GCP Professional Cloud Architect Practice Exam Part 2(2)

  1. You need to install a legacy software package on a Compute Engine instance that has no access to the internet. Your network team has not yet created a VPN connection between the Google network and the on-premises network. How can you transfer the software binary from on-premises to Google Cloud so that you can install the legacy software on the VM?

A. From the on-premises network, upload the file to Cloud Source Repositories. Provision the VM with an internal IP address in a subnet with Private Google Access enabled and run gsutil to copy the file.
B. From the on-premises network, upload the file to a bucket in Cloud Storage. Enable a firewall rule to block all but traffic from Cloud Storage IP range and run gsutil to copy the file.
C. From the on-premises network, upload the file to a bucket in Cloud Storage. Provision the VM with an internal IP address in a subnet with Private Google Access enabled and run gsutil to copy the file.
D. From the on-premises network, upload the file to Cloud Source Repositories. Enable a firewall rule to block all but traffic from Cloud Source Repositories IP range and run gsutil to copy the file.

  1. You are designing an application that handles customer PII data, and your compliance department has asked you to ensure the solution is compliant with the European Union’s GDPR. What should you do?

A. Limit your application to native GCP services & APIs that are signed off for GDPR compliance.
B. Design a robust testing strategy using Cloud Security Scanner to pick up GDPR compliance gaps in GCP services.
C. Google complies with the GDPR in relation to the processing of customer personal data in all Google Cloud Platform services. Your company should also make sure your web application meets GDPR data protection compliance requirements.
D. Turn on GDPR compliance setting for each GCP service you plan to use.

  1. Your company, which operates care homes country-wide, has decided to migrate its batch workloads to GCP. The batch workloads are not time-critical and can be restarted if interrupted. The local regulations require you to use services that are HIPAA compliant. Which GCP services should your company use while ensuring service costs are minimized?

A. Use preemptible compute instances. Stop using GCP Services/APIs that are not compliant with HIPAA and disable them altogether.
B. Use standard compute instances. Stop using GCP Services/APIs that are not compliant with HIPAA.
C. Use standard compute instances. Stop using GCP Services/APIs that are not compliant with HIPAA and disable them altogether.
D. Use preemptible compute instances. Stop using GCP Services/APIs that are not compliant with HIPAA.

  1. Your company has started its Cloud migration journey. The first phase of migration involves moving over internal (staff-only) applications to Google Cloud. These internal applications depend on Active Directory (AD) for user sign-in, but the Active Directory is not scheduled to be migrated until next year. You want to minimize the effort. What should you do?

A. Set up a new replica AD domain controller in a Google Compute Engine (GCE) instance and configure Google Cloud Directory Sync (GCDS) to replicate on-prem AD to the replica in GCE.
B. Configure Google Cloud Directory Sync (GCDS) to sync AD usernames to cloud identities in GCP and configure applications to use SAML SSO with Cloud Identity as the Identity Provider (IdP).
C. Configure Admin Directory API to validate credentials against the AD domain controller.
D. Configure the identity provider in Cloud Identity-Aware Proxy to use the on-prem AD domain controller.

  1. Your company runs mobile gaming servers and lets individual app developers host their games. Some of the games have been hugely popular, causing the gaming servers to go offline. Your company wants to capture vast quantities of key performance indicators from the gaming servers and monitor these KPIs in real time with low latency to identify the games that are taking down the servers. What should you do?

A. Store KPIs in Google Bigtable and visualize KPIs in Google Data Studio.
B. Save KPIs in Cloud Datastore and visualize KPIs in Cloud Datalab.
C. Store KPIs as custom metrics in Cloud Monitoring, and build dashboards in Cloud Monitoring to visualize KPIs.
D. Push KPI files to Cloud Storage hourly, use BigQuery load jobs to ingest them and visualize KPIs in Google Data Studio.

  1. Your company is partway through its migration to Google Cloud. All compute workloads are scheduled to be migrated to Google Compute Engine this month, but they all depend on Active Directory (AD), which isn’t scheduled for migration until next year. How should you configure the firewall rules so that all Compute Engine instances can reach your data centre to connect to Active Directory while denying all other outbound traffic from Compute Engine instances?

A. 1. Create an egress rule with priority 2000 to allow AD traffic for all instances. 2. Rely on the implied deny egress rule with priority 200 to block all other traffic.
B. 1. Create an egress rule with priority 200 to allow AD traffic for all instances. 2. Rely on the implied deny egress rule with priority 2000 to block all other traffic.
C. 1. Create an egress rule with priority 2000 to allow AD traffic for all instances. 2. Create an egress rule with priority 200 to block all other traffic.
D. 1. Create an egress rule with priority 200 to allow AD traffic for all instances. 2. Create an egress rule with priority 2000 to block all other traffic.

  1. All internal applications in your company depend on a legacy staff Single Sign On (SSO) solution for authentication and authorization. The SSO application is deployed in a regional managed instance group (MIG), exposes public HTTPS REST endpoints and relies on a Cloud SQL instance to validate user information. How should you test the resilience of this system?

