Google Professional-Cloud-Architect Dumps

Google Professional-Cloud-Architect Exam Dumps

Google Certified Professional - Cloud Architect (GCP)

Total Questions : 333
Update Date : May 28, 2026



Last Week Professional-Cloud-Architect Exam Results

212: Customers Passed Google Professional-Cloud-Architect Exam

95%: Average Score In Real Professional-Cloud-Architect Exam

97%: Questions came from our Professional-Cloud-Architect dumps.



Professional-Cloud-Architect Dumps – Pass Your Google Professional-Cloud-Architect Certification Exam with Confidence

At Certs4Future, we provide you with the highest-quality Professional-Cloud-Architect dumps to ensure you are fully prepared for the certification exam. Here’s why our exam materials stand out:

Authentic Exam Dumps: Our Professional-Cloud-Architect exam dumps contain real, exam-specific questions and answers that you are likely to face on your exam.

Guaranteed Success: We are so confident in the quality of our materials that we offer a 100% pass guarantee. If you don’t pass the Professional-Cloud-Architect exam, we’ll provide a refund or free updated dumps.

Up-to-Date Content: Our Professional-Cloud-Architect dumps are continuously updated to reflect the latest exam changes and trends.

Detailed Explanations: Every question comes with an explanation to help you understand the reasoning behind the correct answers.

How to Use Our Professional-Cloud-Architect Dumps

Download the Dumps: After purchasing, you will receive instant access to download the Professional-Cloud-Architect exam dumps. You can study from any device, anywhere, anytime.

Start Practicing: Go through the practice questions and simulate the real exam environment. Track your progress and focus on areas that need improvement.

Take the Exam: After thorough preparation, take your Professional-Cloud-Architect exam with confidence, knowing that you’ve used the best possible resources.

Pass and Succeed: With our authentic Professional-Cloud-Architect dumps, you are guaranteed to pass the exam and earn your certification. If not, take advantage of our refund or free updated dumps.

Start Your Professional-Cloud-Architect Exam Preparation Today!

Don’t leave your certification success to chance! Get the authentic Professional-Cloud-Architect exam dumps from Certs4Future and start preparing today. With our expert-curated resources and pass guarantee, you'll be ready for the Google Professional-Cloud-Architect exam in no time.

Google Professional-Cloud-Architect Sample Question Answers

Question # 1

For this question, refer to the EHR Healthcare case study. EHR has a single Dedicated Interconnect connection between their primary data center and Google's network. This connection satisfies EHR’s network and security policies:

• On-premises servers without public IP addresses need to connect to cloud resources without public IP addresses.
• Traffic flows from production network mgmt. servers to Compute Engine virtual machines should never traverse the public internet.

You need to upgrade the EHR connection to comply with their requirements. The new connection design must support business critical needs and meet the same network and security policy requirements. What should you do?

A. Add a new Dedicated Interconnect connection
B. Upgrade the bandwidth on the Dedicated Interconnect connection to 100 G
C. Add three new Cloud VPN connections
D. Add a new Carrier Peering connection



Question # 2

For this question, refer to the EHR Healthcare case study. You are responsible for designing the Google Cloud network architecture for Google Kubernetes Engine. You want to follow Google best practices. Considering the EHR Healthcare business and technical requirements, what should you do to reduce the attack surface?

A. Use a private cluster with a private endpoint with master authorized networks configured.
B. Use a public cluster with firewall rules and Virtual Private Cloud (VPC) routes.
C. Use a private cluster with a public endpoint with master authorized networks configured.
D. Use a public cluster with master authorized networks enabled and firewall rules.



Question # 3

For this question, refer to the EHR Healthcare case study. You need to define the technical architecture for securely deploying workloads to Google Cloud. You also need to ensure that only verified containers are deployed using Google Cloud services. What should you do? (Choose two.)

A. Enable Binary Authorization on GKE, and sign containers as part of a CI/CD pipeline.
B. Configure Jenkins to utilize Kritis to cryptographically sign a container as part of a CI/CD pipeline.
C. Configure Container Registry to only allow trusted service accounts to create and deploy containers from the registry.
D. Configure Container Registry to use vulnerability scanning to confirm that there are no vulnerabilities before deploying the workload.



