Google Professional-Cloud-Architect Exam Dumps

For this question, refer to the EHR Healthcare case study. EHR has single Dedicated Interconnectconnection between their primary data center and Googles network. This connectionsatisfiesEHR’s network and security policies:• On-premises servers without public IP addresses need to connect to cloud resourceswithout public IP addresses• Traffic flows from production network mgmt. servers to Compute Engine virtualmachines should never traverse the public internet.You need to upgrade the EHR connection to comply with their requirements. The newconnection design must support business critical needs and meet the same network andsecurity policy requirements. What should you do?

A. Add a new Dedicated Interconnect connection
B. Upgrade the bandwidth on the Dedicated Interconnect connection to 100 G
C. Add three new Cloud VPN connections
D. Add a new Carrier Peering connection

Answer: A

For this question, refer to the EHR Healthcare case study. You are responsible fordesigning the Google Cloud network architecture for Google Kubernetes Engine. You wantto follow Google best practices. Considering the EHR Healthcare business and technicalrequirements, what should you do to reduce the attack surface?

A. Use a private cluster with a private endpoint with master authorized networksconfigured.
B. Use a public cluster with firewall rules and Virtual Private Cloud (VPC) routes.
C. Use a private cluster with a public endpoint with master authorized networks configured.
D. Use a public cluster with master authorized networks enabled and firewall rules.

Answer: A

For this question, refer to the EHR Healthcare case study. You need to define the technicalarchitecture for securely deploying workloads to Google Cloud. You also need to ensurethat only verified containers are deployed using Google Cloud services. What should youdo? (Choose two.)

A. Enable Binary Authorization on GKE, and sign containers as part of a CI/CD pipeline.
B. Configure Jenkins to utilize Kritis to cryptographically sign a container as part of a CI/CD pipeline.
C. Configure Container Registry to only allow trusted service accounts to create and deploycontainers from the registry.
D. Configure Container Registry to use vulnerability scanning to confirm that there are novulnerabilities before deploying the workload.

Answer: A

For this question, refer to the EHR Healthcare case study. You are a developer on the EHRcustomer portal team. Your team recently migrated the customer portal application toGoogle Cloud. The load has increased on the application servers, and now the applicationis logging many timeout errors. You recently incorporated Pub/Sub into the applicationarchitecture, and the application is not logging any Pub/Sub publishing errors. You want toimprove publishing latency. What should you do?

A. Increase the Pub/Sub Total Timeout retry value.
B. Move from a Pub/Sub subscriber pull model to a push model.
C. Turn off Pub/Sub message batching.
D. Create a backup Pub/Sub message queue.

Answer: C

For this question, refer to the EHR Healthcare case study. In the past, configuration errorsput public IP addresses on backend servers that should not have been accessible from theInternet. You need to ensure that no one can put external IP addresses on backendCompute Engine instances and that external IP addresses can only be configured onfrontend Compute Engine instances. What should you do?

A. Create an Organizational Policy with a constraint to allow external IP addresses only onthe frontend Compute Engine instances.
B. Revoke the compute.networkAdmin role from all users in the project with front endinstances.
C. Create an Identity and Access Management (IAM) policy that maps the IT staff to thecompute.networkAdmin role for the organization.
D. Create a custom Identity and Access Management (IAM) role named GCE_FRONTENDwith the compute.addresses.create permission.

Answer: A

For this question, refer to the EHR Healthcare case study. You are responsible for ensuringthat EHR's use of Google Cloud will pass an upcoming privacy compliance audit. Whatshould you do? (Choose two.)

A. Verify EHR's product usage against the list of compliant products on the Google Cloudcompliance page.
B. Advise EHR to execute a Business Associate Agreement (BAA) with Google Cloud.
C. Use Firebase Authentication for EHR's user facing applications.
D. Implement Prometheus to detect and prevent security breaches on EHR's web-based applications.
E. Use GKE private clusters for all Kubernetes workloads.

Answer: A,B

You need to upgrade the EHR connection to comply with their requirements. The newconnection design must support business-critical needs and meet the same network andsecurity policy requirements. What should you do?

