You are the lead developer for a company that provides a financial risk calculation API. The API is built on Cloud Run and has a gRPC interface. You frequently develop optimizations to the risk calculators. You want to enable these optimizations for select customers who registered to try out the optimizations prior to rolling out the optimiz...

Correct rollout strategy: C) Use a feature flag for registered customers Key requirements from the scenario Selective enablement: Only specific registered customers should see the optimization. Same API endpoint: It’s a gRPC Cloud Run service; customers connect to the same endpoint. Pre-release testing: Optimizations are experimental and not ready for all users. No traffic-based segmentation: Selection is based on who the customer is, not how much traffic. These requirements strongly favor customer-aware routing, not infrastructure-level traffic splitting. --- Why Option C is the best choice C) Feature flag for registered customers (Selected) Why it fits best Feature flags allow per-customer or per-request logic, which is exactly what’s needed. The optimization can be enabled based on: Customer ID gRPC metadata Auth claims Both optimized and stable logic can coexist in the same Cloud Run revision, avoiding duplication. No need to manage multiple services or revisions for a small subset of users. Easy to: Roll back instantly Gradually expand access Collect metrics per customer group Key factors Customer-based targeting (not traffic-based) Lowest operational complexity Best fit for gRPC APIs Safe experimentation and fast rollback Typical use cases Early access programs Beta features Customer-specific pricing or risk models A/B testing by i...

Author: Olivia Johnson · Last updated Dec 8, 2025

Your team is developing a new application that is packaged as a container and stored in Artifact Registry. You are responsible for configuring the CI/CD pipelines that use Cloud Build. Containers may be pushed manually as a local development effort or in an emergency. Every time a new container is pushed to Artifact Registry, you need to trigger anoth...

Correct choice: A Reasoning Key requirement Every time a new container image is pushed to Artifact Registry, a vulnerability scan Cloud Build pipeline must run Images may be pushed outside CI/CD (manual local push, emergency fix) Use least amount of effort and native GCP capabilities --- Option A (Selected) Configure Artifact Registry to publish a message to a Pub/Sub topic when a new image is pushed. Configure the vulnerability scan pipeline to be triggered by the Pub/Sub message. Why this is correct Artifact Registry → Pub/Sub notifications natively support image push events Cloud Build can be triggered directly by Pub/Sub (no intermediate services) Covers all scenarios: CI/CD pipeline pushes Manual `docker push` Emergency hotfix pushes Event-driven (real-time, no polling) Minimal components → lowest operational overhead Key factors Decoupled architecture Automatically reacts to any image push Uses managed services only Least configuration and maintenance When this option is ideal When all changes to Artifact Registry must trigger downstream automation When you want guaranteed coverage regardless of how the image was p...

Author: Isabella1 · Last updated Dec 8, 2025

You are designing an application that shares PDF files containing time-sensitive information with users. The PDF files are saved in Cloud Storage. You need to provide secure access to the files. You have the following requirements: * Users should only have access to files that they are allowed to view. * Users should be able to request to read,...

Correct approach: use Cloud Storage signed URLs Your requirements point very clearly to object-level, time-bound access without requiring Google identities. Let’s evaluate each option against the key factors. --- Key requirements and decision factors 1. Users may not have Google accounts Rules out solutions that rely on IAM identities or Google authentication. 2. Time-limited access (24 hours) Access must automatically expire without manual cleanup. 3. Fine-grained permissions Users may need read, write, or delete, depending on what they request. 4. Secure access to specific objects Users must only access the PDFs they’re authorized for, not the whole bucket. --- Option analysis A) Signed URLs with 24-hour expiration ✅ (Correct) Why this works Signed URLs provide temporary, cryptographically signed access to specific Cloud Storage objects. They do not require a Google account—any user with the URL can access the object. You can generate URLs with specific HTTP methods: `GET` → read `PUT` → write `DELETE` → delete URLs automatically expire after 24 hours, meeting the time-sensitive requirement. Access is object-level, not bucket-wide, enforcing least privilege. When this scenario is ideal External or anonymous users Temporary access Fine-grained control per file and per operation Secure file sharing from Cloud Storage --- B) Service Account...

Author: ShadowWolf101 · Last updated Dec 8, 2025

You have developed a Python application that you want to containerize and deploy to Cloud Run. You have developed a Cloud Build pipeline with the following steps: After triggering the pipeline, you notice in the Cloud Build logs that the final step of the pipeline fails ...

Cause of the failure The failure occurs because the container image is not available in Artifact Registry at the time Cloud Run tries to deploy it. Cloud Run can only deploy images that already exist in a container registry it can access (Artifact Registry or Container Registry). If the pipeline only builds the image but never pushes it, the final `gcloud run deploy` step will fail with an error like image not found or permission denied. --- Correct Option and Reasoning ✅ Option B — Correct “The Docker container image has not been pushed to Artifact Registry. Add a step to the pipeline to push the application container image to Artifact Registry, and rerun the pipeline.” Key factors: Cloud Build pipelines typically include: 1. Build the container image 2. Push the image to Artifact Registry 3. Deploy the image to Cloud Run Cloud Run does not build images; it only pulls them. If the image is not pushed, Cloud Run cannot find it, causing the deployment step to fail. When this scenario applies: The pipeline has a `docker build` step but no `docker push` Logs show image-not-found or registry-related errors Common mistake when first setting up Cloud Build + Cloud Run --- Why the Other Options Are Rejected ❌ Option A — Incorrect “The final step uses a Cloud Run instance name that does not match the container nam...

Author: Ethan Smith · Last updated Dec 8, 2025

You are a developer of a new customer-facing help desk chat service that is built on Cloud Run. Your customers use the chat option on your website to get support. The application saves each transcript as a text file with a unique identifier in a Cloud Storage bucket. After the conversation is done and before the chat window is closed, the customer receives a link to the chat transcript. You want to provide access ...

Correct approach: Use a signed URL that expires after 2 hours This requirement is a classic temporary, unauthenticated, read-only access to a single Cloud Storage object. Google explicitly recommends signed URLs for this use case. --- Selected Option: D) Create a signed URL for each text file that expires after 2 hours Why this is the best choice (key factors) 1. Principle of least privilege Access is limited to one specific object, not the entire bucket. The permission is read-only and time-bound. 2. Automatic expiration Access is enforced by Cloud Storage itself. No cleanup jobs, cron tasks, or lifecycle policies are required to revoke access. 3. No public exposure Objects remain private. No `allUsers` or public IAM bindings are used. 4. Google-recommended practice Google Cloud documentation explicitly recommends signed URLs for: Temporary access External users Download links Customer-facing applications 5. Simple and scalable Works well for high-volume chat systems. No per-user IAM management. Easy to generate programmatically from Cloud Run using a service account. --- Why the other options are rejected ❌ Option A > Set the ACL permission on the Cloud Storage bucket. Set the permission of each text file to allUsers with READER access. Delete each text file after 2 hours. Why rejected: Makes each transcript publicly accessib...

Author: RadiantPhoenixX · Last updated Dec 8, 2025

You are responsible for managing the security of internal applications in your company. The applications are deployed on Cloud Run, and use Secret Manager to store passwords needed to access internal databases. Each application can cache secrets for up to 15 minu...

Correct approach: Secret rotation with zero downtime on Cloud Run (GCP) You’re running Cloud Run services that read database passwords from Secret Manager, and each service caches secrets for up to 15 minutes. Your goal is to rotate secrets without application downtime. Let’s evaluate the options using key GCP factors: Secret Manager versioning, Cloud Run instance behavior, caching, and deployment impact. --- Key factors to consider 1. Secret Manager supports versioning You can add a new version of a secret without deleting the old one. Existing applications can continue using the old value until they refresh. 2. Cloud Run instances are long-lived Instances are not restarted on demand. You cannot rely on “startup-time only” secret retrieval for timely rotation. 3. Secrets are cached for 15 minutes This creates a natural overlap window during rotation. Both old and new credentials must work briefly. 4. Avoid redeployments Redeploying Cloud Run services introduces risk and operational overhead. Secret rotation should be independent of application releases. --- Option analysis ❌ A) Store the new username and password in the secret Why rejected Changing the username is unnecessary for most password rotations. Database user changes are higher risk and may require additional DB-side changes. Violates the principle of minimal change. When this could be used If the database requires credential pair rotation (username + password),...

Author: Liam123 · Last updated Dec 8, 2025

You are developing a new ecommerce application that uses Cloud Functions. You want to expose your application's APIs to public users while maintaining a high level of security. You need to ensure that only authorized users can access your APIs and that all API traffic is encry...

