Google Cloud Platform Certified – Associate Cloud Engineer - Practise Exam - 01

1 / 50
You want to allow users in your domain to create and manage GCP projects, but restrict billing account usage. What should you do?
Grant project creator role at org level and billing user at project level
Grant billing admin role to all users
Set an organization policy for billing account usage
Use folder-level IAM to restrict billing

2 / 50
Your organization mandates all network traffic must go through an inspection layer. How can you enforce this on GCP?
Use VPC Service Controls
Use Shared VPC with firewall rules
Configure a route to send traffic through a Cloud NAT
Set up a proxy VM with custom routes and tags

3 / 50
You want to reduce cold start times for a Cloud Run service with unpredictable traffic. What should you configure?
Set max_instances
Set minimum instances > 0
Use memory-optimized settings
Deploy to a multi-region Cloud Run

4 / 50
Your team needs to share GCS buckets with an external vendor. You want to avoid managing IAM for each external user. What should you do?
Make the bucket public
Use signed URLs with expiration
Share the object-level ACLs with their emails
Add their domain to your GCP org

5 / 50
You are seeing increased costs in BigQuery. You want to monitor and control this. What should you do?
Set quotas on queries per user
Enable cost alerts and use partitioned tables
Use Cloud Armor
Export logs to GCS

6 / 50
You want to enforce that only approved VM images are used in your GCP project. What should you do?
Use OS patch management
Use Compute Engine image policies
Enable VM Manager
Use Organization Policy constraints

7 / 50
Your app runs in multiple zones within a region. You want to balance traffic and maintain session affinity. What should you use?
Global HTTP Load Balancer
TCP Load Balancer with client IP affinity
Internal Load Balancer
Cloud CDN with geo-based routing

8 / 50
You want to detect unexpected VM restarts. What should you use?
Stackdriver Debugger
Uptime checks
Cloud Monitoring logs and alerting on system events
Cloud Audit Logs with filtering on instance names

9 / 50
You accidentally deleted a VPC network. How can you minimize disruption to production services?
Restore the network using gcloud restore
Use Cloud DNS to redirect traffic
Recreate the network and reassign static IPs
Restore from VPC snapshots

10 / 50
You want to ensure all objects uploaded to a GCS bucket are encrypted with your organization’s customer-managed keys. What should you do?
Set a bucket-level policy requiring CMEK encryption
Enable default encryption using Cloud KMS on the bucket
Use signed URLs and attach CMEK keys
Assign the Cloud KMS Admin role to bucket writers

11 / 50
Your VM app needs credentials to access GCS securely. Which approach follows least privilege and avoids key rotation issues?
Embed service account key JSON in the app
Use Compute Engine default service account with editor role
Use a custom service account with limited permissions and attach it to the VM
Store keys in Secret Manager and read them on app start

12 / 50
You’ve enabled VPC Flow Logs in a project, but you’re seeing no entries in Logging. What is the most likely reason?
The VM instances are in a different VPC
The VPC flow logs are not exported to BigQuery
The flow logs are disabled for the subnet
The firewall is denying traffic before it’s logged

13 / 50
You’re setting up a CI/CD pipeline. You want to ensure builds only run after code review approval. What’s the best way to implement this in Cloud Build?
Configure GitHub webhook to trigger build immediately
Use Cloud Build with manual approval steps
Use Cloud Build triggers based on Git tags
Use GitHub branch protection and Cloud Build PR triggers

14 / 50
A VM instance cannot access external services despite being in a VPC with internet access. What’s the most likely issue?
The instance does not have an external IP
The VPC does not have default routes
NAT gateway is not configured for the subnet
The firewall is allowing all egress

15 / 50
You need to automate the deployment of a serverless app that listens to Pub/Sub messages and writes data to BigQuery. What is the best approach?
Cloud Functions triggered by Pub/Sub, writing directly to BigQuery
Cloud Run with HTTP trigger, pulling Pub/Sub via client SDK
App Engine Standard with scheduled jobs
GKE application using a pull-based Pub/Sub model

16 / 50
Your team uses multiple GCP projects. You want to centralize network management while maintaining project-level billing and resource independence. What should you do?
Use Shared VPC with host and service projects
Set up VPC peering across all projects
Create VPNs between all project networks
Use a single project and separate by regions

17 / 50
Your company runs a Java application on GCE. It frequently crashes under heavy load. You want to identify the root cause and resolve it. Which approach is best?
Enable Cloud Debugger and analyze stack traces
Use Cloud Trace and Cloud Profiler to find performance bottlenecks
View logs in Cloud Audit Logs
Enable autoscaling and increase CPU

