Summer Special Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: spcl70

Practice Free Associate-Cloud-Engineer Google Cloud Certified - Associate Cloud Engineer Exam Questions Answers With Explanation

We at Crack4sure are committed to giving students who are preparing for the Google Associate-Cloud-Engineer Exam the most current and reliable questions . To help people study, we've made some of our Google Cloud Certified - Associate Cloud Engineer exam materials available for free to everyone. You can take the Free Associate-Cloud-Engineer Practice Test as many times as you want. The answers to the practice questions are given, and each answer is explained.

Question # 6

You are hosting an application from Compute Engine virtual machines (VMs) in us–central1–a. You want to adjust your design to support the failure of a single Compute Engine zone, eliminate downtime, and minimize cost. What should you do?

A.

– Create Compute Engine resources in us–central1–b.–Balance the load across both us–central1–a and us–central1–b.

B.

– Create a Managed Instance Group and specify us–central1–a as the zone.–Configure the Health Check with a short Health Interval.

C.

– Create an HTTP(S) Load Balancer.–Create one or more global forwarding rules to direct traffic to your VMs.

D.

– Perform regular backups of your application.–Create a Cloud Monitoring Alert and be notified if your application becomes unavailable.–Restore from backups when notified.

Question # 7

You built an application on Google Cloud Platform that uses Cloud Spanner. Your support team needs to monitor the environment but should not have access to table data. You need a streamlined solution to grant the correct permissions to your support team, and you want to follow Google-recommended practices. What should you do?

A.

Add the support team group to the roles/monitoring.viewer role

B.

Add the support team group to the roles/spanner.databaseUser role.

C.

Add the support team group to the roles/spanner.databaseReader role.

D.

Add the support team group to the roles/stackdriver.accounts.viewer role.

Question # 8

Your company has a single sign-on (SSO) identity provider that supports Security Assertion Markup Language (SAML) integration with service providers. Your company has users in Cloud Identity. You would like users to authenticate using your company’s SSO provider. What should you do?

A.

In Cloud Identity, set up SSO with Google as an identity provider to access custom SAML apps.

B.

In Cloud Identity, set up SSO with a third-party identity provider with Google as a service provider.

C.

Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Mobile & Desktop Apps.

D.

Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Web Server Applications.

Question # 9

Your company has embraced a hybrid cloud strategy where some of the applications are deployed on Google Cloud. A Virtual Private Network (VPN) tunnel connects your Virtual Private Cloud (VPC) in Google Cloud with your company ' s on-premises network. Multiple applications in Google Cloud need to connect to an on-premises database server, and you want to avoid having to change the IP configuration in all of your applications when the IP of the database changes.

What should you do?

A.

Configure Cloud NAT for all subnets of your VPC to be used when egressing from the VM instances.

B.

Create a private zone on Cloud DNS, and configure the applications with the DNS name.

C.

Configure the IP of the database as custom metadata for each instance, and query the metadata server.

D.

Query the Compute Engine internal DNS from the applications to retrieve the IP of the database.

Question # 10

You are the organization and billing administrator for your company. The engineering team has the Project Creator role on the organization. You do not want the engineering team to be able to link projects to the billing account. Only the finance team should be able to link a project to a billing account, but they should not be able to make any other changes to projects. What should you do?

A.

Assign the finance team only the Billing Account User role on the billing account.

B.

Assign the engineering team only the Billing Account User role on the billing account.

C.

Assign the finance team the Billing Account User role on the billing account and the Project Billing Manager role on the organization.

D.

Assign the engineering team the Billing Account User role on the billing account and the Project Billing Manager role on the organization.

Question # 11

You have been asked to migrate a docker application from datacenter to cloud. Your solution architect has suggested uploading docker images to GCR in one project and running an application in a GKE cluster in a separate project. You want to store images in the project img-278322 and run the application in the project prod-278986. You want to tag the image as acme_track_n_trace:v1. You want to follow Google-recommended practices. What should you do?

A.

Run gcloud builds submit --tag gcr.io/img-278322/acme_track_n_trace

B.

Run gcloud builds submit --tag gcr.io/img-278322/acme_track_n_trace:v1

C.

Run gcloud builds submit --tag gcr.io/prod-278986/acme_track_n_trace

D.

Run gcloud builds submit --tag gcr.io/prod-278986/acme_track_n_trace:v1

Question # 12

(Your company’s developers use an automation that you recently built to provision Linux VMs in Compute Engine within a Google Cloud project to perform various tasks. You need to manage the Linux account lifecycle and access for these users. You want to follow Google-recommended practices to simplify access management while minimizing operational costs. What should you do?)

A.

Enable OS Login for all VMs. Use IAM roles to grant user permissions.

B.

Enable OS Login for all VMs. Write custom startup scripts to update user permissions.

C.

Require your developers to create public SSH keys. Make the owner of the public key the root user.

D.

Require your developers to create public SSH keys. Write custom startup scripts to update user permissions.

Question # 13

You have a Google Cloud Platform account with access to both production and development projects. You need to create an automated process to list all compute instances in development and production projects on a daily basis. What should you do?

A.

Create two configurations using gcloud config. Write a script that sets configurations as active, individually. For each configuration, use gcloud compute instances list to get a list of compute resources.

B.

Create two configurations using gsutil config. Write a script that sets configurations as active, individually. For each configuration, use gsutil compute instances list to get a list of compute resources.

C.

Go to Cloud Shell and export this information to Cloud Storage on a daily basis.

D.

Go to GCP Console and export this information to Cloud SQL on a daily basis.

Question # 14

Your team maintains the infrastructure for your organization. The current infrastructure requires changes. You need to share your proposed changes with the rest of the team. You want to follow Google’s recommended best practices. What should you do?

A.

Use Deployment Manager templates to describe the proposed changes and store them in a Cloud Storage bucket.

B.

Use Deployment Manager templates to describe the proposed changes and store them in Cloud Source Repositories.

C.

Apply the change in a development environment, run gcloud compute instances list, and then save the output in a shared Storage bucket.

D.

Apply the change in a development environment, run gcloud compute instances list, and then save the output in Cloud Source Repositories.

Question # 15

You need to reduce GCP service costs for a division of your company using the fewest possible steps. You need to turn off all configured services in an existing GCP project. What should you do?

A.

1. Verify that you are assigned the Project Owners IAM role for this project.2. Locate the project in the GCP console, click Shut down and then enter the project ID.

B.

1. Verify that you are assigned the Project Owners IAM role for this project.2. Switch to the project in the GCP console, locate the resources and delete them.

C.

1. Verify that you are assigned the Organizational Administrator IAM role for this project.2. Locate the project in the GCP console, enter the project ID and then click Shut down.

D.

1. Verify that you are assigned the Organizational Administrators IAM role for this project.2. Switch to the project in the GCP console, locate the resources and delete them.

Question # 16

Your VMs are running in a subnet that has a subnet mask of 255.255.255.240. The current subnet has no more free IP addresses and you require an additional 10 IP addresses for new VMs. The existing and new VMs should all be able to reach each other without additional routes. What should you do?

A.

Use gcloud to expand the IP range of the current subnet.

B.

Delete the subnet, and recreate it using a wider range of IP addresses.

C.

Create a new project. Use Shared VPC to share the current network with the new project.

D.

Create a new subnet with the same starting IP but a wider range to overwrite the current subnet.

Question # 17

You need to create a Compute Engine instance in a new project that doesn’t exist yet. What should you do?

A.

Using the Cloud SDK, create a new project, enable the Compute Engine API in that project, and then create the instance specifying your new project.

B.

Enable the Compute Engine API in the Cloud Console, use the Cloud SDK to create the instance, and then use the ––project flag to specify a new project.

C.

Using the Cloud SDK, create the new instance, and use the ––project flag to specify the new project.Answer yes when prompted by Cloud SDK to enable the Compute Engine API.

D.

Enable the Compute Engine API in the Cloud Console. Go to the Compute Engine section of the Console to create a new instance, and look for the Create In A New Project option in the creation form.

Question # 18

Your company stores data from multiple sources that have different data storage requirements. These data include:

1. Customer data that is structured and read with complex queries

2. Historical log data that is large in volume and accessed infrequently

3. Real-time sensor data with high-velocity writes, which needs to be available for analysis but can tolerate some data loss

You need to design the most cost-effective storage solution that fulfills all data storage requirements. What should you do?

