GCP Professional Cloud Architect Practice Exam Part 3

  1. Your company wants to migrate all on-premises applications to Google Cloud and plans to do this in several phases over the next two years. During this period, workloads split between the on-premises data centre and Google Cloud need to communicate with each other. Your GCP network has a single VPC. How should you set up the network to enable communication between applications running in Google Cloud and the on-premises data centre?

A. Configure both Primary and Secondary IP ranges of the VPC to not overlap with the on-premises VLAN.
B. Configure the VPC in GCP to use the same IP range as on-premises VLAN.
C. Configure the Secondary IP range of the VPC in GCP to use the same IP range as on-premises VLAN and use a non-overlapping range for the Primary range.
D. Configure the Primary IP range of the VPC in GCP to use the same IP range as on-premises VLAN and use a non-overlapping range for the Secondary range.

  1. Your company offers online news subscriptions for customers and processes their payments in a PCI-DSS compliant application running on Google Cloud. Local regulations require you to store the application's logs for one year. Your compliance team has asked you for your recommendation on removing payment card data before storing the logs. What should you do?

A. Use Cloud Function to modify the log entry to redact payment card data.
B. Use the SHA1 algorithm to hash the log.
C. Encrypt all data using a master key.
D. Use Cloud Data Loss Prevention (DLP) API.

  1. Your on-premises data centre is at full capacity, but your company has forecasted considerable growth in Apache Spark and Hadoop jobs. The existing jobs require lots of operational support, and your company doesn’t have the resources, human or hardware, to accommodate the forecasted growth. You have been asked to recommend services in Google Cloud that your company could leverage to process these jobs while minimizing the cost, changes and operational overhead. Which GCP service(s) should you recommend?

A. Google Cloud Dataproc.
B. Google Kubernetes Engine (GKE).
C. Google Cloud Dataflow.
D. Google Compute Engine (GCE).

  1. New releases of an application that you manage are taking longer than expected, and you want to speed up the deployments. The application is deployed on GKE using this Dockerfile:

```dockerfile
FROM ubuntu:20.04
COPY . /src
RUN apt-get update -y && apt-get upgrade -y
RUN apt-get install -y python python-pip python-dev
RUN pip install -r requirements_new.txt
```

What should you do? (Select 2 answers)

A. Update GKE node pool to use larger machine types.
B. Change the order of steps to copy source files after installing dependencies.
C. Add RUN apt-get remove python to the Dockerfile to remove python after running pip install.
D. Installing dependencies is slowing down the Docker build. Remove all dependencies from requirements_new.txt.
E. Use a smaller image like the Alpine version instead of the full Ubuntu image.

  1. Your team developed a custom binary to install an application. Your change management team has asked you to install the binary after two weeks. You want to transfer the binary file to your Cloud Shell instance today and access it in two weeks from any directory. Where should you store the binary file on the Cloud Shell instance?

A. /opt
B. /usr/bin
C. $HOME/bin
D. /var/log

  1. Your company owns a mission-critical application that is used extensively for handling online credit card payments. Your data centre is due for a hardware refresh, and the company has instead decided to migrate all applications to Google Cloud. Your compliance team requires the application to be compliant with PCI DSS regulations. You want to know if Google Kubernetes Engine is suitable for hosting your application. What should you do?

A. In addition to the Kubernetes Engine and GCP, which are PCI-DSS compliant, the application itself should also be compliant with the regulations.
B. Google Cloud Platform is PCI-DSS compliant; therefore, any applications hosted on it are automatically compliant.
C. Kubernetes Engine is multi-tenant and not PCI DSS compliant.
D. Migrate the solution to App Engine Standard, which is the only GCP compute platform certified for PCI DSS.

  1. Your company plans to migrate several production applications to Google Cloud. You want to follow Google-recommended practices to simplify IAM access controls for the whole organization. There are 20+ departments, each with different IAM requirements. You wish to set up these IAM controls centrally for ease of management. How should you design the resource hierarchy?

