Was :
$81
Today :
$45
Was :
$99
Today :
$55
Was :
$117
Today :
$65
Why Should You Prepare For Your Google Cloud Certified - Associate Cloud Engineer With MyCertsHub?
At MyCertsHub, we go beyond standard study material. Our platform provides authentic Google Associate-Cloud-Engineer Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Google Cloud Certified - Associate Cloud Engineer test. Whether you’re targeting Google certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.
Verified Associate-Cloud-Engineer Exam Dumps
Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the Associate-Cloud-Engineer Google Cloud Certified - Associate Cloud Engineer , you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.
Realistic Test Prep For The Associate-Cloud-Engineer
You can instantly access downloadable PDFs of Associate-Cloud-Engineer practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the Google Exam with confidence.
Smart Learning With Exam Guides
Our structured Associate-Cloud-Engineer exam guide focuses on the Google Cloud Certified - Associate Cloud Engineer's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content. Pass the Associate-Cloud-Engineer Exam – Guaranteed
We Offer A 100% Money-Back Guarantee On Our Products.
After using MyCertsHub's exam dumps to prepare for the Google Cloud Certified - Associate Cloud Engineer exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.
Try Before You Buy – Free Demo
Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the Associate-Cloud-Engineer exam dumps.
MyCertsHub – Your Trusted Partner For Google Exams
Whether you’re preparing for Google Cloud Certified - Associate Cloud Engineer or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your Associate-Cloud-Engineer exam has never been easier thanks to our tried-and-true resources.
Google Associate-Cloud-Engineer Sample Question Answers
Question # 1
You are planning to move your company's website and a specific asynchronous background job to Google Cloud Your website contains only static HTML content The background job is started through an HTTP endpoint and generates monthly invoices for your customers. Your website needs to be available in multiple geographic locations and requires autoscaling. You want to have no costs when your workloads are not In use and follow recommended practices. What should you do?
A. Move your website to Google Kubemetes Engine (GKE). and move your background job to Cloud Functions B. Move both your website and background job to Compute Engine. C. Move both your website and background job to Cloud Run. D. Move your website to Google Kubemetes Engine (GKE), and move your background job to Compute Engine
Answer: C
Question # 2
Your company runs a variety of applications and workloads on Google Cloud and you are responsible for managing cloud costs. You need to identify a solution that enables you to perform detailed cost analysis You also must be able to visualize the cost data in multiple ways on the same dashboard What should you do?
A. Use the cost breakdown report with the available filters from Cloud Billing to visualize the data B. Enable the Cloud Billing export to BigQuery. and use Looker Studio to visualize the data C. Run Queries in Cloud Monitoring Create dashboards to visualize the billing metrics D. Enable Cloud Monitoring metrics export to BigQuery and use Looker to visualize the data
Answer: B
Question # 3
You are the Google Cloud systems administrator for your organization. User A reports that they received an error when attempting to access the Cloud SQL database in their Google Cloud project, while User B can access the database. You need to troubleshoot the issue for User A, while following Google-recommended practices. What should you do first?
A. Confirm that network firewall rules are not blocking traffic for User A. B. Review recent configuration changes that may have caused unintended modifications to permissions. C. Verify that User A has the Identity and Access Management (IAM) Project Owner role assigned. D. Review the error message that User A received.
Answer: D
Explanation
Question # 4
Your company stores data from multiple sources that have different data storage requirements. These data include: 1. Customer data that is structured and read with complex queries 2. Historical log data that is large in volume and accessed infrequently 3. Real-time sensor data with high-velocity writes, which needs to be available for analysis but can tolerate some data loss You need to design the most cost-effective storage solution that fulfills all data storage requirements. What should you do?
A. Use Spanner for all data. B. Use Cloud SQL for customer data, Cloud Storage (Coldline) for historical logs, and BigQuery for sensor data. C. Use Cloud SQL for customer data, Cloud Storage (Archive) for historical logs, and Bigtable for sensor data. D. Use Firestore for customer data, Cloud Storage (Nearline) for historical logs, and Bigtable for sensor data.
Answer: C
Explanation:
Question # 5
You are planning to migrate your containerized workloads to Google Kubernetes Engine (GKE). You need to determine which GKE option to use. Your solution must have high availability, minimal downtime, and the ability to promptly apply security updates to your nodes. You also want to pay only for the compute resources that your workloads use without managing nodes. You want to follow Google-recommended practices and minimize operational costs. What should you do?
A. Configure a Standard multi-zonal GKE cluster. B. Configure an Autopilot GKE cluster. C. Configure a Standard zonal GKE cluster. D. Configure a Standard regional GKE cluster.
Answer: B
Explanation:
Question # 6
You are planning to migrate a database and a backend application to a Standard Google Kubernetes Engine (GKE) cluster. You need to prevent data loss and make sure there are enough nodes available for your backend application based on the demands of your workloads. You want to follow Googlerecommended practices and minimize the amount of manual work required. What should you do?
A. Run your database as a StatefulSet. Configure cluster autoscaling to handle changes in the demands of your workloads. B. Run your database as a single Pod. Run the resize command when you notice changes in the demands of your workloads. C. Run your database as a Deployment. Configure cluster autoscaling to handle changes in the demands of your workloads. D. Run your database as a DaemonSet. Run the resize command when you notice changes in the demands of your workloads.
Answer: A
Explanation:
Question # 7
Your company has many legacy third-party applications that rely on a shared NFS server for file sharing between these workloads. You want to modernize the NFS server by using a Google Cloud managed service. You need to select the solution that requires the least amount of change to the application. What should you do?