A.

Use Spanner for all data.

B.

Use Cloud SQL for customer data, Cloud Storage (Coldline) for historical logs, and BigQuery for sensor data.

C.

Use Cloud SQL for customer data, Cloud Storage (Archive) for historical logs, and Bigtable for sensor data.

D.

Use Firestore for customer data, Cloud Storage (Nearline) for historical logs, and Bigtable for sensor data.

Question # 19

You have a Bigtable instance that consists of three nodes that store personally identifiable information (Pll) data. You need to log all read or write operations, including any metadata or configuration reads of this database table, in your company ' s Security Information and Event Management (SIEM) system. What should you do?

A.

• Navigate to Cloud Mentioning in the Google Cloud console, and create a custom monitoring job for theBigtable instance to track all changes.• Create an alert by using webhook endpoints. with the SIEM endpoint as a receiver

B.

• Navigate to the Audit Logs page in the Google Cloud console, and enable Data Read. Data Write and Admin Read logs for the Bigtable instance• Create a Pub/Sub topic as a Cloud Logging sink destination, and add your SIEM as a subscriber to the topic.

C.

• Install the Ops Agent on the Bigtable instance during configuration. K• Create a service account with read permissions for the Bigtable instance.• Create a custom Dataflow job with this service account to export logs to the company ' s SIEM system.

D.

• Navigate to the Audit Logs page in the Google Cloud console, and enable Admin Write logs for theBiglable instance.• Create a Cloud Functions instance to export logs from Cloud Logging to your SIEM.

Question # 20

You need to create a custom VPC with a single subnet. The subnet’s range must be as large as possible. Which range should you use?

A.

.00.0.0/0

B.

10.0.0.0/8

C.

172.16.0.0/12

D.

192.168.0.0/16

Question # 21

You have a large 5-TB AVRO file stored in a Cloud Storage bucket. Your analysts are proficient only in SQL and need access to the data stored in this file. You want to find a cost-effective way to complete their request as soon as possible. What should you do?

A.

Load data in Cloud Datastore and run a SQL query against it.

B.

Create a BigQuery table and load data in BigQuery. Run a SQL query on this table and drop this table after you complete your request.

C.

Create external tables in BigQuery that point to Cloud Storage buckets and run a SQL query on these external tables to complete your request.

D.

Create a Hadoop cluster and copy the AVRO file to NDFS by compressing it. Load the file in a hive table and provide access to your analysts so that they can run SQL queries.

Question # 22

You created a Kubernetes deployment by running kubectl run nginx image=nginx labels=app=prod. Your Kubernetes cluster is also used by a number of other deployments. How can you find the identifier of the pods for this nginx deployment?

A.

kubectl get deployments –output=pods

B.

gcloud get pods –selector=”app=prod”

C.

kubectl get pods -I “app=prod”

D.

gcloud list gke-deployments -filter={pod }

Question # 23

During a recent audit of your existing Google Cloud resources, you discovered several users with email addresses outside of your Google Workspace domain.

You want to ensure that your resources are only shared with users whose email addresses match your domain. You need to remove any mismatched users, and you want to avoid having to audit your resources to identify mismatched users. What should you do?

A.

Create a Cloud Scheduler task to regularly scan your projects and delete mismatched users.

B.

Create a Cloud Scheduler task to regularly scan your resources and delete mismatched users.

C.

Set an organizational policy constraint to limit identities by domain to automatically remove mismatched users.

D.

Set an organizational policy constraint to limit identities by domain, and then retroactively remove the existing mismatched users.

Question # 24

You are given a project with a single virtual private cloud (VPC) and a single subnetwork in the us-central1 region. There is a Compute Engine instance hosting an application in thissubnetwork. You need to deploy a new instance in the same project in the europe-west1 region. This new instance needs access to the application. You want to follow Google-recommended practices. What should you do?

A.

1. Create a subnetwork in the same VPC, in europe-west1.2. Create the new instance in the new subnetwork and use the first instance ' s private address as the endpoint.

B.

1. Create a VPC and a subnetwork in europe-west1.2. Expose the application with an internal load balancer.3. Create the new instance in the new subnetwork and use the load balancer ' s address as the endpoint.

C.

1. Create a subnetwork in the same VPC, in europe-west1.2. Use Cloud VPN to connect the two subnetworks.3. Create the new instance in the new subnetwork and use the first instance ' s private address as the endpoint.

D.

1. Create a VPC and a subnetwork in europe-west1.2. Peer the 2 VPCs.3. Create the new instance in the new subnetwork and use the first instance ' s private address as the endpoint.

Question # 25

Your organization has a dedicated person who creates and manages all service accounts for Google Cloud projects. You need to assign this person the minimum role for projects. What should you do?

A.

Add the user to roles/iam.roleAdmin role.

B.

Add the user to roles/iam.securityAdmin role.

C.

Add the user to roles/iam.serviceAccountUser role.

D.

Add the user to roles/iam.serviceAccountAdmin role.

Question # 26

You are planning to migrate your containerized workloads to Google Kubernetes Engine (GKE). You need to determine which GKE option to use. Your solution must have high availability, minimal downtime, and the ability to promptly apply security updates to your nodes. You also want to pay only for the compute resources that your workloads use without managing nodes. You want to follow Google-recommended practices and minimize operational costs. What should you do?

A.

Configure a Standard multi-zonal GKE cluster.

B.

Configure an Autopilot GKE cluster.

C.

Configure a Standard zonal GKE cluster.

D.

Configure a Standard regional GKE cluster.

Question # 27

Your company has workloads running on Compute Engine and on-premises. The Google Cloud Virtual Private Cloud (VPC) is connected to your WAN over a Virtual Private Network (VPN). You need to deploy a new Compute Engine instance and ensure that no public Internet traffic can be routed to it. What should you do?

A.

Create the instance without a public IP address.

B.

Create the instance with Private Google Access enabled.

C.

Create a deny-all egress firewall rule on the VPC network.

D.

Create a route on the VPC to route all traffic to the instance over the VPN tunnel.

Question # 28

You assist different engineering teams in deploying their infrastructure on Google Cloud. Your company has defined certain practices required for all workloads. You need to provide the engineering teams with a solution that enables teams to deploy their infrastructure independently without having to know all implementation details of the company ' s required practices. What should you do?

A.

Create a service account per team, and grant the service account the Project Editor role. Ask the teams to provision their infrastructure through the Google Cloud CLI (gcloud CLI), while impersonating their dedicated service account.

B.

Provide training for all engineering teams you work with to understand the company’s required practices. Allow the engineering teams to provision the infrastructure to best meet their needs.

C.

Configure organization policies to enforce your company’s required practices. Ask the teams to provision their infrastructure by using the Google Cloud console.

D.

Write Terraform modules for each component that are compliant with the company’s required practices, and ask teams to implement their infrastructure through these modules.

Question # 29

You are working for a startup that was officially registered as a business 6 months ago. As your customer base grows, your use of Google Cloud increases. You want to allow all engineers to create new projects without asking them for their credit card information. What should you do?

A.

Create a Billing account, associate a payment method with it, and provide all project creators with permission to associate that billing account with their projects.

B.

Grant all engineer’s permission to create their own billing accounts for each new project.

C.

Apply for monthly invoiced billing, and have a single invoice tor the project paid by the finance team.

D.

Create a billing account, associate it with a monthly purchase order (PO), and send the PO to Google Cloud.

Question # 30

You are building an application that processes data files uploaded from thousands of suppliers. Your primary goals for the application are data security and the expiration of aged data. You need to design the application to:

•Restrict access so that suppliers can access only their own data.

•Give suppliers write access to data only for 30 minutes.

•Delete data that is over 45 days old.

You have a very short development cycle, and you need to make sure that the application requires minimal maintenance. Which two strategies should you use? (Choose two.)

A.

Build a lifecycle policy to delete Cloud Storage objects after 45 days.

B.

Use signed URLs to allow suppliers limited time access to store their objects.

C.

Set up an SFTP server for your application, and create a separate user for each supplier.

D.

Build a Cloud function that triggers a timer of 45 days to delete objects that have expired.

E.

Develop a script that loops through all Cloud Storage buckets and deletes any buckets that are older than 45 days.