The best option is D: Deploy your Cloud Functions behind a Cloud API Gateway proxy. Below is a detailed explanation using security, scalability, encryption, and authorization as key factors, and why the other options are less suitable. --- ✅ Selected Option: D) Deploy your Cloud Functions behind a Cloud API Gateway proxy Why this is the best choice Cloud API Gateway is purpose-built for securely exposing APIs on GCP and integrates natively with Cloud Functions. Key factors: 1. Strong Security & Authorization API Gateway supports API keys, IAM-based auth, and JWT/OAuth. Ensures only authorized users can access APIs. Centralized policy enforcement (rate limits, quotas). 2. Encryption All traffic is protected using HTTPS/TLS by default. No additional configuration needed to secure data in transit. 3. Scalability Fully serverless and auto-scaling, just like Cloud Functions. Handles sudden traffic spikes without manual intervention. 4. Operational Simplicity Lightweight compared to Apigee. Designed for Cloud Functions and Cloud Run. No infrastructure management overhead. 5. Best-fit Use Case Public-facing APIs Serverless architectures Mobile, web, and third-party consumers 📌 When to use this option: Use Cloud...

Author: BlazingPhoenix22 · Last updated Dec 8, 2025

You are developing a short-term image hosting service where end users around the world can upload images that are up to 20MB, and the images will be automatically deleted after 10 days. You need to determin...

Goal recap Store user-uploaded images (≤20 MB each) Global access Automatically delete after 10 days Minimize cost Platform: Google Cloud (GCP) --- Key factors for the decision 1. Object size & type – binary image files up to 20 MB 2. Access pattern – simple upload/download, not complex queries 3. Data lifetime – fixed TTL (10 days) 4. Operational simplicity – minimal custom cleanup logic 5. Cost efficiency – storage + operations 6. Scalability & global availability --- Option A: Cloud Storage with lifecycle policy ✅ (Selected) Why this is the best choice Designed for large binary objects like images Lowest cost among the options for file storage Native lifecycle management automatically deletes objects after 10 days No custom code or scheduled jobs required Highly scalable and globally available Supports resumable uploads and CDN integration if needed later Key strengths Pay only for storage used and network egress Lifecycle rules are enforced by GCP itself (reliable, zero maintenance) Simple architecture and minimal operational overhead Typical use cases Image/video hosting Temporary file uploads Backups, logs, static assets with TTL --- Option B: Spanner ❌ Why rejec...

Author: Chloe · Last updated Dec 8, 2025

Your application named ecom-web-app is deployed in three GKE clusters: ecom-web-app-dev, ecom-web-app-qa, and ecom-web-app-prod. You need to ensure that only trusted container images are deployed to the ecom-web-app-prod GKE clus...

Let's carefully analyze your scenario and each option. Scenario key points: You have three GKE clusters: `dev`, `qa`, and `prod`. The goal is only trusted container images can be deployed to production (`ecom-web-app-prod`). Follow Google-recommended practices. This is a GCP-specific solution, so we can leverage GCP services like Binary Authorization, Artifact Registry, Cloud Build, Cloud Functions. --- Option A: Set up Binary Authorization, and define cluster-specific rules in clusterAdmissionRules nodes in the policy YAML file. Analysis: Binary Authorization (BinAuthz) is Google Cloud’s recommended solution for enforcing trusted images in production. `clusterAdmissionRules` allows you to define rules per cluster. This means you can enforce strict verification for `ecom-web-app-prod` and allow more relaxed rules for `dev` and `qa`. This fits exactly with the requirement of enforcing trusted images only in prod while leaving dev/qa flexible. Fully aligns with Google best practices for secure supply chain and production enforcement. ✅ Pros: Recommended, cluster-specific enforcement, supports production-only restrictions. --- Option B: Set up Binary Authorization, and exempt any container images that are not deployed to the ecom-web-app-prod GKE cluster. Analysis: This wording suggests creating exemptions for non-prod clusters. While technically possible, it is less precise than using `clusterAdmissionRules`, because the correct approach is to define per-cluster rules rather than "exempting" images globally. Could cause misconfiguration if exemptions are misapplied. This is not the recommended way according to Google documentation. ❌ ...

Author: Ahmed · Last updated Dec 8, 2025

You are responsible for improving the security of your Cloud Run services to protect these services against supply chain threats. You need to ensure that there are adequate security controls such as SLSA Level 3 builds for container imag...

Let’s analyze the scenario carefully and reason through each option. The key requirements are: Requirements: 1. Protect Cloud Run services against supply chain threats. 2. Ensure SLSA Level 3 builds for container images. 3. Ensure non-falsifiable provenance for container images. 4. Use Google Cloud tools. --- Option A: Ask developers to build container images locally and ensure strict version controls by using Container Registry. Analysis: Building images locally cannot provide SLSA Level 3 guarantees because the build environment is not controlled or verifiable. Non-falsifiable provenance is not possible with local builds; an attacker could modify the build process or metadata. Container Registry alone only stores images; it does not enforce provenance or secure builds. Verdict: ❌ Rejected – Does not meet SLSA Level 3 or non-falsifiable provenance requirements. --- Option B: Use Cloud Build to build container images. Configure a Binary Authorization policy on the Cloud Run job. Analysis: Cloud Build is Google’s managed CI/CD tool and supports SLSA Level 3 builds, generating attestations and provenance for container images. Binary Authorization allows you to enforce policies such as requiring signed images or trusted build provenance before deployment to Cloud Run. This combination directly addresses supply chain security, ensures SLSA compliance, and enforces non-falsifiable image verification before running workloads. ...

Author: Olivia · Last updated Dec 8, 2025

There are three teams developing an ecommerce application in the same Google Cloud project. Team A will build a set of RESTful APIs that exposes some core functionalities for the application. Team B and Team C will make requests to those APIs in their downstream processes running on Cloud Run services. You need to propose a solution f...

Let’s carefully analyze this scenario step by step. The goal is: Expose APIs securely Minimize management overhead Teams are in the same Google Cloud project Teams B and C call APIs from Cloud Run services We are asked to choose the best design among the given options. --- Option A: Service accounts with manual key management What it proposes: Team A uses service accounts to authorize Cloud API Gateway. Team B and Team C create service accounts, export the keys, store them in Secret Manager. They use the keys to get OAuth tokens to access the APIs. Pros: Strong authentication using service accounts. Cons / Key Issues: Manual key management is error-prone. Exporting keys and storing them in Secret Manager is less secure because keys can be leaked. Overhead is high: teams need to manage key rotation and token generation themselves. When it’s used: Only if you cannot attach service accounts directly to services, which is not the case here. Verdict: ❌ Not ideal because of unnecessary key management overhead. --- Option B: Apigee hybrid with API key What it proposes: Team A uses Apigee hybrid to create an API key. Team B and Team C store it in Secret Manager and use it to access the APIs. Pros: Centralized API management and monitoring with Apigee. Cons / Key Issues: API keys are less secure than service accounts, they are easier to leak. Adds complexity because Apigee hybrid is an extra product; not necessary if all teams are in the same project and GCP-native options exist. When it’s used: Best if you need enterprise API management features (analytics, rate-limiting, monetization). Verdict: ❌ Overkill for internal APIs within the same project. --- Option C: Cloud API Gateway with API key ...

Author: Ravi Patel · Last updated Dec 8, 2025

Your application team is developing an ecommerce application. Your team has developed a new functionality that has a dependency on a third-party service. This third-party service will be deployed in a few days. However, you have been unable to ensure the reliability of this service. You need to choose a deployment stra...

Let's carefully analyze the scenario and the options. Key factors in reasoning: Scenario Key Points: 1. The ecommerce app has a new functionality dependent on a third-party service. 2. The third-party service is not yet deployed and its reliability is uncertain. 3. We need a deployment strategy that: Avoids disruption to existing users Can be rolled back quickly if issues are discovered --- Option A: A/B Deployment How it works: Two versions run in parallel, with a portion of users routed to each. Mainly used for testing user experience, UI changes, or conversion rates. Pros: Allows comparison between old and new functionality. Cons: A/B testing is not designed for risk mitigation against unreliable services, because all users in the new variant will still hit the potentially unreliable third-party service. Verdict: Not ideal here since it cannot avoid service disruption for the users in the test group. --- Option B: Blue/Green Deployment How it works: Deploy a new version (green) alongside the existing version (blue). Users are switched to green at once or in phases. Rollback is fast by switching back to blue. Pros: Minimizes downtime; rollback is instant. Cons: If the new functionality depends on a third-party service that may fail immediately, switching all users at once risks disrupting the entire user base. Verdict: Safer than...

Author: Ella · Last updated Dec 8, 2025

You work for an organization that manages an ecommerce site. Your application is deployed behind an external Application Load Balancer. You need to test a new product recommendation algorithm. You plan to use A/B testing to de...

