PCA Cheat Sheet
Designing & Planning Architecture
Business Requirements
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Split every business goal into a functional and a non-functional requirement
A business goal becomes architectable only when you separate what the system must do (the functional requirement) from how well it must do it (the non-functional requirements: availability, latency, recovery, compliance). The non-functional requirement is what drives the service choice, so on a case study the binding constraint is usually a non-functional one even when the stem leads with a feature. Name it first, then the right Google Cloud product follows from it.
Trap Picking the service from the stated feature instead of the non-functional constraint; a global storefront that needs strong global consistency is a Spanner question, not just any regional database that also serves storefronts.
- Read the exam case study for the requirement, not the surface feature
Altostrat, Cymbal, EHR Healthcare, and KnightMotives stems wrap the testable constraint in a business narrative. Underline the numbers and the must/never clauses, because those are the requirements; the surrounding prose is context. The correct answer is the one that satisfies the binding constraint, so extracting it is the first move on any case-study question.
- The tighter the RTO and RPO, the more the architecture costs
Recovery targets set the cost: Google states that the smaller the RTO and RPO, the more the application costs to run, because faster recovery needs warmer, more-replicated infrastructure. Use the stated tolerance to pick the cheapest pattern that still meets it, and resist gold-plating a workload to a stricter tier than the business asked for.
Trap Defaulting every workload to a hot, multi-region active design; a workload whose owners accept a few hours of downtime is over-provisioned and over-billed by that choice.
- Choose a disposition per workload: build, buy, modify, or deprecate
Each existing system gets a disposition. Build a cloud-native service only when no managed option meets the functional requirement; buy a managed service or SaaS when one already does, because it offloads operational work; modify (refactor or containerize) an app that has value but does not fit as-is; deprecate a capability the business no longer needs, which is the cheapest outcome. The default lean is buy and modify over build.
Trap Reaching for a custom build when a managed service already meets the requirement; building adds the run-and-staff burden a buy decision avoids and is justified only when no managed product fits.
- Prefer buying a managed service to cut operational load
A managed or SaaS service that meets the requirement carries the lowest operational load, because Google runs the platform while you run only your data and configuration. That offload is itself a design goal: it frees the team you would otherwise have to staff to operate a self-built equivalent. Build custom only when the functional requirement has no managed answer.
- Deprecating an unneeded capability is the cheapest disposition
Before deciding how to move a workload, ask whether the business still needs it at all. Retiring a capability nobody uses removes its entire run cost immediately, which beats any migration of it. Disposition analysis starts with the still-needed question, not with how to rehost.
- Cloud spend is mostly OpEx, so compare on total cost of ownership
Most cloud resources are billed as OpEx (you pay as you consume) rather than the up-front CapEx of buying hardware. The decision-grade comparison you put to a business owner is therefore total cost of ownership over time, not a one-time sticker price. This shift is what lets a pay-as-you-go option beat owned hardware once utilization and lifecycle are counted.
- The cost-optimization pillar's first principle is align spend with business value
Google's cost optimization pillar rests on four principles: align cloud spending with business value, foster a culture of cost awareness, optimize resource usage, and optimize continuously. "Align spending with business value" is the exam's favourite: a cheaper option that misses a non-functional requirement is not cost-optimal, because it fails the requirement it existed to satisfy. Cost-optimal means cheapest among the options that actually meet the requirements.
Trap Picking the lowest-price option that breaks a stated requirement; cost optimization means cheapest that still meets every requirement, not cheapest overall.
- The Well-Architected Framework has exactly six pillars
The Google Cloud Well-Architected Framework defines six pillars: operational excellence; security, privacy, and compliance; reliability; cost optimization; performance optimization; and sustainability. The exam guide names familiarity with this framework as a key requirement for the role, so mapping each business goal to the pillar it stresses surfaces the non-functional requirements behind it.
Trap Counting five pillars or dropping sustainability; sustainability is a full, named pillar of the framework alongside the other five.
- Agree the KPI and its baseline before launch, and instrument for it
An architecture is judged against success measurements the business already tracks, such as key performance indicators (conversion rate, cost per transaction, p99 latency) and return on investment. Define the KPI and capture its baseline before launch so there is a measurable target, and design observability in from the start so the signal is actually collected. A solution that meets its functional spec but reports no agreed metric cannot prove value.
Trap Bolting on metrics after launch with no pre-launch baseline; without the baseline you cannot show the change a KPI is supposed to measure.
