Professional Google Cloud Developer Exam Dumps and Braindumps

Free Google Cloud Developer Certification Topics Test

Despite the title of this article, this is not a Professional GCP Developer Certification Braindump in the traditional sense.

I do not believe in cheating.

Traditionally, the term “braindump” referred to someone taking an exam, memorizing the questions, and sharing them online for others to use. That practice is unethical and violates certification agreements. It provides no integrity, no real learning, and no professional growth.

This is not a dump of questions. All of these items come from my Google Cloud Developer Udemy course and from certificationexams.pro, which offers hundreds of free GCP Professional Developer Practice Questions.

Google Certified Developer Exam Simulator

Each question has been carefully written to align with the official Google Cloud Developer exam objectives.

They mirror the tone, logic, and technical depth of real exam scenarios, but none are copied from the actual test.

Every question is designed to help you learn, reason, and master Google Cloud concepts such as Cloud Run deployment, Cloud Functions integration, identity management, and performance optimization.

Google Cloud Certification Practice Exams

If you can answer these questions and understand why the incorrect options are wrong, you will not only pass the real Google Cloud exam but also gain a strong understanding of how to build, deploy, and maintain production-level cloud applications.

So if you want to call this your Google Developer Certification Exam Dump, that is fine, but remember that every question here is built to teach, not to cheat.

Each item includes detailed explanations, realistic examples, and insights that help you think like a professional developer during the exam. Study with focus, practice consistently, and approach your certification with integrity.

Success as a Google Cloud professional comes not from memorizing answers but from understanding how APIs, security, and automation work together to power scalable applications.

Use the Google Certified Developer Exam Simulator and GCP Certified Professional Developer Questions and Answers to prepare effectively and move closer to earning your certification.


Google Cloud Developer Certification Exam Dump

Question 1

Marquee Seats, an online ticketing company, is seeing a surge in traffic and your team’s REST API now processes about 90 thousand requests per minute. The API uses a Cloud SQL for PostgreSQL instance that shows high CPU and connection saturation, which leads to elevated latency and periodic timeouts. You want to improve API responsiveness and protect the database during spikes without a major rewrite. What should you do?

  • ❏ A. Enable Cloud SQL read replicas, route read traffic to replicas in the application, and enable connection pooling with the Cloud SQL connectors

  • ❏ B. Place Apigee in front of the API, introduce Memorystore for Redis to cache frequently read data, and add exponential backoff for request retries

  • ❏ C. Expose the API through Cloud Load Balancing, put Cloud CDN in front to cache responses, and implement exponential backoff for transient failures

  • ❏ D. Use Apigee to enforce rate limits and access control policies and insert Pub/Sub between the API and the backend to queue requests and smooth load

Question 2

On GKE, about 20 pods must read and write the same configuration file using shared storage with minimal code changes. What is the simplest approach?

  • ❏ A. Mount a Cloud Storage bucket inside the containers using gcsfuse

  • ❏ B. Create Filestore and mount as an NFS PersistentVolume

  • ❏ C. Use a ConfigMap volume for the shared config file

  • ❏ D. Run an NFS server on a Compute Engine VM and mount it as an NFS PersistentVolume

Question 3

A media analytics startup named LumaStream is implementing a Python Cloud Functions handler that is triggered by Pub/Sub messages. The QA team requires unit tests that validate the function logic and keep the tests isolated from Google Cloud services. What approach should you use so the unit tests remain fast and independent from external systems?

  • ❏ A. Run tests against the Pub/Sub emulator to verify function behavior locally

  • ❏ B. Use the unittest.mock library to stub Pub/Sub event payloads and client calls so the function can be tested without network access

  • ❏ C. Execute unit tests that publish to the production Pub/Sub topic during a scheduled window

  • ❏ D. Send messages to a separate Pub/Sub topic in a different project for testing

Question 4

Which Google Cloud deployment and database choice provides minimal operations and scales to zero and uses pay per use pricing for a public web app that can spike to about 900 requests per second and drop to zero?

  • ❏ A. GKE Standard and Firestore

  • ❏ B. App Engine Standard and Firestore

  • ❏ C. Cloud Run and Firestore

  • ❏ D. GKE Autopilot and Cloud SQL

Question 5

At scrumtuous.com you run a Google Kubernetes Engine cluster that hosts four internal microservices for separate teams, and you need to ensure engineers can access and manage only the resources for their own service while being blocked from other services in the same cluster. What approach should you implement to meet this requirement?

  • ❏ A. Apply Kubernetes Network Policies to restrict traffic flows between services

  • ❏ B. Use Google Cloud IAM to grant user access on a per application basis inside the cluster

  • ❏ C. Define Kubernetes namespaces and configure RBAC so that users have only namespace scoped permissions for their service

  • ❏ D. Configure Google Cloud VPC Service Controls to isolate the project hosting the cluster

Question 6

What is the recommended way to authenticate a Cloud Run service and local development so Google Cloud API access is secure and consistent across environments?

  • ❏ A. Store a single privileged service account key in Secret Manager and load it at startup

  • ❏ B. Use Application Default Credentials so runtime and local environments auto provide service account or user credentials

  • ❏ C. Create separate service account keys for each API and package the key files with the app

  • ❏ D. Use a single API key for all Google Cloud API requests

Question 7

After a zone outage in your region disrupted Google Kubernetes Engine workloads for mcnz.com, leadership asks you to redesign the cluster so that a single zone failure does not interrupt service for users. What configuration should you choose?

  • ❏ A. Create a multi-zonal GKE cluster

  • ❏ B. Use Cloud Run fully managed

  • ❏ C. Create a regional GKE cluster

  • ❏ D. Create a zonal GKE cluster with cluster autoscaler

Question 8

How should Compute Engine VMs obtain credentials to call Google Cloud APIs with least privilege and automatic rotation in a low maintenance way?

  • ❏ A. Fetch a service account key from Secret Manager and set an environment variable

  • ❏ B. Use OAuth client ID and store refresh tokens on the VM

  • ❏ C. Use VM service account with metadata server ADC

  • ❏ D. Create a P12 key and copy it to each instance before startup

Question 9

You are building a telemetry platform for Harbor City Lighting to track lamp health across several districts. About 15000 streetlight controllers send JSON readings and receive command responses with curl to a REST API every 45 seconds. The service runs in one Google Cloud region and uses Premium Tier networking. You need to connect the devices to the backend so that average daily latency is minimized, with a focus on reducing Time to First Byte. Which approach should you implement?

  • ❏ A. Host the backend on Compute Engine VMs and publish a round robin A record in Cloud DNS then have devices resolve and connect by name

  • ❏ B. Run the backend on a managed instance group and place an external Application Load Balancer in front then have devices call the load balancer

  • ❏ C. Run the backend in a managed instance group and expose it through an external passthrough Network Load Balancer then point devices to the load balancer

  • ❏ D. Place a global TCP Proxy Load Balancer in front of a managed instance group and connect the devices to the proxy address

Question 10

How should you expose multiple GKE Services through a single public IP with HTTPS and an automatically managed certificate while keeping operations simple?

  • ❏ A. Kubernetes Ingress with a pre shared certificate

  • ❏ B. GKE Gateway gke-l7-global-external with ManagedCertificate

  • ❏ C. One LoadBalancer Service per backend

Question 11

A team at BrightWave Analytics is packaging a microservice for Google Kubernetes Engine and will push the image to Artifact Registry before running it on a GKE Autopilot cluster with four nodes. They want to minimize the container attack surface during the image build process. Which approach should they take?

  • ❏ A. Add an SSH server to the image to allow remote troubleshooting

  • ❏ B. Build the container from a minimal base such as distroless or scratch and include only the runtime dependencies that the service needs

  • ❏ C. Pin the base image to the latest tag so that it always pulls the newest packages

  • ❏ D. Install a package manager and common shell utilities in the image to make updates easier after deployment

Question 12

Which GCP relational database and key design ensure globally unique CustomerId and TransactionId for a multi region application?

  • ❏ A. Cloud SQL for PostgreSQL with composite key CustomerId and TransactionId and auto increment TransactionId

  • ❏ B. Cloud Spanner with composite key CustomerId and TransactionId and UUID TransactionId

  • ❏ C. Cloud Spanner with composite key CustomerId and TransactionId and sequential TransactionId

  • ❏ D. Cloud SQL with composite key CustomerId and TransactionId and UUID TransactionId

Question 13

A data processing virtual machine named worker-17 runs on Compute Engine in europe-west2 inside a private subnet called analytics-subnet. The instance does not have an external IP because the security team requires private-only networking. The VM must read objects from a specific Cloud Storage bucket in the same project. What configuration should you apply so the instance can reach Cloud Storage without assigning a public IP address?

  • ❏ A. Create a Cloud VPN tunnel from your VPC to the Cloud Storage service

  • ❏ B. Attach a temporary external IP to the instance and remove it after the transfer

  • ❏ C. Enable Private Google Access on the analytics-subnet where the VM is located

  • ❏ D. Configure VPC Network Peering between your VPC and a network for Cloud Storage

Question 14

In Cloud Spanner, how should you model Customers and Purchases and design indexes to quickly retrieve purchases filtered by customer_id and status?

  • ❏ A. Keep one wide table for customers and purchases and add a composite index on customer_id and status

  • ❏ B. Use Customers and Purchases tables and interleave Purchases under Customers with primary key customer_id and purchase_id then add a composite index on Purchases for customer_id and status

  • ❏ C. Create separate Customers and Purchases tables and add an index on status only in Purchases

  • ❏ D. Use a Purchases table keyed by purchase_id and add an index on customer_id only

Question 15

Blue Finch Media runs its public marketing site on Compute Engine and the growth team wants to compare conversion across four alternative page layouts in production while avoiding any changes to the code that is already on the virtual machines. You want to direct a specific portion of user traffic to each layout with minimal operational effort and with built in routing controls. What should you do?

  • ❏ A. Keep the site on Compute Engine and configure an external HTTP(S) Load Balancer with four backend services that use weighted distribution

  • ❏ B. Deploy the site to Cloud Run and apply per revision traffic splitting so four tagged revisions each receive a chosen share of requests

  • ❏ C. Deploy the site to Cloud Run as four separate services and rotate DNS records to spread traffic

  • ❏ D. Rewrite the website into four HTTP Cloud Functions and place them behind an HTTP load balancer

Question 16

With the BigQuery Storage Write API, what is the simplest way to prevent duplicate rows while streaming about 3 million events per day into BigQuery?

  • ❏ A. Use a buffered write stream

  • ❏ B. Use a pending write stream and finalize periodically

  • ❏ C. Use a committed stream in the BigQuery Storage Write API

  • ❏ D. Use tabledata.insertAll with insertId

Question 17

At WillowCart you are building a backend interface for Android and iOS clients. All requests must use HTTPS and the team wants to reduce cellular data consumption by keeping payloads very small. The mobile apps should integrate smoothly with generated client libraries so development remains efficient. Which API approach should you adopt to meet these goals?

  • ❏ A. RESTful HTTP APIs

  • ❏ B. GraphQL

  • ❏ C. gRPC with Protocol Buffers

  • ❏ D. MQTT

Question 18

Which Git workflow aligns with Google-recommended practices for fast and stable delivery?

  • ❏ A. GitFlow with long lived develop and release branches

  • ❏ B. Fork based workflow with late integration

  • ❏ C. Trunk based development with frequent merges to main

Question 19

Riverton Media is consolidating observability for a Google Kubernetes Engine fleet that runs 24 microservices across two regions. The team wants to standardize application logs so they can be parsed consistently and analyzed with minimal operational overhead using Google-recommended practices. Which approaches should the team implement to meet these goals? (Choose 2)

  • ❏ A. Instrument services to call the Cloud Logging API directly to produce structured entries

  • ❏ B. Write application logs to standard output as JSON lines so Cloud Logging ingests them as structured entries

  • ❏ C. Publish logs to Pub/Sub and stream normalize with Dataflow before loading into BigQuery

  • ❏ D. Create a log sink that routes application logs to BigQuery for interactive analysis

  • ❏ E. Export application logs to Cloud Storage for analytics

Question 20

A Cloud Run service intermittently returns 5xx errors about four to six times per hour during peaks. How can you use Cloud Logging and Cloud Monitoring to detect spikes and receive alerts automatically?

  • ❏ A. Export logs to BigQuery

  • ❏ B. Log-based metric with Monitoring alert

  • ❏ C. Cloud Trace

  • ❏ D. Cloud Monitoring uptime check

Question 21

The team at mcnz.com runs a customer portal on App Engine Standard and needs to roll out a new release during peak business hours while keeping the site available and monitoring error rates for about 45 minutes. What should you do to introduce the new version while maintaining availability?

  • ❏ A. Delete the current serving version, deploy the update, then route all traffic to the new version

  • ❏ B. Create a new App Engine service for the release and update Cloud DNS to point the domain to the new service

  • ❏ C. Deploy the new version to the same App Engine service and move traffic to it gradually using App Engine traffic splitting

  • ❏ D. Deploy the new version and immediately send all traffic to it

Question 22

How should you configure cross project Pub/Sub publish access with least privilege from an API in project foo to a topic in project bar?

  • ❏ A. Grant Pub/Sub Editor on project bar to the application identity in project foo

  • ❏ B. Create a dedicated service account in project foo and grant Pub/Sub Publisher on the specific topic in project bar then run the app as that account

  • ❏ C. Use the default Compute Engine service account in project foo and grant Pub/Sub Publisher on the topic in project bar

  • ❏ D. Create a service account in project bar and use a downloaded key in project foo to publish

Question 23

A fintech firm named Northwind Brokerage runs a crypto exchange that must notify customers when their orders are filled. The matching engine publishes an event that the notification service consumes so that it can send confirmations through email and mobile apps. The platform must handle up to 45,000 events per second and it must ensure that each notification is delivered exactly once while allowing the notification workers to scale horizontally. How should you configure Cloud Pub/Sub topics and subscriptions?

  • ❏ A. Create one Cloud Pub/Sub topic and one push subscription for the notification service endpoint

  • ❏ B. Create one Cloud Pub/Sub topic for each matching engine instance and one push subscription per topic

  • ❏ C. Create one Cloud Pub/Sub topic and one pull subscription that all notification worker instances share

  • ❏ D. Create one Cloud Pub/Sub topic and one separate pull subscription for each notification worker instance

Question 24

Which gcloud command deploys a new App Engine version from local source so you can later split traffic?

  • ❏ A. gcloud run deploy service-name --source .

  • ❏ B. gcloud app deploy ./app.yaml

  • ❏ C. gcloud builds submit --tag gcr.io/PROJECT/IMAGE

  • ❏ D. gcloud app services update

Question 25

RivertonTickets is launching a REST API for its booking platform. The service exposes three endpoints which are /shows, /basket, and /payment. You must publish the API under one custom domain and you must be able to scale each endpoint independently of the others. What should you do?

  • ❏ A. Build one Cloud Function for all routes and publish it behind an external HTTPS load balancer

  • ❏ B. Provision one Cloud Run service and implement in service routing for the three endpoints behind a custom domain

  • ❏ C. Deploy a dedicated Cloud Function for each endpoint and present them through API Gateway on one custom domain

  • ❏ D. Expose three Cloud Functions directly using their autogenerated HTTPS URLs

Google Cloud Developer Certification Braindumps Answered

Question 1

Marquee Seats, an online ticketing company, is seeing a surge in traffic and your team’s REST API now processes about 90 thousand requests per minute. The API uses a Cloud SQL for PostgreSQL instance that shows high CPU and connection saturation, which leads to elevated latency and periodic timeouts. You want to improve API responsiveness and protect the database during spikes without a major rewrite. What should you do?

  • ✓ B. Place Apigee in front of the API, introduce Memorystore for Redis to cache frequently read data, and add exponential backoff for request retries

The correct choice is Place Apigee in front of the API, introduce Memorystore for Redis to cache frequently read data, and add exponential backoff for request retries. This combination reduces direct database reads with a fast in memory cache, shields the backend through an API management layer, and makes client retries cooperative during transient errors so the database is protected during spikes.

Putting Apigee in front lets you apply policies that smooth traffic and protect the service such as spike arrest and quotas. This helps reduce sudden surges that would otherwise drive up connection counts and CPU on Cloud SQL. Using Memorystore for Redis to cache hot read data offloads a large portion of repeated queries so the instance sees fewer connections and less CPU pressure which lowers latency. Implementing exponential backoff for retries prevents a retry storm when timeouts occur and gives the system time to recover which improves responsiveness without large application changes.

Enable Cloud SQL read replicas, route read traffic to replicas in the application, and enable connection pooling with the Cloud SQL connectors is less effective here because read replicas do not help write load and introduce replication lag that complicates consistency for a ticketing workflow. This option also requires application logic to split reads from writes and the connectors primarily solve secure connectivity rather than heavy duty pooling. Even with pooling, the database would still be stressed during spikes without a cache to reduce query volume.

Expose the API through Cloud Load Balancing, put Cloud CDN in front to cache responses, and implement exponential backoff for transient failures is not a good fit for dynamic API responses that depend on user specific data and rapidly changing inventory since those responses are usually not cacheable at the CDN edge. A load balancer and CDN do not meaningfully reduce database pressure for such APIs, so CPU and connection saturation would remain.

Use Apigee to enforce rate limits and access control policies and insert Pub/Sub between the API and the backend to queue requests and smooth load would break the synchronous request response pattern of the REST API and would add latency and complexity. Inserting a message queue between the API and a relational database is a significant redesign and is unsuitable for reads that must return current state to the caller.

When a database is the bottleneck for a read heavy API, think about adding a cache such as Redis and placing an API gateway in front to smooth spikes. Use exponential backoff for transient errors and be cautious with CDN for dynamic APIs and with Pub/Sub for synchronous flows.
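As an added illustration of two of the three measures in the correct answer (the Redis cache and exponential backoff), here is a Python sketch that is not code from the original page or the course: a cache-aside read path in front of the database, with full-jitter exponential backoff on transient errors. Memorystore for Redis is stood in for by an in-memory FakeCache and Cloud SQL by a FakeDatabase that fails a configurable number of times, so the example runs offline; FakeCache, FakeDatabase, backoff_delays, call_with_backoff and get_event are constructed names. Apigee policies such as spike arrest are configuration rather than application code and are not shown.

```python
"""Cache-aside reads plus full-jitter exponential backoff (constructed example)."""
import random
import time


class TransientError(Exception):
    """Stands in for a timeout or connection-refused error from a saturated database."""


class FakeDatabase:
    """Counts queries and fails the first `fail_times` calls to mimic a saturated Cloud SQL instance."""

    def __init__(self, rows, fail_times=0):
        self.rows = rows
        self.fail_times = fail_times
        self.queries = 0

    def fetch_event(self, event_id):
        self.queries += 1
        if self.fail_times > 0:
            self.fail_times -= 1
            raise TransientError("connection timeout")
        return self.rows[event_id]


class FakeCache:
    """Minimal stand-in for a Redis client: get/set with a TTL in seconds."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._store = {}

    def get(self, key):
        hit = self._store.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self._clock() >= expires_at:
            del self._store[key]
            return None
        return value

    def set(self, key, value, ttl_seconds):
        self._store[key] = (value, self._clock() + ttl_seconds)


def backoff_delays(attempts, base=0.1, cap=5.0, rng=random.random):
    """Full-jitter schedule: delay n is uniform in [0, min(cap, base * 2**n)]."""
    return [rng() * min(cap, base * (2 ** n)) for n in range(attempts)]


def call_with_backoff(fn, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Retry fn() on TransientError with full-jitter exponential backoff.

    Retrying immediately turns one timeout into a retry storm; the growing,
    jittered wait spreads retries from many clients so they do not re-collide.
    """
    delays = backoff_delays(max_attempts - 1, rng=rng)
    for attempt in range(max_attempts):
        try:
            return fn()
        except TransientError:
            if attempt == max_attempts - 1:
                raise  # give up after the last attempt
            sleep(delays[attempt])


def get_event(event_id, cache, db, ttl_seconds=30, sleep=time.sleep, rng=random.random):
    """Cache-aside read: serve from cache, else query the database (with backoff) and populate the cache."""
    key = f"event:{event_id}"
    cached = cache.get(key)
    if cached is not None:
        return cached
    row = call_with_backoff(lambda: db.fetch_event(event_id), sleep=sleep, rng=rng)
    cache.set(key, row, ttl_seconds)
    return row


if __name__ == "__main__":
    db = FakeDatabase({"e1": {"name": "Opening Night", "seats_left": 12}}, fail_times=2)
    cache = FakeCache()
    print(get_event("e1", cache, db))          # two transient failures, then a row
    print(get_event("e1", cache, db), db.queries)  # cache hit, still 3 queries
```

The sleep and rng parameters exist so the retry schedule can be asserted on deterministically in tests; production code keeps the defaults. The cap bounds the wait, and the TTL bounds how stale a cached seat count may be, which is the trade-off a ticketing workload has to make explicitly.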

Question 2

On GKE, about 20 pods must read and write the same configuration file using shared storage with minimal code changes. What is the simplest approach?

  • ✓ B. Create Filestore and mount as an NFS PersistentVolume

The correct option is Create Filestore and mount as an NFS PersistentVolume. It gives the pods a shared POSIX file system with ReadWriteMany so all 20 pods can read and write the same file with minimal or no changes to the application code.

This approach integrates natively with GKE through the Filestore CSI driver and presents a real file system rather than object storage. It supports concurrent access and common file semantics that most applications expect. You only provision a PersistentVolume and PersistentVolumeClaim and then mount it into the pods, which keeps the setup simple.

Mount a Cloud Storage bucket inside the containers using gcsfuse is not suitable for shared read write files because Cloud Storage is object storage and Cloud Storage FUSE does not provide full POSIX semantics or strong consistency for concurrent writers. This can cause correctness and performance issues when many pods write to the same file.

Use a ConfigMap volume for the shared config file is incorrect because ConfigMap volumes are mounted read only and pods cannot write changes into them. ConfigMaps are meant for distributing configuration, not for shared writable storage.

Run an NFS server on a Compute Engine VM and mount it as an NFS PersistentVolume would work but it is not the simplest choice. You would need to deploy, secure, patch, scale, and back up your own server, while the managed NFS service removes that operational burden.

When many pods must share writable files, look for storage that supports ReadWriteMany and POSIX semantics and prefer the managed option to reduce operational work.

Question 3

A media analytics startup named LumaStream is implementing a Python Cloud Functions handler that is triggered by Pub/Sub messages. The QA team requires unit tests that validate the function logic and keep the tests isolated from Google Cloud services. What approach should you use so the unit tests remain fast and independent from external systems?

  • ✓ B. Use the unittest.mock library to stub Pub/Sub event payloads and client calls so the function can be tested without network access

The correct option is Use the unittest.mock library to stub Pub/Sub event payloads and client calls so the function can be tested without network access.

Unit tests should run quickly and deterministically, and they should not require network access or live services. For a Python Cloud Functions handler that is triggered by Pub/Sub, you can construct a fake Pub/Sub event payload with a base64 encoded message and a simple context object, then call the function directly. You can patch any Google Cloud client usage with unittest.mock so that publishes, subscriptions, or other API calls are replaced with fakes. This keeps tests fast, isolated, and easy to run in any environment.

Run tests against the Pub/Sub emulator to verify function behavior locally is more appropriate for integration testing because it introduces an external dependency and environment setup, and it does not exercise the function purely in memory. This reduces speed and isolation which are key properties of unit tests.

Execute unit tests that publish to the production Pub/Sub topic during a scheduled window is risky and violates isolation since it depends on live infrastructure and can impact real systems. It also makes tests slower and flaky due to network and service variability.

Send messages to a separate Pub/Sub topic in a different project for testing still relies on external services and credentials and behaves like an integration test. It increases latency and flakiness and does not meet the requirement to keep unit tests independent from Google Cloud.

When a question asks for fast and isolated tests for event driven code, prefer mocking event payloads and client calls and reserve emulators or real resources for integration tests.
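The following is an added Python example of the approach in the correct answer; it is not code from the original page or the course. It shows a Pub/Sub-triggered background function with the (event, context) signature, where event["data"] carries the base64-encoded message body, and a test routine that builds a fake event and stubs the publisher client with unittest.mock so no network access occurs. The names process_reading, _publisher, make_event, run_unit_tests, ALERT_TOPIC and the payload fields are constructed for this example. The client is obtained through _publisher() with a lazy import so the module loads without the google-cloud-pubsub package installed.

```python
"""Unit-testing a Pub/Sub-triggered Cloud Function with unittest.mock (constructed example)."""
import base64
import json
from unittest import mock

ALERT_TOPIC = "projects/example-project/topics/stream-alerts"  # constructed placeholder
DROP_THRESHOLD = 0.5  # raise an alert when the buffering ratio exceeds this


def _publisher():
    """Return a Pub/Sub publisher client (lazy import so tests can run without the library)."""
    from google.cloud import pubsub_v1  # assumption: google-cloud-pubsub is installed in production
    return pubsub_v1.PublisherClient()


def process_reading(event, context):
    """Background function: decode the Pub/Sub message and publish an alert on high buffering.

    Returns a small dict so tests can assert on the outcome directly.
    """
    reading = json.loads(base64.b64decode(event["data"]))
    # Validate before acting: a malformed event must not crash the worker or trigger a publish.
    stream_id = reading.get("stream_id")
    ratio = reading.get("buffer_ratio")
    if not isinstance(stream_id, str) or not isinstance(ratio, (int, float)):
        return {"status": "rejected", "reason": "invalid payload"}
    if ratio <= DROP_THRESHOLD:
        return {"status": "ok", "stream_id": stream_id, "alerted": False}
    body = json.dumps({"stream_id": stream_id, "buffer_ratio": ratio}).encode("utf-8")
    future = _publisher().publish(ALERT_TOPIC, body)
    return {"status": "ok", "stream_id": stream_id, "alerted": True, "message_id": future.result()}


def make_event(payload):
    """Build a fake Pub/Sub event shaped the way the platform delivers it (test helper)."""
    data = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return {"data": data, "attributes": {}}


def run_unit_tests():
    """Call the handler with mocked client calls and return the observed results."""
    results = {}
    fake_publisher = mock.MagicMock()
    fake_client = fake_publisher.return_value
    fake_client.publish.return_value.result.return_value = "msg-123"
    # Patch the module-global helper so process_reading never constructs a real client.
    with mock.patch.dict(globals(), {"_publisher": fake_publisher}):
        results["alert"] = process_reading(make_event({"stream_id": "s-42", "buffer_ratio": 0.8}), None)
        results["alert_calls"] = fake_client.publish.call_count
        results["alert_topic"] = fake_client.publish.call_args.args[0]
        results["quiet"] = process_reading(make_event({"stream_id": "s-42", "buffer_ratio": 0.1}), None)
        results["quiet_calls"] = fake_client.publish.call_count  # unchanged: nothing published
        results["bad"] = process_reading(make_event({"stream_id": 7}), None)
    return results


if __name__ == "__main__":
    print(run_unit_tests())
```

In a real repository the handler and the tests live in separate modules and the stub is installed with mock.patch("handler._publisher") by dotted path; mock.patch.dict on globals() is used here only because both share one file. Either way the test exercises the decoding, validation and threshold logic entirely in memory, and the emulator or a real topic is reserved for a separate integration test.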

Question 4

Which Google Cloud deployment and database choice provides minimal operations and scales to zero and uses pay per use pricing for a public web app that can spike to about 900 requests per second and drop to zero?

  • ✓ C. Cloud Run and Firestore

Cloud Run and Firestore is the correct choice because it is fully managed, scales to zero when idle, and uses pay per use pricing while handling spiky public web traffic such as around 900 requests per second.

Cloud Run automatically scales container instances based on incoming requests and can scale down to zero when there is no traffic. You are billed for the resources used while requests are being served which aligns with pay per use. Its request concurrency and rapid autoscaling let it absorb short lived spikes without pre provisioning capacity and it requires minimal operational effort.

Firestore is a serverless NoSQL database that scales automatically with traffic and charges per document operations and storage. There are no servers to manage and when there is no activity you only pay for any stored data.

GKE Standard and Firestore is not ideal for minimal operations because you must manage Kubernetes primitives and cluster configuration and it does not natively scale web workloads to zero. Although Firestore is serverless the compute layer would still carry operational burden and is not pay per request.

App Engine Standard and Firestore can scale automatically and may scale to zero with the right settings, yet it is billed by instance time rather than strictly by request and often requires warm instances to reduce cold starts. It is also more opinionated on runtimes and has fewer flexibility benefits than a fully managed container service for this spiky pattern.

GKE Autopilot and Cloud SQL reduces cluster management but it is still Kubernetes and typical web deployments keep at least one replica running which prevents true scale to zero by default. Cloud SQL is an instance based database that does not scale to zero and incurs cost even when idle, which breaks the pay per use requirement.

When a question stresses scale to zero and pay per use for a spiky public app, prefer fully managed serverless compute and a serverless database. Think of services like Cloud Run for compute and Firestore for data, and avoid options that keep instances running or require Kubernetes management.

Question 5

At scrumtuous.com you run a Google Kubernetes Engine cluster that hosts four internal microservices for separate teams, and you need to ensure engineers can access and manage only the resources for their own service while being blocked from other services in the same cluster. What approach should you implement to meet this requirement?

  • ✓ C. Define Kubernetes namespaces and configure RBAC so that users have only namespace scoped permissions for their service

The correct option is Define Kubernetes namespaces and configure RBAC so that users have only namespace scoped permissions for their service. This approach creates strong logical boundaries inside one cluster and limits what each engineer can do to only the resources for their own team.

This approach works because namespaces partition cluster resources by team or service while Kubernetes RBAC provides fine grained authorization within those boundaries. You create a namespace per microservice and bind users or groups to Roles in that namespace using RoleBindings. Users can then deploy and manage objects like Deployments and Services in their own namespace and they cannot view or modify resources in other namespaces. This directly satisfies the requirement without needing additional clusters.

Apply Kubernetes Network Policies to restrict traffic flows between services is not sufficient because it only filters pod to pod network communication. It does not control who can read or change Kubernetes objects through the API, so it cannot enforce per team management permissions.

Use Google Cloud IAM to grant user access on a per application basis inside the cluster is incorrect because IAM governs access to the cluster endpoint and Google Cloud resources, and by itself it does not provide per namespace authorization on Kubernetes objects. You still need Kubernetes RBAC to scope permissions inside the cluster.

Configure Google Cloud VPC Service Controls to isolate the project hosting the cluster does not address in cluster authorization. VPC Service Controls protect access to Google APIs to reduce data exfiltration risk and they do not limit which team can operate on Kubernetes resources within the cluster.

When a question is about who can perform which actions on Kubernetes resources, think namespace scoped RBAC. If it is about controlling pod to pod traffic, think Network Policies. If it concerns protecting access to Google APIs and reducing data exfiltration, think VPC Service Controls. Match the control to the layer being secured.

Question 6

What is the recommended way to authenticate a Cloud Run service and local development so Google Cloud API access is secure and consistent across environments?

  • ✓ B. Use Application Default Credentials so runtime and local environments auto provide service account or user credentials

The correct option is Use Application Default Credentials so runtime and local environments auto provide service account or user credentials.

Application Default Credentials let your code obtain credentials in a consistent way without managing keys. On Cloud Run the runtime automatically provides the service account identity through the metadata server and client libraries pick it up with no extra configuration. For local development you can supply user credentials or local service account credentials through Application Default Credentials, which keeps the same code path across environments and avoids long lived secrets. This approach benefits from automatic token refresh and aligns with least privilege through IAM roles on the service account.

Store a single privileged service account key in Secret Manager and load it at startup is not recommended because it relies on a long lived key that can be leaked or misused. A single privileged key also violates least privilege and is unnecessary on Cloud Run where the platform already provides short lived credentials through the runtime identity.

Create separate service account keys for each API and package the key files with the app increases operational risk and complexity. Embedding keys in images or artifacts makes rotation hard and expands the blast radius. This contradicts the goal of avoiding service account keys and using short lived credentials provided by the platform.

Use a single API key for all Google Cloud API requests is incorrect because API keys do not convey identity, they do not support IAM authorization, and many Google Cloud client libraries require OAuth based credentials. This would weaken security and reduce compatibility.

When you see Cloud Run and local development together, look for Application Default Credentials. Prefer answers that avoid long lived keys and that rely on the runtime service account in production with gcloud provided user credentials in development.

Question 7

After a zone outage in your region disrupted Google Kubernetes Engine workloads for mcnz.com, leadership asks you to redesign the cluster so that a single zone failure does not interrupt service for users. What configuration should you choose?

  • ✓ C. Create a regional GKE cluster

The correct option is Create a regional GKE cluster.

A regional GKE cluster places replicas of the control plane in multiple zones within the same region and also distributes nodes across zones. This provides both control plane and workload resilience so the cluster remains functional and user traffic continues even if an entire zone fails.

Create a multi-zonal GKE cluster spreads nodes across zones but the control plane remains in a single zone which can still become unavailable during a zone outage and cause management or scheduling disruption that may interrupt service.

Use Cloud Run fully managed changes the platform rather than redesigning the Kubernetes cluster and can require application changes. The requirement is to redesign GKE to withstand a zone outage rather than to migrate to a different service.

Create a zonal GKE cluster with cluster autoscaler keeps the cluster in a single zone and only adjusts capacity. Autoscaling does not protect against a full zone outage so user service can still be interrupted.

When a question asks to survive a single zone failure, prefer a regional GKE cluster because the control plane and nodes are spread across zones. Beware of multi zonal clusters that still have a single zone control plane.

Question 8

How should Compute Engine VMs obtain credentials to call Google Cloud APIs with least privilege and automatic rotation in a low maintenance way?

  • ✓ C. Use VM service account with metadata server ADC

The correct option is Use VM service account with metadata server ADC.

This approach attaches a service account to the instance and relies on the metadata server to mint short lived access tokens. Client libraries using Application Default Credentials automatically obtain and refresh these tokens which removes the need to distribute or rotate keys. Least privilege is achieved by granting only the minimal IAM roles to the attached service account so you keep privileges tightly scoped while the platform handles automatic rotation.

Fetch a service account key from Secret Manager and set an environment variable is not low maintenance and does not provide automatic rotation. It still relies on a long lived key that you must distribute and rotate yourself. Loading a JSON key from Secret Manager and pointing ADC to it with an environment variable keeps the same risks and management burden.

Use OAuth client ID and store refresh tokens on the VM uses user credentials rather than a service account which complicates least privilege and auditing. Refresh tokens are long lived secrets that must be stored and protected and they can be revoked unexpectedly, so this is not a recommended server to server pattern on Compute Engine.

Create a P12 key and copy it to each instance before startup requires distributing long lived credentials to every VM and has no automatic rotation. P12 service account keys are deprecated which makes this choice even less suitable and less likely to be correct on newer exams.

When a question emphasizes least privilege and automatic rotation for Compute Engine, prefer the instance service account with the metadata server and Application Default Credentials and avoid any answer that stores long lived keys or refresh tokens on the VM.
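Questions 6 and 8 both turn on the order in which Application Default Credentials are located. The following is an added illustration, not code from the practice set or from Google's client libraries: a simplified model of the ADC search order (the GOOGLE_APPLICATION_CREDENTIALS environment variable, then the gcloud user credentials file, then the metadata server) with the file and metadata checks injected so it runs offline, plus an audit that flags a key file shipped into a Cloud Run revision. The K_SERVICE variable is one Cloud Run really sets; the service names and paths are constructed for the example.

```python
import os
from dataclasses import dataclass

# Real locations: the well-known gcloud ADC file and the metadata server token endpoint
# (the endpoint must be called with the header "Metadata-Flavor: Google").
GCLOUD_ADC_FILE = os.path.expanduser("~/.config/gcloud/application_default_credentials.json")
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")


@dataclass(frozen=True)
class CredentialSource:
    kind: str               # "explicit_key_file", "gcloud_user" or "metadata_server"
    location: str           # file path or URL the credentials come from
    user_managed_key: bool  # True only for a downloaded service account key you rotate yourself


def resolve_adc(env, file_exists, metadata_reachable):
    """Simplified model of the Application Default Credentials search order.

    env: mapping such as os.environ
    file_exists: callable(path) -> bool, injected so the model runs offline
    metadata_reachable: callable() -> bool, True on Cloud Run, Compute Engine, GKE
    """
    key_path = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_path:
        if not file_exists(key_path):
            raise FileNotFoundError(f"GOOGLE_APPLICATION_CREDENTIALS points at missing file {key_path}")
        return CredentialSource("explicit_key_file", key_path, True)
    if file_exists(GCLOUD_ADC_FILE):
        # produced by `gcloud auth application-default login` on a developer machine
        return CredentialSource("gcloud_user", GCLOUD_ADC_FILE, False)
    if metadata_reachable():
        # attached service account; tokens are short lived and refreshed by the platform
        return CredentialSource("metadata_server", METADATA_TOKEN_URL, False)
    raise RuntimeError("No Application Default Credentials found; run "
                       "`gcloud auth application-default login` or attach a service account")


def audit_credentials(env, file_exists, metadata_reachable):
    """Resolve ADC and flag setups that contradict the runtime-identity pattern."""
    source = resolve_adc(env, file_exists, metadata_reachable)
    findings = []
    # Cloud Run sets K_SERVICE; anything but the metadata server there means a secret was shipped
    if "K_SERVICE" in env and source.kind != "metadata_server":
        findings.append(f"Cloud Run service {env['K_SERVICE']} uses {source.kind} "
                        "instead of the runtime service account")
    if source.user_managed_key:
        findings.append(f"user-managed key file in use at {source.location}; "
                        "prefer the runtime identity or gcloud user ADC")
    return source, findings


if __name__ == "__main__":
    # Constructed environments: a Cloud Run revision and a developer laptop (hypothetical names).
    cloud_run_env = {"K_SERVICE": "orders-api", "K_REVISION": "orders-api-00012-abc"}
    print(audit_credentials(cloud_run_env, lambda p: False, lambda: True))
    laptop_env = {}
    print(audit_credentials(laptop_env, lambda p: p == GCLOUD_ADC_FILE, lambda: False))
```

The same `resolve_adc` call serves both environments, which is the point of the correct answers: production gets the attached service account through the metadata server, development gets gcloud user credentials, and neither path needs a key file.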

Question 9

You are building a telemetry platform for Harbor City Lighting to track lamp health across several districts. About 15000 streetlight controllers send JSON readings and receive command responses with curl to a REST API every 45 seconds. The service runs in one Google Cloud region and uses Premium Tier networking. You need to connect the devices to the backend so that average daily latency is minimized, with a focus on reducing Time to First Byte. Which approach should you implement?

  • ✓ B. Run the backend on a managed instance group and place an external Application Load Balancer in front then have devices call the load balancer

The correct option is Run the backend on a managed instance group and place an external Application Load Balancer in front then have devices call the load balancer.

An external Application Load Balancer provides a global anycast entry point that terminates TCP and TLS at Google Front Ends close to each device. Requests then traverse the Premium Tier backbone to the regional backend in the managed instance group. This edge termination and connection pooling reduce round trips for handshakes and lower Time to First Byte. It natively supports HTTP and HTTPS which matches a curl based REST API and it adds health checks and autoscaling so the platform remains responsive as load fluctuates.

Host the backend on Compute Engine VMs and publish a round robin A record in Cloud DNS then have devices resolve and connect by name is not suitable because DNS round robin does not direct clients by latency or health and there is no edge termination. Devices would complete TCP and TLS handshakes directly with the regional VMs across the public internet which increases handshake latency and TTFB and complicates failover.

Run the backend in a managed instance group and expose it through an external passthrough Network Load Balancer then point devices to the load balancer is regional and operates at layer four without proxying at the edge. There is no global anycast entry and no HTTP awareness which means distant devices still incur long round trips to the region so TTFB remains higher.

Place a global TCP Proxy Load Balancer in front of a managed instance group and connect the devices to the proxy address targets generic TCP services rather than HTTP based APIs. Although it is global, it lacks HTTP features and optimizations that matter for REST endpoints. The recommended choice for HTTP workloads is the external Application Load Balancer for the best latency and TTFB.

Match the protocol to the load balancer layer. For HTTP or HTTPS APIs where reducing TTFB and global latency matters, choose the global external Application Load Balancer which terminates at the edge and uses Premium Tier. Reserve TCP or Network Load Balancers for non HTTP protocols.

Question 10

How should you expose multiple GKE Services through a single public IP with HTTPS and an automatically managed certificate while keeping operations simple?

  • ✓ B. GKE Gateway gke-l7-global-external with ManagedCertificate

The correct option is GKE Gateway gke-l7-global-external with ManagedCertificate.

This approach uses the Gateway API with the global external class to create a single external HTTP and HTTPS load balancer for your cluster. You attach multiple routes that direct traffic by hostnames or paths to different Services so everything is fronted by one public IP. HTTPS termination is handled at the load balancer and a Google managed certificate can be provisioned and renewed automatically which keeps operations simple and reduces toil.

Kubernetes Ingress with a pre shared certificate does not meet the requirement for an automatically managed certificate because a pre shared certificate is created and rotated by you. While Ingress can consolidate Services behind one IP the certificate lifecycle is not automated in this choice.

One LoadBalancer Service per backend allocates a separate external IP for each Service which fails the single public IP requirement and increases operational overhead. It also leaves certificate management to each Service or an additional proxy layer which is not simple.

When you see requirements for a single public IP fronting many Services with automatic certificates think of host and path based routing at layer seven. In modern GKE that usually means the Gateway API with the global external class rather than multiple LoadBalancer Services or a pre shared cert.

Question 11

A team at BrightWave Analytics is packaging a microservice for Google Kubernetes Engine and will push the image to Artifact Registry before running it on a GKE Autopilot cluster with four nodes. They want to minimize the container attack surface during the image build process. Which approach should they take?

  • ✓ B. Build the container from a minimal base such as distroless or scratch and include only the runtime dependencies that the service needs

The correct option is Build the container from a minimal base such as distroless or scratch and include only the runtime dependencies that the service needs.

This approach reduces the number of packages and binaries in the image which shrinks the potential vulnerability surface. It avoids shells and package managers that attackers often abuse and it produces a smaller image that is quicker to scan, pull, and start in GKE. Keeping only what the service needs follows the principle of least privilege during the build process and supports reproducible and maintainable images.

Add an SSH server to the image to allow remote troubleshooting is incorrect because running SSH inside containers is an anti pattern and increases exposure. Troubleshooting should rely on kubectl exec, logs, and ephemeral debug containers rather than keeping a network service like SSH in production images.

Pin the base image to the latest tag so that it always pulls the newest packages is incorrect because latest is mutable and nondeterministic which can introduce unexpected changes and vulnerabilities. You should pin by digest or a specific version and update through a new build to keep images reproducible and controlled.

Install a package manager and common shell utilities in the image to make updates easier after deployment is incorrect because adding these tools widens the attack surface and encourages in place changes. Images should be immutable and updates should be made during a rebuild rather than after deployment.

When a question asks about minimizing container attack surface, look for minimal base images that omit shells and package managers, avoid SSH in containers, and prefer immutable images pinned by digest rather than the mutable latest tag.
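To make the four options of Question 11 concrete, here is an added example (not from the practice set or any real project): two constructed Dockerfiles, one following the correct option and one combining the three incorrect ones, and a small linter that reports the anti-patterns named in the explanations for the final build stage. The sha256 digests in the samples are placeholders, not real image digests.

```python
import re

# Constructed sample Dockerfiles; the digests are placeholders, not real image digests.
HARDENED = """\
# build stage: may use a full toolchain image
FROM golang:1.22@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/service ./cmd/service

# final stage: distroless, pinned by digest, no shell, non-root
FROM gcr.io/distroless/static-debian12:nonroot@sha256:1111111111111111111111111111111111111111111111111111111111111111
COPY --from=build /out/service /service
USER nonroot
ENTRYPOINT ["/service"]
"""

RISKY = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y openssh-server vim
COPY service /usr/local/bin/service
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]
"""

MINIMAL_BASES = ("scratch", "distroless")
PKG_INSTALL = re.compile(r"\b(apt-get|apt|apk|yum|dnf|microdnf)\b.*\b(install|add)\b")
SSH_MARKERS = re.compile(r"openssh-server|\bsshd\b")


def _stages(text):
    """Split a Dockerfile into build stages; each stage is a list of lines starting with FROM."""
    stages, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            if current:
                stages.append(current)
            current = [line]
        elif current:
            current.append(line)
    if current:
        stages.append(current)
    return stages


def lint_dockerfile(text):
    """Return sorted finding codes for the final stage, the only one that ships to the cluster."""
    stages = _stages(text)
    if not stages:
        return ["NO_FROM"]
    final = stages[-1]
    image = final[0].split()[1]            # FROM <image>[ AS <name>]
    name, _, digest = image.partition("@")
    last = name.rsplit("/", 1)[-1]         # drop registry/repo so a registry port is not read as a tag
    tag = last.split(":", 1)[1] if ":" in last else None
    findings = set()
    if name != "scratch" and not digest.startswith("sha256:"):
        findings.add("NO_DIGEST")          # mutable reference; pin by digest for reproducible builds
    if tag == "latest" or (tag is None and name != "scratch"):
        findings.add("LATEST_TAG")         # an untagged image also resolves to :latest
    if not any(base in name for base in MINIMAL_BASES):
        findings.add("NOT_MINIMAL_BASE")
    non_root = False
    for line in final[1:]:
        upper = line.upper()
        if upper.startswith("RUN ") and PKG_INSTALL.search(line):
            findings.add("PACKAGE_MANAGER")  # package manager used in the shipped layer
        if SSH_MARKERS.search(line) or (upper.startswith("EXPOSE ") and "22" in line.split()[1:]):
            findings.add("SSH_SERVER")
        if upper.startswith("USER ") and line.split()[1] not in ("root", "0"):
            non_root = True
    if not non_root:
        findings.add("ROOT_USER")
    return sorted(findings)


if __name__ == "__main__":
    print("hardened:", lint_dockerfile(HARDENED))
    print("risky:   ", lint_dockerfile(RISKY))
```

Only the final stage is linted because a multi-stage build may legitimately use a full toolchain image to compile, as long as nothing from it except the built binary is copied into the image that runs on GKE.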

Question 12

Which GCP relational database and key design ensure globally unique CustomerId and TransactionId for a multi region application?

  • ✓ B. Cloud Spanner with composite key CustomerId and TransactionId and UUID TransactionId

The correct option is Cloud Spanner with composite key CustomerId and TransactionId and UUID TransactionId.

With Cloud Spanner you get multi region synchronous replication and externally consistent transactions, which means globally consistent writes. A composite primary key on CustomerId and TransactionId ensures that each pair is unique, and using a UUID for the TransactionId provides globally unique values across regions and services.

A UUID for the TransactionId also avoids monotonically increasing keys. This helps Cloud Spanner distribute writes within the key range and reduces the risk of end of range hotspots, which is important for high throughput multi region workloads.

Cloud SQL for PostgreSQL with composite key CustomerId and TransactionId and auto increment TransactionId is not suitable because Cloud SQL is a regional service with a single writable primary and asynchronous replicas, so it does not provide globally distributed strong consistency. An auto increment sequence would not guarantee globally unique values in an active active multi region design.

Cloud Spanner with composite key CustomerId and TransactionId and sequential TransactionId is less appropriate because a sequential TransactionId can cause hotspotting on write paths, which limits scalability for high traffic partitions even though the database is globally distributed.

Cloud SQL with composite key CustomerId and TransactionId and UUID TransactionId still relies on a regional primary, so even though a UUID can provide uniqueness for the TransactionId, the service does not meet the multi region strong consistency requirement.

Map requirements to capabilities. If the question stresses multi region and strong consistency then think Cloud Spanner. If the primary key has a high traffic prefix then avoid sequential suffixes and prefer UUID or a hashed component to reduce hotspots.
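The hotspot argument in Question 12 is easy to see with a simulation. The block below is an added example, not from the practice set or from Cloud Spanner itself: it models the TransactionId key space as a fixed number of equal ranges (real Spanner splits are data driven, so this is a toy) and measures what share of writes land on the busiest range for a sequential INT64 suffix, a UUID suffix, and the hashed component the tip mentions. The same effect applies within a single CustomerId prefix of the composite key.

```python
import hashlib
import uuid

SPLITS = 16  # toy model: the key space is divided into 16 equal ranges


def split_for(value, bits, splits=SPLITS):
    """Map an integer key in a `bits`-wide key space to one of `splits` contiguous ranges."""
    return value * splits >> bits  # same as value * splits // 2**bits


def sequential_ids(n, start=1):
    """INT64 counter style TransactionId; every new key sits next to the previous one."""
    return [(start + i, 64) for i in range(n)]


def uuid_ids(n):
    """UUID4 TransactionId: 128 random bits, so consecutive writes land anywhere."""
    return [(uuid.uuid4().int, 128) for _ in range(n)]


def hashed_ids(n, start=1):
    """Sequential id replaced by a hashed component, the other option the tip mentions."""
    out = []
    for i in range(n):
        digest = hashlib.sha256(str(start + i).encode()).digest()
        out.append((int.from_bytes(digest[:8], "big"), 64))
    return out


def write_distribution(ids, splits=SPLITS):
    """Number of writes that fall into each range."""
    counts = [0] * splits
    for value, bits in ids:
        counts[split_for(value, bits, splits)] += 1
    return counts


def hotspot_ratio(counts):
    """Share of writes on the busiest range: 1/splits is ideal, 1.0 means one hot range."""
    return max(counts) / sum(counts)


if __name__ == "__main__":
    for label, ids in (("sequential", sequential_ids(4000)),
                       ("uuid", uuid_ids(4000)),
                       ("hashed", hashed_ids(4000))):
        counts = write_distribution(ids)
        print(f"{label:10s} busiest range share = {hotspot_ratio(counts):.3f}  {counts}")
```

Sequential keys all fall into the same range, which is the end-of-range hotspot the explanation describes; UUID and hashed keys spread close to the ideal 1/16 per range.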

Question 13

A data processing virtual machine named worker-17 runs on Compute Engine in europe-west2 inside a private subnet called analytics-subnet. The instance does not have an external IP because the security team requires private-only networking. The VM must read objects from a specific Cloud Storage bucket in the same project. What configuration should you apply so the instance can reach Cloud Storage without assigning a public IP address?

  • ✓ C. Enable Private Google Access on the analytics-subnet where the VM is located

The correct option is Enable Private Google Access on the analytics-subnet where the VM is located.

Private Google Access allows Compute Engine VMs that do not have external IP addresses to reach Google APIs and services such as Cloud Storage using Google’s private network. It is enabled at the subnet level so turning it on for analytics-subnet lets worker-17 access the bucket without any public IP. Traffic to Google APIs is routed to the restricted VIP so the instance remains private and the security requirement is met.

Create a Cloud VPN tunnel from your VPC to the Cloud Storage service is incorrect because you cannot build a VPN directly to a Google managed service. Cloud VPN connects networks, not individual Google APIs like Cloud Storage.

Attach a temporary external IP to the instance and remove it after the transfer is incorrect because it violates the private-only requirement and briefly exposes the VM to the internet. It is also unnecessary when you can keep the instance private by using Private Google Access.

Configure VPC Network Peering between your VPC and a network for Cloud Storage is incorrect because there is no peering target for Cloud Storage. VPC Network Peering connects two VPC networks and it does not provide access to Google managed services.

When a VM without an external IP must reach Google services, look for Private Google Access at the subnet level. Remember that VPN and VPC peering connect networks and do not provide access to Google APIs, and adding a public IP violates no external IP requirements.

Question 14

In Cloud Spanner, how should you model Customers and Purchases and design indexes to quickly retrieve purchases filtered by customer_id and status?

  • ✓ B. Use Customers and Purchases tables and interleave Purchases under Customers with primary key customer_id and purchase_id then add a composite index on Purchases for customer_id and status

The correct option is Use Customers and Purchases tables and interleave Purchases under Customers with primary key customer_id and purchase_id then add a composite index on Purchases for customer_id and status.

Cloud Spanner optimizes parent and child relationships when the child table is interleaved under the parent and when the child primary key begins with the parent key. Defining Purchases with a primary key of customer_id and purchase_id groups each customer’s purchases together and improves locality for reads and writes that are scoped to a single customer.

Queries that filter by customer_id and status are best served by a composite secondary index on those two columns with customer_id as the leading column. This lets Spanner perform a selective index scan to return matching purchases quickly without scanning unrelated rows.

Keep one wide table for customers and purchases and add a composite index on customer_id and status is not recommended because it denormalizes the data and duplicates customer attributes across purchase rows, and it prevents the use of interleaving that improves locality for a natural parent child relationship.

Create separate Customers and Purchases tables and add an index on status only in Purchases is inefficient for the stated access pattern because a status only index cannot also filter by customer_id, so the database would scan many rows for that status and then filter by customer afterward.

Use a Purchases table keyed by purchase_id and add an index on customer_id only misses the modeling and indexing goals because the table cannot be interleaved under Customers when the key is purchase_id, and an index on customer_id alone does not efficiently support filtering by both customer_id and status.

When a query filters by multiple columns choose a composite index with the equality filtered column first, and in Spanner look for interleaving when child rows are accessed by their parent to gain locality and predictable performance.
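As an added illustration of Question 14 (not code from the practice set or from Cloud Spanner), the block below shows the DDL the correct option describes and then models, in memory with sorted tuples, how many entries each access path examines for a query filtered by customer_id and status: a table scan, the composite (customer_id, status) index, and a status-only index modelled as the explanation describes it (located by status, then filtered by customer). The rows and counts are constructed; the DDL string is for reference and is not executed.

```python
from bisect import bisect_left, bisect_right

# Schema the model mirrors (Spanner GoogleSQL DDL, shown for reference only, not executed here).
SCHEMA_DDL = """
CREATE TABLE Customers (
  customer_id INT64 NOT NULL,
  name        STRING(MAX),
) PRIMARY KEY (customer_id);

CREATE TABLE Purchases (
  customer_id  INT64 NOT NULL,
  purchase_id  INT64 NOT NULL,
  status       STRING(32) NOT NULL,
  amount_cents INT64,
) PRIMARY KEY (customer_id, purchase_id),
  INTERLEAVE IN PARENT Customers ON DELETE CASCADE;

CREATE INDEX PurchasesByCustomerStatus ON Purchases(customer_id, status);
"""

STATUSES = ("pending", "shipped", "delivered")
INF = 2**63  # upper sentinel for INT64 purchase ids in range lookups


def build_purchases(customers=50, per_customer=40):
    """Constructed rows in interleaved physical order, sorted by (customer_id, purchase_id)."""
    return [(cid, pid, STATUSES[pid % 3])
            for cid in range(1, customers + 1) for pid in range(per_customer)]


def composite_index(rows):
    """Index key (customer_id, status) followed by the remaining primary key column."""
    return sorted((cid, status, pid) for cid, pid, status in rows)


def status_only_index(rows):
    """Index keyed by status alone; entries are found by status then filtered by customer."""
    return sorted((status, pid, cid) for cid, pid, status in rows)


def query_table_scan(rows, cid, status):
    hits = [pid for c, pid, s in rows if c == cid and s == status]
    return hits, len(rows)                      # every row examined


def query_composite(index, cid, status):
    lo = bisect_left(index, (cid, status))      # seek to the first matching prefix
    hi = bisect_right(index, (cid, status, INF))
    return [pid for _, _, pid in index[lo:hi]], hi - lo


def query_status_index(index, cid, status):
    lo = bisect_left(index, (status,))
    hi = bisect_right(index, (status, INF, INF))
    hits = [pid for _, pid, c in index[lo:hi] if c == cid]
    return hits, hi - lo                        # all entries for that status examined


def rows_for_customer(rows, cid):
    """Interleaving locality: one contiguous key range holds all of a customer's purchases."""
    lo = bisect_left(rows, (cid,))
    hi = bisect_right(rows, (cid, INF, ""))
    return rows[lo:hi]


if __name__ == "__main__":
    rows = build_purchases()
    for name, (hits, examined) in (
        ("table scan", query_table_scan(rows, 17, "shipped")),
        ("composite index", query_composite(composite_index(rows), 17, "shipped")),
        ("status-only index", query_status_index(status_only_index(rows), 17, "shipped")),
    ):
        print(f"{name:18s} returned {len(hits):3d} rows after examining {examined:5d} entries")
```

The composite index with customer_id leading examines exactly the rows it returns, which is the selective index scan the explanation refers to.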

Question 15

Blue Finch Media runs its public marketing site on Compute Engine and the growth team wants to compare conversion across four alternative page layouts in production while avoiding any changes to the code that is already on the virtual machines. You want to direct a specific portion of user traffic to each layout with minimal operational effort and with built in routing controls. What should you do?

  • ✓ B. Deploy the site to Cloud Run and apply per revision traffic splitting so four tagged revisions each receive a chosen share of requests

The correct option is Deploy the site to Cloud Run and apply per revision traffic splitting so four tagged revisions each receive a chosen share of requests.

Cloud Run supports per revision traffic splitting with precise percentages and no application code changes are required to achieve this. You can deploy four revisions, tag them for clarity, then assign an exact share of traffic to each revision. This provides built in routing controls with minimal operational effort and makes it easy to adjust or roll back the distribution as experiment results come in.

Keep the site on Compute Engine and configure an external HTTP(S) Load Balancer with four backend services that use weighted distribution is not suitable because the external HTTP(S) Load Balancer does not provide simple percentage based weighting across multiple backend services. It primarily routes by host, path or header rules and would require custom logic to approximate percentage splits which adds operational complexity.

Deploy the site to Cloud Run as four separate services and rotate DNS records to spread traffic is not appropriate because DNS based distribution is imprecise due to resolver and client caching. It lacks fine grained and immediate control over traffic percentages and does not provide the built in, reliable routing and quick adjustment needed for controlled experiments.

Rewrite the website into four HTTP Cloud Functions and place them behind an HTTP load balancer does not meet the requirement to avoid changes to the existing code and moves the workload to an event driven model that is not designed for serving full web applications. It also increases operational effort without delivering accurate percentage based traffic splitting.

When you see a need for percentage based routing with no code changes and minimal effort, think of serverless platforms with built in traffic splitting such as Cloud Run revisions or App Engine versions rather than load balancers or DNS tricks.

Question 16

With the BigQuery Storage Write API, what is the simplest way to prevent duplicate rows while streaming about 3 million events per day into BigQuery?

  • ✓ C. Use a committed stream in the BigQuery Storage Write API

The correct option is Use a committed stream in the BigQuery Storage Write API.

With a committed stream you get immediate visibility of data and you can prevent duplicates by setting a per stream row offset on each append. If a retry sends the same offset, BigQuery accepts only the first write, which delivers exactly once ingestion behavior without extra cleanup jobs. At a volume of about three million events per day this approach is simple to run and you do not need to manage finalization or batch commits.

Use a buffered write stream can also apply offsets to avoid duplicates, yet it adds operational steps such as managing flush points and stream lifecycle. This is unnecessary overhead when the goal is straightforward streaming with duplicate protection.

Use a pending write stream and finalize periodically is intended for transactional or batch style ingestion where you must finalize and then commit the data. This increases complexity and latency and does not match continuous streaming needs at this scale.

Use tabledata.insertAll with insertId belongs to the older streaming insert API. Although it can deduplicate with insertId, it has tighter quotas and is superseded by the Storage Write API for new solutions, and the question explicitly asks about the Storage Write API.

When a question emphasizes the simplest way with the Storage Write API and needs real time visibility, prefer stream types that commit immediately and avoid options that require finalize or batch commits.
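The exactly-once behaviour in Question 16 comes from retrying an append with the same per-stream offset. The block below is an added model, not the BigQuery client library: a toy committed stream that follows the documented offset semantics (a repeated offset is rejected as already written, an offset past the end is out of range), a transport that loses the acknowledgement for some requests, and an ingest loop run once with offsets and once without so the duplicate count is visible. Batch sizes and event ids are constructed.

```python
class AlreadyExists(Exception):
    """Rows were already committed at this offset (a retried append)."""


class OutOfRange(Exception):
    """Offset does not match the next free position in the stream."""


class AckLost(Exception):
    """The server committed the batch but the client never saw the response."""


class CommittedStream:
    """Toy committed write stream: rows are visible as soon as append returns."""

    def __init__(self):
        self.rows = []

    def append(self, rows, offset=None):
        next_offset = len(self.rows)
        if offset is not None:
            if offset < next_offset:
                raise AlreadyExists(f"rows already written at offset {offset}")
            if offset > next_offset:
                raise OutOfRange(f"expected offset {next_offset}, got {offset}")
        self.rows.extend(rows)
        return len(self.rows)  # next free offset


class FlakyTransport:
    """Delivers every request to the stream but loses the ack for the listed request numbers."""

    def __init__(self, stream, lose_ack_on):
        self.stream = stream
        self.lose_ack_on = set(lose_ack_on)
        self.calls = 0

    def send(self, rows, offset):
        self.calls += 1
        result = self.stream.append(rows, offset)  # server-side commit happens here
        if self.calls in self.lose_ack_on:
            raise AckLost(f"response for request {self.calls} lost")
        return result


def ingest(events, batch_size, use_offsets, lose_ack_on):
    """Stream events in batches, retrying on lost acks; returns the rows the stream holds."""
    stream = CommittedStream()
    transport = FlakyTransport(stream, lose_ack_on)
    offset = 0
    for start in range(0, len(events), batch_size):
        batch = events[start:start + batch_size]
        while True:
            try:
                transport.send(batch, offset if use_offsets else None)
                break
            except AckLost:
                continue          # retry the same batch with the same offset
            except AlreadyExists:
                break             # the earlier attempt was committed; the retry is a no-op
        offset += len(batch)
    return stream.rows


if __name__ == "__main__":
    events = [{"event_id": i} for i in range(50)]   # constructed events
    with_offsets = ingest(events, batch_size=5, use_offsets=True, lose_ack_on={2, 6})
    without = ingest(events, batch_size=5, use_offsets=False, lose_ack_on={2, 6})
    print("with offsets:", len(with_offsets), "rows;", "without:", len(without), "rows")
```

Without offsets every lost acknowledgement turns into a duplicated batch; with offsets the retry is recognised and ignored, so no downstream deduplication job is needed.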

Question 17

At WillowCart you are building a backend interface for Android and iOS clients. All requests must use HTTPS and the team wants to reduce cellular data consumption by keeping payloads very small. The mobile apps should integrate smoothly with generated client libraries so development remains efficient. Which API approach should you adopt to meet these goals?

  • ✓ C. gRPC with Protocol Buffers

The correct option is gRPC with Protocol Buffers.

gRPC runs over HTTP/2 with TLS, which satisfies the requirement that all requests use HTTPS. Its binary messages encoded with Protocol Buffers are much smaller than JSON so it helps reduce cellular data consumption. The ecosystem provides first class code generation for Android and iOS which gives strongly typed client libraries and makes development efficient.

RESTful HTTP APIs typically exchange JSON which is text heavy and larger on the wire. While you can compress responses and generate clients from OpenAPI, payloads are usually bigger than Protocol Buffers and the type safety and performance are not as strong as gRPC.

GraphQL can reduce overfetching, yet responses and requests are still commonly JSON over HTTP which increases byte size compared to binary encoding. Client code generation exists but is less standardized across platforms than the generators provided by gRPC and Protocol Buffers.

MQTT is a publish and subscribe messaging protocol and not an HTTP API approach. It does not align with a requirement that all requests use HTTPS and it is better suited for IoT messaging rather than generating mobile app client libraries for standard request and response APIs.

Match the requirement keywords to protocol traits. If you see needs for HTTPS, very small payloads with binary encoding, and strong client library generation across platforms, then prefer gRPC with Protocol Buffers over text based APIs.
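To show why the payloads in Question 17 are smaller, here is an added example (not from the practice set or from the protobuf library) that hand-encodes a small hypothetical OrderStatus message in the real Protocol Buffers wire format (varint tags and values, length-delimited strings, proto3 omission of zero defaults), decodes it again, and compares the byte count with compact JSON. The message definition and values are constructed for the example.

```python
import json

# Hypothetical message assumed for the example (not from the page):
#   message OrderStatus { int64 order_id = 1; int64 user_id = 2; Status status = 3; string note = 4; }
#   enum Status { PENDING = 0; FILLED = 1; CANCELLED = 2; }
FIELDS = {"order_id": (1, "varint"), "user_id": (2, "varint"),
          "status": (3, "enum"), "note": (4, "string")}
STATUS_ENUM = {"PENDING": 0, "FILLED": 1, "CANCELLED": 2}
STATUS_NAME = {v: k for k, v in STATUS_ENUM.items()}
WIRE_VARINT, WIRE_LEN = 0, 2


def encode_varint(n):
    """Base-128 varint: 7 data bits per byte, high bit set on all but the last byte."""
    if n < 0:
        raise ValueError("this example only encodes non-negative values")
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data, pos):
    shift = result = 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def encode_message(msg):
    buf = bytearray()
    for name, (number, kind) in FIELDS.items():
        value = msg.get(name)
        if kind == "enum":
            value = STATUS_ENUM[value] if value is not None else 0
        if kind in ("varint", "enum"):
            if not value:
                continue                      # proto3 omits zero-valued scalar fields
            buf += encode_varint((number << 3) | WIRE_VARINT) + encode_varint(value)
        else:
            if not value:
                continue                      # empty string is the default, also omitted
            data = value.encode("utf-8")
            buf += encode_varint((number << 3) | WIRE_LEN) + encode_varint(len(data)) + data
    return bytes(buf)


def decode_message(data):
    by_number = {num: (name, kind) for name, (num, kind) in FIELDS.items()}
    msg = {"order_id": 0, "user_id": 0, "status": "PENDING", "note": ""}  # proto3 defaults
    pos = 0
    while pos < len(data):
        tag, pos = decode_varint(data, pos)
        number, wire = tag >> 3, tag & 0x7
        if wire == WIRE_VARINT:
            value, pos = decode_varint(data, pos)
        elif wire == WIRE_LEN:
            length, pos = decode_varint(data, pos)
            value = data[pos:pos + length].decode("utf-8")
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire} in this example")
        if number not in by_number:
            continue                          # unknown field: skipped, as real decoders do
        name, kind = by_number[number]
        msg[name] = STATUS_NAME[value] if kind == "enum" else value
    return msg


def json_bytes(msg):
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


if __name__ == "__main__":
    order = {"order_id": 9000000001, "user_id": 42, "status": "FILLED", "note": "ok"}
    wire = encode_message(order)
    print(wire.hex(), len(wire), "bytes on the wire vs", len(json_bytes(order)), "bytes of JSON")
```

The field names never travel on the wire; only one-byte tags and compact integers do, which is where most of the saving over JSON comes from before any HTTP/2 header compression.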

Question 18

Which Git workflow aligns with Google-recommended practices for fast and stable delivery?

  • ✓ C. Trunk based development with frequent merges to main

The correct option is Trunk based development with frequent merges to main. This Google recommended workflow supports fast and stable delivery.

It promotes small batch changes that integrate into the main branch many times each day. Continuous integration with automated tests and code review provides rapid feedback and keeps the main branch releasable. Feature flags allow incomplete work to be merged safely which reduces risk and keeps deployments frequent. Short lived branches minimize merge conflicts and improve lead time while maintaining stability.

The option GitFlow with long lived develop and release branches is not aligned with fast delivery because it encourages long lived branches and delayed integration. This often results in larger merges, stale code, and longer cycle time which works against rapid integration and release.

The option Fork based workflow with late integration increases divergence and postpones integration until late in the process. This slows feedback and raises merge risk because large batches accumulate before merging which undermines speed and stability.

When a question compares branching strategies, favor trunk based with small frequent merges supported by strong continuous integration. Be cautious of long lived branches and late integration as they usually signal slower and riskier delivery.

Question 19

Riverton Media is consolidating observability for a Google Kubernetes Engine fleet that runs 24 microservices across two regions. The team wants to standardize application logs so they can be parsed consistently and analyzed with minimal operational overhead using Google-recommended practices. Which approaches should the team implement to meet these goals? (Choose 2)

  • ✓ B. Write application logs to standard output as JSON lines so Cloud Logging ingests them as structured entries

  • ✓ D. Create a log sink that routes application logs to BigQuery for interactive analysis

The correct options are Write application logs to standard output as JSON lines so Cloud Logging ingests them as structured entries and Create a log sink that routes application logs to BigQuery for interactive analysis.

Write application logs to standard output as JSON lines so Cloud Logging ingests them as structured entries aligns with Google’s recommended practice for GKE. Containers write logs to stdout and stderr and Cloud Logging automatically collects them. When each line is a valid JSON object, Cloud Logging preserves the fields as structured payloads, which enables consistent schemas across services, powerful querying, field filtering, label extraction, and low operational overhead without custom client code.

Create a log sink that routes application logs to BigQuery for interactive analysis enables managed export through the Log Router with filters to select only application logs. This gives you interactive SQL analysis, partitioning and clustering for performance and cost control, and an easy path to organization wide analytics while keeping the pipeline simple and operated by Google.

Instrument services to call the Cloud Logging API directly to produce structured entries is unnecessary in GKE and increases coupling and operational burden. Logging to stdout as JSON achieves structured logs with less code, fewer credentials to manage, and better resilience.

Publish logs to Pub/Sub and stream normalize with Dataflow before loading into BigQuery adds complexity and cost for a use case that Cloud Logging already solves through native structured ingestion and managed sinks. This pipeline is appropriate only for specialized transformations that are not needed here.

Export application logs to Cloud Storage for analytics is more suitable for archival and batch processing. It does not provide interactive analytics or schema aware querying without additional processing, so it does not meet the goal of minimal operational overhead.

Favor stdout JSON for GKE application logs to get structured logging automatically and use Log Router sinks for analytics destinations. If the goal is interactive analysis, prefer a sink to a warehouse rather than building custom pipelines to reduce operational overhead.

Question 20

A Cloud Run service intermittently returns 5xx errors about four to six times per hour during peaks. How can you use Cloud Logging and Cloud Monitoring to detect spikes and receive alerts automatically?

  • ✓ B. Log-based metric with Monitoring alert

The correct choice is Log-based metric with Monitoring alert.

This approach uses Cloud Logging to define a metric that counts or rates entries matching HTTP 5xx responses for the Cloud Run service. You then create a Cloud Monitoring alerting policy on that metric to notify when the error rate exceeds a threshold in a short window during peaks. This lets you detect spikes automatically and receive notifications through your chosen channels.

Export logs to BigQuery is intended for analytics and longer term storage, so it is not suitable for real time spike detection or for triggering Monitoring alerts without additional tooling.

Cloud Trace focuses on latency and distributed tracing. It does not provide a straightforward way to count error spikes from logs or to alert on them directly.

Cloud Monitoring uptime check performs external synthetic probes. It does not analyze your logs and may miss short intermittent spikes, which makes it less reliable for detecting bursts of 5xx errors originating from application logs.

When a scenario asks you to detect patterns in application logs and alert automatically, think of creating a logs based metric and attaching an alerting policy to it. Tune the filter and alignment window to match the error frequency described.
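Questions 19 and 20 fit together: the JSON lines written to stdout in Question 19 are what a logs based metric in Question 20 filters on. The block below is an added example, not from the practice set or from Cloud Logging: a formatter that emits one JSON object per line using field names Cloud Logging maps onto LogEntry (severity, message, time, httpRequest and logging.googleapis.com/labels), a constructed request log with a burst of 503 responses and one plain-text line, and a counter that evaluates the metric over fixed alignment windows and reports the windows that reach an alert threshold. Service names, paths and timestamps are constructed.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone


def structured_log(message, severity="INFO", **fields):
    """Render one JSON line; special keys become LogEntry fields, the rest land in jsonPayload."""
    stamp = fields.pop("time", None) or datetime.now(timezone.utc)
    entry = {"severity": severity, "message": message, "time": stamp.isoformat()}
    if "http_request" in fields:
        entry["httpRequest"] = fields.pop("http_request")
    if "labels" in fields:
        entry["logging.googleapis.com/labels"] = fields.pop("labels")
    entry.update(fields)
    return json.dumps(entry, separators=(",", ":"))


def emit(line):
    """Containers only need to write the line to stdout; the agent collects it."""
    sys.stdout.write(line + "\n")


def is_structured(line):
    """A line is ingested as a structured entry only if it is a complete JSON object."""
    try:
        return isinstance(json.loads(line), dict)
    except json.JSONDecodeError:
        return False


SAMPLE_START = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_log(start, n=20, error_indices=(1, 2, 3, 4, 15)):
    """Constructed log: one request every 10 s, 503s at the given indices, plus one unstructured line."""
    lines = []
    for i in range(n):
        status = 503 if i in error_indices else 200
        lines.append(structured_log(
            f"GET /api/orders -> {status}",
            severity="ERROR" if status >= 500 else "INFO",
            time=start + timedelta(seconds=10 * i),
            http_request={"requestMethod": "GET", "requestUrl": "/api/orders", "status": status},
            labels={"service": "orders-api"},
        ))
    lines.append("unstructured text line: worker started")  # lands in textPayload, no fields
    return lines


SAMPLE_LOG = build_sample_log(SAMPLE_START)


def is_server_error(entry):
    """Filter equivalent to a logs based metric on httpRequest.status >= 500."""
    return entry.get("httpRequest", {}).get("status", 0) >= 500


def count_per_window(lines, predicate, window_seconds):
    """Counter metric aligned on fixed windows, like an alignment period in Cloud Monitoring."""
    counts = Counter()
    for line in lines:
        if not is_structured(line):
            continue
        entry = json.loads(line)
        if predicate(entry):
            ts = datetime.fromisoformat(entry["time"])
            counts[int(ts.timestamp()) // window_seconds * window_seconds] += 1
    return counts


def breached_windows(lines, threshold, window_seconds=60):
    """Window start times (epoch seconds) where the 5xx count reached the alert threshold."""
    counts = count_per_window(lines, is_server_error, window_seconds)
    return sorted(start for start, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        emit(line)
    print("alert windows:", breached_windows(SAMPLE_LOG, threshold=3))
```

With a threshold of three errors per 60 second window only the burst at 12:00 fires; the isolated 503 two minutes later stays below the threshold, which is the tuning of filter and alignment window the tip refers to.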

Question 21

The team at mcnz.com runs a customer portal on App Engine Standard and needs to roll out a new release during peak business hours while keeping the site available and monitoring error rates for about 45 minutes. What should you do to introduce the new version while maintaining availability?

  • ✓ C. Deploy the new version to the same App Engine service and move traffic to it gradually using App Engine traffic splitting

The correct option is Deploy the new version to the same App Engine service and move traffic to it gradually using App Engine traffic splitting.

This approach keeps the current and new versions running at the same time and lets you shift a small percentage of users to the new release. You can watch error rates for about 45 minutes and either increase the share if healthy or immediately revert by sending traffic back to the stable version. Because both versions are live, the site remains available throughout the rollout.

Delete the current serving version, deploy the update, then route all traffic to the new version is risky because it introduces downtime while you redeploy and removes the ability to compare behavior between versions. It also prevents a controlled observation window during peak hours.

Create a new App Engine service for the release and update Cloud DNS to point the domain to the new service is not appropriate because DNS changes propagate slowly and cannot provide precise traffic control. App Engine services are intended to separate components, and domain mapping occurs at the application level, so this would not give a safe and gradual rollout.

Deploy the new version and immediately send all traffic to it does not meet the requirement to monitor error rates before full cutover and increases the risk of an outage during peak business hours.

When a question asks for a gradual rollout with no downtime, prefer native traffic management features such as App Engine traffic splitting. Be cautious of options that rely on DNS changes or that replace or delete the serving version.

Question 22

How should you configure cross project Pub/Sub publish access with least privilege from an API in project foo to a topic in project bar?

  • ✓ B. Create a dedicated service account in project foo and grant Pub/Sub Publisher on the specific topic in project bar then run the app as that account

Only Create a dedicated service account in project foo and grant Pub/Sub Publisher on the specific topic in project bar then run the app as that account is correct. This follows least privilege because the identity is unique to the workload and the permission is limited to only publishing on the single topic in the other project.

This approach grants the Publisher role on the topic resource, so it allows sending messages without granting administrative or subscriber capabilities. Cross project access works by granting IAM on the target resource to a principal from another project, and running the application as that service account ensures the issued tokens identify the correct principal. This avoids broad project level roles and avoids unnecessary keys.

Grant Pub/Sub Editor on project bar to the application identity in project foo is incorrect because it assigns a broad role at the project scope which allows managing topics and subscriptions across the project. That violates least privilege for a simple publish requirement.

Use the default Compute Engine service account in project foo and grant Pub/Sub Publisher on the topic in project bar is incorrect because the default service account is shared and often over privileged and it is not a distinct identity per workload. Best practice is to create a dedicated service account for each application to keep permissions narrowly scoped.

Create a service account in project bar and use a downloaded key in project foo to publish is incorrect because distributing long lived service account keys increases risk and is discouraged. Prefer direct IAM grants to the workload identity and avoid user managed keys.

When you see cross project access questions think in terms of least privilege. Choose a dedicated identity per workload and grant the smallest role on the narrowest resource. Avoid default service accounts and user managed keys when a direct IAM grant to the workload identity will work.
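The correct option from Question 2 as gcloud commands, written as an added example rather than taken from the page or from Google's documentation. The project ids foo and bar are the question's; the topic name, service account name and the check helper are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the page. Assumed names: caller project "foo",
# topic project "bar", topic "order-events", service account "orders-api".
set -eu

SRC_PROJECT="foo"; DST_PROJECT="bar"; TOPIC="order-events"; SA_NAME="orders-api"

# The dedicated workload identity is created in the caller's project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Guard against the three patterns the question rejects: the shared default
# Compute Engine account, a role wider than Publisher, and a project-wide grant.
check_binding() {   # args: member role scope(topic|project) -> "ok" or a reason
  local member="$1" role="$2" scope="$3"
  case "$member" in
    *-compute@developer.gserviceaccount.com) echo "default compute SA"; return 1 ;;
  esac
  [ "$role" = "roles/pubsub.publisher" ] || { echo "role too broad: $role"; return 1; }
  [ "$scope" = "topic" ] || { echo "scope too broad: $scope"; return 1; }
  echo ok
}

grant_publisher() {
  local member
  member="serviceAccount:$(sa_email "$SA_NAME" "$SRC_PROJECT")"
  check_binding "$member" roles/pubsub.publisher topic >/dev/null
  gcloud iam service-accounts create "$SA_NAME" --project="$SRC_PROJECT" \
      --display-name="Orders API publisher"
  # Topic-level grant in project bar, no key file involved: the app runs as the
  # account attached to its workload and obtains tokens from the metadata server.
  gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$DST_PROJECT" \
      --member="$member" --role=roles/pubsub.publisher
  # Check: list who holds Publisher on the topic; only the dedicated SA should appear.
  gcloud pubsub topics get-iam-policy "$TOPIC" --project="$DST_PROJECT" \
      --flatten='bindings[].members' --filter='bindings.role:roles/pubsub.publisher' \
      --format='value(bindings.members)'
}

if [ "${1:-}" = "apply" ]; then grant_publisher; fi
```

Run with `apply` to execute the gcloud calls; without arguments the script only defines the functions.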

Question 3

A fintech firm named Northwind Brokerage runs a crypto exchange that must notify customers when their orders are filled. The matching engine publishes an event that the notification service consumes so that it can send confirmations through email and mobile apps. The platform must handle up to 45,000 events per second and it must ensure that each notification is delivered exactly once while allowing the notification workers to scale horizontally. How should you configure Cloud Pub/Sub topics and subscriptions?

  • ✓ C. Create one Cloud Pub/Sub topic and one pull subscription that all notification worker instances share

The correct option is Create one Cloud Pub/Sub topic and one pull subscription that all notification worker instances share.

One topic centralizes events from the matching engine and a single pull subscription that all workers share lets many instances receive messages in parallel without duplication across workers. Cloud Pub/Sub distributes messages across subscribers of the same subscription which supports horizontal scaling to the required throughput of 45,000 events per second. When you enable exactly once delivery on the subscription and acknowledge only after persisting and sending the notification you ensure each event is processed only once per subscription.

Create one Cloud Pub/Sub topic and one push subscription for the notification service endpoint is less suitable because push delivery provides less control over flow and concurrency at very high rates and you must still handle retries and idempotency to approximate single delivery.

Create one Cloud Pub/Sub topic for each matching engine instance and one push subscription per topic fragments the stream and complicates operations and scaling and it does not improve delivery guarantees. It also increases cost and coordination without benefit for this pattern.

Create one Cloud Pub/Sub topic and one separate pull subscription for each notification worker instance causes fan out where every subscription receives every message which means each order would be delivered to every worker. This violates the requirement that one worker handle a given message exactly once.

Match the subscription pattern to the delivery semantics. One subscription can load balance across many workers while many subscriptions mean fan out and duplicate deliveries. For strict guarantees enable exactly once when available and keep consumers idempotent.
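The pattern from Question 3 (one topic, one shared pull subscription with exactly once delivery, ack only after the notification is persisted) as an added example that is not part of the page. The topic and subscription names, the file-backed dedupe store and the send_notification hook are assumptions; a real worker would persist message ids in a durable store.

```bash
#!/usr/bin/env bash
# Added example, not from the page. Assumed names: topic "order-filled",
# subscription "notify-workers"; every worker instance runs this same script.
set -eu

TOPIC="order-filled"; SUB="notify-workers"
SEEN_FILE="${SEEN_FILE:-${TMPDIR:-/tmp}/notify-seen-ids}"   # stands in for a durable store
touch "$SEEN_FILE"

# One topic and one shared pull subscription: Pub/Sub load balances messages
# across every worker pulling from it instead of fanning out to each worker.
create_resources() {
  gcloud pubsub topics create "$TOPIC"
  gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" \
      --enable-exactly-once-delivery --ack-deadline=60
}

# Assumed hook for the real e-mail / push sender; a non-zero exit means "not sent".
send_notification() { printf 'notify: %s\n' "$1" >&2; }

# Dedupe by messageId so a redelivery (expired ack deadline, worker crash before
# ack) cannot produce a second confirmation.
already_processed() { grep -qx -- "$1" "$SEEN_FILE"; }
mark_processed()    { printf '%s\n' "$1" >>"$SEEN_FILE"; }

# Handle one delivery: send, persist, and only then report success so the caller
# acks. Prints "sent" or "duplicate"; fails (no ack, so redelivery) if sending fails.
handle_message() {   # args: messageId payload
  local id="$1" payload="$2"
  if already_processed "$id"; then echo duplicate; return 0; fi
  send_notification "$payload" || return 1
  mark_processed "$id"
  echo sent
}

# Worker loop: pull a batch and ack each message only after handle_message succeeded.
work_once() {
  gcloud pubsub subscriptions pull "$SUB" --limit=10 \
      --format='value[separator=" "](ackId,message.messageId,message.data.decode(base64))' |
  while read -r ack_id msg_id data; do
    if handle_message "$msg_id" "$data" >/dev/null; then
      gcloud pubsub subscriptions ack "$SUB" --ack-ids="$ack_id"
    fi
  done
}

case "${1:-}" in create) create_resources ;; work) work_once ;; esac
```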

Question 4

Which gcloud command deploys a new App Engine version from local source so you can later split traffic?

  • ✓ B. gcloud app deploy ./app.yaml

The correct option is gcloud app deploy ./app.yaml.

This command reads your app.yaml, uploads the local source in the current directory, builds as needed, and creates a new App Engine version. Once the version exists you can later split traffic between versions using App Engine traffic management commands or the console.

gcloud run deploy service-name --source . targets Cloud Run rather than App Engine. It deploys a new Cloud Run revision and does not create an App Engine version, so it is not suitable when you need App Engine traffic splitting.

gcloud builds submit --tag gcr.io/PROJECT/IMAGE submits source to Cloud Build to produce and push a container image, historically to Container Registry which is being deprecated in favor of Artifact Registry. It does not deploy to App Engine and does not create a version that you can use for traffic splitting.

gcloud app services update updates service settings and can manage aspects like traffic allocation across existing versions, yet it does not deploy a new version from local source. You must deploy a version first before you can update service configuration.

When a question mentions App Engine and a new version from local source, look for the App Engine deploy command. Traffic splitting comes after the deploy, so separate the creation of a version from the action that splits traffic.
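Questions 1 and 4 together, as an added example that is not from the page: deploy the new version from local source without promoting it, then move traffic in stages and fall back to the stable version when the error rate exceeds a budget. The service and version names, the 5/25/50/100 percent ladder and the 1 percent error budget are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the page. Assumed: service "default", the serving
# version is named "stable", the new version is deployed as "canary", and the
# 5 -> 25 -> 50 -> 100 percent ladder and 1% error budget are our own choices.
set -eu

SERVICE="default"; STABLE="stable"; CANARY="canary"

# Step 1 (Question 4): create the version from local source without promoting it,
# so "stable" keeps 100% of traffic until we split on purpose.
deploy_canary() {
  gcloud app deploy ./app.yaml --version="$CANARY" --no-promote --quiet
}

# Build the --splits value, e.g. "stable=0.90,canary=0.10". 0 and 100 are not
# splits at all; those go through rollback / promote below.
splits_arg() {   # args: canary_percent (1..99)
  local c="$1"
  [ "$c" -ge 1 ] && [ "$c" -le 99 ] || { echo "bad canary percent: $c" >&2; return 1; }
  printf '%s=0.%02d,%s=0.%02d\n' "$STABLE" "$((100 - c))" "$CANARY" "$c"
}

# Step 2 (Question 1): both versions stay live; only the share changes.
shift_traffic() { gcloud app services set-traffic "$SERVICE" --splits="$(splits_arg "$1")" --quiet; }
rollback()      { gcloud app services set-traffic "$SERVICE" --splits="$STABLE=1" --quiet; }
promote()       { gcloud app services set-traffic "$SERVICE" --splits="$CANARY=1" --quiet; }

# Decide the next share from the canary's observed error rate over the watch
# window (percent of requests, as read from Cloud Monitoring). Prints the next
# percentage, or 0 meaning "send everything back to stable now".
next_share() {   # args: current_percent error_rate_percent max_error_percent
  local cur="$1" err="$2" max="$3"
  if [ "$(awk -v e="$err" -v m="$max" 'BEGIN { print (e > m) }')" = 1 ]; then
    echo 0; return 0
  fi
  case "$cur" in 5) echo 25 ;; 25) echo 50 ;; 50) echo 100 ;; *) echo 5 ;; esac
}

# One rollout step: apply the decision and print the share now in effect.
rollout_step() {   # args: current_percent error_rate_percent
  local next
  next="$(next_share "$1" "$2" 1)"
  case "$next" in 0) rollback ;; 100) promote ;; *) shift_traffic "$next" ;; esac
  echo "$next"
}

case "${1:-}" in deploy) deploy_canary ;; step) rollout_step "$2" "$3" ;; esac
```

After `deploy`, run `step 0 0` to start at 5 percent, then after each watch window `step <current> <error rate>` with the rate observed for the canary version.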

Question 5

RivertonTickets is launching a REST API for its booking platform. The service exposes three endpoints which are /shows, /basket, and /payment. You must publish the API under one custom domain and you must be able to scale each endpoint independently of the others. What should you do?

  • ✓ C. Deploy a dedicated Cloud Function for each endpoint and present them through API Gateway on one custom domain

The correct option is Deploy a dedicated Cloud Function for each endpoint and present them through API Gateway on one custom domain.

This approach lets you place all paths under a single host name by using API Gateway custom domains while routing each path to its own backend function. Each function scales independently based on its own traffic pattern which satisfies the requirement to scale each endpoint on its own. API Gateway provides a unified entry point, path based routing, authentication, and quotas while the functions provide isolated, per endpoint compute and autoscaling.

Build one Cloud Function for all routes and publish it behind an external HTTPS load balancer does not meet the independent scaling requirement because a single function would scale as one unit for all routes. You would lose the ability to tune or observe scaling behavior per endpoint.

Provision one Cloud Run service and implement in service routing for the three endpoints behind a custom domain places all endpoints in one service which means they share concurrency and scaling characteristics. That does not allow each endpoint to scale independently.

Expose three Cloud Functions directly using their autogenerated HTTPS URLs would produce separate system generated domains for each function. This fails the requirement to publish the API under one custom domain.

When you see requirements for one custom domain and independent scaling per endpoint think of a gateway in front of multiple backends. Map each path to its own service and keep a single host name at the edge.
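The layout from Question 5 as an added example that is not from the page: an OpenAPI 2.0 document for API Gateway that maps each of the three paths to its own Cloud Function backend, plus the gcloud calls that create the gateway. The project, region, function and gateway names are assumptions, and the custom domain is attached in front of the gateway by an external HTTPS load balancer, which is not shown.

```bash
#!/usr/bin/env bash
# Added example, not from the page. Assumed names: project "riverton-prod",
# region "us-central1", functions "shows", "basket", "payment", and API Gateway
# resources named "booking-api" / "booking-config" / "booking-gw".
set -eu

PROJECT="riverton-prod"; REGION="us-central1"
API="booking-api"; CONFIG="booking-config"; GATEWAY="booking-gw"

fn_url() { printf 'https://%s-%s.cloudfunctions.net/%s\n' "$REGION" "$PROJECT" "$1"; }

# OpenAPI 2.0 document that API Gateway consumes: one path per function, each
# with its own x-google-backend, so each backend scales on its own traffic.
gen_spec() {
  printf 'swagger: "2.0"\ninfo: {title: booking, version: "1.0"}\nschemes: [https]\npaths:\n'
  for ep in shows basket payment; do
    printf '  /%s:\n    get:\n      operationId: get_%s\n      x-google-backend:\n        address: %s\n      responses:\n        "200": {description: OK}\n' \
      "$ep" "$ep" "$(fn_url "$ep")"
  done
}

# Check the spec keeps one distinct backend per path (a shared backend would
# collapse the three endpoints into a single scaling unit again).
distinct_backends() { gen_spec | awk '$1 == "address:" { print $2 }' | sort -u | grep -c .; }

deploy_gateway() {
  gen_spec > booking-openapi.yaml
  gcloud api-gateway apis create "$API" --project="$PROJECT"
  gcloud api-gateway api-configs create "$CONFIG" --api="$API" \
      --openapi-spec=booking-openapi.yaml --project="$PROJECT"
  gcloud api-gateway gateways create "$GATEWAY" --api="$API" --api-config="$CONFIG" \
      --location="$REGION" --project="$PROJECT"
  # The single custom domain is then pointed at this gateway through an external
  # HTTPS load balancer, so /shows, /basket and /payment share one host name.
}

if [ "${1:-}" = "deploy" ]; then deploy_gateway; fi
```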

Jira, Scrum & AI Certification

Want to get certified on the most popular software development technologies of the day? These resources will help you get Jira certified, Scrum certified and even AI Practitioner certified so your resume really stands out.

You can even get certified in the latest AI, ML and DevOps technologies. Advance your career today.

Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.