18 / 50
You want to automate the creation of resources across multiple environments (dev, staging, prod) with configuration stored in Git. What is the most efficient solution?
Use Deployment Manager with parameterized templates
Write shell scripts and trigger them using Cloud Scheduler
Use gcloud CLI with manual inputs for each environment
Use Compute Engine snapshots and custom images

19 / 50
You are deploying a multi-tier application with a web frontend and a backend API. You want to restrict access to the API to only frontend VMs in the same project. What should you use?
Firewall rules with source tags
IAM roles with backend service bindings
Internal TCP load balancer with network tags
VPC peering between services

20 / 50
Your development team accidentally terminated a VM instance hosting critical logs. Deletion protection was not enabled. The disk was not encrypted using CMEK. What is the most effective way to recover the logs?
Use gcloud compute instances restore
Use Stackdriver logs to extract disk data
Re-attach the persistent disk (if available) to a new VM instance
Use Cloud Backup & DR to restore the disk

21 / 50
You need to inspect all resources used in a GCP project, including IAM roles and service usage. What’s the best tool?
Cloud Console
gcloud asset inventory
Cloud Shell
Cloud Audit Logs

22 / 50
You need to deploy a web app and want to use a PaaS offering that automatically scales, supports multiple languages, and needs no infrastructure management. What should you use?
Cloud Run
App Engine
Compute Engine
Kubernetes Engine

23 / 50
Your VM is failing due to insufficient permissions to write logs. What’s the likely cause?
VM has no internet access
Logs API is disabled
Service account lacks logging permissions
VM uses the wrong zone

24 / 50
Your company wants to encrypt data stored in BigQuery with customer-managed keys (CMEK). What do you do?
Use Cloud KMS and configure CMEK for the dataset
Enable default encryption
Enable IAM for BigQuery
Use client-side encryption

25 / 50
You are migrating a MySQL database to Cloud SQL with minimum downtime. What should you use?
Import SQL dump manually
Use Database Migration Service
Use Datastream
Use gcloud sql import

26 / 50
You are using Cloud Functions and need it to trigger on new file uploads to a bucket. What do you use?
Cloud Scheduler
Pub/Sub push messages
Cloud Storage trigger
Eventarc

27 / 50
You are setting up a new VPC and want full control over IP range and subnet placement. What should you choose?
Default VPC
Legacy Network
Custom Mode VPC
Auto Mode VPC

28 / 50
You want to restrict API access on GCP only to your internal team members. What should you configure?
IAM roles for project members only
API Gateway with IP-based access control
Cloud Armor rules
Service usage API quota

29 / 50
A colleague accidentally deleted a Cloud Storage bucket. You want to recover the data. What should you do?
Use the Object Lifecycle feature.
Use versioning if it was enabled before deletion.
Use the Trash folder in the bucket.
Restore using Cloud Backup & DR by default.

30 / 50
You want to deploy your app using Cloud Deployment Manager. Which file format should you use for the configuration?
YAML
JSON
XML
INI

31 / 50
Your developer needs to test an application on a GKE cluster with minimal cost and resources. What is the best option?
Create a regional Standard GKE cluster.
Use Autopilot GKE cluster with basic configuration.
Use GCE VMs instead of GKE
Use Kubernetes on-prem and connect via VPN.

32 / 50
Your team is using multiple service accounts for automation. You want to audit which service account accessed a specific GCP resource. What should you use?
Cloud Audit Logs
Cloud Profiler
Cloud Monitoring
Billing Reports

33 / 50
You are deploying a new application to Cloud Run. It needs access to a Cloud SQL database. What’s the most secure and simple way to provide this access?
Use public IP address of Cloud SQL and allow all traffic.
Use a VPC connector and a service account with appropriate roles.
Use direct database user/password in environment variables
Expose Cloud SQL through a load balancer.

34 / 50
A colleague deleted a Compute Engine instance accidentally. You want to prevent this in the future. What should you do?
Set instance labels to ‘undeletable’.
Assign the viewer role to all users.
Enable deletion protection on the instance.
Disable user access to the Compute Engine API

35 / 50
You want to enable billing export for detailed cost analysis using BigQuery. What should you do?
Enable billing export to BigQuery in the billing account settings.
Enable billing alerts and link them to BigQuery datasets.
Use Cloud Monitoring to export logs to BigQuery.
Create a billing report in Cloud Console and export it manually.

36 / 50
You are asked to ensure your VM instance in Compute Engine always gets the same public IP address after restarts. What should you do?
Use an ephemeral IP address and promote it to static after each restart.
Assign a reserved static external IP address to the instance.
Assign a static internal IP address and create a NAT rule
Assign a custom domain to the instance and configure DNS

37 / 50
Your company has implemented a CI/CD pipeline using Cloud Build. You want to ensure only approved images are deployed to production. What should you do?
Enable Binary Authorization and enforce policy on GKE.
Use Cloud Logging to review build history.
Use Artifact Registry and disable versioning.
Enable build triggers to deploy images automatically.