A. Configure Firestore. Configure all applications to use Firestore instead of the NFS server. B. Deploy a Filestore instance. Replace all NFS mounts with a Filestore mount. C. Create a Cloud Storage bucket. Configure all applications to use Cloud Storage client libraries instead of the NFS server. D. Create a Compute Engine instance and configure an NFS server on the instance. Point all NFS mounts to the Compute Engine instance.
Answer: B
Explanation:
Question # 8
You are deploying an application to Cloud Run. Your application requires the use of an API that runs on Google Kubernetes Engine (GKE). You need to ensure that your Cloud Run service can privately reach the API on GKE, and you want to follow Google-recommended practices. What should you do?
A. Deploy an ingress resource on the GKE cluster to expose the API to the internet. Use Cloud Armor to filter for IP addresses that can connect to the API. On the Cloud Run service, configure the application to fetch its public IP address and update the Cloud Armor policy on startup to allow this IP address to call the API on ports 80 and 443. B. Create an egress firewall rule on the VPC to allow connections to 0.0.0.0/0 on ports 80 and 443. C. Create an ingress firewall rule on the VPC to allow connections from 0.0.0.0/0 on ports 80 and 443. D. Deploy an internal Application Load Balancer to expose the API on GKE to the VPC. Configure Cloud DNS with the IP address of the internal Application Load Balancer. Deploy a Serverless VPC Access connector to allow the Cloud Run service to call the API through the FQDN on Cloud DNS.
Answer: D
Explanation:
The requirement is for private communication between a Cloud Run service and a GKE API, following
best practices.
Option A exposes the GKE API to the public internet, which violates the "privately reach"
requirement. Relying on dynamic IP allowlisting with Cloud Armor is complex and less secure than
private networking.
Options B and C configure overly permissive firewall rules (allowing all egress or ingress) and do not
establish the necessary private network path between Cloud Run (which normally runs outside your
VPC) and the GKE cluster within your VPC.
Option D describes the standard Google-recommended pattern for this scenario:
Internal Application Load Balancer (ILB): Expose the GKE service (API) using an ILB. This gives the
service a private IP address accessible only within the VPC network (or connected networks).
Cloud DNS: Create a private DNS zone and record pointing a fully qualified domain name (FQDN) to
the ILB's private IP address. This allows services to reach the API via a stable name instead of an IP.
Serverless VPC Access Connector: This connector creates a bridge allowing serverless services like
Cloud Run to send traffic into your VPC network.
Cloud Run Configuration: Configure the Cloud Run service to use the VPC Access connector. The application code can then call the GKE API using its private FQDN registered in Cloud DNS.
This setup ensures traffic flows entirely over private networks (within the VPC via the ILB and
through the VPC Access connector), meeting the private communication requirement securely and
reliably.
Reference:
Serverless VPC Access: "Serverless VPC Access lets your serverless environment send requests to
You assist different engineering teams in deploying their infrastructure on Google Cloud. Your company has defined certain practices required for all workloads. You need to provide the engineering teams with a solution that enables teams to deploy their infrastructure independently without having to know all implementation details of the company's required practices. What should you do?
A. Create a service account per team, and grant the service account the Project Editor role. Ask the teams to provision their infrastructure through the Google Cloud CLI (gcloud CLI), while impersonating their dedicated service account. B. Provide training for all engineering teams you work with to understand the companys required practices. Allow the engineering teams to provision the infrastructure to best meet their needs. C. Configure organization policies to enforce your companys required practices. Ask the teams to provision their infrastructure by using the Google Cloud console. D. Write Terraform modules for each component that are compliant with the companys required practices, and ask teams to implement their infrastructure through these modules.
Answer: D
Explanation:
The goal is to enable teams to deploy infrastructure independently while ensuring compliance with
company practices, without requiring teams to understand the underlying details of those practices.
Option A provides deployment capability but doesn't enforce practices. The Editor role is overly
broad, and using the gcloud CLI directly requires knowledge of how to configure resources
compliantly.
Option B requires teams to learn all the practices, contradicting the requirement that they don't
need to know the implementation details.
Option C (Organization Policies) is useful for setting constraints (e.g., disallowing public IPs,
restricting regions), but it doesn't provide pre-configured, deployable components that embody best
practices. Teams still need to figure out how to build compliant resources within the policy
constraints.
Option D (Terraform Modules): This approach encapsulates the company's required practices within
reusable infrastructure-as-code modules. Engineering teams can then use these modules as building
blocks, providing only the necessary input parameters (like application name orsize). The module
handles the compliant implementation details internally. This allows teams to deploy independently
and ensures compliance without needing deep knowledge of every practice.
Using standardized, compliant modules is a common pattern for enabling self-service infrastructure
deployment while maintaining standards and governance.
Reference:
Terraform Modules: "Modules are containers for multiple resources that are used together...
Modules allow complex resources to be abstracted away behind a clean interface." -
Your organization has decided to deploy all its compute workloads to Kubernetes on Google Cloud and two other cloud providers. You want to build an infrastructure-as-code solution to automate the provisioning process for all cloud resources. What should you do?
A. Build the solution by using YAML manifests, and provision the resources. B. Build the solution by using Terraform, and provision the resources. C. Build the solution by using Python and the cloud SDKs from all providers to provision the resources. D. Build the solution by using Config Connector, and provision the resources.