Question # 4

For this question, refer to the EHR Healthcare case study. You are a developer on the EHR customer portal team. Your team recently migrated the customer portal application to Google Cloud. The load has increased on the application servers, and now the application is logging many timeout errors. You recently incorporated Pub/Sub into the application architecture, and the application is not logging any Pub/Sub publishing errors. You want to improve publishing latency. What should you do?

A. Increase the Pub/Sub Total Timeout retry value.
B. Move from a Pub/Sub subscriber pull model to a push model.
C. Turn off Pub/Sub message batching.
D. Create a backup Pub/Sub message queue.



Question # 5

For this question, refer to the EHR Healthcare case study. In the past, configuration errors put public IP addresses on backend servers that should not have been accessible from the Internet. You need to ensure that no one can put external IP addresses on backend Compute Engine instances and that external IP addresses can only be configured on frontend Compute Engine instances. What should you do?

A. Create an Organizational Policy with a constraint to allow external IP addresses only on the frontend Compute Engine instances.
B. Revoke the compute.networkAdmin role from all users in the project with front end instances.
C. Create an Identity and Access Management (IAM) policy that maps the IT staff to the compute.networkAdmin role for the organization.
D. Create a custom Identity and Access Management (IAM) role named GCE_FRONTEND with the compute.addresses.create permission.



Question # 6

For this question, refer to the EHR Healthcare case study. You are responsible for ensuring that EHR's use of Google Cloud will pass an upcoming privacy compliance audit. What should you do? (Choose two.)

A. Verify EHR's product usage against the list of compliant products on the Google Cloud compliance page.
B. Advise EHR to execute a Business Associate Agreement (BAA) with Google Cloud.
C. Use Firebase Authentication for EHR's user facing applications.
D. Implement Prometheus to detect and prevent security breaches on EHR's web-based applications.
E. Use GKE private clusters for all Kubernetes workloads.



Question # 7

You need to upgrade the EHR connection to comply with their requirements. The new connection design must support business-critical needs and meet the same network and security policy requirements. What should you do?

A. Add a new Dedicated Interconnect connection.
B. Upgrade the bandwidth on the Dedicated Interconnect connection to 100 G.
C. Add three new Cloud VPN connections.
D. Add a new Carrier Peering connection.



Question # 8

For this question, refer to the EHR Healthcare case study. You need to define the technical architecture for hybrid connectivity between EHR's on-premises systems and Google Cloud. You want to follow Google's recommended practices for production-level applications. Considering the EHR Healthcare business and technical requirements, what should you do?

A. Configure two Partner Interconnect connections in one metro (City), and make sure the Interconnect connections are placed in different metro zones.
B. Configure two VPN connections from on-premises to Google Cloud, and make sure the VPN devices on-premises are in separate racks.
C. Configure Direct Peering between EHR Healthcare and Google Cloud, and make sure you are peering at least two Google locations.
D. Configure two Dedicated Interconnect connections in one metro (City) and two connections in another metro, and make sure the Interconnect connections are placed in different metro zones.



Question # 9

For this question, refer to the Helicopter Racing League (HRL) case study. Your team is in charge of creating a payment card data vault for card numbers used to bill tens of thousands of viewers, merchandise consumers, and season ticket holders. You need to implement a custom card tokenization service that meets the following requirements:

• It must provide low latency at minimal cost.
• It must be able to identify duplicate credit cards and must not store plaintext card numbers.
• It should support annual key rotation.

Which storage approach should you adopt for your tokenization service?

A. Store the card data in Secret Manager after running a query to identify duplicates.
B. Encrypt the card data with a deterministic algorithm stored in Firestore using Datastore mode.
C. Encrypt the card data with a deterministic algorithm and shard it across multiple Memorystore instances.
D. Use column-level encryption to store the data in Cloud SQL.



Question # 10

For this question, refer to the Helicopter Racing League (HRL) case study. A recent finance audit of cloud infrastructure noted an exceptionally high number of Compute Engine instances are allocated to do video encoding and transcoding. You suspect that these Virtual Machines are zombie machines that were not deleted after their workloads completed. You need to quickly get a list of which VM instances are idle. What should you do?

A. Log into each Compute Engine instance and collect disk, CPU, memory, and network usage statistics for analysis.
B. Use the gcloud compute instances list to list the virtual machine instances that have the idle: true label set.
C. Use the gcloud recommender command to list the idle virtual machine instances.
D. From the Google Console, identify which Compute Engine instances in the managed instance groups are no longer responding to health check probes.



