




























































































Google Cloud Certified Associate Cloud Engineer Certification Exam Preparation Guide delivers foundational knowledge required to deploy, manage, and monitor Google Cloud solutions. The guide covers cloud concepts, project setup, compute services, storage, networking, IAM, security basics, and operational tasks. It includes hands-on scenarios, configuration examples, troubleshooting strategies, and practice exams aligned with Google Cloud certification objectives, making it ideal for early-career cloud professionals.
Typology: Exams





























































































Question 1. Which Google Cloud resource hierarchy level can contain both folders and projects?
A) Organization
B) Folder
C) Project
D) Billing Account
Answer: A
Explanation: The Organization is the top-level node and can contain folders and projects directly.

Question 2. In IAM, which type of role provides the most granular permissions?
A) Primitive role
B) Predefined role
C) Custom role
D) Owner role
Answer: C
Explanation: Custom roles are defined by the admin and can include only the specific permissions needed, offering the finest granularity.

Question 3. Which IAM primitive role grants the ability to view resources but not modify them?
A) Viewer
B) Editor
C) Owner
D) Browser
Answer: A
Explanation: The Viewer primitive role provides read-only access to all resources in the scope.

Question 4. What is the recommended method for authenticating applications running on Compute Engine instances without storing keys?
A) Use a service account key file stored on the VM
B) Enable workload identity federation
C) Attach a service account to the instance and use Application Default Credentials
D) Store credentials in Cloud Storage and read them at runtime
Answer: C
Explanation: Attaching a service account to the VM allows the instance to obtain short-lived tokens automatically via ADC, eliminating key storage.

Question 5. Which of the following is a best practice for managing service account keys?
A) Create a new key for each application and store it indefinitely
B) Rotate keys every 90 days and delete unused keys promptly
C) Share a single key across multiple projects for simplicity
D) Store keys in plaintext on local developer machines
Answer: B
Explanation: Regular rotation and prompt deletion of unused keys reduce the risk of compromised credentials.

Question 6. To enable the Compute Engine API for a new project using the gcloud CLI, which command is correct?
A) gcloud services enable compute.googleapis.com --project=PROJECT_ID
Explanation: Budgets can be configured with alerts that trigger email notifications when spend thresholds are crossed.

Question 9. Which method provides the most granular analysis of GCP costs over time?
A) Billing reports in the console
B) Exporting billing data to Cloud Storage CSV files
C) Exporting billing data to BigQuery and running custom queries
D) Using the Cloud Billing API to fetch daily totals
Answer: C
Explanation: BigQuery allows you to query billing data with SQL, enabling detailed, time-based, and resource-specific analysis.

Question 10. When selecting a compute service for a stateless web application that must scale automatically based on HTTP traffic, which is the best choice?
A) Compute Engine with managed instance groups
B) Google Kubernetes Engine Standard clusters
C) Cloud Run
D) Cloud Functions
Answer: C
Explanation: Cloud Run automatically scales containers to zero and up based on incoming HTTP requests, ideal for stateless web workloads.

Question 11. Which Compute Engine pricing option provides the lowest cost for workloads that can tolerate interruptions?
A) Standard VM
B) Spot VM (Preemptible)
C) Sole-tenant node
D) Committed use discount
Answer: B
Explanation: Spot VMs are offered at steep discounts but can be terminated by Google at any time, suitable for fault-tolerant workloads.

Question 12. What is the primary advantage of using custom machine types in Compute Engine?
A) Ability to run Windows Server images
B) Ability to select exact vCPU and memory configurations for cost efficiency
C) Automatic scaling without MIGs
D) Enhanced security features
Answer: B
Explanation: Custom machine types let you tailor the vCPU and memory to match workload requirements, avoiding over-provisioning.

Question 13. Which Cloud Storage class is optimized for data that is accessed less than once a year?
A) Standard
B) Nearline
C) Coldline
D) Archive
Answer: D
A) Allows VMs without external IPs to reach Google APIs via internal IPs
B) Grants VMs unrestricted internet access
C) Enables VPC peering with other projects
D) Forces all traffic through Cloud NAT
Answer: A
Explanation: Private Google Access lets resources that lack external IP addresses reach Google services using internal IP routes.

Question 17. Which load balancer type should you choose for a global, HTTP(S)-based application that needs cross-region traffic distribution?
A) Network Load Balancer (Regional)
B) Internal TCP/UDP Load Balancer
C) HTTP(S) Load Balancer (Global)
D) SSL Proxy Load Balancer
Answer: C
Explanation: The global HTTP(S) Load Balancer distributes traffic across multiple regions and provides advanced L7 features.