Answer: B
Explanation:
The requirement is for an infrastructure-as-code (IaC) solution that can manage Kubernetes
resources and other cloud resources across multiple cloud providers (Google Cloud and two others).
Option A (YAML manifests): YAML manifests are primarily used for defining Kubernetes objects, not
for provisioning general cloud resources (like VPCs, IAM policies, databases) across different cloud
providers.
Option C (Python + SDKs): While possible, writing custom scripts using each provider's SDK requires
significant development effort to handle state management, dependencies, and provider differences.
It essentially reinvents much of what dedicated IaC tools provide and is not a standard IaC approach.
Option D (Config Connector): Config Connector allows managing Google Cloud resources using
Kubernetes-style manifests and APIs. It is specific to Google Cloud and cannot manage resources in
other cloud providers.
Option B (Terraform): Terraform is an open-source IaC tool explicitly designed for building, changing,
and versioning infrastructure safely and efficiently across multiple cloud providers and on-premises
data centers. It uses providers for different platforms (GCP, AWS, Azure, Kubernetes, etc.), allowing a
unified workflow to manage diverse resources across the required environments (Google Cloud,
other clouds, Kubernetes).
Terraform is the standard tool for multi-cloud IaC automation as described in the scenario.
Reference:
Terraform on Google Cloud: "Terraform is an open source infrastructure as code (IaC) tool...
Terraform lets you manage Google Cloud resources with declarative configuration files..." -
You are planning to migrate your on-premises VMs to Google Cloud. You need to set up a landing zone in Google Cloud before migrating the VMs. You must ensure that all VMs in your production environment can communicate with each other through private IP addresses. You need to allow all VMs in your Google Cloud organization to accept connections on specific TCP ports. You want to follow Google-recommended practices, and you need to minimize your operational costs. What should you do?
A. Create individual VPCs per Google Cloud project. Peer all the VPCs together. Apply organization policies on the organization level. B. Create individual VPCs for each Google Cloud project. Peer all the VPCs together. Apply hierarchical firewall policies on the organization level. C. Create a host VPC project with each production project as its service project. Apply organization policies on the organization level. D. Create a host VPC project with each production project as its service project. Apply hierarchical firewall policies on the organization level.
Answer: D
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The goal is to create a landing zone facilitating private IP communication across production projects
and apply organization-wide firewall rules, following best practices and minimizing operational costs.
Network Structure:Individual VPCs with Peering (A, B): While VPC Peering allows private
connectivity, managing a full mesh or complex peering topology across many projects becomes
operationally complex and can hit peering limits. It's not the recommended pattern for centralized
connectivity in a landing zone.
Shared VPC (C, D): This is the Google-recommended practice for scenarios where resources from
multiple projects need to communicate privately within a common VPC network. A central host
project owns the network, and service projects use it. This simplifies network administration and
Google Cloud security foundations guide: Often recommends Shared VPC and centralized firewall
management (using Hierarchical Firewalls or traditional firewalls with tags in the host project) as part
of a secure landing zone. - (Conceptual reference, specific document may vary)
Question # 12
You are deploying an application to Google Kubernetes Engine (GKE) that needs to call an external third-party API. You need to provide the external API vendor with a list of IP addresses for their firewall to allow traffic from your application. You want to follow Google-recommended practices and avoid any risk of interrupting traffic to the API due to IP address changes. What should you do?
A. Configure your GKE cluster with one node, and set the node to have a static external IP address. Ensure that the GKE cluster autoscaler is off. Send the external IP address of the node to the vendor to be added to the allowlist. B. Configure your GKE cluster with private nodes. Configure a Cloud NAT instance with static IP addresses. Provide these IP addresses to the vendor to be added to the allowlist. C. Configure your GKE cluster with public nodes. Write a Cloud Function that pulls the public IP addresses of each node in the cluster. Trigger the function to run every day with Cloud Scheduler. Send the list to the vendor by email every day. D. Configure your GKE cluster with private nodes. Configure a Cloud NAT instance with dynamic IP addresses. Provide these IP addresses to the vendor to be added to the allowlist.
Answer: B
Explanation:
The requirement is for a stable set of egress IP addresses from a GKE cluster for allowlisting by a third
party, following best practices.
Option A is not recommended: Using a single node lacks scalability and high availability. Relying on a
single node's static IP creates a single point of failure and doesn't align with GKE's design principles.
Disabling autoscaling hinders elasticity.
Option C is complex and unreliable: Public nodes typically have ephemeral external IPs (unless
manually configured per node, which is difficult to manage with autoscaling). Dynamically tracking
and emailing IPs daily is operationally burdensome and prone to race conditions where the allowlist
might lag behind IP changes.
Option D uses Cloud NAT but with dynamic IPs. Dynamic IPs change over time, making them
unsuitable for stable firewall allowlists.
Option B is the Google-recommended practice: Configuring the GKE cluster with private nodes
enhances security as nodes don't have direct external IPs. Cloud NAT provides managed network
address translation for these private nodes to access the internet. By configuring Cloud NAT with a
static allocation of external IP addresses, all egress traffic from the private GKE nodes will appear to
originate from this stable, predictable set of IPs. This set can be given to the vendor for allowlisting
without worrying about node IP changes due to scaling or maintenance.
This approach decouples the application's egress IP from the individual nodes, providing stability and
adhering to the principle of least privilege (private nodes).