Question # 11

For this question, refer to the Helicopter Racing League (HRL) case study. Recently HRL started a new regional racing league in Cape Town, South Africa. In an effort to give customers in Cape Town a better user experience, HRL has partnered with the Content Delivery Network provider, Fastly. HRL needs to allow traffic coming from all of the Fastly IP address ranges into their Virtual Private Cloud network (VPC network). You are a member of the HRL security team and you need to configure the update that will allow only the Fastly IP address ranges through the External HTTP(S) load balancer. Which command should you use?

A. glouc compute firewall rules update hlr-policy \--priority 1000 \target tags-sourceiplist fastly \--allow tcp:443
B. gcloud compute security policies rules update 1000 \--security-policy hlr-policy \--expression "evaluatePreconfiguredExpr('sourceiplist-fastly')" \--action " allow"
C. gcloud compute firewall rules updatesourceiplist-fastly \priority 1000 \allow tcp: 443
D. gcloud compute priority-policies rules update1000 \security policy from fastly--src- ip-ranges"-- action " allow"



Question # 12

For this question, refer to the Helicopter Racing League (HRL) case study. HRL wants better prediction accuracy from their ML prediction models. They want you to use Google’s AI Platform so HRL can understand and interpret the predictions. What should you do?

A. Use Explainable AI.
B. Use Vision AI.
C. Use Google Cloud’s operations suite.
D. Use Jupyter Notebooks.



Question # 13

For this question, refer to the Helicopter Racing League (HRL) case study. HRL is looking for a cost-effective approach for storing their race data such as telemetry. They want to keep all historical records, train models using only the previous season's data, and plan for data growth in terms of volume and information collected. You need to propose a data solution. Considering HRL business requirements and the goals expressed by CEO S. Hawke, what should you do?

A. Use Firestore for its scalable and flexible document-based database. Use collections to aggregate race data by season and event.
B. Use Cloud Spanner for its scalability and ability to version schemas with zero downtime. Split race data using season as a primary key.
C. Use BigQuery for its scalability and ability to add columns to a schema. Partition race data based on season.
D. Use Cloud SQL for its ability to automatically manage storage increases and compatibility with MySQL. Use separate database instances for each season.



Question # 14

For this question, refer to the Helicopter Racing League (HRL) case study. The HRL development team releases a new version of their predictive capability application every Tuesday evening at 3 a.m. UTC to a repository. The security team at HRL has developed an in-house penetration test Cloud Function called Airwolf. The security team wants to run Airwolf against the predictive capability application as soon as it is released every Tuesday. You need to set up Airwolf to run at the recurring weekly cadence. What should you do?

A. Set up Cloud Tasks and a Cloud Storage bucket that triggers a Cloud Function.
B. Set up a Cloud Logging sink and a Cloud Storage bucket that triggers a Cloud Function.
C. Configure the deployment job to notify a Pub/Sub queue that triggers a Cloud Function.
D. Set up Identity and Access Management (IAM) and Confidential Computing to trigger a Cloud Function.



Question # 15

You are monitoring Google Kubernetes Engine (GKE) clusters in a Cloud Monitoring workspace. As a Site Reliability Engineer (SRE), you need to triage incidents quickly. What should you do?

A. Navigate the predefined dashboards in the Cloud Monitoring workspace, and then add metrics and create alert policies.
B. Navigate the predefined dashboards in the Cloud Monitoring workspace, create custom metrics, and install alerting software on a Compute Engine instance.
C. Write a shell script that gathers metrics from GKE nodes, publish these metrics to a Pub/Sub topic, export the data to BigQuery, and make a Data Studio dashboard.
D. Create a custom dashboard in the Cloud Monitoring workspace for each incident, and then add metrics and create alert policies.



Question # 16

You are designing a Data Warehouse on Google Cloud and want to store sensitive data in BigQuery. Your company requires you to generate encryption keys outside of Google Cloud. You need to implement a solution. What should you do?