Here’s a careful analysis of your scenario in GCP for A/B testing a new product recommendation algorithm. Let’s go option by option, using the key factors in reasoning: randomized user exposure, real user impact, and measuring effect on sales. --- Scenario: You have an ecommerce application behind an external Application Load Balancer (ALB). Goal: Test a new recommendation algorithm using A/B testing. Requirements: Randomized user exposure, measurable impact on real users, minimal risk. --- Option A: Split traffic between versions using weights ✅ How it works: You deploy two versions of your application (current and new recommendation algorithm) and configure the load balancer or GCP’s traffic management to send a percentage of traffic to each version. Why it fits: Allows true A/B testing with randomized user traffic. You can control exposure, e.g., 90% old vs 10% new, then adjust as confidence grows. Can measure real impact on metrics like sales or click-through rate. When to use: Best for testing changes that affect real users in production and need quantitative metrics. --- Option B: Enable the new recommendation feature flag on a single instance ❌ How it works: You turn on the new feature only for one instance of your app. Why it’s rejected: The traffic is not randomized, only users routed to that instance see the feature. Could create skewed results due to instance-specific traff...

Author: StarryEagle42 · Last updated Dec 8, 2025

You maintain a CI/CD pipeline for an application running on GKE. You use Cloud Build to create container images and push the images to Artifact Registry. When you build the image, you use the latest tag in your pipeline. You recently had to roll back a deployment 24 hours after rollout. The rollback process was difficult because th...

Let's break this down carefully. You are facing rollback difficulties because the `latest` tag is overwritten. Key factors to consider: 1. Problem: Using `latest` is risky in production because it always points to the most recent build. You lose traceability for past versions. 2. Requirement: Be able to rollback efficiently to a previous version. 3. Efficiency: Avoid unnecessary rebuilding or complicated management if possible. --- Option Analysis: A) Rebuild the Docker image for each environment, and tag it with the specific environment name. Pros: Each environment can have its own image. Cons: This does not solve the rollback issue because the image is still rebuilt each time; older versions may not be preserved. It also adds extra builds per environment, which is inefficient. Scenario where this is used: When you need environment-specific images with different configurations. B) Build a separate Docker image for each new version of the application, and tag it with the version number. Pros: Every image is uniquely identified by its version. You can rollback to any previous version easily. No overwriting occurs. Cons: Slightly more tagging effort, but minor. Scenario where this is used: When you want immutable builds and re...

Author: NightmareDragon2025 · Last updated Dec 8, 2025

You are designing a microservices application on GKE that will expose a public API to users. Users will interact with the application by using OAuth 2.0, and illegitimate requests should receive a 403 response code. You need the API to be resilient against distributed denial of service (DDoS) attacks and critical security risks such as SQL injection (SQ...

Let's carefully analyze the requirements and the options. Requirements from the scenario: 1. Public API on GKE → must expose application externally. 2. OAuth 2.0 authentication → illegitimate requests must get 403. 3. Resilient against DDoS → i.e., mitigate large-scale attacks. 4. Protect against critical security risks → SQL injection, XSS, etc. 5. Follow Google-recommended practices → use managed services when possible. --- Option A: Service Mesh (Istio) with OIDC and VPC firewall rules Pros: Istio supports mTLS and can integrate with OIDC for authentication. Can enforce policies at the service level. Cons: Istio alone does not protect against DDoS or application-level attacks (SQLi/XSS) effectively. Relying on VPC firewall rules only filters at network level, not at application layer. Verdict: Rejected because it doesn’t address DDoS protection or application-layer security. --- Option B: Apache HTTP on Cloud Run as reverse proxy to GKE Pros: Can filter traffic before forwarding to GKE. Cons: Requires manually configuring Apache for authentication, request validation. Cloud Run is serverless, but using it as a reverse proxy adds operational overhead. Does not provide managed DDoS or application-layer security. Verdict: Rejected because it’s a DIY approach and doesn’t leverage Google-recommended managed services for security or DDoS protection. --- Option C: External Application Load Balancer (ALB) + Cloud Armor + reCAPTCHA Enterprise → forward to GKE Pros: Cloud Armor provides DDoS mitigation and WAF (Web Application Firewall) rules to block SQLi/XSS attacks. reCAPTCHA Enterprise helps filter bots and automated requests. ALB exposes the service externally. GKE remains the backend; can integrate OAuth 2.0 in application. Fully managed and recommended by Google for internet-facing APIs. Cons: Slightly more complex than Service Mesh fo...

Author: Andrew · Last updated Dec 8, 2025

You are a developer at a regulated financial company and are the lead of a risk calculation application that is running on Cloud Run. Binary Authorization for Cloud Run has been enabled as an organization policy, and there is one attestor. All applications in the company are attested. Each application's image is deployed as part of a CI/CD pipeline during a 1-hour change window at 11 PM local time. There is a new security issue that req...

Let’s carefully analyze this scenario and reason through the options. Key factors: Environment: Cloud Run with Binary Authorization (BinAuthz) enabled at the organization level. Attestation: There is one attestor, and all apps are attested. Deployment window: 1-hour change window at 11 PM. Problem: A critical security fix must be deployed before the next change window. Approval: Manager has approved the image via email. Binary Authorization enforces that only signed and attested images can be deployed. Therefore, any deployment without proper attestation will fail. --- Option Analysis: A) Add the image to the exempt image patterns in the Binary Authorization policy. Exempt image patterns allow certain images to bypass BinAuthz checks. Pros: Deployment could succeed immediately. Cons: Changing organization policies (especially exempt patterns) requires administrative rights and can take time. This also bypasses the security control, which may be against compliance rules, especially in a regulated company. Scenario for use: Only when temporary bypass is approved at the policy level and immediate deployment is needed. Not ideal in highly regulated environments. B) Sign the image with your private key and ask the project admin to change the public key in the attestor. Binary Authorization requires images to be attested using attestors’ public keys. Simply signing with y...

Author: Elizabeth · Last updated Dec 8, 2025

You developed a Python script that retrieves information from files that are uploaded to Cloud Storage and writes the information to Bigtable. You have completed testing on your local environment and created the python-script service account with the Bigtable User IAM role. You wan...

Let's carefully evaluate the scenario and each option. Key points in the scenario: 1. Python script reads files from Cloud Storage and writes to Bigtable. 2. You already have a service account with Bigtable User IAM role. 3. You want to deploy the code with proper authentication following Google-recommended practices. 4. Best practices in GCP generally avoid service account keys for deployed services; instead, use IAM-based authentication (Workload Identity, Cloud Function service accounts, Cloud Run service accounts). --- Option A Steps: 1. Deploy code to Cloud Functions with a Cloud Storage trigger. 2. Configure IAM binding for authentication. ✅ Analysis: Cloud Functions can directly use the attached service account. IAM roles are used instead of service account keys, which aligns with best practices. Cloud Storage trigger ensures the function runs whenever a file is uploaded. Fully compliant with recommended authentication and minimal manual key handling. ✅ This is a correct approach. --- Option B Steps: 1. Deploy code to Cloud Functions with Cloud Storage trigger. 2. Create a service account key for authentication. ❌ Why not: Using a service account key is not recommended in GCP for deployed workloads. Keys must be ...

Author: Isabella · Last updated Dec 8, 2025

You work for an ecommerce company. You are developing a new application with the following requirements: * The application must have access to the most up-to-date data at all times. * Due to company policy, data older than 30 days must be automatically deleted. You need to determine which service ...

Correct choice: D) Configure Bigtable to host the database. Create a garbage collection policy in Bigtable that deletes data older than 30 days. --- Reasoning using key factors 1. Requirement: Most up-to-date data at all times Cloud Bigtable provides strong consistency at the row level, meaning reads always return the latest written data. This meets the requirement for serving current ecommerce data such as product availability, inventory counters, or user activity. 2. Requirement: Automatically delete data older than 30 days Bigtable garbage collection (GC) policies are designed exactly for this purpose. You can configure a time-based GC rule (e.g., delete cells older than 30 days). This is automatic, efficient, and native, requiring no external jobs or services. 3. Efficiency (most important factor) Bigtable GC runs inside the storage layer, making it: Low operational overhead Highly scalable Cost-efficient (old data is physically removed) This is more efficient than running scheduled deletion jobs or external services. --- Why this option is selected Option D fits all requirements directly and efficiently: Strong consistency for up-to-date data Native automatic ...

Author: Liam · Last updated Dec 8, 2025

Your application in production has recently been experiencing reliability issues, and you are unsure how the application will behave in the event of an unexpected failu...