Reference:
Cloud NAT Overview: "Cloud NAT lets certain resources without external IP addresses create
You have an application that is currently processing transactions by using a group of managed VM instances. You need to migrate the application so that it is serverless and scalable. You want to implement an asynchronous transaction processing system, while minimizing management overhead. What should you do?
A. Install Kafka on VM instances to acknowledge incoming transactions. Use Cloud Run to process transactions. B. Install Kafka on VM Instances to acknowledge incoming transactions. Use VM Instances to process transactions. C. Use Pub/Sub to acknowledge incoming transactions. Use VM instances to process transactions. D. Use Pub/Sub to acknowledge incoming transactions. Use Cloud Run to process transactions.
Answer: D
Explanation:
The goal is to create a serverless, scalable, and asynchronous transaction processing system with
minimal management overhead.
Serverless Requirement:Options involving installing Kafka on VMs (A, B) or using VM instances for
processing (B, C) introduce management overhead associated with VMs (patching, scaling
configuration, OS management) and Kafka cluster management, violating the serverless and minimal
management criteria.
Asynchronous Requirement:Both Kafka and Pub/Sub can handle asynchronous messaging. However,
Pub/Sub is Google Cloud's fully managed, serverless messaging service, inherently minimizing
management overhead compared to self-managed Kafka on VMs.
Scalability and Processing:Cloud Run is a fully managed, serverless platform that automatically scales
based on traffic, suitable for processing transactions without managing underlying infrastructure. VM
(You host your website on Compute Engine. The number of global users visiting your website is rapidly expanding. You need to minimize latency and support user growth in multiple geographical regions. You also want to follow Google-recommended practices and minimize operational costs. Which two actions should you take? Choose 2 answers)
A. Deploy all of your VMs in a single Google Cloud region with the largest available CIDR range. B. Deploy your VMs in multiple Google Cloud regions closest to your users geographical locations. C. Use an external Application Load Balancer in Regional mode. D. Use an external Application Load Balancer in Global mode. E. Use a Network Load Balancer.
Answer: BD
Explanation:
To minimize latency for a global user base, it's crucial to serve users from regions geographically
close to them. Deploying VMs in multiple Google Cloud regions (Option B) achieves this by reducing
the network distance and thus the round-trip time for requests.
To support user growth and provide a single point of entry with global reach, a global external
Application Load Balancer (Option D) is the recommended choice for web applications. It distributes
traffic to backend instances across multiple regions based on user proximity, capacity, and health.
Application Load Balancers also offer features like SSL termination, content-based routing, and
security policies, which are important for modern web applications.
* Option A: Deploying in a single region, regardless of the CIDR range, will result in high latency for
users far from that region.
* Option C: A regional external Application Load Balancer only distributes traffic within a single
region, not across multiple global regions, thus not effectively minimizing latency for all global users.
* Option E: Network Load Balancers operate at Layer 4 and don't offer the application-level routing
and features of an Application Load Balancer, which are generally preferred for web applications.
While they can be global, Application Load Balancers are better suited for this scenario.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
The concepts of multi-region deployments for low latency and the use of global load balancers
(specifically Application Load Balancers for web traffic) for global reach and traffic management are
core topics in the Compute Engine and Load Balancing sections of the Google Cloud documentation,
which are essential for the Associate Cloud Engineer certification. The best practices for global
application deployment are emphasized.
Question # 15
(You are managing a stateful application deployed on Google Kubernetes Engine (GKE) that can only have one replic a. You recently discovered that the application becomes unstable at peak times. You have identified that the application needs more CPU than what has been configured in the manifest at these peak times. You want Kubernetes to allocate the application sufficient CPU resources during these peak times, while ensuring cost efficiency during off-peak periods. What should you do?)
A. Enable cluster autoscaling on the GKE cluster. B. Configure a Vertical Pod Autoscaler on the Deployment. C. Configure a Horizontal Pod Autoscaler on the Deployment. D. Enable node auto-provisioning on the GKE cluster.
Answer: B
Explanation:
The Vertical Pod Autoscaler (VPA) in Kubernetes automatically adjusts the CPU and memory requests
and limits of the containers within a pod based on historical and real-time resource usage. In this
scenario, where a single-replica stateful application needs more CPU during peak times, VPA can
dynamically increase the CPU allocated to the pod when needed and potentially decrease it during
off-peak periods to optimize resource utilization and cost efficiency.
Option A: Cluster autoscaling adds or removes nodes in your GKE cluster based on the resource
requests of your pods. While it can help with overall cluster capacity, it oesn't directly address the
need for more CPU for a specific pod.
Option C: Horizontal Pod Autoscaler (HPA) scales the number of pod replicas based on observed CPU
utilization or other select metrics. Since the application can only have one replica, HPA is not
suitable.
Option D: Node auto-provisioning is similar to cluster autoscaling, automatically creating and
deleting node pools based on workload demands. It doesn't directly manage the resources of
individual pods.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
The functionality and use cases of the Vertical Pod Autoscaler (VPA) are detailed in the Google
Kubernetes Engine documentation, specifically within the resource management and autoscaling
sections. Understanding how VPA can dynamically adjust pod resources is relevant to the Associate
Cloud Engineer certification.
Question # 16
(Your companys developers use an automation that you recently built to provision Linux VMs in Compute Engine within a Google Cloud project to perform various tasks. You need to manage the Linux account lifecycle and access for these users. You want to follow Google-recommended practices to simplify access management while minimizing operational costs. What should you do?)