Question # 31

You need to update a deployment in Deployment Manager without any resource downtime in the deployment. Which command should you use?

A.

gcloud deployment-manager deployments create --config < deployment-config-path >

B.

gcloud deployment-manager deployments update --config < deployment-config-path >

C.

gcloud deployment-manager resources create --config < deployment-config-path >

D.

gcloud deployment-manager resources update --config < deployment-config-path >

Question # 32

You need to verify that a Google Cloud Platform service account was created at a particular time. What should you do?

A.

Filter the Activity log to view the Configuration category. Filter the Resource type to Service Account.

B.

Filter the Activity log to view the Configuration category. Filter the Resource type to Google Project.

C.

Filter the Activity log to view the Data Access category. Filter the Resource type to Service Account.

D.

Filter the Activity log to view the Data Access category. Filter the Resource type to Google Project.

Question # 33

You want to set up a Google Kubernetes Engine cluster Verifiable node identity and integrity are required for the cluster, and nodes cannot be accessed from the internet. You want to reduce the operational cost of managing your cluster, and you want to follow Google-recommended practices. What should you do?

A.

Deploy a private autopilot cluster

B.

Deploy a public autopilot cluster.

C.

Deploy a standard public cluster and enable shielded nodes.

D.

Deploy a standard private cluster and enable shielded nodes.

Question # 34

You are using Deployment Manager to create a Google Kubernetes Engine cluster. Using the same Deployment Manager deployment, you also want to create a DaemonSet in the kube-system namespace of the cluster. You want a solution that uses the fewest possible services. What should you do?

A.

Add the cluster’s API as a new Type Provider in Deployment Manager, and use the new type to create the DaemonSet.

B.

Use the Deployment Manager Runtime Configurator to create a new Config resource that contains the DaemonSet definition.

C.

With Deployment Manager, create a Compute Engine instance with a startup script that uses kubectl to create the DaemonSet.

D.

In the cluster’s definition in Deployment Manager, add a metadata that has kube-system as key and the DaemonSet manifest as value.

Question # 35

You need to create an autoscaling managed instance group for an HTTPS web application. You want to make sure that unhealthy VMs are recreated. What should you do?

A.

Create a health check on port 443 and use that when creating the Managed Instance Group.

B.

Select Multi-Zone instead of Single-Zone when creating the Managed Instance Group.

C.

In the Instance Template, add the label ‘health-check’.

D.

In the Instance Template, add a startup script that sends a heartbeat to the metadata server.

Question # 36

Your web application is hosted on Cloud Run and needs to query a Cloud SOL database. Every morning during a traffic spike, you notice API quota errors in Cloud SOL logs. The project has already reached the maximum API quota. You want to make a configuration change to mitigate the issue. What should you do?

A.

Modify the minimum number of Cloud Run instances.

B.

Set a minimum concurrent requests environment variable for the application.

C.

Modify the maximum number of Cloud Run instances.

D.

Use traffic splitting.

Question # 37

You have several hundred microservice applications running in a Google Kubernetes Engine (GKE) cluster. Each microservice is a deployment with resource limits configured for each container in the deployment. You ' ve observed that the resource limits for memory and CPU are not appropriately set for many of the microservices. You want to ensure that each microservice has right sized limits for memory and CPU. What should you do?

A.

Modify the cluster ' s node pool machine type and choose a machine type with more memory and CPU.

B.

Configure a Horizontal Pod Autoscaler for each microservice.

C.

Configure GKE cluster autoscaling.

D.

Configure a Vertical Pod Autoscaler for each microservice.

Question # 38

You are creating an application that will run on Google Kubernetes Engine. You have identified MongoDB as the most suitable database system for your application and want to deploy a managed MongoDB environment that provides a support SLA. What should you do?

A.

Create a Cloud Bigtable cluster and use the HBase API

B.

Deploy MongoDB Alias from the Google Cloud Marketplace

C.

Download a MongoDB installation package and run it on Compute Engine instances

D.

Download a MongoDB installation package, and run it on a Managed Instance Group

Question # 39

You have a web application deployed as a managed instance group. You have a new version of the application to gradually deploy. Your web application is currently receiving live web traffic. You want to ensure that the available capacity does not decrease during the deployment. What should you do?

A.

Perform a rolling-action start-update with maxSurge set to 0 and maxUnavailable set to 1.

B.

Perform a rolling-action start-update with maxSurge set to 1 and maxUnavailable set to 0.

C.

Create a new managed instance group with an updated instance template. Add the group to the backend service for the load balancer. When all instances in the new managed instance group are healthy, delete the old managed instance group.

D.

Create a new instance template with the new application version. Update the existing managed instance group with the new instance template. Delete the instances in the managed instance group to allow the managed instance group to recreate the instance using the new instance template.

Question # 40

Your team is running an on-premises ecommerce application. The application contains a complex set of microservices written in Python, and each microservice is running on Docker containers. Configurations are injected by using environment variables. You need to deploy your current application to a serverless Google Cloud cloud solution. What should you do?

A.

Use your existing CI/CD pipeline Use the generated Docker images and deploy them to Cloud Run. Update the configurations and the required endpoints.

B.

Use your existing continuous integration and delivery (CI/CD) pipeline. Use the generated Docker images and deploy them to Cloud Function. Use the same configuration as on-premises.

C.

Use the existing codebase and deploy each service as a separate Cloud Function Update the configurations and the required endpoints.

D.

Use your existing codebase and deploy each service as a separate Cloud Run Use the same configurations as on-premises.

Question # 41

Your company would like to store invoices and other financial documents in Google Cloud. You need to identify a Google-managed solution to store this information for your company. You must ensure that the documents are kept for a duration of three years. Your company ' s analysts need frequent access to invoices from the past six months. After six months, invoices should be archived for audit purposes only. You want to minimize costs and follow Google-recommended practices. What should you do?

A.

Use Cloud Storage with Object Lifecycle Management to change the object storage class to Standard after six months.

B.

Use Cloud Storage with Object Lifecycle Management to change the object storage class to Coldline after six months.

C.

Store your documents on Filestore, and move the documents to Cloud Storage with object storage class set to Standard after six months.

D.

Store your documents on Filestore, and move the documents to Cloud Storage with object storage class set to Coldline after six months.

Question # 42

You have files in a Cloud Storage bucket that you need to share with your suppliers. You want to restrict the time that the files are available to your suppliers to 1 hour. You want to follow Google recommended practices. What should you do?

A.

Create a service account with just the permissions to access files in the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -m 1h gs:///*.

B.

Create a service account with just the permissions to access files in the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -d 1h gs:///.

C.

Create a service account with just the permissions to access files in the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -p 60m gs:///.

D.

Create a JSON key for the Default Compute Engine Service Account. Execute the command gsutil signurl -t 60m gs:///*

Question # 43

An employee was terminated, but their access to Google Cloud Platform (GCP) was not removed until 2 weeks later. You need to find out this employee accessed any sensitive customer information after their termination. What should you do?

A.

View System Event Logs in Stackdriver. Search for the user’s email as the principal.

B.

View System Event Logs in Stackdriver. Search for the service account associated with the user.

C.

View Data Access audit logs in Stackdriver. Search for the user’s email as the principal.

D.

View the Admin Activity log in Stackdriver. Search for the service account associated with the user.

Question # 44

You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

A.

Use gcloud iam roles copy and specify the production project as the destination project.

B.

Use gcloud iam roles copy and specify your organization as the destination organization.

C.

In the Google Cloud Platform Console, use the ‘create role from role’ functionality.

D.

In the Google Cloud Platform Console, use the ‘create role’ functionality and select all applicable permissions.

Question # 45

You are assigned to maintain a Google Kubernetes Engine (GKE) cluster named dev that was deployed on Google Cloud. You want to manage the GKE configuration using the command line interface (CLI). You have just downloaded and installed the Cloud SDK. You want to ensure that future CLI commands by default address this specific cluster. What should you do?

A.

Use the command gcloud config set container/cluster dev.

B.

Use the command gcloud container clusters update dev.

C.

Create a file called gke.default in the ~/.gcloud aname.

D.

Create a file called defaults.json in the ~/.gcloud folder that contains the cluster name.

Question # 46

After a recent security incident, your startup company wants better insight into what is happening in the Google Cloud environment. You need to monitor unexpected firewall changes and instance creation. Your company prefers simple solutions. What should you do?