A. Work with a third-party company specializing in web scraping to compare and detect users’ credentials exposed in public breaches.
B. Configure Intrusion Detection Management (IDM) and Intrusion Prevention Management (IPM) to detect and prevent unauthorized and suspicious logins.
C. Update the existing system to add Cloud SQL read replica in a different zone to make the system immune from GCP zone failures and work with your operations team to validate the failover works as expected.
D. Work with your operations team and shut down all instances in a zone to simulate a disaster scenario and check if the failover works.

  1. You deployed an application on Google Compute Engine, but scaling the application is problematic because it requires a consistent set of hostnames. You plan to migrate this application to GKE to overcome the scaling issue. What GKE feature should you use to enable a consistent set of hostnames?

A. StatefulSets
B. RBAC (Role-based access control) Cluster Role and Cluster Role Binding
C. Persistent Volumes and Claims
D. Use hostname environment variable inside containers

  1. Your company’s stock market recommendations application has garnered good feedback among clients, and your CEO wants to use this as a launchpad to develop an even better machine learning-driven recommendations application. The CTO has asked you for your recommendation on how to improve the machine learning results over time. You want to follow Google recommended practices. What should you do?

A. Retain as much data as possible, including all historical recommendations, and use this data to train machine learning models.
B. Use Cloud Monitoring to monitor the performance of existing ML Engine, and tune as necessary.
C. Deploy Machine learning models on newer & more powerful CPU architectures as they become available.
D. Migrate to TPUs that offer better performance.

  1. You are migrating an application from an on-premises network to Google Cloud. The application should be resistant to regional failures, so your team has decided to deploy the application across two regions within the same VPC and fronted by an external HTTP(s) Load balancer. The workload depends on Active Directory, which is still hosted in the on-premises network. How should you configure the VPN between GCP Network and the on-premises network?

A. Enable network peering between GCP VPC and on-prem network.
B. Deploy a regional VPN Gateway and make sure both regions in use have at least one VPN tunnel to the on-prem network.
C. Deploy a global VPN Gateway with redundant VPN tunnels from all regions in the VPC to the on-prem network.
D. Tweak IAM rules to enable VPC sharing & expose VPC to on-prem network.

  1. Your team would like to start using Google Kubernetes Engine (GKE) for deploying an application. A colleague has provided you with a Kubernetes deployment file. You enabled the Kubernetes Engine API, and you now need to deploy the application. What should you do?

A. Create a Kubernetes cluster by running gcloud container clusters create. Create a Kubernetes deployment by running kubectl apply -f .
B. Create a Kubernetes cluster by running kubectl container clusters create. Automate the deployment using a deployment manager template.
C. Create a Kubernetes cluster by running gcloud container clusters create. Automate the deployment using a deployment manager template.
D. Create a Kubernetes cluster by running kubectl container clusters create. Use kubectl to create the deployment. Create a Kubernetes deployment by running kubectl apply -f .

  1. Your company has accumulated hundreds of terabytes of marketing analytics data, and you have been asked to identify a database for an OLAP tool that can handle this volume of data. Which database would you recommend for this analytics data?

A. BigQuery
B. Cloud Firestore in Datastore mode
C. Cloud SQL
D. Cloud Storage
E. Cloud Spanner

  1. You deployed multiple applications in a GKE cluster; however, one application is not responding to requests. All pods of the deployment that underpins the troublesome application keep restarting every 10 seconds. You have been asked to inspect the logs and identify the issue. What should you do?

A. In Cloud Logging, inspect logs of all compute engine instances from the GKE node pool.
B. Inspect Serial Port logs of all compute engine instances from the GKE node pool.
C. In Cloud Logging, inspect logs of all pods that serve the troublesome application.
D. Connect to a VM in the node pool, use kubectl exec -it

  1. You deployed an application on Google Kubernetes Engine by running kubectl apply -f deployment.yaml and kubectl apply -f service.yaml. These have created a deployment called demo-deployment and a service called demo-service. You have now been asked to perform an update while minimizing the downtime to this application. You want to follow Google recommended practices. What should you do?

A. Execute a rolling update of the GKE compute cluster Managed Instance Group (MIG).
B. Update service.yaml file with the new container image. To deploy the update, delete the existing service and create a new service: kubectl delete service/demo-service and kubectl create -f service.yaml.
C. Update deployment.yaml file with the new container image. To deploy the update, delete the existing deployment and create a new deployment: kubectl delete deployment/demo-deployment and kubectl create -f deployment.yaml.
D. Deploy the update by updating image on the existing deployment: kubectl set image deployment/demo-deployment .

  1. Your company wants to migrate a mission-critical application from your data centre to Google cloud. The application must be immune to regional outages. How should you deploy the application?

A. Migrate the application to two Compute Engine VMs in different regions within the same project. Use HTTP(s) load balancer to failover from one instance to another.
B. Migrate the application to a single Compute Engine VM and use HTTP(s) load balancer to failover from one instance to another.
C. Migrate the application to two Compute Engine Managed Instance Groups (MIG) in different regions within the same project. Use HTTP(s) load balancer to failover from one MIG to another.
D. Migrate the application to two Compute Engine Managed Instance Groups (MIG) in different regions in different projects. Use HTTP(s) load balancer to failover from one MIG to another.