A. Enable OS Login for all VMs. Use IAM roles to grant user permissions. B. Enable OS Login for all VMs. Write custom startup scripts to update user permissions. C. Require your developers to create public SSH keys. Make the owner of the public key the root user. D. Require your developers to create public SSH keys. Write custom startup scripts to update user permissions.
Answer: A
Explanation:
OS Login is a Google-recommended practice for managing access to Linux VMs in Compute Engine. It
centralizes user account management by linking the Linux user accounts on the VMs to Google Cloud
identities. You then use IAM roles to grant users the necessary permissions to access the VMs (e.g.,
roles/compute.osLogin or roles/compute.osAdminLogin). This simplifies management as you control
access through IAM policies rather than managing individual SSH keys on each VM, thus minimizing
operational costs.
Option B: While enabling OS Login is a good first step, writing custom startup scripts to manage user
permissions adds complexity and operational overhead, contradicting the goal of simplification and
minimizing costs.
Option C: Requiring developers to manage their own SSH keys and making the owner root is a
significant security risk and not a recommended practice. It also doesn't centralize management.
Option D: This approach also involves managing individual SSH keys and custom scripts, which
increases operational overhead and doesn't leverage the centralized management benefits of OS
Login.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
OS Login and its benefits for simplified and secure Linux VM access management are detailed in the
Compute Engine documentation, which is a key area for the Associate Cloud Engineer certification.
The integration with IAM for permission control is a central aspect of this service.
Question # 17
(You are migrating your on-premises workload to Google Cloud. Your company is implementing its Cloud Billing configuration and requires access to a granular breakdown of its Google Cloud costs. You need to ensure that the Cloud Billing datasets are available in BigQuery so you can conduct a detailed analysis of costs. What should you do?)
A. Enable the BigQuery API and ensure that the BigQuery User IAM role is selected. Change the BigQuery dataset to select a data location. B. Create a Cloud Billing account. Enable the BigQuery Data Transfer Service API to export pricing data. C. Enable Cloud Billing data export to BigQuery when you create a Cloud Billing account. D. Enable Cloud Billing on the project and link a Cloud Billing account. Then view the billing data table in the BigQuery dataset.
Answer: C
Explanation:
The most direct and recommended way to get a granular breakdown of your Google Cloud costs in
BigQuery is to enable Cloud Billing data export to BigQuery when you create or manage your Cloud
Billing account. This automatically sets up a daily export of your billing data to a BigQuery dataset
you specify.
Option A: Enabling the BigQuery API and managing IAM roles are necessary for interacting with
BigQuery, but they don't automatically populate it with Cloud Billing data. Selecting a data location is
also important for BigQuery datasets but is a separate step from enabling billing export.
Option B: The BigQuery Data Transfer Service is used for transferring data from various sources into
BigQuery, but for Cloud Billing data, the direct export feature is the standard and simpler method.
Option D: Enabling Cloud Billing and linking an account makes billing data available in the Cloud
Billing console, but it doesn't automatically export it to BigQuery for detailed analysis. You need to
explicitly configure the BigQuery export.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
The process of setting up Cloud Billing export to BigQuery is clearly documented in the Google Cloud
Billing documentation, which is a fundamental area for the Associate Cloud Engineer certification.
Understanding how to access and analyze billing data is crucial for cost management.
Question # 18
(You are deploying a web application using Compute Engine. You created a managed instance group (MIG) to host the application. You want to follow Google-recommended practices to implement a secure and highly available solution. What should you do?)
A. Use a proxy Network Load Balancer for the MIG and an A record in your DNS private zone with the load balancer's IP address. B. Use a proxy Network Load Balancer for the MIG and a CNAME record in your DNS public zone with the load balancer's IP address. C. Use an Application Load Balancer for the MIG and a CNAME record in your DNS private zone with the load balancer's IP address. D. Use an Application Load Balancer for the MIG and an A record in your DNS public zone with the load balancer's IP address.
Answer: D
Explanation:
For a web application (typically using HTTP/HTTPS), an Application Load Balancer is the
recommended choice as it operates at Layer 7, providing features like content-based routing, SSL
termination, and improved security. To expose the application publicly, you would need to use a
public DNS zone. An A record in a public DNS zone maps a domain name to the public IP address of
the Application Load Balancer. Using a CNAME record would also work but is generally
recommended for aliasing one domain name to another, not directly to an IP address.
Option A & B: Network Load Balancers operate at Layer 4 (TCP/UDP) and lack the application-level
features of an Application Load Balancer. Private DNS zones are for internal name resolution within
your VPC, not for public access.
Option C: While an Application Load Balancer is the correct type, using a private DNS zone wouldn't
make the web application publicly accessible.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
The best practices for load balancing web applications on Google Cloud, including the use of
Application Load Balancers for Layer 7 traffic and the configuration of public DNS records (A or
CNAME) for public access, are detailed in the Google Cloud Load Balancing and Cloud DNS
documentation, both important for the Associate Cloud Engineer certification.
Question # 19
(Your company is modernizing its applications and refactoring them to containerized microservices. You need to deploy the infrastructure on Google Cloud so that teams can deploy their applications. The applications cannot be exposed publicly. You want to minimize management and operational overhead. What should you do?)
A. Provision a Standard zonal Google Kubernetes Engine (GKE) cluster. B. Provision a fleet of Compute Engine instances and install Kubernetes. C. Provision a Google Kubernetes Engine (GKE) Autopilot cluster. D. Provision a Standard regional Google Kubernetes Engine (GKE) cluster.