Let’s carefully analyze each option based on your goal: assessing the application’s resilience in GCP, particularly under unexpected failures. --- Option A: Write end-to-end tests to determine how different microservices interact. Validate that all tests pass. Pros: Ensures that microservices work correctly together under normal conditions. Cons: End-to-end tests primarily validate correctness, not resilience. They generally run in controlled environments and won’t simulate unexpected failures like instance crashes, network issues, or zone failures in production. Scenario for use: Good for verifying functional integration, not for assessing how the system recovers from failures. Conclusion: Not ideal for resilience testing. --- Option B: Perform chaos engineering by intentionally introducing failures into the system. Observe how the application behaves, and ensure that it is able to recover from a failure. Pros: Directly tests resilience. Chaos engineering deliberately introduces failures (e.g., VM shutdowns, network latency, service crashes) to see if the system can handle them and recover. This is exactly what is needed to assess production reliability. Cons: Must be done carefully to avoid real outages, ideally starting in a staging environment or using controlled chaos tools. Scenario for use: Perfect for evaluating how your system behaves under unexpected conditions, such as a GCP Compute Engine VM failure or GKE pod crash. Conclusion: ✅ This is the most suitable option for assessing resilience. --- Option C: Test individual units of code for a...

Author: Emma Brown · Last updated Dec 8, 2025

Your team is responsible for developing multiple microservices. These microservices are deployed in Cloud Run and connected to a Cloud SQL instance. You typically conduct tests in a local environment prior to deploying new features. However, the external IP was recently removed from your Cloud SQL instance, and you are unable to perform the tests....

Let’s analyze this step by step. The key requirements and constraints are: You want to connect to Cloud SQL from your local environment for testing. The Cloud SQL instance no longer has an external IP. You want to follow Google-recommended practices. You need access to up-to-date data. Now let’s review each option carefully: --- A) Export the data from the database to a Cloud Storage bucket. Create a database on your computer and import the data. Pros: You could work locally without connecting directly to Cloud SQL. Cons: This only gives you a snapshot of the data. Any changes in the database after export will not be reflected. It’s a manual process and doesn’t allow testing against the live/most updated database. Scenario where it can be used: When you just need a copy of data for offline testing or development, and don’t need live database access. ✅ Not suitable here because the requirement is to test with the most updated data. --- B) Create a Cloud VPN tunnel from your computer to your Google Cloud project, and connect to the Cloud SQL instance. Pros: Could allow private network access to Cloud SQL. Cons: Requires setting up VPN, which is complex and unnecessary for local development. Google recommends using Cloud SQL Auth Proxy rather than VPN for secure connections from local machines. Scenario where it can be used: When you need to connect multiple resources in an on-premises network to GCP VPC securely. ✅ Not recommended for this use case due to complexity and non-standard ...

Author: Ahmed97 · Last updated Dec 8, 2025

You have an application running on Cloud Run that receives a large volume of traffic. You need to deploy a new version of the application. You want your deployment process to minimize the r...

Let’s carefully evaluate each option based on Google Cloud recommended deployment practices for Cloud Run, especially for minimizing downtime and risk: --- Option A: > Use Cloud Run emulator to test changes locally before deploying the new version of the application to the production Cloud Run service. Reasoning: Testing locally is a good practice for development and catching early bugs. However, it does not minimize downtime for production or allow safe incremental rollout. This option is insufficient for handling high-volume traffic in production because local testing cannot replicate real-world load or production environment issues. ✅ When it can be used: Pre-deployment local testing in development stages. ❌ Rejected for production deployment because it doesn’t reduce risk for live users. --- Option B: > Use Cloud Build to create a pipeline, and configure a test stage before the deployment stage. When all tests pass, deploy the application to Cloud Run, and direct 100% of users to this new version of the application. Roll back if any issues are detected. Reasoning: A CI/CD pipeline with automated testing is highly recommended. However, sending 100% of traffic to the new version immediately is risky. If an unexpected issue occurs in production, all users are impacted. This is called a "big bang" deployment, which Google recommends avoiding for high-volume or critical services. ✅ When it can be used: Small or low-risk services where immediate full rollout is acceptable. ❌ Rejected for minimizing downtime and risk in high-traffic production environments. --- Option C: > Use Cloud Load Balancing to route a percent...

Author: Mia · Last updated Dec 8, 2025

You are a developer at an ecommerce company. You are tasked with developing a globally consistent shopping cart for logged-in users across both mobile and desktop clients. You need to configure how the ite...

Let’s carefully evaluate the options for storing shopping cart data in a globally consistent way on GCP. The key requirements are: Global consistency: Users should see the same cart on both mobile and desktop. User-specific storage: Each logged-in user’s cart should be uniquely identifiable. Scalability and reliability: Must handle potentially millions of users. Security: Sensitive information like passwords should never be used as keys. --- Option A: Memorystore for Redis, using user IP as key Pros: Redis is fast, low-latency, good for caching session-like data. Cons: Using IP addresses as keys is unreliable, because users can switch networks, use mobile data, or be behind NATs—same user might get different carts. Redis is typically regional, so global consistency across regions would require complex replication. Scenario where useful: Short-lived session data or ephemeral caches where exact global consistency isn’t critical. Verdict: ❌ Not suitable due to IP-based key and weak global consistency. --- Option B: Firestore, using user ID as the document key Pros: Firestore is fully managed, globally replicated, and ensures strong consistency for single-document reads/writes. Using user ID as the key is secure and directly tied to the logged-in account. Supports both mobile and web clients seamlessly. Scales automatically for millions of users. Cons:...

Author: Grace · Last updated Dec 8, 2025

You are deploying a containerized application to GKE. You have set up a build pipeline by using Cloud Build that builds a Java application and pushes the application container image to Artifact Registry. Your build pipeline executes multiple sequential steps that reference Docker container images with the same layers. You n...

Let’s analyze this step by step, focusing on key factors: your scenario is Cloud Build building Docker images, multiple sequential steps share common layers, and the issue is that builds are slow. --- Option A: Add the `--squash` parameter to the Docker build steps `--squash` combines all new image layers into a single layer. Effect: This reduces image size but breaks layer caching. Docker cache works layer by layer, and Cloud Build can reuse layers from previous builds. If you squash, every build may need to rebuild everything because there’s no reusable layer anymore. Conclusion: Not suitable here because the problem is slow builds due to repeated layer rebuilding, and squashing would make caching less effective, not faster. Scenario where this is useful: Minimizing final image size for production, not improving build speed. --- Option B: Configure Cloud Build to use a private pool in your VPC Private pools allow builds to run in your VPC network on dedicated compute. Effect: This improves network isolation and sometimes performance for network-heavy builds. Problem in your case: The build slowness is not about network latency; it’s about Docker layer rebuilds. Conclusion: This won’t address repeated layer rebuilds. Scenario where this is useful: When you need builds to access private resources in your VPC, not for Docker caching optimizat...

Author: MysticJaguar44 · Last updated Dec 8, 2025

You are developing a dashboard that aggregates temperature readings from thousands of IoT devices monitoring a city's ambient temperature. You expect a large amount of viewing traffic resulting in a large amount of data egress once the dashboard is live. The dashboard temperature display data doesn't need to be real-time and can tolerate a few seconds of lag. You decide to deploy Memor...

Let’s carefully analyze the scenario and the options: Scenario Key Factors: 1. High availability needed – The dashboard should remain operational even if a Redis node fails. 2. High read traffic expected – Many users will view the dashboard, causing a lot of data egress. 3. Real-time updates not critical – A few seconds of lag are acceptable. 4. GCP Memorystore for Redis as storage backend. --- Option Analysis: A) Update Memorystore for Redis to the latest version Reasoning: Updating ensures you have the latest features and security patches, but it does not inherently provide high availability or scalability. Use case: Good for maintenance and security, but irrelevant for high availability or read scaling. Reject. B) Configure Memorystore to use read replicas Reasoning: Read replicas allow horizontal scaling of read traffic and also improve availability. Since your dashboard tolerates a few seconds of lag, replicas can serve stale data without problems. This directly addresses high read traffic and high availability needs. Use case: Excellent for dashboards with many viewer...

Author: Isabella · Last updated Dec 8, 2025

You are deploying new workloads on a GKE Autopilot mode cluster. You need to ensure that the Pods are scheduled on nodes that use Arm architecture CPUs. The cluster currently has no Arm-based CPUs. You want to minimize cluster op...

