Professional-Cloud-DevOps-Engineer Practice Exam Questions with Answers Google Cloud Certified - Professional Cloud DevOps Engineer Exam Certification

Comprehensive and Detailed Explanation:

Cloud Run scales down to zero when idle. If CPU is allocated only during request processing, background telemetry tasks (like OpenTelemetry traces) may not complete before the container shuts down.

Solution: Configure CPU to be always-allocated ? This ensures that background tasks (like trace exports) continue even when the service is idle.

????Why not other options?

A (Increasing CPU to 4 cores)?? More CPU won’t help if traces are being cut off due to shutdown.

B (Using an HTTP health check)?? Doesn’t affect OpenTelemetry traces.

C (CPU only during request processing)?? This causes the problem because traces need CPU after request completion to be exported.

????Official Reference:

Cloud Run Tracing with OpenTelemetry

Cloud Run Always-Allocated CPU

The correct answer is A. Select a latency metric for a request-based method of evaluation.

A latency metric measures how responsive your service is to users.For example, you can use thecloud.googleapis.com/http/server/response_latenciesmetric to measure the latency of HTTP requests to your service1. A request-based method of evaluation counts the number of successful requests that meet a certain criterion, such as being below a latency threshold, and compares it to the number of all requests.For example, you can define an SLI as the ratio of requests with latency below 300 ms to all requests2. A request-based method of evaluation is suitable for measuring performance over time, such as per calendar month.You can set an SLO for the SLI to be at least 90%, which means that you expect 90% of the requests to have latency below 300 ms in a month3.

"A Project can host many Projects and appear in many Projects, but it can only be used as the scoping project once. We recommend that you create a new Project for the purpose of having multiple Projects in the same scope."

The best option for storing and using the API key in your application by following Google-recommended practices is to save the API key in Secret Manager as a secret and reference the secret as an environment variable in the Cloud Run application. Secret Manager is a service that allows you to store and manage sensitive data, such as API keys, passwords, and certificates, in Google Cloud. A secret is a resource that represents a logical secret, such as an API key. You can save the API key in Secret Manager as a secret and use IAM policies to control who can access it. You can also reference the secret as an environment variable in the Cloud Run application by using the ${SECRET_NAME} syntax. This way, you can securely store and use the API key in your application without exposing it in your code or configuration files.

Google Workload Identity is the recommended method to allow GKE workloads to securely access Google Cloud APIs using short-lived credentials without managing keys.

"Workload Identity is the recommended way to access Google Cloud services from GKE. It replaces the older method of using service account keys."

— Workload Identity Overview

"You can configure a Kubernetes service account to impersonate a Google Cloud service account by granting the roles/iam.workloadIdentityUser role and using the iam.gke.io/gcp-service-account annotation."

— Configure Workload Identity

This satisfies the customer’s requirement for PoLP and avoids long-lived keys.

Eliminate bad monitoring : Unactionable alerts (i.e., spam)https://cloud.google.com/blog/products/management-tools/meeting-reliability-challenges-with-sre-principles

agree with kyubiblaze about having to remove unactionable items aka spam: "good monitoring alerts on actionable problems" @https://cloud.google.com/blog/products/management-tools/meeting-reliability-challenges-with-sre-principles

Scaling App Engine scales the number of instances automatically in response to processing volume. This scaling factors in the automatic_scaling settings that are provided on a per-version basis in the configuration file. A service with basic scaling is configured by setting the maximum number of instances in the max_instances parameter of the basic_scaling setting. The number of live instances scales with the processing volume. You configure the number of instances of each version in that service's configuration file. The number of instances usually corresponds to the size of a dataset being held in memory or the desired throughput for offline work. You can adjust the number of instances of a manually-scaled version very quickly, without stopping instances that are currently running, using the Modules API set_num_instances function.https://cloud.google.com/appengine/docs/standard/python/how-instances-are-managed

https://cloud.google.com/appengine/docs/standard/python/config/appref

max_idle_instances Optional. The maximum number of idle instances that App Engine should maintain for this version. Specify a value from 1 to 1000. If not specified, the default value is automatic, which means App Engine will manage the number of idle instances. Keep the following in mind: A high maximum reduces the number of idle instances more gradually when load levels return to normal after a spike. This helps your application maintain steady performance through fluctuations in request load, but also raises the number of idle instances (and consequent running costs) during such periods of heavy load.