A. Add a new Dedicated Interconnect connection.
B. Upgrade the bandwidth on the Dedicated Interconnect connection to 100 G.
C. Add three new Cloud VPN connections.
D. Add a new Carrier Peering connection.

Answer: D

For this question, refer to the EHR Healthcare case study. You need to define the technicalarchitecture for hybrid connectivity between EHR's on-premises systems and GoogleCloud. You want to follow Google's recommended practices for production-levelapplications. Considering the EHR Healthcare business and technical requirements, whatshould you do?

A. Configure two Partner Interconnect connections in one metro (City), and make sure theInterconnect connections are placed in different metro zones.
B. Configure two VPN connections from on-premises to Google Cloud, and make sure theVPN devices on-premises are in separate racks.
C. Configure Direct Peering between EHR Healthcare and Google Cloud, and make sureyou are peering at least two Google locations.
D. Configure two Dedicated Interconnect connections in one metro (City) and twoconnections in another metro, and make sure the Interconnect connections are placed indifferent metro zones.

Answer: D

For this question, refer to the Helicopter Racing League (HRL) case study. Your team is incharge of creating apayment card data vault for card numbers used to bill tens of thousands of viewers,merchandise consumers,and season ticket holders. You need to implement a custom card tokenization service thatmeets the followin grequirements:• It must provide low latency at minimal cost. • It must be able to identify duplicate credit cards and must not store plaintext cardnumbers.• It should support annual key rotation.Which storage approach should you adopt for your tokenization service?

A. Store the card data in Secret Manager after running a query to identify duplicates.
B. Encrypt the card data with a deterministic algorithm stored in Firestore using Datastore mode.
C. Encrypt the card data with a deterministic algorithm and shard it across multiple Memorystore instances.
D. Use column-level encryption to store the data in Cloud SQL.

Answer: B

For this question, refer to the Helicopter Racing League (HRL) case study. A recent financeaudit of cloudinfrastructure noted an exceptionally high number of Compute Engine instances areallocated to do videoencoding and transcoding. You suspect that these Virtual Machines are zombie machinesthat were not deletedafter their workloads completed. You need to quickly get a list of which VM instances areidle. What should youdo?

A. Log into each Compute Engine instance and collect disk, CPU, memory, and networkusage statistics foranalysis.
B. Use the gcloud compute instances list to list the virtual machine instances that have theidle: true label set.
C. Use the gcloud recommender command to list the idle virtual machine instances.
D. From the Google Console, identify which Compute Engine instances in the managedinstance groups areno longer responding to health check probes.

Answer: C

For this question, refer to the Helicopter Racing League (HRL) case study. Recently HRLstarted a new regionalracing league in Cape Town, South Africa. In an effort to give customers in Cape Town abetter userexperience, HRL has partnered with the Content Delivery Network provider, Fastly. HRLneeds to allow trafficcoming from all of the Fastly IP address ranges into their Virtual Private Cloud network(VPC network). You area member of the HRL security team and you need to configure the update that will allowonly the Fastly IPaddress ranges through the External HTTP(S) load balancer. Which command should youuse?

A. glouc compute firewall rules update hlr-policy \--priority 1000 \target tags-sourceiplist fastly \--allow tcp:443
B. gcloud compute security policies rules update 1000 \--security-policy hlr-policy \--expression "evaluatePreconfiguredExpr('sourceiplist-fastly')" \--action " allow"
C. gcloud compute firewall rules updatesourceiplist-fastly \priority 1000 \allow tcp: 443
D. gcloud compute priority-policies rules update1000 \security policy from fastly--src- ip-ranges"-- action " allow"

Answer: B

For this question, refer to the Helicopter Racing League (HRL) case study. HRL wantsbetter predictionaccuracy from their ML prediction models. They want you to use Google’s AI Platform soHRL can understandand interpret the predictions. What should you do?