A.

Use Cloud Logging filters to create log-based metrics for firewall and instance actions. Monitor the changes and set up reasonable alerts.

B.

Install Kibana on a compute Instance. Create a log sink to forward Cloud Audit Logs filtered for firewalls andcompute instances to Pub/Sub. Target the Pub/Sub topic to push messages to the Kibana instance. Analyze the logs on Kibana in real time.

C.

Turn on Google Cloud firewall rules logging, and set up alerts for any insert, update, or delete events.

D.

Create a log sink to forward Cloud Audit Logs filtered for firewalls and compute instances to Cloud Storage.Use BigQuery to periodically analyze log events in the storage bucket.

Question # 47

You need to create and manage service accounts for your workloads running on Google Cloud. You want to follow Google-recommended practices. What should you do?

Choose 2 answers

A.

Create as few service accounts as possible.

B.

Delete any unused service accounts immediately.

C.

Create single-purpose service accounts.

D.

Manage service accounts as resources.

E.

Use random names for the service accounts.

Question # 48

You have created a new project in Google Cloud through the gcloud command line interface (CLI) and linked a billing account. You need to create a new Compute

Engine instance using the CLI. You need to perform the prerequisite steps. What should you do?

A.

Create a Cloud Monitoring Workspace.

B.

Create a VPC network in the project.

C.

Enable the compute googleapis.com API.

D.

Grant yourself the IAM role of Compute Admin.

Question # 49

You are using Google Kubernetes Engine with autoscaling enabled to host a new application. You want to expose this new application to the public, using HTTPS on a public IP address. What should you do?

A.

Create a Kubernetes Service of type NodePort for your application, and a Kubernetes Ingress to expose this Service via a Cloud Load Balancer.

B.

Create a Kubernetes Service of type ClusterIP for your application. Configure the public DNS name of your application using the IP of this Service.

C.

Create a Kubernetes Service of type NodePort to expose the application on port 443 of each node of the Kubernetes cluster. Configure the public DNS name of your application with the IP of every node of the cluster to achieve load-balancing.

D.

Create a HAProxy pod in the cluster to load-balance the traffic to all the pods of the application. Forward the public traffic to HAProxy with an iptable rule. Configure the DNS name of your application using the public IP of the node HAProxy is running on.

Question # 50

You are planning to migrate your on-premises data to Google Cloud. The data includes:

• 200 TB of video files in SAN storage

• Data warehouse data stored on Amazon Redshift

• 20 GB of PNG files stored on an S3 bucket

You need to load the video files into a Cloud Storage bucket, transfer the data warehouse data into BigQuery, and load the PNG files into a second Cloud Storage bucket. You want to follow Google-recommended practices and avoid writing any code for the migration. What should you do?

A.

Use gcloud storage for the video files. Dataflow for the data warehouse data, and Storage Transfer Service for the PNG files.

B.

Use Transfer Appliance for the videos. BigQuery Data Transfer Service for the data warehouse data, and Storage Transfer Service for the PNG files.

C.

Use Storage Transfer Service for the video files, BigQuery Data Transfer Service for the data warehouse data, and Storage Transfer Service for the PNG files.

D.

Use Cloud Data Fusion for the video files, Dataflow for the data warehouse data, and Storage Transfer Service for the PNG files.

Question # 51

You create a new Google Kubernetes Engine (GKE) cluster and want to make sure that it always runs a supported and stable version of Kubernetes. What should you do?

A.

Enable the Node Auto-Repair feature for your GKE cluster.

B.

Enable the Node Auto-Upgrades feature for your GKE cluster.

C.

Select the latest available cluster version for your GKE cluster.

D.

Select “Container-Optimized OS (cos)” as a node image for your GKE cluster.

Question # 52

You are migrating a business critical application from your local data center into Google Cloud. As part of your high-availability strategy, you want to ensure that any data used by the application will be immediately available if a zonal failure occurs. What should you do?

A.

Store the application data on a zonal persistent disk. Create a snapshot schedule for the disk. If an outage occurs, create a new disk from the most recent snapshot and attach it to a new VM in another zone.

B.

Store the application data on a zonal persistent disk. If an outage occurs, create an instance in another zone with this disk attached.

C.

Store the application data on a regional persistent disk. Create a snapshot schedule for the disk. If an outage occurs, create a new disk from the most recent snapshot and attach it to a new VM in another zone.

D.

Store the application data on a regional persistent disk If an outage occurs, create an instance in another zone with this disk attached.

Question # 53

You are running a data warehouse on BigQuery. A partner company is offering a recommendation engine based on the data in your data warehouse. The partner company is also running their application on Google Cloud. They manage the resources in their own project, but they need access to the BigQuery dataset in your project. You want to provide the partner company with access to the dataset What should you do?

A.

Create a Service Account in your own project, and grant this Service Account access to BigGuery in your project

B.

Create a Service Account in your own project, and ask the partner to grant this Service Account access to BigQuery in their project

C.

Ask the partner to create a Service Account in their project, and have them give the Service Account access to BigQuery in their project

D.

Ask the partner to create a Service Account in their project, and grant their Service Account access to the BigQuery dataset in your project

Question # 54

(You are deploying a web application using Compute Engine. You created a managed instance group (MIG) to host the application. You want to follow Google-recommended practices to implement a secure and highly available solution. What should you do?)

A.

Use a proxy Network Load Balancer for the MIG and an A record in your DNS private zone with the load balancer ' s IP address.

B.

Use a proxy Network Load Balancer for the MIG and a CNAME record in your DNS public zone with the load balancer ' s IP address.

C.

Use an Application Load Balancer for the MIG and a CNAME record in your DNS private zone with the load balancer ' s IP address.

D.

Use an Application Load Balancer for the MIG and an A record in your DNS public zone with the load balancer ' s IP address.

Question # 55

You built an application on your development laptop that uses Google Cloud services. Your application uses Application Default Credentials for authentication and works fine on your development laptop. You want to migrate this application to a Compute Engine virtual machine (VM) and set up authentication using Google- recommended practices and minimal changes. What should you do?

A.

Assign appropriate access for Google services to the service account used by the Compute Engine VM.

B.

Create a service account with appropriate access for Google services, and configure the application to use this account.

C.

Store credentials for service accounts with appropriate access for Google services in a config file, and deploy this config file with your application.

D.

Store credentials for your user account with appropriate access for Google services in a config file, and deploy this config file with your application.

Question # 56

You are in charge of provisioning access for all Google Cloud users in your organization. Your company recently acquired a startup company that has their own Google Cloud organization. You need to ensure that your Site Reliability Engineers (SREs) have the same project permissions in the startup company ' s organization as in your own organization. What should you do?

A.

In the Google Cloud console for your organization, select Create role from selection, and choose destination as the startup company ' s organization

B.

In the Google Cloud console for the startup company, select Create role from selection and choose source as the startup company ' s Google Cloud organization.

C.

Use the gcloud iam roles copy command, and provide the Organization ID of the startup company ' sGoogle Cloud Organization as the destination.

D.

Use the gcloud iam roles copy command, and provide the project IDs of all projects in the startup company s organization as the destination.

Question # 57

You are running multiple microservices in a Kubernetes Engine cluster. One microservice is rendering images. The microservice responsible for the image rendering requires a large amount of CPU time compared to the memory it requires. The other microservices are workloads that are optimized for n1-standard machine types. You need to optimize your cluster so that all workloads are using resources as efficiently as possible. What should you do?

A.

Assign the pods of the image rendering microservice a higher pod priority than the older microservices

B.

Create a node pool with compute-optimized machine type nodes for the image rendering microservice Use the node pool with general-purposemachine type nodes for the other microservices

C.

Use the node pool with general-purpose machine type nodes for lite mage rendering microservice Create a nodepool with compute-optimized machine type nodes for the other microservices

D.

Configure the required amount of CPU and memory in the resource requests specification of the image rendering microservice deployment Keep the resource requests for the other microservices at the default

Question # 58

You have designed a solution on Google Cloud Platform (GCP) that uses multiple GCP products. Your company has asked you to estimate the costs of the solution. You need to provide estimates for the monthly total cost. What should you do?

A.

For each GCP product in the solution, review the pricing details on the products pricing page. Use the pricing calculator to total the monthly costs for each GCP product.