Cloud Build is a fully managed continuous integration and continuous delivery (CI/CD) service that helps you automate your builds, tests, and deployments. Google Cloud Deploy is a service that automates the deployment of your applications to Google Kubernetes Engine (GKE).

Together, Cloud Build and Google Cloud Deploy can be used to build and deploy your application's custom Compute Engine images to your current environment and to other cloud providers in the future.

Here are the steps involved in using Cloud Build and Google Cloud Deploy to implement a CI/CD pipeline for your application:

Create a Cloud Build trigger that fires whenever a change is made to your application's code.

In the Cloud Build trigger, configure Cloud Build to build your application's Docker image.

Create a Google Cloud Deploy configuration file that specifies how to deploy your application's Docker image to GKE.

In Google Cloud Deploy, create a deployment that uses your configuration file.

Once you have created the Cloud Build trigger and Google Cloud Deploy configuration file, any changes made to your application's code will trigger Cloud Build to build a new Docker image. Google Cloud Deploy will then deploy the new Docker image to GKE.

This solution stack is adaptable to future changes because it uses a cloud-agnostic approach. Cloud Build can be used to build Docker images for any cloud provider, and Google Cloud Deploy can be used to deploy Docker images to any Kubernetes cluster.

The other solution stacks are not as adaptable to future changes. For example, solution stack A (Cloud Build with Packer) is limited to building Docker images for Compute Engine. Solution stack C (Google Kubernetes Engine with Google Cloud Deploy) is limited to deploying Docker images to GKE. Solution stack D (Cloud Build with kpt) is a newer solution that is not yet as mature as Cloud Build and Google Cloud Deploy.

Overall, the best solution stack for implementing a CI/CD pipeline for your application in a multi-cloud environment is Cloud Build with Google Cloud Deploy. This solution stack is fully managed, cloud-agnostic, and adaptable to future changes.

https://cloud.google.com/kubernetes-engine/docs/concepts/horizontalpodautoscaler

The Horizontal Pod Autoscaler changes the shape of your Kubernetes workload by automatically increasing or decreasing the number of Pods in response to the workload's CPU or memory consumption

The best option for ensuring that the three environments are consistent and following Google-recommended practices is to use Cloud Build to render and deploy the network policies and the DaemonSet, and set up Config Sync to sync the configurations for the three environments. Cloud Build is a service that executes your builds on Google Cloud infrastructure. You can use Cloud Build to render and deploy your network policies and DaemonSet as code using tools like Kustomize, Helm, or kpt. Config Sync is a feature that enables you to manage the configurations of your GKE clusters from a single source of truth, such as a Git repository. You can use Config Sync to sync the configurations for your development, staging, and production environments and ensure that they are consistent.

 The best option for optimizing your cloud spend by ensuring that only a single instance of your infrastructure stack exists at a time is to confirm that the pipeline is storing and retrieving the terraform.tfstate file from Cloud Storage with the Terraform gcs backend. The terraform.tfstate file is a file that Terraform uses to store the current state of your infrastructure. The Terraform gcs backend is a backend type that allows you to store the terraform.tfstate file in a Cloud Storage bucket. By using the Terraform gcs backend, you can ensure that your pipeline has access to the latest state of your infrastructure and avoid creating multiple copies of the entire infrastructure stack.

Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives1. Cloud Build can also run integration tests as part of your build steps2.