A. Use Explainable AI.
B. Use Vision AI.
C. Use Google Cloud’s operations suite.
D. Use Jupyter Notebooks.

Answer: A

For this question, refer to the Helicopter Racing League (HRL) case study. HRL is lookingfor a cost-effectiveapproach for storing their race data such as telemetry. They want to keep all historicalrecords, train modelsusing only the previous season's data, and plan for data growth in terms of volume andinformation collected.You need to propose a data solution. Considering HRL business requirements and thegoals expressed byCEO S. Hawke, what should you do?

A. Use Firestore for its scalable and flexible document-based database. Use collections to aggregate race databy season and event.
B. Use Cloud Spanner for its scalability and ability to version schemas with zero downtime. Split race datausing season as a primary key.
C. Use BigQuery for its scalability and ability to add columns to a schema. Partition race data based on season.
D. Use Cloud SQL for its ability to automatically manage storage increases and compatibility with MySQL. Useseparate database instances for each season.

Answer: C

For this question, refer to the Helicopter Racing League (HRL) case study. The HRLdevelopment teamreleases a new version of their predictive capability application every Tuesday evening at 3a.m. UTC to arepository. The security team at HRL has developed an in-house penetration test CloudFunction called Airwolf.The security team wants to run Airwolf against the predictive capability application as soonas it is releasedevery Tuesday. You need to set up Airwolf to run at the recurring weekly cadence. Whatshould you do?

A. Set up Cloud Tasks and a Cloud Storage bucket that triggers a Cloud Function.
B. Set up a Cloud Logging sink and a Cloud Storage bucket that triggers a Cloud Function.
C. Configure the deployment job to notify a Pub/Sub queue that triggers a Cloud Function.
D. Set up Identity and Access Management (IAM) and Confidential Computing to trigger a Cloud Function.

Answer: A

You are monitoring Google Kubernetes Engine (GKE) clusters in a Cloud Monitoringworkspace. As a Site Reliability Engineer (SRE), you need to triage incidents quickly. Whatshould you do?

A. Navigate the predefined dashboards in the Cloud Monitoring workspace, and then addmetrics and create alert policies.
B. Navigate the predefined dashboards in the Cloud Monitoring workspace, create custommetrics, and install alerting software on a Compute Engine instance.
C. Write a shell script that gathers metrics from GKE nodes, publish these metrics to aPub/Sub topic, export the data to BigQuery, and make a Data Studio dashboard.
D. Create a custom dashboard in the Cloud Monitoring workspace for each incident, andthen add metrics and create alert policies.

Answer: A

You are designing a Data Warehouse on Google Cloud and want to store sensitive data inBigQuery. Your company requires you to generate encryption keys outside of GoogleCloud. You need to implement a solution. What should you do?

A. Generate a new key in Cloud Key Management Service (Cloud KMS). Store all data inCloud Storage using the customer-managed key option and select the created key. Set upa Dataflow pipeline to decrypt the data and to store it in a BigQuery dataset.
B. Generate a new key in Cloud Key Management Service (Cloud KMS). Create a datasetin BigQuery using the customer-managed key option and select the created key
C. Import a key in Cloud KMS. Store all data in Cloud Storage using the customermanagedkey option and select the created key. Set up a Dataflow pipeline to decrypt thedata and to store it in a new BigQuery dataset.
D. Import a key in Cloud KMS. Create a dataset in BigQuery using the customer-suppliedkey option and select the created key.

Answer: D

Your team is developing a web application that will be deployed on Google KubernetesEngine (GKE). Your CTO expects a successful launch and you need to ensure yourapplication can handle the expected load of tens of thousands of users. You want to testthe current deployment to ensure the latency of your application stays below a certainthreshold. What should you do?

A. Use a load testing tool to simulate the expected number of concurrent users and totalrequests to your application, and inspect the results.
B. Enable autoscaling on the GKE cluster and enable horizontal pod autoscaling on yourapplication deployments. Send curl requests to your application, and validate if the autoscaling works.
C. Replicate the application over multiple GKE clusters in every Google Cloud region.Configure a global HTTP(S) load balancer to expose the different clusters over a single global IP address.
D. Use Cloud Debugger in the development environment to understand the latencybetween the different microservices.