Let's carefully analyze the problem and the options: Scenario: You are using GKE Autopilot. You need Pods to run on Arm-based CPU nodes. The cluster currently has no Arm nodes. You want to minimize cluster operations. --- Option A: Apply Pod tolerations to request GKE to avoid scheduling Pods on nodes that do not have Arm-based CPUs. Analysis: Pod tolerations allow a Pod to be scheduled on nodes with matching taints. Problem: Currently, the cluster has no Arm-based nodes. You cannot schedule Pods on non-existent nodes, and in Autopilot mode, you cannot manually create or manage node taints. Verdict: ❌ Not feasible in Autopilot without Arm nodes. --- Option B: Apply node taints on node pools to tell GKE to only schedule your workloads on Arm-based CPU nodes. Analysis: Node taints are applied on nodes to control scheduling. In Autopilot, users cannot manage nodes or node pools directly, as Autopilot abstracts node management. Without Arm nodes, taints won’t help. Verdict: ❌ Not applicable in Autopilot mode. Taints work in GKE Standard mode with user-managed node pools. --- Option C: Deploy a new cluster in GKE Standard mode, and set up a node pool with Arm-based CPU nodes. Use nodeSelector in your manifest to ensure that Pods are scheduled in this node pool. Analysis: Standard mode allows you to create node pools with specific CPU architectures, including Arm (e.g., Tau T2A instances). You can use nodeSelector or node affi...

Author: FlamePhoenix2025 · Last updated Dec 8, 2025

You are developing a new Python 3 API that needs to be deployed to Cloud Run. Your Cloud Run service sits behind an Apigee proxy. You need to ensure that the Cloud Run service is running with the already deployed...

Let's analyze the options carefully using key factors: speed, ability to test behind the already deployed Apigee proxy, and practicality in GCP Cloud Run deployment. --- Option A: “Store the service code as a zip file in a Cloud Storage bucket. Deploy your application by using the gcloud run deploy --source command, and test the integration by pointing Apigee to Cloud Run.” ✅ This approach works for deploying code without building a container manually. ❌ Downside: Uploading to Cloud Storage first adds extra steps (slower), and you still have to deploy to Cloud Run to test with Apigee. ⚠️ Key point: It’s not the fastest way for testing during active development. Scenario use: Useful when your source code is large or needs centralized storage, but not ideal for rapid testing. --- Option B: “Use the Cloud Run emulator to test your application locally. Test the integration by pointing Apigee to your local Cloud Run emulator.” ✅ Fastest for local testing of your code without deployment. ❌ Critical problem: Apigee cannot reach a local emulator directly because it’s not publicly accessible. ⚠️ Key point: Cloud Run emulator is only suitable for local development, not for testing integration behind Apigee. Scenario use: Great for unit tests or pre-deployment debugging. --- Option C: “Build a container image locally, and push the image to Artifact Registry. Deploy the Image to Cloud Run, and test the integration by pointing Apigee to Cloud Run.” ✅ Full control over the container, can test exact environment as in production. ✅ Wo...

Author: Max · Last updated Dec 8, 2025

Your company is planning a global event. You need to configure an event registration portal for the event. You have decided to deploy the registration service by using Cloud Run. Your company's marketing team does not want to advertise the Cloud Run service URL. They want the registration portal to be accessed by using a personalized hostname or path i...

Let’s analyze this step by step. The goal is: Deploy a Cloud Run service for event registration. Marketing wants users to access it via a custom domain (e.g., `register.example.com`) rather than the default Cloud Run URL. Follow Google-recommended practices. --- Option A: Configure Cloud Armor to block traffic on the Cloud Run service URL and allow reroutes from only the custom domain URL pattern Reasoning: Cloud Armor is a security service for filtering traffic at the edge (like DDoS protection or IP-based rules). It does not handle custom domain mapping or routing from a domain to a Cloud Run service. Conclusion: This does not solve the custom domain access requirement. Cloud Armor is useful for security policies, not for exposing Cloud Run under a custom domain. --- Option B: Set up an HAProxy on Compute Engine, and add routing rules for a custom domain to the Cloud Run service URL Reasoning: Technically, this could work: the HAProxy would receive traffic on your custom domain and proxy it to Cloud Run. Issues: Adds unnecessary infrastructure (you’d have to manage a VM for routing). Not Google-recommended; Cloud Run can natively integrate with custom domains via Cloud Load Balancing and managed certificates. Introduces maintenance overhead, scaling issues, and single points of failure. Conclusion: Works but not recommended by Google for Cloud Run services. Only reasonable if you have very specific routing needs that cannot be handled by Google-managed services. --- Option C: Add a global external A...

Author: Harper · Last updated Dec 8, 2025

You are building a Workflow to process complex data analytics for your application. You plan to use the Workflow to execute a Cloud Run job whi...

Let's carefully analyze this step by step. The goal is: build a Workflow to process complex data analytics and execute a Cloud Run job while following Google-recommended practices. Key factors to consider: Google best practices, reliability, simplicity, native integration, and maintainability. --- Option A: Create a Pub/Sub topic, and subscribe the Cloud Run job to the topic How it works: Cloud Run can be triggered by Pub/Sub messages. You would publish a message to the topic from your Workflow. Pros: Reliable, decoupled, asynchronous processing. Cons: Adds extra complexity. Workflows cannot directly include Pub/Sub as a first-class step (you would need an extra publish step). Not the most direct integration. Use case: Best if you need event-driven, decoupled, asynchronous processing or fan-out processing for multiple consumers. Verdict: Not ideal for simply executing a job directly from a Workflow. --- Option B: Configure an Eventarc trigger to invoke the Cloud Run job, and include the trigger in a step of the Workflow How it works: Eventarc can route events to Cloud Run. You could have the Workflow generate an event that triggers the Cloud Run job. Pros: Event-driven, scalable. Cons: Overkill for directly running a Cloud Run job. Eventarc is meant for event-based architectures, not for direct job execution in a Workflow. Adds unnecessary complexity. Use case: Best for reacting to system events like GCS file creation, audit logs, or Pub/Sub messages. Verdict: Not recommended for direct job execution from a Workflow. --- Opti...

Author: Ethan · Last updated Dec 8, 2025

You are developing an application that needs to connect to a Cloud SQL for PostgreSQL database by using the Cloud SQL Auth Proxy. The Cloud SQL Auth Proxy is hosted in a different Google Cloud VPC network. The Cloud SQL for PostgreSQL instance has public and private IP addresses. You are required to use the private IP for security reasons. When testing the connection to the...

Let’s break this down carefully. The situation is: You have a Cloud SQL for PostgreSQL instance with both public and private IPs. You must use the private IP for security. The Cloud SQL Auth Proxy is running in a different VPC network. You can connect via the public IP, but not via the private IP. We need to determine why the private IP connection fails and which solution addresses it. --- Option A: Run the Cloud SQL Auth Proxy as a background service Running it as a background service does not affect network connectivity. This option is unrelated to the private IP issue. Whether the proxy is running in the foreground or background, it still needs network access to the private IP. ✅ Rejected: does not solve connectivity across VPCs. --- Option B: Add the `--private-ip` option when starting the Cloud SQL Auth Proxy The `--private-ip` flag tells the Auth Proxy to connect via the instance's private IP instead of the public IP. However, even if you add this flag, the Auth Proxy must be able to route traffic to the private IP. In this scenario, the proxy is in a different VPC, so it cannot reach the private IP unless the VPCs are connected. ✅ Rejected: correct flag, but connectivity across VPCs is missing. --- Option C...

Author: Daniel · Last updated Dec 8, 2025

You are developing a custom job scheduler that must have a persistent cache containing entries of all Compute Engine VMs that are in a running state (not deleted, stopped, or suspended). The job scheduler checks this cache and only sends jobs to the available Compute Engine ...

Let’s analyze this carefully. The goal is: Maintain a persistent cache of running Compute Engine VMs. Ensure the cache is up-to-date (not stale). Respond to VM state changes like creation, deletion, stop, or suspend. We are given four options. Let’s go through each one, highlighting key factors. --- Option A: Cloud Storage log sink + Eventarc This suggests capturing audit logs into a Cloud Storage bucket, then triggering Eventarc when the bucket is updated. Problem: Cloud Storage is not real-time for this use case. There’s latency between logs being written and Eventarc trigger firing. Also, logs are batched in storage, which could delay cache updates. Scenario for Cloud Storage sink: Good for historical analysis or batch processing, not for near real-time updates. ❌ Not ideal for keeping a cache of live VM state. --- Option B: Cloud Asset Inventory real-time feed + Eventarc Cloud Asset Inventory (CAI) can provide real-time feeds of changes to GCP assets, including `compute.googleapis.com/Instance`. Key points: Feeds can deliver insert, update, delete events for instances. Can be directly integrated with Eventarc to notify the application. Provides near real-time updates, ensuring the cache reflects running VMs almost instantly. ✅ Perfect fit for maintaining a live cache of runn...

Author: Lucas Carter · Last updated Dec 8, 2025

You have a GKE cluster that has three TPU nodes. You are running an ML training job on the cluster, and you observe log entries in Cloud Logging similar to the one below. To identify the root cause of a performance issue, yo...

Author: Evelyn · Last updated Dec 8, 2025

You have a Cloud Run service that connects to a Cloud SQL Enterprise edition database instance using the default Cloud SQL connection. You need to enable mo...