You can use Cloud Build to run tests in a specific folder by specifying the path to the folder in the dir field of your build step3. For example, if you have a folder named tests that contains your integration tests, you can use the following build step to run them:

steps:

- name: 'gcr.io/cloud-builders/go'

args: ['test', '-v']

dir: 'tests'

Copy

You can use Cloud Build to trigger builds for every GitHub pull request by using the Cloud Build GitHub app. The app allows you to automatically build on Git pushes and pull requests and view your build results on GitHub and Google Cloud console4. You can configure the app to run builds on specific branches, tags, or paths5. For example, if you want to run builds on pull requests that target the master branch, you can use the following trigger configuration:

includedFiles:

- '**'

name: 'pull-request-trigger'

github:

name: 'my-repo'

owner: 'my-org'

pullRequest:

branch: '^master$'

Using Cloud Build to run tests in a specific folder and trigger builds for every GitHub pull request is a good way to continuously test your feature branch and ensure that all code is tested before changes areaccepted. This way, you can catch any errors or bugs early and prevent them from affecting the main branch.

Using a Jenkins server for CI/CD pipelines is not a bad option, but it would require more setup and maintenance than using Cloud Build, which is fully managed by Google Cloud. Periodically running all tests in the feature branch is not as efficient as running tests for every pull request, as it may delay the feedback loop and increase the risk of conflicts or failures.

Using Cloud Build to run the tests after a pull request is merged is not a good practice, as it may introduce errors or bugs into the main branch that could have been prevented by testing before merging.

Asking the pull request reviewers to run the integration tests before approving the code is not a reliable way of ensuring code quality, as it depends on human intervention and may be prone to errors or oversights.

The correct answer is B. Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.

According to the Google Cloud documentation, the constraints/iam.disableServiceAccountKeyCreation constraint is an organization policy constraint that prevents the creation of user-managed service account keys1.User-managed service account keys are long-lived credentials that can be downloaded as JSON or P12 files and used to authenticate as a service account2.These keys pose severe security risks if they are leaked, stolen, or misused by unauthorized entities34.By applying this constraint to the organization, you can completely eliminate the risks associated with the use of JSON service account keys and enforce a more secure alternative for authentication, such as Workload Identity or short-lived access tokens12. This also minimizes operational overhead by avoiding the need to manage, rotate, or revoke user-managed service account keys.

The other options are incorrect because they do not completely eliminate the risks associated with the use of JSON service account keys. Option A is incorrect because it only restricts the IAM permissions to create, list, get, delete, or sign service account keys, but it does not prevent existing keys from being used or leaked. Option C is incorrect because it only disables the upload of user-managed service account keys, but it does not prevent the creation or download of such keys. Option D is incorrect because it only limits the IAM role that can create and manage service account keys, but it does not prevent the keys from being distributed or exposed to unauthorized entities.

The best option for sharing a Cloud Monitoring custom dashboard with a partner team is to provide the partner team with the dashboard URL to enable the partner team to create a copy of the dashboard. A Cloud Monitoring custom dashboard is a dashboard that allows you to create and customize charts and widgets to display metrics, logs, and traces from your Google Cloud resources and applications. You can share a custom dashboard with a partner team by providing them with the dashboard URL, which is a link that allows them to view the dashboard in their browser. The partner team can then create a copy of the dashboard in their own project by using the Copy Dashboard option. This way, they can access and modify the dashboard without affecting the original one.

https://cloud.google.com/container-registry/docs/pushing-and-pulling

The best option for creating the development and production environments for each team while minimizing costs and ensuring isolation is to create a development and a production GKE cluster in separate projects, in each cluster create a Kubernetes namespace per team, and then configure Kubernetes role-based access control (RBAC) so that each team can only access its own namespace. This option allows you to use fewer clusters and projects than creating one project or cluster per team, which reduces costs and complexity. It also allows you to isolate each team’s environment by using namespaces and RBAC, which prevents teams from accessing other teams’ environments.

https://cloud.google.com/monitoring/access-control

The most cost-effective network tier and load balancing configuration for your frontend tier is to use Premium Tier with a regional load balancer. Premium Tier is a network tier that provides high-performance and low-latency network connectivity across Google’s global network. A regional load balancer is a load balancer that distributes traffic within a single region. Since your application is deployed entirely within the europe-west2 region and only serves users based in the United Kingdom, you can use Premium Tier with a regional load balancer to optimize the network performance and cost.