Question 18. When configuring a VPN tunnel between an on-premises network and a GCP VPC, which protocol is used for the data plane?
A) GRE
B) IPsec
C) BGP
D) L2TP
Answer: B
Explanation: Cloud VPN uses IPsec to encrypt and transport traffic between the on-premises gateway and GCP.

Question 19. Which connectivity option provides the highest bandwidth and lowest latency link between a data center and Google Cloud?
A) Cloud VPN over the public internet
B) Cloud Interconnect (Partner)
C) Cloud Interconnect (Dedicated)
D) Cloud NAT
Answer: C
Explanation: Dedicated Interconnect offers up to 100 Gbps private, low-latency connections directly into Google’s network.

Question 20. Which command creates an instance template named “web-template” with a Debian image and a startup script?
A) gcloud compute instance-templates create web-template --image-family debian-11 --metadata startup-script='#!/bin/bash …'
B) gcloud compute instances create-template web-template --image debian-11 --startup-script='…'
C) gcloud compute templates create web-template --image-family debian-11 --metadata-from-file startup-script=script.sh
D) gcloud compute instance-templates make web-template --image-family debian-11 --metadata startup-script='…'
Answer: A
Explanation: The gcloud compute instance-templates create command with --metadata startup-script attaches a startup script to the template.
D) Exposes the deployment as a LoadBalancer service
Answer: B
Explanation: kubectl apply is declarative; it creates resources if missing or patches them to match the manifest.

Question 24. Which Kubernetes object is responsible for automatically scaling the number of pod replicas based on CPU utilization?
A) Deployment
B) Horizontal Pod Autoscaler (HPA)
C) ReplicaSet
D) StatefulSet
Answer: B
Explanation: HPA monitors metrics like CPU and adjusts the replica count of a Deployment accordingly.

Question 25. When deploying a Cloud Function that triggers on a Cloud Storage object creation, which event type should you specify?
A) google.storage.object.finalize
B) google.storage.object.delete
C) google.pubsub.topic.publish
D) google.cloud.scheduler.job.execute
Answer: A
Explanation: google.storage.object.finalize fires when a new object is successfully created in Cloud Storage.

Question 26. Which command uploads a local directory data/ to a Cloud Storage bucket gs://my-bucket/backup/ using parallel composite uploads?
A) gsutil cp -r data/ gs://my-bucket/backup/
B) gsutil -m cp -r data/ gs://my-bucket/backup/
C) gsutil rsync -r data/ gs://my-bucket/backup/
D) gsutil mv data/ gs://my-bucket/backup/
Answer: B
Explanation: The -m flag enables multi-threaded, parallel composite uploads for faster transfer.

Question 27. Which service is best suited for one-time bulk data transfer from an on-premises data center to Cloud Storage?
A) Cloud Dataflow
B) Transfer Appliance
C) Storage Transfer Service
D) Cloud Pub/Sub
Answer: C
Explanation: Storage Transfer Service can move large amounts of data over the network in a managed, scheduled way.

Question 28. In Cloud Monitoring, what is an “uptime check” used for?
A) Measuring latency of internal API calls
B) Verifying that an endpoint is reachable and responding within a threshold
C) Collecting custom metrics from an application
D) Auditing IAM policy changes
A) Cloud Trace
B) Cloud Profiler
C) Cloud Scheduler
D) Cloud Shell
Answer: A
Explanation: Cloud Trace records latency data for individual requests and presents them in a trace timeline.

Question 32. If you need to profile CPU usage of a Java application running on Compute Engine, which service should you enable?
A) Cloud Trace
B) Cloud Profiler
C) Cloud Debugger
D) Cloud Scheduler
Answer: B
Explanation: Cloud Profiler continuously collects CPU and memory usage profiles for supported runtimes, including Java.

Question 33. Which of the following is a recommended practice for creating snapshots of Compute Engine disks?
A) Create snapshots daily without naming conventions
B) Use snapshot schedules and include labels for retention policies
C) Store snapshots in the same zone as the source disk only
D) Delete snapshots after 24 hours to save space
Answer: B
Explanation: Scheduling snapshots and labeling them helps automate retention and organization, making recovery easier.

Question 34. In GKE, which command lists all pods across all namespaces?
A) kubectl get pods --all-namespaces
B) kubectl list pods -A
C) kubectl get all pods --all
D) kubectl show pods --namespace=*
Answer: A
Explanation: The --all-namespaces flag tells kubectl get pods to display pods from every namespace.