B.

For each GCP product in the solution, review the pricing details on the products pricing page. Create a Google Sheet that summarizes the expected monthly costs for each product.

C.

Provision the solution on GCP. Leave the solution provisioned for 1 week. Navigate to the Billing Report page in the Google Cloud Platform Console. Multiply the 1 week cost to determine the monthly costs.

D.

Provision the solution on GCP. Leave the solution provisioned for 1 week. Use Stackdriver to determine the provisioned and used resource amounts. Multiply the 1 week cost to determine the monthly costs.

Question # 59

You are storing sensitive information in a Cloud Storage bucket. For legal reasons, you need to be able to record all requests that read any of the stored data. You want to make sure you comply with these requirements. What should you do?

A.

Enable the Identity Aware Proxy API on the project.

B.

Scan the bucker using the Data Loss Prevention API.

C.

Allow only a single Service Account access to read the data.

D.

Enable Data Access audit logs for the Cloud Storage API.

Question # 60

Your company uses BigQuery for data warehousing. Over time, many different business units in your company have created 1000+ datasets across hundreds of projects. Your CIO wants you to examine all datasets to find tables that contain an employee_ssn column. You want to minimize effort in performing this task. What should you do?

A.

Go to Data Catalog and search for employee_ssn in the search box.

B.

Write a shell script that uses the bq command line tool to loop through all the projects in your organization.

C.

Write a script that loops through all the projects in your organization and runs a query on INFORMATION_SCHEMA.COLUMNS view to find the employee_ssn column.

D.

Write a Cloud Dataflow job that loops through all the projects in your organization and runs a query on INFORMATION_SCHEMA.COLUMNS view to find employee_ssn column.

Question # 61

You deployed an App Engine application using gcloud app deploy, but it did not deploy to the intended project. You want to find out why this happened and where the application deployed. What should you do?

A.

Check the app.yaml file for your application and check project settings.

B.

Check the web-application.xml file for your application and check project settings.

C.

Go to Deployment Manager and review settings for deployment of applications.

D.

Go to Cloud Shell and run gcloud config list to review the Google Cloud configuration used for deployment.

Question # 62

You created an instance of SQL Server 2017 on Compute Engine to test features in the new version. You want to connect to this instance using the fewest number of steps. What should you do?

A.

Install a RDP client on your desktop. Verify that a firewall rule for port 3389 exists.

B.

Install a RDP client in your desktop. Set a Windows username and password in the GCP Console. Use the credentials to log in to the instance.

C.

Set a Windows password in the GCP Console. Verify that a firewall rule for port 22 exists. Click the RDP button in the GCP Console and supply the credentials to log in.

D.

Set a Windows username and password in the GCP Console. Verify that a firewall rule for port 3389 exists. Click the RDP button in the GCP Console, and supply the credentials to log in.

Question # 63

You have production and test workloads that you want to deploy on Compute Engine. Production VMs need to be in a different subnet than the test VMs. All the VMs must be able to reach each other over internal IP without creating additional routes. You need to set up VPC and the 2 subnets. Which configuration meets these requirements?

A.

Create a single custom VPC with 2 subnets. Create each subnet in a different region and with a different CIDR range.

B.

Create a single custom VPC with 2 subnets. Create each subnet in the same region and with the same CIDR range.

C.

Create 2 custom VPCs, each with a single subnet. Create each subnet is a different region and with a different CIDR range.

D.

Create 2 custom VPCs, each with a single subnet. Create each subnet in the same region and with the same CIDR range.

Question # 64

Your company’s infrastructure is on-premises, but all machines are running at maximum capacity. You want to burst to Google Cloud. The workloads on Google Cloud must be able to directly communicate to the workloads on-premises using a private IP range. What should you do?

A.

In Google Cloud, configure the VPC as a host for Shared VPC.

B.

In Google Cloud, configure the VPC for VPC Network Peering.

C.

Create bastion hosts both in your on-premises environment and on Google Cloud. Configure both as proxy servers using their public IP addresses.

D.

Set up Cloud VPN between the infrastructure on-premises and Google Cloud.

Question # 65

You are working for a hospital that stores Its medical images in an on-premises data room. The hospital wants to use Cloud Storage for archival storage of these images. The hospital wants an automated process to upload any new medical images to Cloud Storage. You need to design and implement a solution. What should you do?

A.

Deploy a Dataflow job from the batch template " Datastore lo Cloud Storage " Schedule the batch job on the desired interval

B.

In the Cloud Console, go to Cloud Storage Upload the relevant images to the appropriate bucket

C.

Create a script that uses the gsutil command line interface to synchronize the on-premises storage with Cloud Storage Schedule the script as a cron job

D.

Create a Pub/Sub topic, and enable a Cloud Storage trigger for the Pub/Sub topic. Create an application that sends all medical images to the Pub/Sub lope

Question # 66

(Your company was recently impacted by a service disruption that caused multiple Dataflow jobs to get stuck, resulting in significant downtime in downstream applications and revenue loss. You were able to resolve the issue by identifying and fixing an error you found in the code. You need to design a solution with minimal management effort to identify when jobs are stuck in the future to ensure that this issue does not occur again. What should you do?)

A.

Set up Error Reporting to identify stack traces that indicate slowdowns in Dataflow jobs. Set up alerts based on these log entries.

B.

Use the Personalized Service Health dashboard to identify issues with Dataflow jobs across regions.

C.

Update the Dataflow job configurations to send messages to a Pub/Sub topic when there are delays. Configure a backup Dataflow job to process jobs that are delayed. Use Cloud Tasks to trigger an alert when messages are pushed to the Pub/Sub topic.

D.

Set up Cloud Monitoring alerts on the data freshness metric for the Dataflow jobs to receive a notification when a certain threshold is reached.

Question # 67

Your company uses Pub/Sub for event-driven workloads. You have a subscription named email-updates attached to the new-orders topic. You need to fetch and acknowledge waiting messages from this subscription. What should you do?

A.

Use the gcloud pubsub subscriptions seek email-updates command.

B.

Use the gcloud pubsub topics describe new-orders command.

C.

Use the gcloud pubsub subscriptions pull email-updates —auto-ack command.

D.

Use the gcloud pubsub topics list-subscriptions new-orders —1ilter= " email-updates " command.

Question # 68

You have a Compute Engine instance hosting a production application. You want to receive an email if the instance consumes more than 90% of its CPU resources for more than 15 minutes. You want to use Google services. What should you do?

A.

1. Create a consumer Gmail account.2.Write a script that monitors the CPU usage.3.When the CPU usage exceeds the threshold, have that script send an email using the Gmail account and smtp.gmail.com on port 25 as SMTP server.

B.

1. Create a Stackdriver Workspace, and associate your Google Cloud Platform (GCP) project with it.2.Create an Alerting Policy in Stackdriver that uses the threshold as a trigger condition.3.Configure your email address in the notification channel.

C.

1. Create a Stackdriver Workspace, and associate your GCP project with it.2.Write a script that monitors the CPU usage and sends it as a custom metric to Stackdriver.3.Create an uptime check for the instance in Stackdriver.

D.

1. In Stackdriver Logging, create a logs-based metric to extract the CPU usage by using this regular expression: CPU Usage: ([0-9] {1,3}) %2.In Stackdriver Monitoring, create an Alerting Policy based on this metric.3.Configure your email address in the notification channel.

Question # 69

You have successfully created a development environment in a project for an application. This application uses Compute Engine and Cloud SQL. Now, you need to create a production environment for this application.

The security team has forbidden the existence of network routes between these 2 environments, and asks you to follow Google-recommended practices. What should you do?

A.

Create a new project, enable the Compute Engine and Cloud SQL APIs in that project, and replicate the setup you have created in the development environment.

B.

Create a new production subnet in the existing VPC and a new production Cloud SQL instance in your existing project, and deploy your application using those resources.

C.

Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your new project, and replicate the setup you have in the development environment in that new project, in the Shared VPC.

D.

Ask the security team to grant you the Project Editor role in an existing production project used by another division of your company. Once they grant you that role, replicate the setup you have in the development environment in that project.