Let's carefully analyze the scenario and each option. Key points in your question: Cloud Run service Cloud SQL Enterprise edition Using default Cloud SQL connection (not the Auth Proxy) Need more than 100 connections per Cloud Run instance --- Step 1: Understand the limitation By default, Cloud Run connections to Cloud SQL using the built-in connector share a connection pool. Cloud SQL itself enforces max_connections, which varies by edition and machine type. The built-in connector (default connection) limits the number of concurrent connections per instance, and you cannot exceed 100 connections per Cloud Run instance with it. To scale beyond that, you need either a connection pooler or the Auth Proxy to manage more connections efficiently. --- Step 2: Analyze each option A) Increase the queries per minute quota limit of the Cloud SQL Admin API Reasoning: This affects how many API calls you can make to manage Cloud SQL instances (e.g., creating, deleting, or modifying instances), not the number of database connections. Rejected: This is irrelevant for increasing connections from Cloud Run. --- B) Increase the max_connections flag in Cloud SQL for PostgreSQL Reasoning: This sets the maximum number of database connections Cloud SQL allows. While it sounds related, the built-in Cloud Run ...

Author: Maya · Last updated Dec 8, 2025

You are developing a new mobile game that will be deployed on GKE and Cloud Run as a set of microservices. Currently, there are no projections for the game's user volume. You need to store the following data types: * Data type 1: leaderboard data * Data type 2: player profiles, chats, and news feed * Data type 3: player clickstream data for BI You need to identify a data storage solution...

Correct choice: A) • Data type 1: Memorystore • Data type 2: Firestore • Data type 3: BigQuery --- Key requirements to keep in mind Unknown / unpredictable user volume → must auto-scale Mobile game backend → low latency, simple APIs Cost-effective & easy to use Offline caching on user devices → critical for mobile Different access patterns per data type --- Data type–by–data type analysis 🔹 Data type 1: Leaderboard data Selected service: Memorystore Why this fits Leaderboards require: Very low latency Fast reads/writes Sorted sets and counters Memorystore (Redis) is ideal for: In-memory performance Real-time ranking Frequently updated data Why not Firestore / SQL Firestore is persistent but slower for frequent rank updates SQL-based systems are inefficient for real-time leaderboard operations Typical use cases Game leaderboards Session state Real-time counters --- 🔹 Data type 2: Player profiles, chats, news feed Selected service: Firestore Why this fits Serverless & auto-scaling (perfect for unknown user volume) Mobile SDKs with offline caching Real-time listeners (great for chats and feeds) Flexible schema (player profiles evolve over time) Offline support (key requirement) Firestore automatically: Caches data on device Syncs when connectivity returns Why not Spanner or Cloud SQL Spanner: Expensive Overkill unless you need relational + global transactions Cloud SQL: Manual scaling No offline mobile SDK support Typical use cas...

Author: Samuel · Last updated Dec 8, 2025

Your team developed a web-based game that has many simultaneous players. Recently, users have started to complain that the leaderboard tallies the top scores too slowly. You investigated the issue and discovered that the application stack is currently using Cloud SQL for PostgreSQL. Y...

Let’s carefully analyze each option for improving leaderboard performance in a GCP environment with many simultaneous users. The key factors here are high read performance, real-time updates, and many simultaneous requests. --- Option A: Re-implement the leaderboard data to be stored in Memorystore for Redis Pros: Redis is an in-memory database, optimized for extremely fast reads and writes. Perfect for high-frequency leaderboard updates and retrieving top scores quickly. Can easily handle thousands of simultaneous requests with low latency. Cons: You would need to maintain consistency between PostgreSQL (Cloud SQL) and Redis if persistence is required. Scenario suitability: When you need real-time, high-performance leaderboard queries and can accept eventual consistency or have a strategy to sync with the main database. ✅ This is very well-suited for the problem described. --- Option B: Optimize the SQL queries to minimize slow-running queries Pros: Query optimization can reduce latency without changing architecture. Cons: For very high concurrency (many simultaneous users), even optimized queries in a traditional RDBMS like Cloud SQL may not scale enough for a real-time leaderboard. Indexing and query tuning can help, but for top-N leaderboard queries with constant updates, the bottleneck is often read/write throughput, not just query efficiency. Scenario suitability: When the database can handle the load but individual queries are inefficient. Helpful, but insufficient alone for real-time leaderboards. ❌ Not the best for high-frequency, large-scale leaderboard updates. --- O...

Author: Sara · Last updated Dec 8, 2025

You are a developer at a large corporation. You manage three GKE clusters. Your team's developers need to switch from one cluster to another regularly on the same workstation. You want to configure individual access to th...

Let’s carefully analyze the options based on Google Cloud’s recommended practices, security, and usability for developers managing multiple GKE clusters. Key factors include secure authentication, ease of switching clusters, and avoiding manual error-prone configurations. --- Option A: Use Cloud Shell and `gcloud container clusters get-credentials` Pros: Cloud Shell comes pre-installed with `gcloud` and `kubectl`. Developers can authenticate via their Google identity (IAM). Automatically manages kubeconfig updates when switching clusters. Cons: Developers are restricted to Cloud Shell, which might not be ideal for local development tools or IDEs. Not flexible for local workstations if offline or needing local IDE integration. Verdict: Works, but limited for real workstation use. Better for quick access or demos, not day-to-day local development. --- Option B: Install gcloud CLI and run `gcloud container clusters get-credentials` on local workstation Pros: Recommended by Google: `get-credentials` automatically configures per-user, per-cluster kubeconfigs. IAM-based authentication is used, so no static kubeconfig secrets need to be shared. Switching between clusters is simple: just rerun `get-credentials` with a new cluster. Supports multiple clusters with separate contexts for easy switching (`kubectl config use-context`). Cons: Developers need to install `gcloud` CLI locally (but this is standard pract...

Author: Mia · Last updated Dec 8, 2025

You are tasked with using C++ to build and deploy a microservice for an application hosted on Google Cloud. The code needs to be containerized and use several custom software libraries that your team has built. You want to minimize...

Let’s carefully analyze this step by step based on the key factors in your scenario: Key factors from the scenario: 1. C++ microservice — likely compiled binaries and custom libraries. 2. Containerization required — microservice must run in a container. 3. Custom software libraries — dependencies need to be included in the container. 4. Minimize infrastructure maintenance — ideally, we don’t want to manage nodes or OS updates manually. 5. Deployment on GCP — options include Cloud Run, GKE, Compute Engine, Cloud Functions. --- Option A: Use Cloud Run functions to deploy the microservice Why it doesn’t work well: Cloud Run Functions (i.e., serverless functions) are mainly designed for lightweight event-driven workloads, often interpreted languages like Python, Node.js, or Go. Deploying a full C++ microservice with custom compiled libraries would be complex because serverless functions expect quick start-up times and don’t support arbitrary container setups out of the box. Not ideal for compiled languages with heavy custom libraries. ✅ Scenario where it works: Small, lightweight event-driven functions, mostly using supported runtime environments. --- Option B: Use Cloud Build to create the container, and deploy it on Cloud Run Why it works: Cloud Build can containerize your C++ microservice, including all your custom libraries. Cloud Run can run any container (fully containerized workloads) with minimal maintenance — no servers or cluster management required. Cloud Run scales automatically, manages underlying infrastructure, and supports C++ services compiled into ...

Author: IceDragon2023 · Last updated Dec 8, 2025

You are a developer that works for a local concert venue. Customers use your company's website to purchase tickets for events. You need to provide customers with immediate confirmation when a ...

Got it! Let’s carefully analyze this scenario step by step. Scenario requirements: Immediate confirmation to customers when a seat is reserved. The system is for a GCP-based website for a concert venue. Key factors: low latency, real-time processing, consistency (no double booking of seats), and scalability. --- Option A: Upload the seat reservation to a Cloud Storage bucket How it works: The file upload triggers an event that notifies a backend service to process the seat reservation. Pros: Event-driven, can decouple frontend and backend. Cons: Cloud Storage events are not real-time enough for immediate seat confirmation. There’s latency because you have to wait for the event to trigger and be processed. Also, Cloud Storage is better for storing large objects, not transactional seat reservations. Conclusion: Rejected because it is not suitable for low-latency, transactional operations that need immediate confirmation. --- Option B: Submit the seat reservation via HTTP POST to an Application Load Balancer How it works: The user’s request goes through an HTTP load balancer, which routes it directly to a backend service that processes the reservation. Pros: Immediate processing: Backend receives the request instantly. Can return confirmation immediately once the seat is reserved. Simple and direct, suitable for transactional operations. Cons: Scaling may require careful backend design if many u...