Question 35. When performing a rolling update of a Deployment in GKE, what ensures zero downtime?
A) Setting strategy.type=Recreate
B) Using a maxSurge and maxUnavailable configuration in the rollingUpdate strategy
C) Deleting old pods before creating new ones
D) Scaling the Deployment to zero before updating
Answer: B
Explanation: RollingUpdate with appropriate maxSurge and maxUnavailable allows new pods to start before old ones terminate, maintaining service availability.

Question 36. Which Cloud Run feature enables you to shift a percentage of traffic to a new revision while keeping the old revision serving the majority?
A) Autoscaling
Question 39. Which organization policy constraint prevents the creation of resources in regions outside of us-central1 and europe-west1?
A) constraints/compute.requireOsLogin
B) constraints/iam.allowedPolicyMemberDomains
C) constraints/compute.restrictResourceLocations
D) constraints/resourceLocations
Answer: C
Explanation: constraints/compute.restrictResourceLocations limits where new resources can be created based on allowed locations.

Question 40. How can you view all Admin Activity audit logs for a specific project in the Cloud Console?
A) Navigate to Logging > Logs Explorer and filter by logName:"cloudaudit.googleapis.com%2Factivity"
B) Open IAM & Admin > Audit Logs and select “Admin Activity”
C) Go to Monitoring > Metrics Explorer and select “admin_activity”
D) Use Cloud Shell and run gcloud logging read "resource.type=project"
Answer: A
Explanation: In Logs Explorer, filtering on the cloudaudit.googleapis.com/activity log name shows all admin activity entries.

Question 41. Which of the following is a valid method for implementing network segmentation within a VPC?
A) Using multiple firewall rules with overlapping tags
B) Creating separate VPCs and connecting them via VPC peering
C) Enabling Private Google Access on all subnets
D) Assigning the same service account to all instances
Answer: B
Explanation: Separate VPCs provide logical isolation; VPC peering allows controlled communication between them.

Question 42. What is the default egress behavior for a VPC firewall rule that has no denied rule matching the traffic?
A) Allow all egress traffic
B) Deny all egress traffic
C) Follow the default deny rule for egress
D) Follow the default allow rule for egress
Answer: A
Explanation: By default, VPC firewall rules allow egress traffic unless an explicit deny rule is configured.

Question 43. Which Cloud IAM role allows a user to view billing reports but not modify billing settings?
A) roles/billing.viewer
B) roles/billing.admin
C) roles/billing.user
D) roles/viewer
Answer: A
Explanation: roles/billing.viewer provides read-only access to billing data and reports.
D) TXT record
Answer: B
Explanation: AAAA records store IPv6 addresses for a domain name.

Question 47. Which of the following is a benefit of using Cloud Armor with an HTTP(S) Load Balancer?
A) Automatic DNS failover
B) DDoS protection and security policy enforcement at edge locations
C) Internal load balancing for private subnets
D) Managed SSL certificate rotation
Answer: B
Explanation: Cloud Armor provides edge-based DDoS mitigation and custom security policies for traffic handled by the load balancer.

Question 48. What does the gcloud compute ssh command use under the hood to establish a connection?
A) Direct TCP socket to the instance’s external IP
B) Cloud IAP (Identity-Aware Proxy) tunneling if no external IP is present
C) VPN tunnel configured in the project
D) Cloud NAT gateway
Answer: B
Explanation: When an instance lacks an external IP, gcloud compute ssh can tunnel through IAP to provide secure SSH access.

Question 49. Which Cloud IAM feature allows a service account to impersonate another service account?
A) Service Account User role (roles/iam.serviceAccountUser)
B) Service Account Token Creator role (roles/iam.serviceAccountTokenCreator)
C) Service Account Admin role (roles/iam.serviceAccountAdmin)
D) Owner role
Answer: A
Explanation: roles/iam.serviceAccountUser permits a principal to act as another service account, enabling impersonation.

Question 50. Which of these is NOT a valid reason to use a preemptible (Spot) VM?
A) Batch data processing that can tolerate interruptions
B) Critical, latency-sensitive web serving
C) Large-scale scientific simulations with checkpointing
D) Cost-sensitive development environments
Answer: B
Explanation: Preemptible VMs can be terminated at any time, making them unsuitable for latency-sensitive, always-on services.

Question 51. When creating a Cloud SQL instance, which flag enables automatic backups?
A) --enable-backup
B) --automated-backups=true
C) --backup-start-time=hh:mm
D) --maintenance-window=...