Question # 70

(You are managing a stateful application deployed on Google Kubernetes Engine (GKE) that can only have one replica. You recently discovered that the application becomes unstable at peak times. You have identified that the application needs more CPU than what has been configured in the manifest at these peak times. You want Kubernetes to allocate the application sufficient CPU resources during these peak times, while ensuring cost efficiency during off-peak periods. What should you do?)

A.

Enable cluster autoscaling on the GKE cluster.

B.

Configure a Vertical Pod Autoscaler on the Deployment.

C.

Configure a Horizontal Pod Autoscaler on the Deployment.

D.

Enable node auto-provisioning on the GKE cluster.

Question # 71

Your company uses Google Kubernetes Engine (GKE) for all application deployments. Your team needs to provision and manage other Google Cloud resources using the same declarative approach and tooling as your application deployments. What should you do?

A.

Use the Google Cloud console to provision and manage Google Cloud resources.

B.

Write shell scripts using gcloud commands to provision and manage Google Cloud resources.

C.

Create Terraform configurations for your Google Cloud resources, and store the state file in a Cloud Storage bucket.

D.

Install Config Connector in a GKE cluster, and define your Google Cloud resources as custom resources in Kubernetes manifests.

Question # 72

Your company has a 3-tier solution running on Compute Engine. The configuration of the current infrastructure is shown below.

Associate-Cloud-Engineer question answer

Each tier has a service account that is associated with all instances within it. You need to enable communication on TCP port 8080 between tiers as follows:

• Instances in tier #1 must communicate with tier #2.

• Instances in tier #2 must communicate with tier #3.

What should you do?

A.

1. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow all

B.

1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow TCP:80802. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow TCP: 8080

C.

1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow all

D.

1. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow TCP: 80802. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow TCP: 8080

Question # 73

You have an application that reads data from a Pub/Sub topic. During local development, you authenticated using your personal credentials to test the application. You now want to deploy the application to Vertex AI and have created a new service account to be used as the application ' s identity. You need to ensure that the deployed application can still access the Pub/Sub topic. What should you do?

A.

Extract your access token by using the gcloud auth print-access-token command, and store it with the application.

B.

Grant the relevant IAM roles to the service account used as your agent identity.

C.

Create a secret in Secret Manager to store your personal credentials, and configure the application ' s authentication code to use this secret.

D.

Generate a JSON private key for the service account, and upload the key as Vertex AI metadata.

Question # 74

Your company has an existing GCP organization with hundreds of projects and a billing account. Your company recently acquired another company that also has hundreds of projects and its own billing account. You would like to consolidate all GCP costs of both GCP organizations onto a single invoice. You would like to consolidate all costs as of tomorrow. What should you do?

A.

Link the acquired company’s projects to your company ' s billing account.

B.

Configure the acquired company ' s billing account and your company ' s billing account to export the billing data into the same BigQuery dataset.

C.

Migrate the acquired company’s projects into your company’s GCP organization. Link the migrated projects to your company ' s billing account.

D.

Create a new GCP organization and a new billing account. Migrate the acquired company ' s projects and your company ' s projects into the new GCP organization and link the projects to the new billing account.

Question # 75

You are developing a monitoring application that runs on a Google Kubernetes Engine (GKE) cluster. The application requires credentials from a service account to collect performance data. However, your organization has a policy that prohibits the creation of new service account keys. You need to grant the application access while following Google-recommended security practices. What should you do?

A.

Use your personal user credentials to authenticate the application, ensuring your account has the necessary permissions.

B.

Create a new project, generate a service account key in the new project, and grant the service account the required IAM roles in the application project.

C.

Override the organization policy in the project, and create a long-lived service account key in the GKE cluster.

D.

Configure Workload Identity Federation to allow the application to impersonate a service account.

Question # 76

You are planning to manage all of your Google Cloud resources by using Terraform. You have multiple applications that you want to manage independently of each other. You need to structure your Terraform code repository to facilitate this separation. What should you do?

A.

Create a single module for each resource type, and place all modules in the same directory.

B.

Put the Terraform configuration resources for each application in its own root directory.

C.

Create a single module for each application, and place all modules in the same directory.

D.

Put resources of the same type in their own root directory.

Question # 77

You need a dynamic way of provisioning VMs on Compute Engine. The exact specifications will be in a dedicated configuration file. You want to follow Google’s recommended practices. Which method should you use?

A.

Deployment Manager

B.

Cloud Composer

C.

Managed Instance Group

D.

Unmanaged Instance Group

Question # 78

You need to set a budget alert for use of Compute Engineer services on one of the three Google Cloud Platform projects that you manage. All three projects are linked to a single billing account. What should you do?

A.

Verify that you are the project billing administrator. Select the associated billing account and create a budget and alert for the appropriate project.

B.

Verify that you are the project billing administrator. Select the associated billing account and create a budget and a custom alert.

C.

Verify that you are the project administrator. Select the associated billing account and create a budget for the appropriate project.

D.

Verify that you are project administrator. Select the associated billing account and create a budget and a custom alert.

Question # 79

An external member of your team needs list access to compute images and disks in one of your projects. You want to follow Google-recommended practices when you grant the required permissions to this user. What should you do?

A.

Create a custom role, and add all the required compute.disks.list and compute, images.list permissions as includedPermissions. Grant the custom role to the user at the project level.

B.

Create a custom role based on the Compute Image User role Add the compute.disks, list to theincludedPermissions field Grant the custom role to the user at the project level

C.

Grant the Compute Storage Admin role at the project level.

D.

Create a custom role based on the Compute Storage Admin role. Exclude unnecessary permissions from the custom role. Grant the custom role to the user at the project level.

Question # 80

You have a website hosted on App Engine standard environment. You want 1% of your users to see a new test version of the website. You want to minimize complexity. What should you do?

A.

Deploy the new version in the same application and use the --migrate option.

B.

Deploy the new version in the same application and use the --splits option to give a weight of 99 to the current version and a weight of 1 to the new version.

C.

Create a new App Engine application in the same project. Deploy the new version in that application. Use the App Engine library to proxy 1% of the requests to the new version.

D.

Create a new App Engine application in the same project. Deploy the new version in that application. Configure your network load balancer to send 1% of the traffic to that new application.

Question # 81

You need to deploy a third-party software application onto a single Compute Engine VM instance. The application requires the highest speed read and write disk access for the internal database. You need to ensure the instance will recover on failure. What should you do?

A.

Create an instance template. Set the disk type to be an SSD Persistent Disk. Launch the instance template as part of a stateful managed instance group.

B.

Create an instance template. Set the disk type to be an SSD Persistent Disk. Launch the instance template as part of a stateless managed instance group.

C.

Create an instance template. Set the disk type to be Hyperdisk Extreme. Launch the instance template as part of a stateful managed instance group.

D.

Create an instance template. Set the disk type to be Hyperdisk Extreme. Launch the instance template as part of a stateless managed instance group.

Question # 82

You created several resources in multiple Google Cloud projects. All projects are linked to different billing accounts. To better estimate future charges, you want to have a single visual representation of all costs incurred. You want to include new cost data as soon as possible. What should you do?

A.

Configure Billing Data Export to BigQuery and visualize the data in Data Studio.

B.

Visit the Cost Table page to get a CSV export and visualize it using Data Studio.

C.

Fill all resources in the Pricing Calculator to get an estimate of the monthly cost.

D.

Use the Reports view in the Cloud Billing Console to view the desired cost information.

Question # 83

You are deploying an application to Google Kubernetes Engine (GKE) that needs to call an external third-party API. You need to provide the external API vendor with a list of IP addresses for their firewall to allow traffic from your application. You want to follow Google-recommended practices and avoid any risk of interrupting traffic to the API due to IP address changes. What should you do?

A.

Configure your GKE cluster with one node, and set the node to have a static external IP address. Ensure that the GKE cluster autoscaler is off. Send the external IP address of the node to the vendor to be added to the allowlist.

B.

Configure your GKE cluster with private nodes. Configure a Cloud NAT instance with static IP addresses. Provide these IP addresses to the vendor to be added to the allowlist.

C.

Configure your GKE cluster with public nodes. Write a Cloud Function that pulls the public IP addresses of each node in the cluster. Trigger the function to run every day with Cloud Scheduler. Send the list to the vendor by email every day.

D.

Configure your GKE cluster with private nodes. Configure a Cloud NAT instance with dynamic IP addresses. Provide these IP addresses to the vendor to be added to the allowlist.

