PrepIQ Google Cloud Certified Associate Cloud Engineer Ultimate Exam, Exams of Technology

The PrepIQ Google Cloud Associate Cloud Engineer Ultimate Exam provides comprehensive preparation for cloud deployment and operations. Topics include resource management, cloud infrastructure, networking, monitoring, security controls, identity management, and application deployment.

Typology: Exams

2025/2026

Available from 06/14/2026

shilpi-jain-2

PrepIQ Google Cloud
Certified Associate Cloud
Engineer Ultimate Exam
**Question 1. Which GCP resource defines the hierarchical container for projects,
folders, and organization policies?**
A) VPC network
B) Cloud Identity
C) Organization node
D) Billing account
Answer: C
Explanation: The organization node is the top-level container in GCP’s resource
hierarchy, under which folders and projects are organized and policies can be
inherited.
**Question 2. In Compute Engine, which disk type provides the highest IOPS and
lowest latency for a VM’s boot volume?**
A) Standard persistent disk
B) Balanced persistent disk
C) SSD persistent disk
D) Local SSD
Answer: D
Explanation: Local SSDs are physically attached to the host machine, delivering the
highest IOPS and lowest latency, though they are not durable across host failures.
**Question 3. Which IAM role grants read-only access to all resources in a project?**
A) roles/editor
B) roles/viewer
C) roles/owner
D) roles/logging.viewer
Answer: B
Explanation: The predefined Viewer role (roles/viewer) provides read-only permissions across all services in a project.
**Question 4. When deploying a containerized application with Cloud Run, which of the following is NOT a scaling option?**
A) Automatic scaling based on request concurrency
B) Fixed number of instances
C) Minimum instances setting
D) Maximum instances setting
Answer: B
Explanation: Cloud Run scales automatically; you can set min/max instances but cannot fix a static number of instances like in a traditional VM.
**Question 5. Which of the following services is a fully managed, serverless data warehouse?**
A) Cloud Spanner
B) BigQuery
C) Cloud SQL
D) Cloud Datastore
Answer: B
Explanation: BigQuery is Google’s serverless, highly scalable data warehouse for analytics.
**Question 6. A VPC network’s “subnet mode” determines:**
A) Whether IP addresses are IPv4 or IPv
B) Whether subnets are automatically created in each region

**Question 9. Which Cloud Storage storage class is best suited for data accessed infrequently but requires low latency when accessed?**
A) Standard
B) Nearline
C) Coldline
D) Archive
Answer: B
Explanation: Nearline offers lower storage cost than Standard with relatively low latency, ideal for infrequently accessed data.
**Question 10. In Cloud SQL, which option provides automatic failover for high availability?**
A) Read replica
B) High-availability (HA) configuration
C) External master
D) Multi-regional instance
Answer: B
Explanation: Enabling the HA configuration creates a standby instance in another zone and provides automatic failover.
**Question 11. Which GCP service is used to define and enforce network security policies at the application layer?**
A) Cloud Armor
B) Cloud DNS
C) Cloud NAT
D) Cloud Interconnect

Answer: A
Explanation: Cloud Armor provides DDoS protection and security policies for HTTP(S) load-balanced services.
**Question 12. What is the default maximum number of firewall rules per VPC network?**
A) 50
B) 100
C) 200
D) 500
Answer: B
Explanation: By default, a VPC network can have up to 100 firewall rules; this limit can be increased via a quota request.
**Question 13. Which command-line tool is used to interact with GCP resources and supports both gcloud and gsutil commands?**
A) Cloud SDK
B) Cloud Console
C) Cloud Shell
D) Terraform
Answer: A
Explanation: The Cloud SDK includes the gcloud, gsutil, and bq command-line tools for managing GCP resources.
**Question 14. Which of the following is a managed, NoSQL document database service?**
A) Cloud SQL