The best option for ensuring continued operations until the microservice is fixed is to add a HTTP liveness probe to the microservice’s deployment. A HTTP liveness probe is a type of probe that checks if a Pod is alive by sending an HTTP request and expecting a success response code. If the probe fails, Kubernetes will restart the Pod. You can add a HTTP liveness probe to your microservice’s deployment by using a livenessProbe field in your Pod spec. This way, you can ensure that any Pod that returns 403 errors after running for more than five hours will be restarted automatically and resume normal operations.

The best option for managing all charts uniformly, with native access control and VPC Service Controls is to store public and private charts in OCI format by using Artifact Registry. Artifact Registry is a service that allows you to store and manage container images and other artifacts in Google Cloud. Artifact Registry supports OCI format, which is an open standard for storing container images and other artifacts such as Helm charts. You can use Artifact Registry to store public and private charts in OCI format and manage them uniformly. You can also use Artifact Registry’s native access control features, such as IAM policies and VPC Service Controls, to secure your charts and control who can access them.

Create log views for each project team, and only show each project team their application logs. Grant the operations team access to the _AllLogs View in the central logging project1.

This approach aligns with the Google Cloud’s recommended methodologies for Professional Cloud DevOps Engineers1. Log views allow you to create and manage access control at a finer granularity for your logs. By creating a separate log view for each project team, you can ensure that they only have access to their respective logs. The operations team, on the other hand, can be granted access to the _AllLogs view in the central logging project, allowing them to view all logs as required.

This solution not only meets the security team’s requirements but also minimizes costs as it leverages built-in features of Google Cloud’s logging and does not require exporting logs to another service like BigQuery (as suggested in option A), which could incur additional costs1.

https://www.atlassian.com/incident-management/kpis/common-metrics

https://linkedin.github.io/school-of-sre/

To restrict access to specific sensitive log fields (e.g. PII), Google Cloud offers Log field-level access control. You can apply field-level restrictions and then assign the Log Field Accessor role only to trusted personnel.

“You can use field-level access control to restrict access to certain fields in your logs. For example, you can restrict access to jsonPayload.user_email.”

— Cloud Logging Field-Level Access

“Grant the roles/logging.fieldAccessor role to principals that require access to these restricted fields.”

— Log Field Accessor Role

This lets your operations team continue using logs while ensuring that PII is only visible to the security team, fulfilling your compliance obligations.

Cloud Build Private Pools allow your builds to run in a secure, isolated environment with direct access to resources inside your private VPC network, without exposing them to the public internet. This is the Google-recommended approach for minimizing management overhead while maintaining strong security boundaries.

From the official documentation:

"Private pools run your builds in a dedicated and secure environment that can connect to private network resources."

— Cloud Build Private Pools Overview

"You can configure private pools to access resources in a VPC network, which enables secure access to services without using public IPs."

— Accessing Private Resources

This method eliminates the need to create and manage additional compute instances or complex load balancing setups, providing seamless integration with your private services during CI pipeline execution.

The best option for selecting a deployment and testing strategy that meets your requirements is to use blue/green deployment and canary testing. A blue/green deployment is a deployment strategy that involves creating two identical environments, one running the current version of the application (blue) and one running the new version of the application (green). The traffic is switched from blue to green after testing the new version, and if any issues are discovered, the traffic can be switched back to blue instantly. This way, you can reduce the complexity of release deployments and minimize the duration of deployment rollbacks. A canary testing is a testing strategy that involves releasing a new version of an application to a subset of users or servers and monitoring its performance and reliability. This way, you can test real production traffic with a gradual increase in the number of affected users.

OOMKilled means the containers exceeded their allocated memory. Since the HPA isn't scaling up (stuck at min), this indicates the issue is not scale-related but container memory limits are too low.

"Pods terminated with OOMKilled have exceeded their memory limits. You should adjust the container's resource requests and limits."

— Kubernetes OOMKill Debug Guide

Scaling the number of replicas won't help if each replica crashes. You need to increase memory limits so pods can run reliably before autoscaling can even work.