A. Generate a new key in Cloud Key Management Service (Cloud KMS). Store all data in Cloud Storage using the customer-managed key option and select the created key. Set up a Dataflow pipeline to decrypt the data and to store it in a BigQuery dataset.
B. Generate a new key in Cloud Key Management Service (Cloud KMS). Create a dataset in BigQuery using the customer-managed key option and select the created key.
C. Import a key in Cloud KMS. Store all data in Cloud Storage using the customer-managed key option and select the created key. Set up a Dataflow pipeline to decrypt the data and to store it in a new BigQuery dataset.
D. Import a key in Cloud KMS. Create a dataset in BigQuery using the customer-supplied key option and select the created key.



Question # 17

Your team is developing a web application that will be deployed on Google Kubernetes Engine (GKE). Your CTO expects a successful launch and you need to ensure your application can handle the expected load of tens of thousands of users. You want to test the current deployment to ensure the latency of your application stays below a certain threshold. What should you do?

A. Use a load testing tool to simulate the expected number of concurrent users and total requests to your application, and inspect the results.
B. Enable autoscaling on the GKE cluster and enable horizontal pod autoscaling on your application deployments. Send curl requests to your application, and validate if the autoscaling works.
C. Replicate the application over multiple GKE clusters in every Google Cloud region. Configure a global HTTP(S) load balancer to expose the different clusters over a single global IP address.
D. Use Cloud Debugger in the development environment to understand the latency between the different microservices.



Question # 18

An application development team has come to you for advice. They are planning to write and deploy an HTTP(S) API using Go 1.12. The API will have a very unpredictable workload and must remain reliable during peaks in traffic. They want to minimize operational overhead for this application. What approach should you recommend?

A. Use a Managed Instance Group when deploying to Compute Engine
B. Develop an application with containers, and deploy to Google Kubernetes Engine (GKE)
C. Develop the application for App Engine standard environment
D. Develop the application for App Engine Flexible environment using a custom runtime



Question # 19

Your company has a Google Cloud project that uses BigQuery for data warehousing. There are some tables that contain personally identifiable information (PII). Only the compliance team may access the PII. The other information in the tables must be available to the data science team. You want to minimize cost and the time it takes to assign appropriate access to the tables. What should you do?

A. 1. From the dataset where you have the source data, create views of tables that you want to share, excluding PII. 2. Assign an appropriate project-level IAM role to the members of the data science team. 3. Assign access controls to the dataset that contains the view.
B. 1. From the dataset where you have the source data, create materialized views of tables that you want to share, excluding PII. 2. Assign an appropriate project-level IAM role to the members of the data science team. 3. Assign access controls to the dataset that contains the view.
C. 1. Create a dataset for the data science team. 2. Create views of tables that you want to share, excluding PII. 3. Assign an appropriate project-level IAM role to the members of the data science team. 4. Assign access controls to the dataset that contains the view. 5. Authorize the view to access the source dataset.
D. 1. Create a dataset for the data science team. 2. Create materialized views of tables that you want to share, excluding PII. 3. Assign an appropriate project-level IAM role to the members of the data science team. 4. Assign access controls to the dataset that contains the view. 5. Authorize the view to access the source dataset.



Question # 20

You want to allow your operations team to store logs from all the production projects in your Organization, without including logs from other projects. All of the production projects are contained in a folder. You want to ensure that all logs for existing and new production projects are captured automatically. What should you do?

A. Create an aggregated export on the Production folder. Set the log sink to be a Cloud Storage bucket in an operations project.
B. Create an aggregated export on the Organization resource. Set the log sink to be a Cloud Storage bucket in an operations project.
C. Create log exports in the production projects. Set the log sinks to be a Cloud Storage bucket in an operations project.
D. Create log exports in the production projects. Set the log sinks to be BigQuery datasets in the production projects and grant IAM access to the operations team to run queries on the datasets.



Question # 21

Your company has a support ticketing solution that uses App Engine Standard. The project that contains the App Engine application already has a Virtual Private Cloud (VPC) network fully connected to the company’s on-premises environment through a Cloud VPN tunnel. You want to enable App Engine application to communicate with a database that is running in the company’s on-premises environment. What should you do?

A. Configure private services access
B. Configure private Google access for on-premises hosts only
C. Configure serverless VPC access
D. Configure private Google access



Question # 22

Your company is using Google Cloud. You have two folders under the Organization: Finance and Shopping. The members of the development team are in a Google Group. The development team group has been assigned the Project Owner role on the Organization. You want to prevent the development team from creating resources in projects in the Finance folder. What should you do?