**Question 17. Which of the following best describes “Resource Quotas” in GCP?**
A) Limits on the number of API calls per minute
B) Hard caps on the amount of a specific resource a project can consume
C) Billing thresholds that trigger alerts
D) IAM policies that restrict resource creation
Answer: B
Explanation: Quotas are limits on the quantity of a particular resource (e.g., CPUs, persistent disks) that a project can provision.
**Question 18. In Cloud Deployment Manager, what file format is used to define the infrastructure template?**
A) JSON only
B) YAML only
C) Either YAML or JSON
D) XML
Answer: C
Explanation: Deployment Manager templates can be written in either YAML or JSON, allowing flexible definition of resources.
**Question 19. Which GCP service provides a managed environment for running event-driven functions without provisioning servers?**
A) Cloud Run
B) App Engine Standard
C) Cloud Functions
D) Kubernetes Engine

Answer: C
Explanation: Cloud Functions is the serverless, event-driven compute platform for small units of code.
**Question 20. When using Cloud NAT, which of the following statements is true?**
A) It provides inbound connections to private instances.
B) It requires a dedicated external IP for each VM.
C) It enables outbound internet traffic for instances without external IPs.
D) It replaces Cloud Router for dynamic routing.
Answer: C
Explanation: Cloud NAT allows VMs without external IP addresses to initiate outbound connections to the internet.
**Question 21. Which Cloud IAM condition key can be used to restrict access based on the request’s source IP address?**
A) request.time
B) request.auth.claims
C) request.ip
D) resource.name
Answer: C
Explanation: The request.ip condition key evaluates the caller’s IP address, enabling IP-based access restrictions.
**Question 22. Which of the following is NOT a valid Cloud Monitoring alerting policy condition type?**
A) Metric absence

**Question 25. Which GCP feature allows you to enforce that all resources in a project must have specific labels?**
A) Organization policy constraint “requireOsLogin”
B) Resource Manager tag bindings
C) Organization policy constraint “constraints/compute.requireOsLogin”
D) Organization policy constraint “constraints/compute.resourceLabels”
Answer: D
Explanation: The “constraints/compute.resourceLabels” policy forces resources to contain particular labels.
**Question 26. When configuring Private Google Access for a subnet, what does it enable?**
A) Direct internet egress without external IPs
B) Access to Google APIs and services via internal IPs
C) VPN connectivity to on-premises networks
D) VPC peering across projects
Answer: B
Explanation: Private Google Access allows VMs without external IPs to reach Google APIs and services using internal IP addresses.
**Question 27. Which of the following is the recommended method to encrypt data at rest in Cloud Storage?**
A) Rely on default Google-managed encryption keys only
B) Use Customer-Supplied Encryption Keys (CSEK)
C) Use Customer-Managed Encryption Keys (CMEK) with Cloud KMS

D) Disable encryption to improve performance
Answer: C
Explanation: CMEK lets you control encryption keys via Cloud KMS while still benefiting from Google-managed encryption infrastructure.
**Question 28. Which command creates a new Compute Engine instance using the gcloud CLI?**
A) gcloud compute instances launch
B) gcloud compute create instance
C) gcloud compute instances create
D) gcloud compute vm new
Answer: C
Explanation: The correct syntax is gcloud compute instances create [INSTANCE_NAME].
**Question 29. In Cloud Build, which file defines the steps to build, test, and deploy an application?**
A) cloudbuild.yaml
B) Dockerfile
C) appengine.yaml
D) buildconfig.json
Answer: A
Explanation: cloudbuild.yaml (or .yml) specifies the sequence of build steps for Cloud Build.

Answer: C
Explanation: IAP sits in front of GCP-hosted applications and enforces access policies based on user identity.
**Question 33. When using Terraform to provision GCP resources, which file typically contains provider configuration?**
A) main.tf
B) variables.tf
C) provider.tf
D) outputs.tf
Answer: C
Explanation: The provider.tf file (or any .tf file) usually defines the required provider block for GCP.
**Question 34. Which of the following is the primary purpose of the “Service Perimeter” feature in VPC Service Controls?**
A) To limit network traffic between subnets
B) To restrict API access to services inside a defined perimeter
C) To enforce firewall rules at the subnet level
D) To provide DNS resolution within a VPC
Answer: B
Explanation: Service Perimeters protect Google-managed services from data exfiltration by limiting API calls to resources inside the perimeter.
**Question 35. In Cloud Pub/Sub, what guarantees message delivery order within a subscription?**
A) Messages are always ordered by publish time.