The best option for configuring Cloud Logging to log each IP address that accesses the API by using the fewest number of steps is to enable logging on the firewall rule. A firewall rule is a rule that controls the traffic to and from your Compute Engine instances. You can enable logging on a firewall rule to capture information about the traffic that matches the rule, such as source and destination IP addresses, protocols, ports, and actions. You can use Cloud Logging to view and export the firewall logs to other destinations, such as BigQuery, for further analysis.

https://medium.com/velotio-perspectives/exploring-upgrade-strategies-for-stateful-sets-in-kubernetes-c02b8286f251

A change advisory board (CAB) is a traditional way of approving changes to a service, but it can slow down the software delivery performance and introduce bottlenecks. A better way to improve the speed and quality of changes is to use a peer-review based process for individual changes that is enforced at code check-in time and supported by automated tests. This way, developers can get fast feedback on the impact of their changes and catch any errors or bugs before they reach production. Additionally, the team’s development platform should enable developers to get fast feedback on the impact of their changes, such as using Cloud Code, Cloud Build, or Cloud Debugger.

https://cloud.google.com/compute/docs/instances/preemptible

The best option for determining whether the increase in availability is worth the investment for a single year of usage is to calculate the value of improved availability to be $900, and determine that the increase in availability is not worth the investment. To calculate the value of improved availability, we can use the following formula:

Value of improved availability = Revenue * (New availability - Current availability)

Plugging in the given numbers, we get:

Value of improved availability = $1,000,000 * (0.9999 - 0.999) = $900

Since the value of improved availability is less than the investment of $2,000, we can conclude that the increase in availability is not worth the investment.

https://cloud.google.com/architecture/customizing-stackdriver-logs-fluentd

Besides the list of default logs that the Logging agent streams by default, you can customize the Logging agent to send additional logs to Logging or to adjust agent settings by adding input configurations. The configuration definitions in these sections apply to the fluent-plugin-google-cloud output plugin only and specify how logs are transformed and ingested into Cloud Logging.https://cloud.google.com/logging/docs/agent/logging/configuration#configure

Your application runs on Google Cloud Platform (GCP). You need to implement Jenkins for deploying application releases to GCP. You want to streamline the release process, lower operational toil, and keep user data secure. What should you do?

https://plugins.jenkins.io/google-compute-engine/

https://cloud.google.com/monitoring/support/notification-options#creating_channels

To configure SMS notifications, do the following:

In the SMS section, click Add new and follow the instructions. Click Save. When you set up your alerting policy, select the SMS notification type and choose a verified phone number from the list.

The best option for configuring Cloud Monitoring dashboards to only display metrics from the projects within one folder is to create new scoping projects for each folder. A scoping project is a project that defines which resources are monitored by Cloud Monitoring. You can create new scoping projects for each folder by using the gcloud monitoring register-project command. This way, you can associate each scoping project with a folder and only monitor the resources within that folder. You can then configure Cloud Monitoring dashboards to use the scoping projects as data sources and only display metrics from the projects within one folder.

According to SRE Workbook, one of potential SLI is as below:

* Type of service: Request-driven

* Type of SLI: Availability

* Description: The proportion of requests that resulted in a successful response.

https://sre.google/workbook/implementing-slos/

The best option for deploying a new release of your microservice on Cloud Run and testing it extensively in the staging and production environments with minimal user and developer impact is to deploy the new version of the service to the staging environment with a new-release tag without serving traffic, test the new-release version, and if the test passes, gradually roll out this tagged version. A tag is a label that you can assign to a revision of your service on Cloud Run. You can use tags to create different versions of your service without affecting traffic. You can also use tags to gradually roll out traffic to a new version of your service by using traffic splitting. This way, you can test your new release extensively in both environments and minimize user and developer impact.

https://cloud.google.com/error-reporting/docs/formatting-error-messages

https://cloud.google.com/error-reporting/docs/reference/libraries#client-libraries-install-python

no need to install error reporting library on App Engine Flex.