Question # 84

You are running a web application on Cloud Run for a few hundred users. Some of your users complain that the initial web page of the application takes much longer to load than the following pages. You want to follow Google ' s recommendations to mitigate the issue. What should you do?

A.

Update your web application to use the protocol HTTP/2 instead of HTTP/1.1

B.

Set the concurrency number to 1 for your Cloud Run service.

C.

Set the maximum number of instances for your Cloud Run service to 100.

D.

Set the minimum number of instances for your Cloud Run service to 3.

Question # 85

You are setting up a Windows VM on Compute Engine and want to make sure you can log in to the VM via RDP. What should you do?

A.

After the VM has been created, use your Google Account credentials to log in into the VM.

B.

After the VM has been created, use gcloud compute reset-windows-password to retrieve the login credentials for the VM.

C.

When creating the VM, add metadata to the instance using ‘windows-password’ as the key and a password as the value.

D.

After the VM has been created, download the JSON private key for the default Compute Engine service account. Use the credentials in the JSON file to log in to the VM.

Question # 86

Your application stores files on Cloud Storage by using the Standard Storage class. The application only requires access to files created in the last 30 days. You want to automatically save costs on files that are no longer accessed by the application. What should you do?

A.

Create a retention policy on the storage bucket of 30 days, and lock the bucket by using a retention policy lock.

B.

Enable object versioning on the storage bucket and add lifecycle rules to expire non-current versions after 30 days

C.

Create an object lifecycle on the storage bucket to change the storage class to Archive Storage for objects with an age over 30 days.

D.

Create a cron job in Cloud Scheduler to call a Cloud Functions instance every day to delete files older than 30 days.

Question # 87

You need to provide a cost estimate for a Kubernetes cluster using the GCP pricing calculator for Kubernetes. Your workload requires high IOPs, and you will also be using disk snapshots. You start by entering the number of nodes, average hours, and average days. What should you do next?

A.

Fill in local SSD. Fill in persistent disk storage and snapshot storage.

B.

Fill in local SSD. Add estimated cost for cluster management.

C.

Select Add GPUs. Fill in persistent disk storage and snapshot storage.

D.

Select Add GPUs. Add estimated cost for cluster management.

Question # 88

You have just created a new project which will be used to deploy a globally distributed application. You will use Cloud Spanner for data storage. You want to create a Cloud Spanner instance. You want to perform the first step in preparation of creating the instance. What should you do?

A.

Grant yourself the IAM role of Cloud Spanner Admin

B.

Create a new VPC network with subnetworks in all desired regions

C.

Configure your Cloud Spanner instance to be multi-regional

D.

Enable the Cloud Spanner API

Question # 89

You host a static website on Cloud Storage. Recently, you began to include links to PDF files on this site. Currently, when users click on the links to these PDF files, their browsers prompt them to save the file onto their local system. Instead, you want the clicked PDF files to be displayed within the browser window directly, without prompting the user to save the file locally. What should you do?

A.

Enable Cloud CDN on the website frontend.

B.

Enable ‘Share publicly’ on the PDF file objects.

C.

Set Content-Type metadata to application/pdf on the PDF file objects.

D.

Add a label to the storage bucket with a key of Content-Type and value of application/pdf.

Question # 90

Your organization is a financial company that needs to store audit log files for 3 years. Your organization has hundreds of Google Cloud projects. You need to implement a cost-effective approach for log file retention. What should you do?

A.

Create an export to the sink that saves logs from Cloud Audit to BigQuery.

B.

Create an export to the sink that saves logs from Cloud Audit to a Coldline Storage bucket.

C.

Write a custom script that uses logging API to copy the logs from Stackdriver logs to BigQuery.

D.

Export these logs to Cloud Pub/Sub and write a Cloud Dataflow pipeline to store logs to Cloud SQL.

Question # 91

All development (dev) teams in your organization are located in the United States. Each dev team has its own Google Cloud project. You want to restrict access so that each dev team can only create cloud resources in the United States (US). What should you do?

A.

Create a folder to contain all the dev projects Create an organization policy to limit resources in US locations.

B.

Create an organization to contain all the dev projects. Create an Identity and Access Management (IAM) policy to limit the resources in US regions.

C.

Create an Identity and Access Management < IAM) policy to restrict the resources locations in the US. Apply the policy to all dev projects.

D.

Create an Identity and Access Management (IAM)policy to restrict the resources locations in all dev projects. Apply the policy to all dev roles.

Question # 92

Your company is using Google Workspace to manage employee accounts. Anticipated growth will increase the number of personnel from 100 employees to 1.000 employees within 2 years. Most employees will need access to your company ' s Google Cloud account. The systems and processes will need to support 10x growth without performance degradation, unnecessary complexity, or security issues. What should you do?

A.

Migrate the users to Active Directory. Connect the Human Resources system to Active Directory. Turn on Google Cloud Directory Sync (GCDS) for Cloud Identity. Turn on Identity Federation from Cloud Identity to Active Directory.

B.

Organize the users in Cloud Identity into groups. Enforce multi-factor authentication in Cloud Identity.

C.

Turn on identity federation between Cloud Identity and Google Workspace. Enforce multi-factor authentication for domain wide delegation.

D.

Use a third-party identity provider service through federation. Synchronize the users from Google Workplace to the third-party provider in real time.

Question # 93

You have developed a web application that serves traffic for a local event and are expecting unpredictable traffic. You have containerized the application, and you now want to deploy the application on Google Cloud. You also want to minimize costs. What should you do?

A.

Deploy the web application as a Cloud Run service.

B.

Deploy the web application on Google Kubernetes Engine In Standard mode.

C.

Deploy the web application as a Cloud Run job.

D.

Deploy the web application on Google Kubernetes Engine in Autopilot mode.

Question # 94

You want to configure 10 Compute Engine instances for availability when maintenance occurs. Your requirements state that these instances should attempt to automatically restart if they crash. Also, the instances should be highly available including during system maintenance. What should you do?

A.

Create an instance template for the instances. Set the ‘Automatic Restart’ to on. Set the ‘On-host maintenance’ to Migrate VM instance. Add the instance template to an instance group.

B.

Create an instance template for the instances. Set ‘Automatic Restart’ to off. Set ‘On-host maintenance’ to Terminate VM instances. Add the instance template to an instance group.

C.

Create an instance group for the instances. Set the ‘Autohealing’ health check to healthy (HTTP).

D.

Create an instance group for the instance. Verify that the ‘Advanced creation options’ setting for ‘do not retry machine creation’ is set to off.

Question # 95

You are managing a new project for a web application on Google Cloud. The web application is running on a Compute Engine VM, and your team has a strict budget. You have already created a budget in Cloud Billing and set an alert rule to send an email when 90% of the budget is consumed. You must ensure that project spending automatically stops if it exceeds the budgeted amount. What should you do?

A.

Create a new Cloud Billing account, and associate the project with it to prevent new spending from affecting your project ' s budget.

B.

Create a Pub/Sub topic, and connect it to the budget. Create a Cloud Run function that subscribes to the Pub/Sub topic and executes code to stop the VM.

C.

Use the Cloud Billing dashboard to identify the forecasted spend of your project, and then update the budget and alert to match the forecasted spend.

D.

Rely on the budget ' s configuration to automatically disable billable resources when the spend reaches 100%.

Question # 96

Your organization needs to grant users access to query datasets in BigQuery but prevent them from accidentally deleting the datasets. You want a solution that follows Google-recommended practices. What should you do?

A.

Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.

B.

Add users to roles/bigquery dataEditor role only, instead of roles/bigquery dataOwner.

C.

Create a custom role by removing delete permissions, and add users to that role only.

D.

Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.

Question # 97

You need to manage a Cloud Spanner Instance for best query performance. Your instance in production runs in a single Google Cloud region. You need to improve performance in the shortest amount of time. You want to follow Google best practices for service configuration. What should you do?

A.

Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 45% If you exceed this threshold, add nodes lo your instance.

B.

Create an alert in Cloud Monitoring to alert when the percentage to high priority CPU utilization reaches 45% Use database query statistics to identify queries that result in high CPU usage, and then rewrite those queries to optimize their resource usage

C.

Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 65% If you exceed this threshold, add nodes to your instance

D.

Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 65%. Use database query statistics to identity queries that result in high CPU usage, and then rewrite those queries to optimize their resource usage.

Question # 98

You received a JSON file that contained a private key of a Service Account in order to get access to several resources in a Google Cloud project. You downloaded and installed the Cloud SDK and want to use this private key for authentication and authorization when performing gcloud commands. What should you do?

A.

Use the command gcloud auth login and point it to the private key

B.

Use the command gcloud auth activate-service-account and point it to the private key

C.

Place the private key file in the installation directory of the Cloud SDK and rename it to " credentials ison "

D.

Place the private key file in your home directory and rename it to ‘’GOOGLE_APPUCATION_CREDENTiALS " .

Question # 99

Your company ' s machine learning team requires a scalable and flexible platform to fine-tune large language models utilizing a large volume of proprietary data on Google Cloud. You are tasked with building a solution for this team. What should you do?

A.

Use Dataflow as a platform to run the fine-tuning jobs.

B.

Use a Compute Engine managed instance group as a platform to deploy Jupyter Notebooks and run fine-tuning jobs.

C.

Use Google Kubernetes Engine (GKE) and hardware accelerators as a platform to run the fine-tuning jobs.

D.

Use Cloud Run and GPU as a platform to run the fine-tuning jobs.

Question # 100

You have been asked to set up Object Lifecycle Management for objects stored in storage buckets. The objects are written once and accessed frequently for 30 days. After 30 days, the objects are not read again unless there is a special need. The object should be kept for three years, and you need to minimize cost. What should you do?

A.

Set up a policy that uses Nearline storage for 30 days and then moves to Archive storage for three years.

B.

Set up a policy that uses Standard storage for 30 days and then moves to Archive storage for three years.

C.

Set up a policy that uses Nearline storage for 30 days, then moves the Coldline for one year, and then moves to Archive storage for two years.

D.

Set up a policy that uses Standard storage for 30 days, then moves to Coldline for one year, and then moves to Archive storage for two years.

Question # 101

You have developed a containerized web application that will serve Internal colleagues during business hours. You want to ensure that no costs are incurred outside of the hours the application is used. You have just created a new Google Cloud project and want to deploy the application. What should you do?

A.

Deploy the container on Cloud Run for Anthos, and set the minimum number of instances to zero

B.

Deploy the container on Cloud Run (fully managed), and set the minimum number of instances to zero.

C.

Deploy the container on App Engine flexible environment with autoscaling. and set the value min_instances to zero in the app yaml

D.

Deploy the container on App Engine flexible environment with manual scaling, and set the value instances to zero in the app yaml

Question # 102

You have a Dockerfile that you need to deploy on Kubernetes Engine. What should you do?

A.

Use kubectl app deploy < dockerfilename > .

B.

Use gcloud app deploy < dockerfilename > .

C.

Create a docker image from the Dockerfile and upload it to Container Registry. Create a Deployment YAML file to point to that image. Use kubectl to create the deployment with that file.

D.

Create a docker image from the Dockerfile and upload it to Cloud Storage. Create a Deployment YAML file to point to that image. Use kubectl to create the deployment with that file.

Question # 103

You are creating and deploying an application on Cloud Run that uses Cloud SQL for data storage. You need to track the number of database connections created by the application to ensure that database connections are reused. What should you do?

A.

In Cloud Monitoring, create a custom metric that tracks the creation of Cloud Run instances, and display the metric on a dashboard.

B.

Log each new database connection in the application. In Cloud Monitoring, create a custom metric for these logs, and display the metric on a dashboard.

C.

In the Google Cloud console, navigate to the Cloud SQL instance, and review the instance logs.

D.

In Cloud Trace, enable trace storage for your project, and use a filter to check for new database connections.

Question # 104

Your company ' s security vulnerability management policy wonts 3 member of the security team to have visibility into vulnerabilities and other OS metadata for a specific Compute Engine instance This Compute Engine instance hosts a critical application in your Goggle Cloud project. You need to implement your company ' s security vulnerability management policy. What should you dc?

A.

• Ensure that the Ops Agent Is Installed on the Compute Engine instance.• Create a custom metric in the Cloud Monitoring dashboard.• Provide the security team member with access to this dashboard.

B.

• Ensure that the Ops Agent is installed on tie Compute Engine instance.• Provide the security team member roles/configure.inventoryViewer permission.

C.

• Ensure that the OS Config agent Is Installed on the Compute Engine instance.• Provide the security team member roles/configure.vulnerabilityViewer permission.

D.

• Ensure that the OS Config agent is installed on the Compute Engine instance• Create a log sink Co a BigQuery dataset.• Provide the security team member with access to this dataset.

Question # 105

You are managing your company’s archival records that are stored in a Cloud Storage bucket using the Multi-Regional storage class. These objects are rarely accessed after 90 days but must be retained indefinitely to meet regulatory compliance requirements. You need to implement a cost-effective process that automatically transitions these objects to the lowest-cost storage class suitable for long-term retention immediately after the 90-day period. What should you do?

A.

Enable Object Versioning on the bucket, and create an Object Lifecycle Management rule that sets the daysSinceNoncurrentTime condition to 90 days, transitioning noncurrent versions to Archive storage.

B.

Create an Object Lifecycle Management rule on the bucket that specifies an age condition of 90 days and uses the SetStorageClass action to transition the objects to Archive storage.

C.

Create a nightly scheduled Cloud Run function that uses the Cloud Storage API to change the storage class of all objects older than 90 days to Archive storage.

D.

Create an Object Lifecycle Management rule on the bucket that specifies the createdBefore condition set to 90 days ago and uses the Delete action to remove the objects.

Question # 106

You created a Kubernetes deployment by running kubectl run nginx image=nginx replicas=1. After a few days, you decided you no longer want this deployment. You identified the pod and deleted it by running kubectl delete pod. You noticed the pod got recreated.

$ kubectlgetpods

NAME READY STATUS RESTARTS AGE

nginx-84748895c4-nqqmt 1/1 Running 0 9m41s

$ kubectldeletepod nginx-84748895c4-nqqmt

pod nginx-84748895c4-nqqmt deleted

$ kubectlgetpods

NAME READY STATUS RESTARTS AGE

nginx-84748895c4-k6bzl 1/1 Running 0 25s

What should you do to delete the deployment and avoid pod getting recreated?

A.

kubectl delete deployment nginx

B.

kubectl delete –deployment=nginx

C.

kubectl delete pod nginx-84748895c4-k6bzl –no-restart 2

D.

kubectl delete inginx

Question # 107

Your company ' s Human Resources department publishes a BigQuery dataset with anonymized information about company sales and products. All employees in your company are managed in the terramearth.com Cloud Identity account and must be able to view this dataset as an authenticated user. You need to grant all employees in your company read-only access to this BigQuery dataset. What should you do?

A.

Grant the roles/bigquery.dataViewer role to the domain:terramearth.com principal on the dataset ' s IAM policy.

B.

Grant the roles/bigquery.dataViewer role to the allUsers principal on the dataset ' s IAM policy.

C.

Grant the roles/bigquery.dataViewer role to a new service account on the dataset ' s IAM policy.

D.

Grant the roles/bigquery.dataViewer role to the allAuthenticatedUsers principal on the dataset ' s IAM policy.

Question # 108

You have two Google Cloud projects: project-a with VPC vpc-a (10.0.0.0/16) and project-b with VPC vpc-b (10.8.0.0/16). Your frontend application resides in vpc-a and the backend API services ate deployed in vpc-b. You need to efficiently and cost-effectively enable communication between these Google Cloud projects. You also want to follow Google-recommended practices. What should you do?

A.

Configure a Cloud Router in vpc-a and another Cloud Router in vpc-b.

B.

Configure a Cloud Interconnect connection between vpc-a and vpc-b.

C.

Create VPC Network Peering between vpc-a and vpc-b.

D.

Create an OpenVPN connection between vpc-a and vpc-b.

Associate-Cloud-Engineer PDF

$33

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

Associate-Cloud-Engineer PDF + Testing Engine

$52.8

$175.99

3 Months Free Update

  • Exam Name: Google Cloud Certified - Associate Cloud Engineer
  • Last Update: Jul 7, 2026
  • Questions and Answers: 363
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

Associate-Cloud-Engineer Engine

$39.6

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included