A. Assign the development team group the Project Viewer role on the Finance folder, and assign the development team group the Project Owner role on the Shopping folder.
B. Assign the development team group only the Project Viewer role on the Finance folder.
C. Assign the development team group the Project Owner role on the Shopping folder, and remove the development team group Project Owner role from the Organization.
D. Assign the development team group only the Project Owner role on the Shopping folder.



Question # 23

Your company uses the Firewall Insights feature in the Google Network Intelligence Center. You have several firewall rules applied to Compute Engine instances. You need to evaluate the efficiency of the applied firewall ruleset. When you bring up the Firewall Insights page in the Google Cloud Console, you notice that there are no log rows to display. What should you do to troubleshoot the issue?

A. Enable Virtual Private Cloud (VPC) flow logging.
B. Enable Firewall Rules Logging for the firewall rules you want to monitor.
C. Verify that your user account is assigned the compute.networkAdmin Identity and Access Management (IAM) role.
D. Install the Google Cloud SDK, and verify that there are no Firewall logs in the command line output.



Question # 24

Your company is running its application workloads on Compute Engine. The applications have been deployed in production, acceptance, and development environments. The production environment is business-critical and is used 24/7, while the acceptance and development environments are only critical during office hours. Your CFO has asked you to optimize these environments to achieve cost savings during idle times. What should you do?

A. Create a shell script that uses the gcloud command to change the machine type of the development and acceptance instances to a smaller machine type outside of office hours. Schedule the shell script on one of the production instances to automate the task.
B. Use Cloud Scheduler to trigger a Cloud Function that will stop the development and acceptance environments after office hours and start them just before office hours.
C. Deploy the development and acceptance applications on a managed instance group and enable autoscaling.
D. Use regular Compute Engine instances for the production environment, and use preemptible VMs for the acceptance and development environments.



Question # 25

You are implementing the infrastructure for a web service on Google Cloud. The web service needs to receive and store the data from 500,000 requests per second. The data will be queried later in real time, based on exact matches of a known set of attributes. There will be periods where the web service will not receive any requests. The business wants to keep costs low. Which web service platform and database should you use for the application?

A. Cloud Run and BigQuery
B. Cloud Run and Cloud Bigtable
C. A Compute Engine autoscaling managed instance group and BigQuery
D. A Compute Engine autoscaling managed instance group and Cloud Bigtable



Question # 26

Your company has a Google Workspace account and Google Cloud Organization. Some developers in the company have created Google Cloud projects outside of the Google Cloud Organization. You want to create an Organization structure that allows developers to create projects, but prevents them from modifying production projects. You want to manage policies for all projects centrally and be able to set more restrictive policies for production projects. You want to minimize disruption to users and developers when business needs change in the future. You want to follow Google-recommended practices. How should you design the Organization structure?

A. 1. Create a second Google Workspace account and Organization. 2. Grant all developers the Project Creator IAM role on the new Organization. 3. Move the developer projects into the new Organization. 4. Set the policies for all projects on both Organizations. 5. Additionally set the production policies on the original Organization.
B. 1. Create a folder under the Organization resource named "Production". 2. Grant all developers the Project Creator IAM role on the Organization. 3. Move the developer projects into the Organization. 4. Set the policies for all projects on the Organization. 5. Additionally set the production policies on the "Production" folder.
C. 1. Create folders under the Organization resource named "Development" and "Production". 2. Grant all developers the Project Creator IAM role on the "Development" folder. 3. Move the developer projects into the "Development" folder. 4. Set the policies for all projects on the Organization. 5. Additionally set the production policies on the "Production" folder.
D. 1. Designate the Organization for production projects only. 2. Ensure that developers do not have the Project Creator IAM role on the Organization. 3. Create development projects outside of the Organization using the developer Google Workspace accounts. 4. Set the policies for all projects on the Organization. 5. Additionally set the production policies on the individual production projects.



Question # 27

You are managing several projects on Google Cloud and need to interact on a daily basis with BigQuery, Bigtable and Kubernetes Engine using the gcloud CLI tool. You are travelling a lot and work on different workstations during the week. You want to avoid having to manage the gcloud CLI manually. What should you do?

