (VMs) 2) Create an external HTTP(S) load balancer. 3) Enable Cloud CDN, and send traffic to the managed instance group.

  B. 1) Create an unmanaged instance group. Replicate the static content across the VMs. 2) Create an external HTTP(S) load balancer 3) Enable Cloud CDN, and send traffic to the unmanaged instance group.

  C. 1) Create a Standard storage class, regional Cloud Storage bucket. Put the static content in the bucket 2) Reserve an external IP address, and create an external HTTP(S) load balancer 3) Enable Cloud CDN, and send traffic to your backend bucket

  D. 1) Create a Standard storage class, multi-regional Cloud Storage bucket. Put the static content in the bucket. 2) Reserve an external IP address, and create an external HTTP(S) load balancer. 3) Enable Cloud CDN, and send traffic to your backend bucket.

  Correct Answer: D

• Question 16:

  You are developing a JPEG image-resizing API hosted on Google Kubernetes Engine (GKE). Callers of the service will exist within the same GKE cluster. You want clients to be able to get the IP address of the service.

  What should you do?

  A. Define a GKE Service. Clients should use the name of the A record in Cloud DNS to find the service's cluster IP address.

  B. Define a GKE Service. Clients should use the service name in the URL to connect to the service.

  C. Define a GKE Endpoint. Clients should get the endpoint name from the appropriate environment variable in the client container.

  D. Define a GKE Endpoint. Clients should get the endpoint name from Cloud DNS.

  Correct Answer: C

• Question 17:

  Your development team has been tasked with maintaining a .NET legacy application. The application incurs occasional changes and was recently updated. Your goal is to ensure that the application provides consistent results while moving through the CI/CD pipeline from environment to environment. You want to minimize the cost of deployment while making sure that external factors and dependencies between hosting environments are not problematic. Containers are not yet approved in your organization. What should you do?

  A. Rewrite the application using .NET Core, and deploy to Cloud Run. Use revisions to separate the environments.

  B. Use Cloud Build to deploy the application as a new Compute Engine image for each build. Use this image in each environment.

  C. Deploy the application using MS Web Deploy, and make sure to always use the latest, patched MS Windows Server base image in Compute Engine.

  D. Use Cloud Build to package the application, and deploy to a Google Kubernetes Engine cluster. Use namespaces to separate the environments.

  Correct Answer: B

  https://cloud.google.com/architecture/modernization-path-dotnet-applications-google- cloud#phase_1_rehost_in_the_cloud https://cloud.google.com/architecture/modernization-path-dotnet-applications-google-cloud

• Question 18:

  You want to migrate an on-premises container running in Knative to Google Cloud. You need to make sure that the migration doesn't affect your application's deployment strategy, and you want to use a fully managed service. Which Google Cloud service should you use to deploy your container?

  A. Cloud Run

  B. Compute Engine

  C. Google Kubernetes Engine

  D. App Engine flexible environment

  Correct Answer: A

  Explanation: https://cloud.google.com/blog/products/serverless/knative-based-cloud-run- services-are-ga

• Question 19:

  You are using the Cloud Client Library to upload an image in your application to Cloud Storage. Users of the application report that occasionally the upload does not complete and the client library reports an HTTP 504 Gateway Timeout error. You want to make the application more resilient to errors. What changes to the application should you make?

  A. Write an exponential backoff process around the client library call.

  B. Write a one-second wait time backoff process around the client library call.

  C. Design a retry button in the application and ask users to click if the error occurs.

  D. Create a queue for the object and inform the users that the application will try again in 10 minutes.

  Correct Answer: A

• Question 20:

  You have an application deployed in production. When a new version is deployed, you want to ensure that all production traffic is routed to the new version of your application. You also want to keep the previous version deployed so that you can revert to it if there is an issue with the new version.

  Which deployment strategy should you use?

  A. Blue/green deployment

  B. Canary deployment

  C. Rolling deployment

  D. Recreate deployment

  Correct Answer: A