Author: MoonlitPantherX · Last updated Dec 8, 2025

You recently deployed an API to process hotel room requests. You need to enforce a quota on incoming API requests that allows no more than 1000 API search requests by each customer for every successful booking by that customer. You want the quota to reset every 24 hours. Y...

Let's carefully analyze this GCP scenario. The goal is to enforce a quota of no more than 1000 API search requests per successful booking for each customer, resetting every 24 hours, prioritizing API speed over exact enforcement. We’ll go option by option. --- A) Configure an Apigee Quota policy with Synchronous set to false How it works: Apigee Quota policies let you set limits on API usage. Setting Synchronous=false means quota enforcement is asynchronous: the API call is processed immediately, and quota tracking happens in the background. Pros: Very fast (asynchronous) → aligns with speed over exact quota enforcement. Built-in support for per-customer quota policies. Can reset quota based on time intervals (24 hours) or events (booking). Cons: Asynchronous means quota enforcement is approximate. Some requests might exceed the limit slightly, which is acceptable here. ✅ Best fit for speed-priority scenarios with approximate enforcement. --- B) Store a query counter in a Firestore document How it works: Each customer’s search count is stored in Firestore. Reset counter on booking or every 24 hours. Deny requests if over 1000. Pros: Flexible, exact enforcement possible. Easy to track per-customer quotas. Cons: Firestore writes/reads are slower than in-memory or Apigee async quotas. High API traffic may create bottlenecks → slower API responses. ⚠ Not ideal when prioritizing speed over exact quota enforcement. --- C) Store a query co...

Author: Leah Davis · Last updated Dec 8, 2025

Your team is trying to reduce their cloud spend, and you want to evaluate your GKE Autopilot cluster costs. When reviewing the manifests, you see that resource requests are currently not specified. Your application is stateless and fault-tolerant, and there are no specific hardware or memory requirements on nodes. You want to modify the cl...

Let's carefully go through each option and reason which is the best choice given your scenario. Key factors: Cluster type: GKE Autopilot Current state: Resource requests are not specified App characteristics: Stateless, fault-tolerant, no strict hardware/memory requirements Goal: Scalable, cost-effective, sufficient resources --- Option A: Request that your Pods run as Spot Pods, and use the `cloud.google.com/gke-spot=true` label in your YAML manifest Pros: Spot Pods are much cheaper than standard VMs. Good for stateless, fault-tolerant workloads because they can handle preemption. Cons: Spot Pods can be evicted anytime, so they are not suitable for critical workloads. Scenario fit: Perfect for stateless, resilient workloads where cost reduction is important. This aligns exactly with your scenario. ✅ --- Option B: Request the Balanced compute class in your YAML manifest Pros: Balanced compute is a feature in Autopilot that gives a mix of CPU and memory allocation. Cons: In GKE Autopilot, you cannot specify the compute class in the pod manifest; Autopilot manages nodes automatically based on your pod resource requests. Also, since requests are not set, Autopilot defaults may overprovision. Scenario fit: Not applicable because Autopilot does not support specifying the compute class via YAML for individual pods. ❌ --- Optio...

Author: Olivia · Last updated Dec 8, 2025

You are building an application that will store frequently accessed data in a Memorystore for Redis Cluster instance. You would like to make the application resilient to network issues. You need to ensure that the application handles client disconnections from...

Let’s carefully analyze your scenario. You are building a GCP application using Memorystore for Redis Cluster, and the goal is to make the application resilient to network issues. This means handling Redis client disconnections gracefully to minimize disruption and maintain application stability. We’ll evaluate each option using key factors: resilience, disruption minimization, best practices for Redis clients, and GCP Memorystore capabilities. --- Option A: Immediately terminate the application instance upon detecting a Redis disconnection Analysis: Terminating the app forces a restart, but this is very disruptive. During the downtime, users cannot access the app. This does not handle transient network issues gracefully, which are common in cloud environments. Conclusion: Not suitable. Best for scenarios where a crash guarantees a clean state, but not for resiliency against brief Redis outages. --- Option B: Configure the Redis client to reconnect after a fixed delay of 60 seconds Analysis: Using a fixed 60-second delay is simple but problematic: It may be too long, leaving the app unavailable unnecessarily. It may be too short during extended network instability, causing repeated retries and potential overload. Conclusion: Not ideal. Fixed reconnect intervals are rarely optimal for cloud applications that can experience variable network issues. --- Option C: Use Memorystore’s automatic failover mechanisms Analysis: Memorystore ...

Author: ElectricLionX · Last updated Dec 8, 2025

You have an application running in Cloud Run that validates bucket names based on your organization's compliance rule. You want the Cloud Run application to receive a notification as quickly as possible each time a new Cloud Storage bucket is created, and send an alert to the project owner if the bucket ...

Let's analyze the scenario carefully, step by step, using key factors and Google-recommended practices for GCP: Scenario Requirements: 1. Cloud Run app should validate bucket names as soon as possible when a new bucket is created. 2. Send an alert if the bucket name is non-compliant. 3. Follow Google-recommended practices. --- Option A: Create a log-based metric with an alerting policy that sends a notification using the webhook to the Cloud Run endpoint. Pros: Uses log-based metrics and alerting policy. Cons / Issues: Log-based alerts rely on audit logs, which are near real-time but not immediate; there can be a delay of a few minutes. Sending notifications directly to Cloud Run via webhook is not recommended because Cloud Run endpoints might scale down to zero, causing request failures. When it’s used: Suitable for monitoring patterns over time (like error rates), not for immediate event-driven triggers. Verdict: ❌ Not ideal because the requirement is “as quickly as possible” for event-driven notification. --- Option B: Configure an Eventarc trigger using the `storage.buckets.create` filter that sends a notification to the Cloud Run endpoint. Pros: Eventarc is designed for event-driven architectures in GCP. Can directly trigger Cloud Run when a bucket creation event occurs. Minimal latency → satisfies “as quickly as possible” requirement. Follows GCP recommended pattern: Eventarc → Cloud Run. Cons: None significant for this use case. When it’s used: When you need near real-time, serverless, event-driven execution for Cloud Run based on Cloud Storage events. Verdict: ✅ Correc...

Author: Deepak · Last updated Dec 8, 2025

You are customizing a VM instance for development and need to choose either SSD or Standard Persistent Disks for your VM. Your team's cloud architect is not currently available for you to consult. You need to quickly de...

Best action: Review the Google Cloud documentation on Persistent Disks (Option C). Why this is the right choice You need a quick, accurate, and authoritative comparison to make a technical decision on GCP infrastructure. Google Cloud documentation is: Official and up to date (performance numbers, limits, pricing models) Directly comparable (SSD vs Standard Persistent Disk specs) Fast to scan with tables and use-case guidance Designed for exactly this decision Key factors to consider (SSD vs Standard Persistent Disk) SSD Persistent Disk (pd-ssd) Advantages Very high IOPS and low latency Best for performance-sensitive workloads Consistent performance even under load Disadvantages More expensive per GB Overkill for simple or low-IO workloads Best used when Development environments that mimic production performance Databases (MySQL, PostgreSQL) CI/CD pipelines Latency-sensitive apps, APIs, microservices --- Standard Persistent Disk (pd-standard) Advantages ...

Author: Zara1234 · Last updated Dec 8, 2025

You need to restrict access to your Google Cloud load-balanced application so that only specific IP ...

To restrict access to a Google Cloud load-balanced application to specific IP addresses, it's important to select the correct approach based on how Google Cloud manages access controls, firewalls, and networking. Let's break down each option: A) Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges. - Why it’s rejected: VPC Service Controls and Access Context Manager are primarily used to define a perimeter around sensitive Google Cloud resources. This is not a typical solution for controlling IP access to a load-balanced service. It’s designed for managing access to services and resources like APIs or data rather than controlling direct network access to an application behind a load balancer. It's more about controlling how data is accessed within a broader security perimeter, but it does not directly manage IP filtering at the load balancer level. B) Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges. - Why it’s rejected: Similar to Option A, this uses VPC Service Controls. While VPC Service Controls can help secure sensitive data, it's not typically the right solution for controlling IP access directly to a load-balanced application. Again, this is not the most effective way to restrict access at the network level to specific IP ranges. C) Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges. - Why it’s rejected: This option leverages network tags, which is a common way to manage network access for backend instances in Google Clo...

Author: Chloe · Last updated Apr 6, 2026

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost an...