Answer: C
Explanation:
GKE Autopilot is a mode of operation in GKE where Google manages the underlying infrastructure,
including nodes, node pools, and their upgrades. This significantly reduces the management and
operational overhead for the user, allowing teams to focus solely on deploying and managing their
containerized applications. Since the applications are not exposed publicly, the zonal or regional
nature of the cluster primarily impacts availability within Google Cloud, and Autopilot is available for
both. Autopilot minimizes the operational burden, which is a key requirement.
Option A: A Standard zonal GKE cluster requires you to manage the nodes yourself, including sizing,
scaling, and upgrades, increasing operational overhead compared to Autopilot.
Option B: Manually installing and managing Kubernetes on a fleet of Compute Engine instances
involves the highest level of management overhead, which contradicts the requirement to minimize
it.
Option D: A Standard regional GKE cluster provides higher availability than a zonal cluster by
replicating the control plane and nodes across multiple zones within a region. However, it still
requires you to manage the underlying nodes, unlike Autopilot.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
The different modes of GKE operation, including Standard and Autopilot, and their respective
management responsibilities and benefits, are clearly outlined in the Google Kubernetes Engine
documentation, a core topic for the Associate Cloud Engineer certification. The emphasis on reduced
operational overhead with Autopilot is a key differentiator.
Question # 20
(You are migrating your companys on-premises compute resources to Google Cloud. You need to deploy batch processing jobs that run every night. The jobs require significant CPU and memory for several hours but can tolerate interruptions. You must ensure that the deployment is cost-effective. What should you do?)
A. Containerize the batch processing jobs and deploy them on Compute Engine. B. Use custom machine types on Compute Engine. C. Use the M1 machine series on Compute Engine. D. Use Spot VMs on Compute Engine.
Answer: D
Explanation:
Spot VMs (formerly known as preemptible VMs) are Compute Engine virtual machine instances that
are available at a much lower price than standard Compute Engine instances. However, Compute
Engine might preempt (stop) these instances if it needs to reclaim those resources for other tasks.
This makes Spot VMs ideal for batch processing jobs that are fault-tolerant and can handle
interruptions, as they can be restarted when resources become available again. This directly
addresses the requirement for a cost-effective solution for interruptible workloads.
Option A: While containerization offers portability and consistency, it doesn't inherently provide cost
savings for compute resources. You would still need to choose a cost-effective underlying compute
option.
Option B: Custom machine types allow you to tailor the CPU and memory configuration of your VMs,
which can optimize costs to some extent by avoiding over-provisioning. However, they don't offer
the significant cost reduction that Spot VMs provide.
Option C: The M1 machine series is a specific family of Compute Engine instances optimized for
memory-intensive workloads. While potentially suitable for the job's requirements, it doesn't
inherently address the cost-effectiveness requirement as directly as Spot VMs, which are priced
lower regardless of the machine series.
Reference to Google Cloud Certified - Associate Cloud Engineer Documents:
The concept and use cases for Spot VMs are explicitly covered in the Compute Engine section of the
Google Cloud documentation, which is a key area for the Associate Cloud Engineer certification. The
cost savings and suitability for fault-tolerant workloads are highlighted as primary benefits.
Question # 21
(You have an application running inside a Compute Engine instance. You want to provide the application with secure access to a BigQuery dataset. You must ensure that credentials are only valid for a short period of time, and your application will only have access to the intended BigQuery dataset. You want to follow Google-recommended practices and minimize your operational costs. What should you do?)
A. Attach a custom service account to the instance, and grant the service account the BigQuery Data Viewer IAM role on the project. B. Attach a new service account to the instance every hour, and grant the service account the BigQuery Data Viewer IAM role on the dataset. C. Attach a custom service account to the instance, and grant the service account the BigQuery Data Viewer IAM role on the dataset. D. Attach a new service account to the instance every hour, and grant the service account the BigQuery Data Viewer IAM role on the project.
Answer: C
Explanation:
Comprehensive and Detailed In Depth
Explanation:
The core requirements are secure access to a specific BigQuery dataset from a Compute Engine
instance, using short-lived credentials, adhering to Google's best practices, and minimizing
operational overhead.
A. Project-level IAM role: Granting the BigQuery Data Viewer role at the project level gives the
service account broad access to all BigQuery datasets within that project. This violates the principle
of least privilege, a fundamental security best practice, as the application should only have access to
the designated dataset.
B. Hourly new service account with dataset-level role: While this aims to achieve short-lived
credentials, the operational burden of creating, attaching, and managing IAM policies for a new
service account every hour is significant and not a Google-recommended practice for routine access.
It introduces unnecessary complexity and potential for errors.
C. Custom service account with dataset-level IAM role: This is the recommended and most efficient
approach. You create a dedicated Google Cloud service account specifically for this application. You
then grant this service account the necessary IAM role (e.g., BigQuery Data Viewer, or a more specific
custom role) directly on the target BigQuery dataset. When the Compute Engine instance runs as this
service account, the Google Cloud client libraries automatically handle the acquisition and rotation
of short-lived OAuth 2.0 access tokens from the instance's metadata server. This eliminates the need
to manage long-lived credentials (like service account keys) and ensures the application only has
access to the intended dataset. This adheres to the principle of least privilege and minimizes
operational costs.
D. Hourly new service account with project-level role: This option combines the high operational
overhead of frequently creating new service accounts with the security risk of granting overly
permissive project-level access. It is not a recommended practice.