A. Set up a single organization with multiple folders, one for each department.
B. Set up multiple organizations, one organization for each department.
C. Set up multiple folders within multiple organizations, one organization for each department.
D. Set up a single organization with multiple projects, one for each department.

  1. Your company is currently using a bespoke logging utility that gathers logs from all on-premises virtual machines and stores them in NAS. Your company plans to provision several new cloud-based products in Google Cloud, and the initial analysis has determined the existing logging utility is not compatible with some of the new cloud products. What should you do to ensure you can capture errors and view historical log data easily?

A. Review Application Logging best practices.
B. Review the logging requirements and use existing logging utility.
C. Patch the current logging utility to the latest version, and take advantage of new features.
D. Install Google Cloud logging agent on all VMs.

  1. Your company has a hybrid network architecture with workloads running primarily in the on-premises data centre and GCP as the failover location. One of the applications uses an on-premises MySQL database, and you have set up a Cloud SQL replica to replicate the MySQL database to Google Cloud Platform. You have Cloud Monitoring alarms to monitor replication lag (latency) and replication loss (packet loss) for the replication from the on-premises MySQL database to Cloud SQL. Both alarms have recently triggered, and your operations team have asked you to fix the issue. What should you do? (Select Two)

A. When replication fails, restore Google Cloud SQL to a working backup.
B. Update MySQL replication to use UDP protocol.
C. Configure multiple VPN tunnels to take over if Dedicated Interconnect fails.
D. Set up Google Cloud Dedicated Interconnect between the on-premises network and the GCP network.
E. Send the replication logs to Cloud Storage, use Cloud Function to replicate them to the Cloud SQL replica.

  1. Your company’s auditors carry out an annual audit and have asked you to provide them with all the IAM policy changes in Google Cloud since the last audit. You do not want to compromise on security, and you want to expedite and streamline the audit analysis. How should you share the information requested by the auditors?

A. Write a Cloud Function to poll relevant logs in Cloud Logging, extract the necessary data and push the data to Cloud SQL. Set up IAM rules to enable the audit team to query data from the Cloud SQL instance.
B. Set up a sink destination to Google Cloud Storage bucket and export relevant logs from Cloud Logging. Set up IAM rules to enable the audit team access to log files in the bucket.
C. Set up alerts in Cloud Monitoring for each IAM policy change and send an email to the audit team.
D. Set up a sink destination to BigQuery and export relevant logs from Cloud Logging. In BigQuery, create views with the necessary data and restrict them to the audit team with ACLs.

  1. Your company has installed millions of IoT devices in numerous towns and cities all over the world. The IoT devices record chemical and radiation pollution levels every minute and push the readings to Google Cloud. Which GCP service should you use to store these readings?

A. Google BigQuery
B. Google Cloud Storage
C. Google Cloud Bigtable
D. Google Cloud SQL

  1. You work for an accountancy firm that supports the accounting needs of several FTSE 100 companies. Your customers expect high-quality agile service without compromising on release speed. Your company places a high value on being responsive to requests and meeting the needs of customers small and big alike, without compromising on security. Your company prides itself on placing security at the forefront of all other requirements. Taking into consideration the security requirements, how should you proceed with deploying a new update to the widely used accountancy application? (Choose 2 answers)

A. Update CI/CD pipeline to deploy changes only if unit-testing between components is successful.
B. Update CI/CD pipeline to ensure the application uses signed binaries from trusted repositories.
C. Ask the security team to review every code commit.
D. Update CI/CD pipeline to run a static source code security scan and deploy changes only if the scan doesn’t report any issues.
E. Update CI/CD pipeline to run a security vulnerability scan and deploy changes only if the scan doesn’t report any issues.

  1. Your company wants to migrate its payroll and accounting solution from the on-premises data centre to Google Cloud. The finance department has requested that disruption be kept to a minimum as this application is heavily used for preparing the annual accounts. The existing security principles prevent you from storing passwords in Google Cloud. How should you authenticate users of the finance department while minimizing the disruption?