Answer: B

An application development team has come to you for advice.They are planning to write and deploy an HTTP(S) API using Go 1.12. The API will have a very unpredictableworkload and must remain reliable during peaks in traffic. They want to minimizeoperational overhead for this application. What approach should you recommend?

A. Use a Managed Instance Group when deploying to Compute Engine
B. Develop an application with containers, and deploy to Google Kubernetes Engine (GKE)
C. Develop the application for App Engine standard environment
D. Develop the application for App Engine Flexible environment using a custom runtime

Answer: C

Your company has a Google Cloud project that uses BlgQuery for data warehousing Thereare some tables that contain personally identifiable information (PI!) Only the complianceteam may access the PH. The other information in the tables must be available to the datascience team. You want to minimize cost and the time it takes to assign appropriate accessto the tables What should you do?

A. 1 From the dataset where you have the source data, create views of tables that youwant to share, excluding Pll2 Assign an appropriate project-level IAM role to the members of the data science team3 Assign access controls to the dataset that contains the view
B. 1 From the dataset where you have the source data, create materialized views of tablesthat you want to share excluding Pll2 Assign an appropriate project-level IAM role to the members of the data science team 3.Assign access controls to the dataset that contains the view.
C. 1 Create a dataset for the data science team2 Create views of tables that you want to share excluding Pll3 Assign an appropriate project-level IAM role to the members of the data science team4 Assign access controls to the dataset that contains the view5 Authorize the view to access the source dataset
D. 1. Create a dataset for the data science team.2. Create materialized views of tables that you want to share, excluding Pll3. Assign an appropriate project-level IAM role to the members of the data science team4 Assign access controls to the dataset that contains the view5 Authorize the view to access the source dataset

Answer: C

You want to allow your operations learn to store togs from all the production protects inyour Organization, without during logs from other projects All of the production projects arecontained in a folder. You want to ensure that all logs for existing and new productionprojects are captured automatically. What should you do?

A. Create an aggregated export on the Production folder. Set the log sink to be a CloudStorage bucket in an operations project
B. Create an aggregated export on the Organization resource. Set the tog sink to be aCloud Storage bucket in an operations project.
C. Create log exports in the production projects. Set the log sinks to be a Cloud Storage bucket in an operations project.
D. Create tog exports in the production projects. Set the tog sinks to be BigQuery datasetsin the production projects and grant IAM access to the operations team to run queries onthe datasets

Answer: B

Your company has a support ticketing solution that uses App Engine Standard. The projectthat contains the App Engine application already has a Virtual Private Cloud(VPC) networkfullyconnected to the company’s on-premises environment through a Cloud VPN tunnel. Youwant to enable App Engine application to communicate with a database that is running in the company’s on-premises environment. What should you do?

A. Configure private services access
B. Configure private Google access for on-premises hosts only
C. Configure serverless VPC access
D. Configure private Google access

Answer: C

Your company is using Google Cloud. You have two folders under the Organization:Finance and Shopping. The members of the development team are in a Google Group.The development team group has been assigned the Project Owner role on the Organization. You want to prevent the development team from creating resources inprojects in the Finance folder. What should you do?

A. Assign the development team group the Project Viewer role on the Finance folder, andassign the development team group the Project Owner role on the Shopping folder.
B. Assign the development team group only the Project Viewer role on the Finance folder.
C. Assign the development team group the Project Owner role on the Shopping folder, andremove the development team group Project Owner role from the Organization.
D. Assign the development team group only the Project Owner role on the Shopping folder.

Answer: C

Your company uses the Firewall Insights feature in the Google Network Intelligence Center.You have several firewall rules applied to Compute Engine instances. You need to evaluatethe efficiency of the applied firewall ruleset. When you bring up the Firewall Insights page inthe Google Cloud Console, you notice that there are no log rows to display. What shouldyou do to troubleshoot the issue?

A. Enable Virtual Private Cloud (VPC) flow logging.
B. Enable Firewall Rules Logging for the firewall rules you want to monitor.C. Verify that your user account is assigned the compute.networkAdmin Identity andAccess Management (IAM) role.
D. Install the Google Cloud SDK, and verify that there are no Firewall logs in the commandline output.

Answer: B