To design a network topology that minimizes cost and increases network efficiency while allowing communication between workloads located in us-east1 and europe-west1, let's evaluate the options in terms of both cost and network performance: Option A: Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions. - Why it’s rejected: While this option allows connectivity between two regions, using VPN gateways to establish inter-region communication introduces extra complexity and cost. VPN gateways are typically used for secure, encrypted communication over public networks and can incur additional costs, especially when handling inter-region traffic. This option is also less efficient as it does not take advantage of Google's private network infrastructure for inter-region communication. Option B: Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions. - Why it’s rejected: Using external IP addresses for communication between regions would send traffic over the public internet, which is not efficient for workloads that need to communicate across regions within the same cloud provider. This introduces potential latency and security concerns due to the reliance on the public internet, making it more costly and less optimal compared to private connections. Option C: Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions. - Why it’s rejected: This option uses a global load balancer, which is designed to distribute traffic between different regions but is mainly for web traffic and applications that require high availability across global regions. While this is great for web applications, it does no...

Author: Joseph · Last updated Apr 6, 2026

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative d...

To design a topology for three separate departments while ensuring network isolation between one department and connectivity between the other two, we need to choose an approach that minimizes operational overhead while also maintaining separate network administrative domains. Let's evaluate the options: Option A: Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments. - Why this is selected: In a Shared VPC setup, you create a central "host" VPC in a project that acts as the administrative domain, while each department's project (a service project) can access shared network resources (such as subnets in the host VPC). The host project is where the VPC is managed, and access to resources is granted by network policies, providing isolation between departments. With a Shared VPC, you can create separate subnets for each department and control communication between those subnets using firewall rules. This setup minimizes operational overhead since network management and connectivity are centralized, and you avoid the complexity of managing multiple independent VPCs. - Network Isolation: Departments can have separate subnets and manage their firewall rules for isolation. - Connectivity: Departments that require connectivity can share subnets or be allowed to communicate via firewall rules. - Minimized Overhead: Centralized network management reduces operational complexity compared to using multiple VPCs with VPNs or peering. Option B: Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs. - Why it’s rejected: Using Cloud VPN to connect separate VPCs introduces additional complexity and cost due to the VPN configuration. VPNs also add overhead in terms of management and maintenance, which can be avoided by using Shared VPCs. Additionally, VPNs are not as efficient or scalable as other solutions like VPC peering or Shared VPC for internal communication. This would increase operational overhead without offering a significant benefit over Shared VPC. Option C: Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs. - Why it’s ...

Author: Sofia · Last updated Apr 6, 2026

You are migrating to Cloud DNS and want to import your BIND zone file. Which command should you use...

To migrate to Cloud DNS and import a BIND zone file, you need to use the correct `gcloud` command that fits the format and requirements for importing zone records. Let's review each option: Option A: `gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE` - Why it’s rejected: This command imports a BIND zone file but doesn’t specify the format or any flags to control how the import is handled (e.g., whether the records should replace existing ones). While it does specify the `--zone` and the zone file (`ZONE_FILE`), it lacks additional parameters like `--zone-file-format` that are necessary to handle the BIND zone format properly. Without the `--zone-file-format` flag, Cloud DNS won’t automatically recognize the input file as a BIND zone file and could fail or produce errors. Option B: `gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE` - Why it’s rejected: This command adds the `--replace-origin-ns` flag, which replaces the origin NS records in the zone with those from the zone file. While this can be useful if you want to change the nameservers (NS records) from the zone file during the import, it's not necessary for a simple migration and would overwrite the existing NS records, potentially disrupting the DNS setup. This option adds extra complexity and risk if you do not need to replace the NS records. Option C: `gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE` - Why this is selected: This command is specifically designed to import a BIND zone file, and the `--zone-file-format` flag ensures that the input file ...

Author: Victoria · Last updated Apr 6, 2026

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Ret...

To create the Distribution VPC and peer it with the Retail VPC, the goal is to ensure proper network configuration, subnet design, and CIDR range management, especially considering the auto-mode VPC that was used for Retail. Let's evaluate the options: Option A: Create the Distribution VPC in auto mode. Peer both the VPCs via network peering. - Why it’s rejected: The Retail VPC is in auto mode, which automatically creates subnets in predefined ranges for each region. If you also create the Distribution VPC in auto mode, it will automatically create subnets in predefined ranges, and there’s a risk of IP range conflicts between the two VPCs. Peering VPCs with conflicting subnets is not allowed. Therefore, using auto mode for both VPCs is not ideal because it will limit flexibility and may lead to IP range conflicts. Option B: Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering. - Why it’s rejected: Using a CIDR range of 10.0.0.0/9 is too large, and it overlaps with the default CIDR range used by auto-mode VPCs. The Retail VPC in auto mode likely uses subnets within the 10.0.0.0/8 range, so using 10.0.0.0/9 would conflict with the Retail VPC's subnets, making this range unsuitable for the Distribution VPC. Option C: Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering. - Why this is selected: This option uses a custom mode VPC, allowing you to define your own subnet ranges and avoid conflicts. The CIDR r...

Author: Isabella · Last updated Apr 6, 2026

You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub...

To solve this issue of allowing VPC instances without public IP addresses to access BigQuery and Cloud Pub/Sub APIs without sending the traffic through the third-party firewall, let’s analyze each option: A) Turn on Private Google Access at the subnet level. - Explanation: Enabling Private Google Access at the subnet level ensures that instances without public IP addresses in that subnet can reach Google APIs and services using private IP addresses, bypassing the public internet. This is the recommended way to provide VPC instances access to Google Cloud APIs like BigQuery and Cloud Pub/Sub without exposing them to the internet. - Why selected: This option directly allows the VPC instances to access Google services privately, ensuring that traffic doesn't route through the firewall. - Why other options are rejected: While this option is specific to subnet configuration, it’s the most direct and appropriate approach for instances without public IPs to access Google services. B) Turn on Private Google Access at the VPC level. - Explanation: Private Google Access is typically set at the subnet level, not at the VPC level. Google Cloud API traffic (e.g., BigQuery, Cloud Pub/Sub) does not need to be enabled at the VPC level; it's the subnet configuration that controls access. - Why rejected: This option is not valid because Google Cloud does not offer Private Google Access at the VPC level. It's a subnet-level setting. C) Turn on Private Services Access at the VPC level. - Explanation: Private Services Access is used for services like Cloud SQL or connecting to Google APIs with VPC peering (for exampl...

Author: SilverBear · Last updated Apr 6, 2026

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are...

Let's analyze each option to determine the best approach for SSH access: A) Open the Cloud Shell SSH into the instance using gcloud compute ssh. - Explanation: Cloud Shell provides an environment with pre-configured SSH access, and the `gcloud compute ssh` command allows SSH access even if the instance has no SSH keys or project-wide SSH keys configured, as long as Cloud Shell can access the instance. Given that the metadata setting `enable-oslogin` is set to `FALSE`, the Cloud Shell environment will handle SSH access without relying on the instance's SSH keys or metadata settings. - Why selected: This option is effective because Cloud Shell uses its own access control for SSH into instances, bypassing the need for manually configuring SSH keys on the instance. This works even when `enable-oslogin` is set to `FALSE` and project-wide SSH keys are not configured. B) Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like Putty or SSH. - Explanation: Enabling `enable-oslogin` would allow SSH access via IAM roles and metadata. However, since the requirement specifies that `enable-oslogin` is set to `FALSE`, this option would require modifying the metadata, which contradicts the existing configuration. Additionally, modifying metadata is unnecessary if alternative methods like Cloud Shell are available. - Why rejected: This option would involve unnecessary changes to the metadata configuration, and the solution might not be necessary as Cloud Shell can already provide SSH access without changing `enable-oslogin`. ...

Author: Noah · Last updated Apr 6, 2026

You work for a university that is migrating to GCP. These are the cloud requirements: * On-premises connectivity with 10 Gbps * Lowest latency access to the cloud * Centralized Networking Administration Team New departments are asking for on-premises connectivity to their projects. You...

Let's evaluate each option based on the requirements for cost-efficiency, 10 Gbps connectivity, low latency, and centralized networking administration. A) Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project. - Explanation: This option uses a Shared VPC where the VLAN attachments and Interconnect are deployed in the host project, while other service projects use the VPC resources. This provides a centralized approach to networking, where a single VPC is used across multiple projects. - Why selected: Shared VPC is a good option here because it allows for centralized management of networking and interconnect resources. All the departments (service projects) would benefit from the same interconnect, and you would only need to manage one interconnect, which is cost-efficient and scalable. Additionally, this setup can support high bandwidth (e.g., 10 Gbps) and ensure low latency access to the cloud. - Why other options are rejected: This approach ensures centralized networking administration (per your requirement) and avoids the complexity of managing interconnects in multiple projects. B) Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project. - Explanation: In this setup, VLAN attachments are deployed in service projects, but they are connected to the Shared VPC in the host project. This is essentially similar to option A, but it introduces more complexity by requiring VLAN management in each service project. - Why rejected: Although this still uses a Shared VPC, having VLAN attachments in each service project adds unnecessary complexity in network management and does not provide any major advantag...

Author: IronLion88 · Last updated Apr 6, 2026