A. Run Google Cloud Directory Sync to create user identities in Google.
B. Require users to update their Google password to be same as their corporate password.
C. Replicate passwords from AD to Google Identity with G Suite Password Sync.
D. Use SAML to federate authentication to the on-premises Identity Provider (IdP).

  1. You work for a world-leading global business publication which has over a million daily customers. Customers can get in touch with your customer service team by phone, email or chat. You are redesigning the chat application on Google Cloud, and you want to ensure chat messages can’t be spoofed by anyone. What should you do?

A. Add HTTP headers to the messages to identify the originating user and the destination.
B. Use Public Key Infrastructure (PKI) to set up 2-way SSL between the client side and the server side.
C. Use block-based encryption with a complex shared key to encrypt messages on client-side before relaying them over the network.
D. Encrypt the message on client-side with the user’s private key.

  1. You recently deployed an update to a payroll application running on Google App Engine service, and several users started complaining about the slow performance. What should you do?

A. Rollback to the previous version. Roll forward to the new version at midnight when there is less traffic and look through Cloud Logging to debug the issue in the production environment. If necessary, enable Cloud Trace in your application for debugging.
B. Work with your telco partner to debug the performance issue.
C. Rollback to the previous version. Then, deploy the new version in a non-production environment and look through Cloud Logging to debug the issue. If necessary, enable Cloud Trace in your application for debugging.
D. Identify the cause in VPC flow logs before rolling back to the previous version.

  1. Your company needs to move large quantities of analytics data every day from the on-premises data centre to Google Cloud. For the data transfers to happen within the agreed SLA, you require a network connection that is at least 20 Gbps. How should you design the connection between your on-premises network and GCP to enable this transfer within SLA?

A. Use Dedicated Interconnect between the on-premises network and the GCP network.
B. Use Dedicated Interconnect between the on-premises network and the GCP CDN edge.
C. Use a single Cloud VPN tunnel between the on-premises network and the GCP network.
D. Use a single Cloud VPN tunnel between the on-premises network and the GCP CDN edge.

  1. Local health care regulations require your company to persist raw logs from all applications across all GCP projects for 5 years. What should you do?

A. Export logs from all projects to Google Cloud Storage.
B. Export logs from all projects to BigQuery.
C. Store logs in each project for 5 years.
D. Store logs in each project as per the default retention policies.

  1. Your company developed an enhancement to a popular weather charting application. The enhancement offers several new features which the company hopes will establish it as the market leader in weather charting. The enhancement has been validated internally by the testing team and business users. The change management board is keen on testing these features with new customers in the production environment while allowing existing users to be served by the old version. Additionally, to prevent impact to existing users, you have been asked to identify how this can be implemented while retaining the existing DNS records and TLS certificates. What should you do?

A. Configure the Load Balancer for URL path-based routing and route to the appropriate version for each API path.
B. Add a new load balancer to serve traffic for the new version.
C. Configure requests from existing customers to use the new version endpoint.
D. Redirect requests on the old version to the new version.

  1. Your company plans to migrate an existing application to Google Cloud. The application relies on URL path-based routing for its functionality. A requirements analyst has collected the following additional requirements from various teams:

     1. The business owners of the application consider this as mission-critical for their work, and the application should scale based on traffic.
     2. The application support team requires multiple isolated test environments to replicate live issues.
     3. The enterprise architect has recommended basing the solution on open-source technology to allow portability to other Cloud providers in future.
     4. The operations team have advised enabling continuous integration/delivery and being able to deploy application bundles using dynamic templates.
     5. The application must retain its logs for 10 years while optimizing the storage costs.

     As the Cloud migration architect of your company, which combination of services should you consider for this application?

A. GKE, Cloud Storage, Jenkins, and Cloud Load Balancing.
B. GKE, Cloud Storage, Jenkins, and Helm.
C. GKE, Cloud Logging and Cloud Deployment Manager.
D. GKE, Cloud Logging and Cloud Load Balancing.

  1. Your company stores logs from all applications and all projects in a centralized location. You are the Cyber Security Team Lead, and you have been asked to identify ways to prevent bad actors from tampering with these logs. What can you do to verify that the logs are authentic?