  1. Your company is designing a new application that requires robust and reliable task scheduling. Which GCP services should you use?

A. Set up RabbitMQ on a single compute engine instance. Use Cron service provided by Google Kubernetes Engine (GKE) to publish messages directly to RabbitMQ topic. Deploy an application in Compute Engine to subscribe to the topic and process messages as they arrive.
B. Use Cron service provided by Google Kubernetes Engine (GKE) to publish messages directly to a Cloud Pub/Sub topic. Deploy an application in Compute Engine to subscribe to the topic and process messages as they arrive.
C. Set up RabbitMQ on a single compute engine instance. Use App Engine cron service to publish messages directly to RabbitMQ topic. Deploy an application in Compute Engine to subscribe to the topic and process messages as they arrive.
D. Use App Engine cron service to publish messages directly to a Cloud Pub/Sub topic. Deploy an application in Compute Engine to subscribe to the topic and process messages as they arrive.

  1. You have configured all applications running on App Engine Flex to push their logs to separate BigQuery tables for storage. Your company wants to minimize costs and has asked you to implement a solution for purging logs older than 45 days. What should you do?

A. Set expiration time on all tables to 45 days.
B. The default expiration settings in BigQuery automatically delete logs older than 45 days.
C. Remove logs older than 45 days by running a custom bq script.
D. Update the tables to be partitioned by ingestion date and set partition expiration to 45 days.

  1. Your company needs to migrate a compute workload to App Engine service. The workload still relies on an on-premises database, but the security team has set up firewall rules that prevent the on-premises database from being publicly accessible. What should you do?

A. Use App Engine Standard service and connect to the on-premises database through Cloud VPN tunnel.
B. Use App Engine Flexible service and connect to the on-premises database through Cloud VPN tunnel.
C. Use App Engine Flexible service and enable the App Engine firewall rules to allow access to the on-premises database.
D. Use App Engine Standard service and enable the App Engine firewall rules to allow access to the on-premises database.

  1. Your company has retained 20 GB of audit logs in a NAS drive in the data centre and would like to migrate these to Cloud Storage. The compliance department requires you to encrypt the files using your customer-supplied encryption keys. How can you achieve this?

A. Create the bucket and upload files to it using gsutil and supply the encryption key using the --encryption-key parameter.
B. Upload the files using gsutil and supply the encryption key using the --encryption-key parameter.
C. Modify gcloud configuration to include the encryption key. Upload the files using gsutil.
D. Modify .boto configuration to include the encryption key. Upload the files using gsutil.

  1. Your mission-critical stock market recommendations application requires end-to-end in-transit encryption and relies on URL path-based routing. The application has users all over the world. Your company wants to migrate this application to Google Cloud and has asked for your recommendation. Which GCP load balancer architecture would you recommend?

A. Use SSL Proxy Load Balancer with Global Forwarding Rules.
B. Use URL Maps with Google cross-region Load Balancer.
C. Use URL Maps with Google HTTP(s) Load Balancer.
D. Use SSL Proxy Load Balancer with Managed Instance Groups (MIG).

  1. Your company has deployed a stateless application on a single Google Compute Engine instance. The application is used heavily by all employees during business hours, and there is minimal usage at other times. The application is experiencing slowness and performance issues during peak business hours. You have been asked by your manager to address the performance issues. What should you do?

A. 1. Use gcloud compute images create to create an image of the persistent disk. 2. Use gcloud compute instance-templates create to create an instance template from the image. 3. Create a Managed Instances Group (MIG) based on the instance template and enable autoscaling.
B. 1. Use gcloud compute disks snapshot to create a snapshot of the persistent disk. 2. Use gcloud compute instance-templates create to create an instance template from the snapshot. 3. Create a Managed Instances Group (MIG) based on the instance template and enable autoscaling.
C. 1. Use gcloud compute instance-templates create to create an instance template from the persistent disk. 2. Use gcloud compute images create to create an image of the template. 3. Create a Managed Instances Group (MIG) based on the image and enable autoscaling.
D. 1. Use gcloud compute disks snapshot to create a snapshot of the persistent disk. 2. Use gcloud compute images create to create an image from the snapshot. 3. Create a Managed Instances Group (MIG) based on the image and enable autoscaling.

  1. You host your company’s static website in the App Engine Flex service. You are leveraging Google’s Cloud CDN (Content Delivery Network) to cache content close to your users. Your company wants to optimise the CDN costs and has asked you to identify a way to improve the cache hit ratio. What should you do?

A. Update cache keys to remove the protocol (HTTP/HTTPS).
B. Move static content to a Cloud Storage Bucket, set up a load balancer for the bucket and direct requests from Google CDN to the load balancer.
C. Set cache expiration time to a lower value.
D. Set caching location header HTTP: Cache-Region to a GCP region closest to users.