Therefore, the most secure, cost-effective, and operationally efficient solution is to create a custom
service account, attach it to the Compute Engine instance, and grant it the appropriate BigQuery IAM
role specifically on the target dataset. The platform handles the short-lived credentials automatically.
Google Cloud Documentation Reference:
Creating and enabling service accounts for instances:
service-accounts - Emphasizes the importance of the principle of least privilege and avoiding
the management of long-lived service account keys when possible (relying on the metadata server
for short-lived tokens).
Question # 22
(Your company was recently impacted by a service disruption that caused multiple Dataflow jobs to get stuck, resulting in significant downtime in downstream applications and revenue loss. You were able to resolve the issue by identifying and fixing an error you found in the code. You need to design a solution with minimal management effort to identify when jobs are stuck in the future to ensure that this issue does not occur again. What should you do?)
A. Set up Error Reporting to identify stack traces that indicate slowdowns in Dataflow jobs. Set up alerts based on these log entries. B. Use the Personalized Service Health dashboard to identify issues with Dataflow jobs across regions. C. Update the Dataflow job configurations to send messages to a Pub/Sub topic when there are delays. Configure a backup Dataflow job to process jobs that are delayed. Use Cloud Tasks to trigger an alert when messages are pushed to the Pub/Sub topic. D. Set up Cloud Monitoring alerts on the data freshness metric for the Dataflow jobs to receive a notification when a certain threshold is reached.
Answer: D
Explanation:
Comprehensive and Detailed In Depth
Explanation:
The goal is to proactively identify stuck Dataflow jobs with minimal management effort. Let's analyze
each option:
A. Error Reporting for slowdowns: Error Reporting primarily focuses on capturing and aggregating
exceptions and errors (stack traces). While a stuck job might eventually throw an error, it might also
just become unresponsive without generating explicit errors. Relying solely on Error Reporting might
not provide timely detection of stuck jobs. Identifying stack traces that indicate slowdowns can also
be complex and require significant manual configuration and analysis.
B. Personalized Service Health dashboard: The Personalized Service Health dashboard provides
information about Google Cloud service incidents that might be affecting your resources. While it
can alert you to broader Dataflow service outages, it won't specifically identify individual stuck jobs
due to application-level errors or logic within your Dataflow pipeline.
C. Pub/Sub messages for delays, backup job, and Cloud Tasks alerts: This approach involves
significant custom implementation and management. You would need to instrument your Dataflow
jobs to detect delays, send messages to Pub/Sub, manage a backup job, and configure Cloud Tasks
for alerting. This adds considerable operational overhead and complexity.
D. Cloud Monitoring alerts on data freshness metric: Dataflow provides built-in metrics, including
"data freshness" (or similar metrics like "system lag" or "processing time"), which indicate how far
behind the pipeline is in processing data. If a job gets stuck, the data freshness will deteriorate
beyond an acceptable threshold. Cloud Monitoring allows you to easily set up alerts based on these
built-in metrics. This requires minimal custom coding and leverages the platform's existing
monitoring capabilities, aligning with the "minimal management effort" requirement.
Therefore, setting up Cloud Monitoring alerts on relevant Dataflow metrics like data freshness is the
most efficient and recommended way to detect stuck Dataflow jobs with minimal management
a comprehensive list of Dataflow metrics that can be used for monitoring and alerting.
Question # 23
(Your company was recently impacted by a service disruption that caused multiple Dataflow jobs to get stuck, resulting in significant downtime in downstream applications and revenue loss. You were able to resolve the issue by identifying and fixing an error you found in the code. You need to design a solution with minimal management effort to identify when jobs are stuck in the future to ensure that this issue does not occur again. What should you do?)
A. Set up Error Reporting to identify stack traces that indicate slowdowns in Dataflow jobs. Set up alerts based on these log entries. B. Use the Personalized Service Health dashboard to identify issues with Dataflow jobs across regions. C. Update the Dataflow job configurations to send messages to a Pub/Sub topic when there are delays. Configure a backup Dataflow job to process jobs that are delayed. Use Cloud Tasks to trigger an alert when messages are pushed to the Pub/Sub topic. D. Set up Cloud Monitoring alerts on the data freshness metric for the Dataflow jobs to receive a notification when a certain threshold is reached.
Answer: D
Explanation:
Comprehensive and Detailed In Depth
Explanation:
The goal is to proactively identify stuck Dataflow jobs with minimal management effort. Let's analyze
each option:
A. Error Reporting for slowdowns: Error Reporting primarily focuses on capturing and aggregating
exceptions and errors (stack traces). While a stuck job might eventually throw an error, it might also
just become unresponsive without generating explicit errors. Relying solely on Error Reporting might
not provide timely detection of stuck jobs. Identifying stack traces that indicate slowdowns can also
be complex and require significant manual configuration and analysis.
B. Personalized Service Health dashboard: The Personalized Service Health dashboard provides
information about Google Cloud service incidents that might be affecting your resources. While it
can alert you to broader Dataflow service outages, it won't specifically identify individual stuck jobs
due to application-level errors or logic within your Dataflow pipeline.
C. Pub/Sub messages for delays, backup job, and Cloud Tasks alerts: This approach involves
significant custom implementation and management. You would need to instrument your Dataflow
jobs to detect delays, send messages to Pub/Sub, manage a backup job, and configure Cloud Tasks
for alerting. This adds considerable operational overhead and complexity.