A. Store logs in multiple locations.
B. Sign the log entry digitally and store the signature.
C. Store log entries in JSON format in a Cloud Storage Bucket.
D. Store logs in a database such as Cloud SQL or Cloud Spanner. Use IAM and ACLs to restrict who can modify the data.

  1. You have deployed several batch jobs on preemptible Google Compute Engine Linux virtual machines. The batch jobs run overnight and can be restarted if interrupted. When interrupted, you want the instance to run a script to shutdown the batch job properly. What should you do?

A. Configure a shutdown script with xinetd service in Linux. Add a metadata tag with key as shutdown-script-url and value as service url.
B. When provisioning the VM, add a metadata tag with key as shutdown-script and value as the path to a local shutdown script.
C. Add a shutdown script to the /etc/rc6.d/ directory.
D. Configure a shutdown script with xinetd service in Linux.

  1. Your company has a hybrid network architecture with workloads running primarily in the on-premises data centre and GCP as the failover location. One of the applications uses an on-premises MySQL database, and you have set up a Cloud SQL replica to replicate the MySQL database to Google Cloud Platform. At peak times, the updates to the MySQL database are massive, and you need to ensure these changes can be reliably replicated to Cloud SQL. Your network administrator has recommended private address space communication between the on-premises network and the GCP network. What network topology should you use?

A. Use Cloud VPN.
B. Set up a custom VPN server on a Google Compute Engine instance to connect to the on-premises network. Route all traffic through this server.
C. Use TLS & NAT translation gateway.
D. Use Dedicated Interconnect.

  1. Your company has accumulated vast quantities of logs in Cloud Storage over the last 4 years. Local regulations require your company to persist logs for 90 days. Your company wants to cut costs by deleting logs older than 90 days. You want to minimize operational overhead and implement a solution that works for existing logs and new log entries. What should you do?

A. Write a custom script to retrieve all logs (ls -lrt gs:///) in the bucket and delete logs older than 90 days. Schedule the script using cron.
B. Enable a lifecycle management rule to delete logs older than 90 days by pushing the lifecycle configuration in JSON format to the bucket using gsutil.
C. Write a custom script to retrieve top-level logs (ls -lt gs:///) in the bucket and delete logs older than 90 days. Schedule the script using cron.
D. Enable a lifecycle management rule to delete logs older than 90 days by pushing the lifecycle configuration in XML format to the bucket using gsutil.

  1. You have recently deconstructed a huge monolith application into multiple microservices. At the application layer, all microservices are stateless and rely on a Cloud SQL instance to store and retrieve data. You have been asked by the security team to securely store the credentials to enable secure communication between the microservices and Cloud SQL instance. Where should you store them?

A. Store the database credentials in application source code.
B. Store the database credentials as environment variables in each microservice.
C. Store the database credentials in a file in Cloud Storage and restrict access through object ACLs.
D. Store the database credentials in GCP Secrets Management.

  1. Your company owns several brands for online news publications and plans to migrate them to Google Cloud. All news publication applications have the same architecture – a web tier, an application (API) tier and a database tier – all in the same VPC. Each brand has a separate web tier, but all brands share the same application tier and database tier. You are the network administrator for your company, and you are asked to enable communication from the web tiers to the application tier and from the application tier to the database tier. The security team has forbidden communication between the web tiers and the database tier. What should you do?

A. Add network tags to each tier. Configure firewall rules based on network tags to allow the desired traffic.
B. Install a firewall service on the individual VMs and configure to allow the desired traffic.
C. Add network tags to each tier. Configure firewall routes based on network tags to allow the desired traffic.
D. Set up different subnets for each tier.

  1. Your company installs and services elevators and escalators. The elevators and escalators have several sensors that record several discrete items of information every second. Your company wants to use this information to detect service/maintenance needs accurately. What type of database should you use to store these items of information?

A. NoSQL
B. Relational.
C. Comma Separated File.
D. NAS.