- Name the integration pattern: synchronous API, async messaging, or batch
How a solution exchanges data with external systems is a requirement that constrains the network, messaging, and storage choices downstream, so decide it during requirements analysis. A synchronous request/response API suits an immediately-needed answer and is governed with an API management layer such as Apigee; asynchronous messaging with Pub/Sub decouples a fast producer from slower consumers and absorbs spikes; a scheduled batch transfer fits large, periodic, latency-tolerant loads.
Trap Reaching for a synchronous API to connect a fast producer to a slow or bursty consumer; that couples their rates, so asynchronous messaging is the pattern that absorbs the spike.
- Surface data-movement volume and latency tolerance during requirements
Data-movement needs (volume, frequency, one-time versus ongoing, on-premises source versus cloud-native) feed directly into later design choices, so capture the volume and latency tolerance early. A one-time bulk ingest of very large data is a transfer-appliance decision, while an ongoing low-latency event stream is a streaming-pipeline decision. The requirements stage's job is to make those numbers explicit, not to pick the tool.
- Treat security, compliance, and data residency as hard requirements from the first decision
Regulatory rules (HIPAA for health records, PCI DSS for card data, data sovereignty for a region-bound business) are non-functional requirements that constrain the design from the start, exactly like an availability target. Fold them in at requirements time rather than retrofitting, because a residency or compliance rule can rule out an entire region or service that an otherwise-cheaper answer relied on.
Trap Choosing the cheapest or most elegant option and adding compliance later; a data-residency rule can invalidate the region or service that option depended on, forcing a redesign.
- Work case-study options by eliminating any that break a hard requirement
The recognizable stem states a business outcome plus a constraint and asks for the option that best meets the requirements. Distractors typically each break one requirement: one is cheaper but misses the RTO, one is elegant but violates a compliance rule, one over-provisions for a need never stated. Eliminate every option that breaks a hard requirement, then pick the cheapest survivor.
Technical Requirements
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Network, Storage & Compute Design
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A VPC is a global resource; its subnets are regional
A VPC network, with its routes and firewall rules, is global and not tied to any region, while each subnet lives in exactly one region. One VPC therefore spans every region you use: you add a regional subnet wherever workloads sit and they share one routing fabric over internal IP. This is why GCP needs no separate network per region the way some clouds do.
Trap Assuming you must build a separate VPC per region; the VPC is global and you only add a regional subnet per region.
- Reaching another VPC or on-premises still needs an explicit connection
A global VPC removes per-region network sprawl, but it does not auto-connect to a different VPC or to on-premises. Joining a separate network requires VPC Network Peering for VPC-to-VPC, or Cloud VPN / Cloud Interconnect for hybrid. Connectivity within one VPC is automatic over internal IP; connectivity between distinct networks is not.
Trap Assuming two separate VPCs can reach each other by internal IP without peering; distinct networks need an explicit connection.
- Use a global external Application Load Balancer for internet-facing multi-region HTTP(S)
Application Load Balancers are proxy-based Layer 7 load balancers with content-based routing. The global external variant fronts an internet-facing app with backends across multiple regions behind a single anycast IP. Choose it whenever the requirement is HTTP/HTTPS-aware routing for a public web app at global scale.
Trap Picking a Network Load Balancer for an HTTP app that needs URL or header-based routing; that L4 balancer cannot see Layer 7 content.
9 questions test this
- Cymbal Retail is deploying a new global e-commerce application that will serve HTTP/HTTPS traffic to customers worldwide. The application…
- You are designing a load-balanced solution for a web application that requires session affinity at the HTTP layer. The application uses…
- Altostrat Media is building a global video streaming metadata API using Cloud Run. To reduce latency, they plan to deploy Cloud Run…
- Altostrat Media is expanding their video streaming platform globally to serve customers in North America, Europe, and Asia-Pacific. They…
- Cymbal Retail is deploying a new e-commerce application that serves customers globally. The application has backends in us-central1 and…
- Cymbal Retail is deploying a new e-commerce platform that will serve customers globally. The application uses HTTP/HTTPS traffic, and the…
- Cymbal Retail is expanding their e-commerce platform from North America to serve customers in Europe and Asia. They need to minimize…
- Cymbal Retail is deploying a global e-commerce platform that must serve customers across North America, Europe, and Asia-Pacific regions.…
- KnightMotives Automotive is deploying a new version of their vehicle configuration API. The team wants to gradually shift traffic from the…
- A passthrough Network Load Balancer is Layer 4 and preserves the client source IP
Network Load Balancers operate at Layer 4 for TCP and UDP. The passthrough variant forwards packets without terminating the connection, so it preserves the original client source IP and is regional in scope. Reach for it when the workload needs raw TCP/UDP or must see the real client IP, rather than HTTP-aware routing.