D. Cloud Monitoring alerts on data freshness metric: Dataflow provides built-in metrics, including
"data freshness" (or similar metrics like "system lag" or "processing time"), which indicate how far
behind the pipeline is in processing data. If a job gets stuck, the data freshness will deteriorate
beyond an acceptable threshold. Cloud Monitoring allows you to easily set up alerts based on these
built-in metrics. This requires minimal custom coding and leverages the platform's existing
monitoring capabilities, aligning with the "minimal management effort" requirement.
Therefore, setting up Cloud Monitoring alerts on relevant Dataflow metrics like data freshness is the
most efficient and recommended way to detect stuck Dataflow jobs with minimal management
a comprehensive list of Dataflow metrics that can be used for monitoring and alerting.
Question # 24
(You manage a VPC network in Google Cloud with a subnet that is rapidly approaching its private IP address capacity. You expect the number of Compute Engine VM instances in the same region to double within a week. You need to implement a Google-recommended solution that minimizes operational costs and does not require downtime. What should you do?)
A. Create a second VPC with the same subnet IP range, and connect this VPC to the existing VPC by using VPC Network Peering. B. Delete the existing subnet, and create a new subnet with double the IP range available. C. Use the Google Cloud CLI tool to expand the primary IP range of your subnet. D. Permit additional traffic from the expected range of private IP addresses to reach your VMs by configuring firewall rules.
Answer: C
Explanation:
Comprehensive and Detailed In Depth
Explanation:
The problem states that a subnet is nearing its IP address capacity, and the requirement is to expand
it without downtime and with minimal operational cost, following Google-recommended practices.
A. Creating a second VPC with the same subnet IP range and peering: While VPC Network Peering
allows communication between VPCs, having overlapping IP ranges is generally not recommended
and can lead to routing complexities if not managed carefully. It also adds operational overhead of
managing two VPCs. This is not the most straightforward or cost-effective solution for simply
expanding IP capacity within the same logical network.
B. Deleting and recreating the subnet: Deleting a subnet that contains active VM instances will cause
downtime for those instances, violating a key requirement.
C. Using the Google Cloud CLI tool to expand the primary IP range of your subnet: Google Cloud
allows you to expand the primary IP range of an existing subnet after it's created, as long as there are
no conflicting subnets in the VPC. This operation does not require deleting the subnet or restarting
the existing VMs within it, thus avoiding downtime. It's a direct and cost-effective way to increase the
available IP address space within the existing subnet. This is a Google-recommended practice for
handling subnet capacity issues.
D. Permitting additional traffic with firewall rules: Firewall rules control network traffic based on IP
ranges, protocols, and ports. They do not increase the number of available private IP addresses
within the subnet. This option does not address the core issue of IP address exhaustion.
Therefore, expanding the primary IP range of the existing subnet using the Google Cloud CLI is the
recommended solution that meets all the requirements: addressing IP capacity, minimizing
(Your company uses a multi-cloud strategy that includes Google Cloud. You want to centralize application logs in a third-party software-as-a-service (SaaS) tool from all environments. You need to integrate logs originating from Cloud Logging, and you want to ensure the export occurs with the least amount of delay possible. What should you do?)
A. Use a Cloud Scheduler cron job to trigger a Cloud Function that queries Cloud Logging and sends the logs to the SaaS tool. B. Create a Cloud Logging sink and configure Pub/Sub as the destination. Configure the SaaS tool to subscribe to the Pub/Sub topic to retrieve the logs. C. Create a Cloud Logging sink and configure Cloud Storage as the destination. Configure the SaaS tool to read the Cloud Storage bucket to retrieve the logs. D. Create a Cloud Logging sink and configure BigQuery as the destination. Configure the SaaS tool to query BigQuery to retrieve the logs.
Answer: B
Explanation:
Comprehensive and Detailed In Depth
Explanation:
The requirement is to export logs from Cloud Logging to a third-party SaaS tool with the least amount
of delay possible. Let's analyze each option:
A. Cloud Scheduler, Cloud Function, and querying Cloud Logging: This approach introduces a delay
based on the Cloud Scheduler's cron job frequency. The Cloud Function would periodically query
Cloud Logging, which might not capture the logs in real-time. This does not meet the "least amount
of delay possible" requirement.
B. Cloud Logging sink to Pub/Sub, SaaS tool subscribing to Pub/Sub: Cloud Logging sinks can be
configured to export logs in near real-time as they are ingested into Cloud Logging. Pub/Sub is a
messaging service designed for asynchronous and near real-time message delivery. By configuring
the sink to send logs to a Pub/Sub topic, and having the SaaS tool subscribe to this topic, logs can be
delivered to the SaaS tool with minimal delay. This aligns with the requirement for immediate
export.
C. Cloud Logging sink to Cloud Storage, SaaS tool reading Cloud Storage: Exporting logs to Cloud
Storage involves a batch-oriented approach. Logs are typically written to files periodically. The SaaS
tool would then need to poll or be configured to read these files, introducing a significant delay
compared to a streaming approach.
D. Cloud Logging sink to BigQuery, SaaS tool querying BigQuery: Similar to Cloud Storage, exporting
to BigQuery is more suitable for analytical purposes. The SaaS tool would need to periodically query
BigQuery, which introduces latency and is not the most efficient way to achieve near real-time log
delivery.
Therefore, configuring a Cloud Logging sink to Pub/Sub and having the SaaS tool subscribe to the
Pub/Sub topic provides the lowest latency for exporting logs.