38 / 50
Your application stores data in Cloud Storage. You want to restrict access to a specific bucket so only your app can access it, while denying public access. What should you do?
Enable uniform bucket-level access and use service account permissions
Use ACLs to allow the app's IP address only
Make the bucket private and enable signed URLs.
Use object-level ACLs and add your app’s user email

39 / 50
You created a custom role in your project and want to assign it to a group of developers. What is the most efficient way to assign this role?
Assign the role to each developer individually
Assign the role to the Google group that contains the developers
Copy the role to each developer’s account
Use Cloud Identity to assign the role directly to each service

40 / 50
You are deploying a critical application on Google Kubernetes Engine (GKE). You want to ensure that the application is distributed across multiple zones for high availability. What should you do?
Create multiple clusters in different zones and manually distribute your pods.
Create a regional cluster and deploy your application to it.
Create a zonal cluster with node auto-provisioning enabled.
Deploy to a single zone cluster and use multi-zone Persistent Disks.

41 / 50
Your application requires a managed database with support for PostgreSQL. What should you use?
Cloud SQL
Cloud Spanner
Firestore
BigQuery

42 / 50
You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?
Use gcloud iam roles copy and specify the production project as the destination project
Use gcloud iam roles copy and specify your organization as the destination organization.
In the Google Cloud Platform Console, use the 'create role from role' functionality.
In the Google Cloud Platform Console, use the 'create role' functionality and select all applicable permissions.

43 / 50
You are deploying an application to App Engine. You want the number of instances to scale based on request rate. You need at least 3 unoccupied instances at all times. Which scaling type should you use?
Manual Scaling with 3 instances
Basic Scaling with min_instances set to 3
Basic Scaling with max_instances set to 3
Automatic Scaling with min_idle_instances set to 3

44 / 50
You have an application that looks for its licensing server on the IP 10.0.3.21. You need to deploy the licensing server on Compute Engine. You do not want to change the configuration of the application and want the application to be able to reach the licensing server. What should you do?
Reserve the IP 10.0.3.21 as a static internal IP address using gcloud and assign it to the licensing server.
Reserve the IP 10.0.3.21 as a static public IP address using gcloud and assign it to the licensing server.
Use the IP 10.0.3.21 as a custom ephemeral IP address and assign it to the licensing server.
Start the licensing server with an automatic ephemeral IP address, and then promote it to a static internal IP address

45 / 50
Several employees at your company have been creating projects with Cloud Platform and paying for it with their personal credit cards, which the company reimburses. The company wants to centralize all these projects under a single, new billing account. What should you do?
Contact cloud-billing@google.com with your bank account details and request a corporate billing account for your company.
Create a ticket with Google Support and wait for their call to share your credit card details over the phone.
In the Google Platform Console, go to the Resource Manager and move all projects to the root Organization.
In the Google Cloud Platform Console, create a new billing account and set up a payment method.

46 / 50
Your company uses Cloud Storage to store application backup files for disaster recovery purposes. You want to follow Google's recommended practices. Which storage option should you use?
Multi-Regional Storage
Regional Storage
Nearline Storage
Coldline Storage

47 / 50
You are using multiple configurations for gcloud. You want to review the configured Kubernetes Engine cluster of an inactive configuration using the fewest possible steps. What should you do?
Use gcloud config configurations describe to review the output
Use gcloud config configurations activate and gcloud config list to review the output
Use kubectl config get-contexts to review the output.
Use kubectl config use-context and kubectl config view to review the output.

48 / 50
You want to configure autohealing for network load balancing for a group of Compute Engine instances that run in multiple zones, using the fewest possible steps. You need to configure re-creation of VMs if they are unresponsive after 3 attempts of 10 seconds each. What should you do?
Create an HTTP load balancer with a backend configuration that references an existing instance group. Set the health check to healthy (HTTP)
Create an HTTP load balancer with a backend configuration that references an existing instance group. Define a balancing mode and set the maximum RPS to 10.
Create a managed instance group. Set the Autohealing health check to healthy (HTTP)
Create a managed instance group. Verify that the autoscaling setting is on.

49 / 50
You want to select and configure a cost-effective solution for relational data on Google Cloud Platform. You are working with a small set of operational data in one geographic location. You need to support point-in-time recovery. What should you do?
Select Cloud SQL (MySQL). Verify that the enable binary logging option is selected.
Select Cloud SQL (MySQL). Select the create failover replicas option.
Select Cloud Spanner. Set up your instance with 2 nodes.
Select Cloud Spanner. Set up your instance as multi-regional.

50 / 50
You need to create a custom VPC with a single subnet. The subnet's range must be as large as possible. Which range should you use?
0.0.0.0/0
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16