B) Ordering keys must be used and a single‐subscriber per ordering key must be configured.
C) FIFO queues are the default behavior.
D) There is no ordering guarantee; messages are delivered randomly.
Answer: B
Explanation: Ordering keys enable ordered delivery, but only one subscriber can process messages for a given ordering key at a time.
**Question 36. Which of the following is NOT a valid Cloud DNS record type?**
A) A
B) AAAA
C) MX
D) TFTP
Answer: D
Explanation: TFTP is not a DNS record type; valid types include A, AAAA, CNAME, MX, TXT, etc.
**Question 37. What is the default maximum number of VPC networks you can create per project?**
A) 1
B) 5
C) 10
D) 25
Answer: C
Explanation: By default, a project can have up to 10 VPC networks, though this limit can be increased via a quota request.

Answer: C
Explanation: Least privilege means giving users or service accounts only the minimal set of permissions they need.
**Question 41. Which Cloud service is primarily used for orchestrating and managing data pipelines?**
A) Cloud Dataflow
B) Cloud Composer
C) Cloud Dataproc
D) Cloud Pub/Sub
Answer: B
Explanation: Cloud Composer is a managed Apache Airflow service for building, scheduling, and monitoring workflows.
**Question 42. Which GCP feature allows you to enforce that all resources in a folder must use a specific organization policy?**
A) Folder-level IAM
B) Inherited organization policies
C) Resource Manager tags
D) VPC Service Controls
Answer: B
Explanation: Organization policies are inherited down the resource hierarchy, so a policy set at the folder level applies to all child projects unless overridden.
**Question 43. In Cloud DNS, what does a “managed zone” represent?**
A) A private VPC network

B) A collection of DNS records for a domain that Google Cloud manages
C) A set of firewall rules for DNS traffic
D) An internal load balancer
Answer: B
Explanation: A managed zone stores DNS records for a domain name, and Cloud DNS serves those records publicly or privately.
**Question 44. Which of the following is the correct order of steps to create a VPC peering connection?**
A) Create peering on both VPCs simultaneously.
B) Create peering on one VPC, then accept on the other.
C) Create a shared VPC, then attach both projects.
D) Use Cloud Router to establish the peering.
Answer: B
Explanation: You initiate peering on one VPC and then accept the request on the peer VPC to complete the connection.
**Question 45. What is the purpose of “Cloud Asset Inventory”?**
A) To store encrypted user data
B) To provide a searchable inventory of all cloud resources and their metadata
C) To manage billing accounts
D) To host static website content
Answer: B
Explanation: Cloud Asset Inventory continuously tracks and catalogs GCP assets, enabling inventory queries and policy analysis.

Answer: B
Explanation: Service accounts are non-human accounts that applications use to call GCP services securely.
**Question 49. Which GCP networking component provides NAT for a private subnet without needing to assign external IPs to each VM?**
A) Cloud Router
B) Cloud NAT
C) Cloud VPN
D) Cloud Interconnect
Answer: B
Explanation: Cloud NAT translates outbound traffic from private IPs to a public IP, enabling internet access without per-VM external IPs.
**Question 50. Which of the following is the default retention period for Cloud Logging entries?**
A) 7 days
B) 30 days
C) 90 days
D) 365 days
Answer: C
Explanation: Cloud Logging retains log entries for 30 days for free; however, certain services retain up to 90 days. The standard free retention is 30 days, but for the purpose of the exam the commonly cited default is 30 days.

**Question 51. Which tool can you use to automatically generate IAM policy recommendations based on actual usage?**
A) IAM Recommender
B) Policy Simulator
C) Cloud Asset Inventory
D) Access Transparency
Answer: A
Explanation: IAM Recommender analyzes permission usage and suggests least-privilege role adjustments.
**Question 52. Which GCP service provides a managed, horizontally scalable, request-driven execution environment for code in response to HTTP requests?**
A) Cloud Run
B) Cloud Functions
C) App Engine Standard
D) Compute Engine
Answer: B
Explanation: Cloud Functions executes code in response to HTTP triggers (and other events) without server management.
**Question 53. When configuring a Cloud SQL instance for private IP connectivity, which component must be present in the same VPC?**
A) Cloud DNS private zone
B) Cloud Router
C) Private Service Connect endpoint
D) VPC peering with Google services