The best option for configuring all current and future Compute Engine instances to collect system logs and ensure that the Ops Agent remains up to date is to use the gcloud CLI to create an Agent Policy. An Agent Policy is a resource that defines how Ops Agents are installed and configured on VM instances that match certain criteria, such as labels or zones. Ops Agents are software agents that collect metrics and logs from VM instances and send them to Cloud Operations products, such as Cloud Monitoring and Cloud Logging. By creating an Agent Policy, you can ensure that all current and future VM instances that match the policy criteria will have the Ops Agent installed and updated automatically. This way, you can collect system logs from all VM instances and use them to generate dashboards in Cloud Operations.

The best option for storing all logs for one year and minimizing required code changes is to create a logs bucket and logging sink, set the retention on the logs bucket to 365 days, configure the logging sink to send logs to the bucket, and give your client access to the bucket to retrieve the logs. A logs bucket is a Cloud Storage bucket that is used to store logs from Cloud Logging. A logging sink is a resource that defines where log entries are sent, such as a logs bucket, BigQuery dataset, or Pub/Sub topic. You can create a logs bucket and logging sink in Cloud Logging and set the retention on the logs bucket to 365 days. This way, you can ensure that all logs are stored for one year and protected from deletion. You can also configure the logging sink to send logs from Cloud Run and Cloud Functions to the logs bucket without any code changes. You can then give your client access to the logs bucket by using IAM policies or signed URLs.

 The best option for ensuring that third parties are able to upload their data securely and minimizing costs while ensuring that the data is processed as quickly as possible is to provide a Cloud Storage bucket so that third parties can upload batches of data, and provide appropriate Identity and Access Management (IAM) access to the bucket; create a Cloud Function with a google.storage.object.finalize Cloud Storage trigger; write code so that the function can scale up a Compute Engine autoscaling managed instance group; use an image pre-loaded with the data processing software that terminates the instances when processing completes. A Cloud Storage bucket is a resource that allows you to store and access data in Google Cloud. You can provide a Cloud Storage bucket so that third parties can upload batches of data securely and conveniently. You can also provide appropriate IAM access to the bucket by using roles and policies to control who can read or write data to the bucket. A Cloud Function is a serverless function that executes code in response to an event, such as a change in a Cloud Storage bucket. A google.storage.object.finalize trigger is a type of trigger that fires when a new object is created or an existing object is overwritten in a Cloud Storage bucket. You can create a Cloud Function with a google.storage.object.finalize trigger so that the function runs whenever a new batch of data is uploaded to the bucket. You can write code so that the function can scale up a Compute Engine autoscaling managed instance group, which is a group of VM instances that automatically adjusts its size based on load or custom metrics. You can use an image pre-loaded with the data processing software that terminates the instances when processing completes, which means that the instances only run when there is data to process and stop when they are done. This way, you can minimize costs while ensuring that the data is processed as quickly as possible.

The first thing you should do to prepare your ecommerce application for the upcoming peak traffic season is to load test the application to profile its performance for scaling. Load testing is a process of simulating high traffic or user demand on your application and measuring how it responds.Load testing can help you identify any bottlenecks, errors, or performance issues that might affect your application during the busy season1.Load testing can also help you determine the optimal scaling strategy for your application, such as horizontal scaling (adding more instances) or vertical scaling (adding more resources to each instance)2.

There are different tools and methods for load testing your ecommerce application on Google Cloud, depending on the type and complexity of your application.For example, you can use Cloud Load Balancing to distribute traffic across multiple instances of your application, and use Cloud Monitoring to measure the latency, throughput, and error rate of your application3.You can also use Cloud Functions or Cloud Run to create serverless load generators that can simulate user requests and send them to your application4. Alternatively, you can use third-party tools such as Apache JMeter or Locust to create and run load tests on your application.

By load testing your ecommerce application before the peak traffic season, you can ensure that your application is ready to handle the expected load and provide a good user experience. You can also use the results of your load tests to plan and implement other steps to prepare your application for the busy season, such as migrating to a more scalable platform, creating a Terraform configuration for deploying to additional regions, or pre-provisioning additional compute power.

The most effective ways to measure application reliability from a user perspective without making any engineering changes are to create new synthetic clients to simulate a user journey using the application, and to use current and historic Request Logs to trace customer interaction with the application. These methods can help you monitor the availability, latency, and errors of your application from an end-user perspective .