A. Use a package manager to install gcloud on your workstations instead of installing it manually.
B. Create a Compute Engine instance and install gcloud on the instance. Connect to this instance via SSH to always use the same gcloud installation when interacting with Google Cloud.
C. Install gcloud on all of your workstations. Run the command gcloud components autoupdate on each workstation.
D. Use Google Cloud Shell in the Google Cloud Console to interact with Google Cloud.



Question # 28

Your company has developed a monolithic, 3-tier application to allow external users to upload and share files. The solution cannot be easily enhanced and lacks reliability. The development team would like to re-architect the application to adopt microservices and a fully managed service approach, but they need to convince their leadership that the effort is worthwhile. Which advantage(s) should they highlight to leadership?

A. The new approach will be significantly less costly, make it easier to manage the underlying infrastructure, and automatically manage the CI/CD pipelines.
B. The monolithic solution can be converted to a container with Docker. The generated container can then be deployed into a Kubernetes cluster.
C. The new approach will make it easier to decouple infrastructure from application, develop and release new features, manage the underlying infrastructure, manage CI/CD pipelines and perform A/B testing, and scale the solution if necessary.
D. The process can be automated with Migrate for Compute Engine.



Question # 29

You need to migrate Hadoop jobs for your company’s Data Science team without modifying the underlying infrastructure. You want to minimize costs and infrastructure management effort. What should you do?

A. Create a Dataproc cluster using standard worker instances.
B. Create a Dataproc cluster using preemptible worker instances.
C. Manually deploy a Hadoop cluster on Compute Engine using standard instances.
D. Manually deploy a Hadoop cluster on Compute Engine using preemptible instances.



Question # 30

Your organization has decided to restrict the use of external IP addresses on instances to only approved instances. You want to enforce this requirement across all of your Virtual Private Clouds (VPCs). What should you do?

A. Remove the default route on all VPCs. Move all approved instances into a new subnet that has a default route to an internet gateway.
B. Create a new VPC in custom mode. Create a new subnet for the approved instances, and set a default route to the internet gateway on this new subnet.
C. Implement a Cloud NAT solution to remove the need for external IP addresses entirely.
D. Set an Organization Policy with a constraint on constraints/compute.vmExternalIpAccess. List the approved instances in the allowedValues list.



Question # 31

You are managing an application deployed on Cloud Run for Anthos, and you need to define a strategy for deploying new versions of the application. You want to evaluate the new code with a subset of production traffic to decide whether to proceed with the rollout. What should you do?

A. Deploy a new revision to Cloud Run with the new version. Configure traffic percentage between revisions.
B. Deploy a new service to Cloud Run with the new version. Add a Cloud Load Balancing instance in front of both services.
C. In the Google Cloud Console page for Cloud Run, set up continuous deployment using Cloud Build for the development branch. As part of the Cloud Build trigger, configure the substitution variable TRAFFIC_PERCENTAGE with the percentage of traffic you want directed to a new version.
D. In the Google Cloud Console, configure Traffic Director with a new Service that points to the new version of the application on Cloud Run. Configure Traffic Director to send a small percentage of traffic to the new version of the application.



Question # 32

Your company has an application running as a Deployment in a Google Kubernetes Engine (GKE) cluster. When releasing new versions of the application via a rolling deployment, the team has been causing outages. The root cause of the outages is misconfigurations with parameters that are only used in production. You want to put preventive measures for this in the platform to prevent outages. What should you do?

A. Configure liveness and readiness probes in the Pod specification
B. Configure an uptime alert in Cloud Monitoring
C. Create a Scheduled Task to check whether the application is available
D. Configure health checks on the managed instance group



Question # 33

Your company has just recently activated Cloud Identity to manage users. The Google Cloud Organization has been configured as well. The security team needs to secure projects that will be part of the Organization. They want to prohibit IAM users outside the domain from gaining permissions from now on. What should they do?

A. Configure an organization policy to restrict identities by domain.
B. Configure an organization policy to block creation of service accounts.
C. Configure Cloud Scheduler to trigger a Cloud Function every hour that removes all users that don't belong to the Cloud Identity domain from all projects.
D. Create a technical user (e.g. crawler@yourdomain.com), and give it the project owner role at root organization level. Write a bash script that:
• Lists all the IAM rules of all projects within the organization
• Deletes all users that do not belong to the company domain
Create a Compute Engine instance in a project within the Organization and configure gcloud to be executed with technical user credentials. Configure a cron job that executes the bash script every hour.