Trap Assuming an Application Load Balancer preserves the client source IP; as a proxy it terminates the connection, so the backend sees the proxy.
- Private Service Connect reaches a service over a private IP without exposing the network
Private Service Connect (PSC) lets a consumer reach Google APIs or a published service over an internal IP inside its own VPC, so traffic stays off the public internet. It is service-oriented: consumer traffic can reach only the service's endpoint, not an entire network. That is the line between PSC and VPC Network Peering, which joins whole networks bidirectionally.
Trap Using VPC Peering to expose one managed service privately; peering grants reachability to the entire peered network, whereas PSC exposes a single endpoint.
5 questions test this
- KnightMotives Automotive's security team requires that ML inference for their vehicle diagnostics system must not traverse the public…
- EHR Healthcare has trained a custom TensorFlow model for medical image analysis using Vertex AI. The model must be accessible only from…
- Altostrat Media is integrating a custom ML model into their existing on-premises media processing pipeline. The model will be deployed on…
- EHR Healthcare is implementing a medical image classification system using Vertex AI. Due to strict data privacy requirements, all…
- EHR Healthcare is deploying a custom-trained medical imaging model on Vertex AI for real-time diagnostic assistance. Due to HIPAA…
- Choose the most managed compute rung the workload tolerates
GCP compute runs a ladder from most control to most managed: Compute Engine, GKE, Cloud Run, Cloud Run functions, ordered by degree of abstraction. Each step up removes operational work like patching, scaling, and capacity planning, so the default move is to pick the highest rung that still meets the workload's needs rather than defaulting to VMs.
Trap Defaulting to Compute Engine VMs for a stateless container app that Cloud Run would run with no infrastructure to manage.
- Use Compute Engine when you need OS control, GPUs, or licensed software
Compute Engine gives full OS-level control, custom system packages, GPU and TPU attachment, no request timeout, and background processes. Google lists licensed and legacy software (relational databases, SAP HANA, ERP) as its use cases. It is the right rung when the workload needs the operating system itself, not just a place to run a container.
- Use Cloud Run for stateless HTTP services that should scale to zero
Cloud Run runs stateless, container-based HTTP services and APIs, scales to zero when idle (the last instance is removed), and bills only for what is used. It is request-driven, so it is the default for web apps and APIs but not for a long-running background daemon or a process that needs local persistent state.
Trap Putting a long-running background process or a stateful daemon on Cloud Run; it is request-driven, so use Compute Engine or GKE instead.
- Use GKE for many coordinated containers; Autopilot is the managed default
GKE is the choice when containerized workloads need full Kubernetes orchestration: many coordinated services, custom controllers, or complex multi-service deployments. It runs in two modes: Autopilot, where Google manages the node infrastructure and you pay for the resources your workloads request, and Standard, where you manage the node pools yourself. Autopilot is the recommended default.
Trap Reaching for GKE to run a single stateless service; Cloud Run carries no cluster to manage, so GKE only pays off when you actually need orchestration.
- Use Cloud Run functions for short, event-driven tasks
Cloud Run functions (formerly Cloud Functions) is the most managed compute rung: short, event-driven functions triggered by HTTP, Cloud Storage, or Pub/Sub events. It fits glue logic such as reacting to an uploaded file or a published message, not long-running services.
- Run only interruption-tolerant work on Spot VMs
Spot VMs run on spare Compute Engine capacity at up to roughly 91% off on-demand, but Google can reclaim them at any time after a brief best-effort shutdown notice. They suit fault-tolerant, interruption-tolerant work like batch jobs and CI, where a lost node just reruns; they are the current generation of the older preemptible VMs. For steady, always-on workloads, a committed-use discount on reserved capacity is the cost play instead.
Trap Putting stateful databases or user-facing servers on Spot VMs; a reclaim can terminate them at any time and lose in-flight work.
5 questions test this
- Altostrat Media needs to run GPU-accelerated video transcoding workloads on GKE. The workloads are batch-oriented and can tolerate…
- Your company runs a batch processing application that can tolerate interruptions and typically completes jobs within 4-6 hours. The…
- Altostrat Media is migrating a video transcoding service to Google Cloud. The service requires sustained high CPU performance and can…
- Your organization runs batch processing workloads on GKE that are fault-tolerant and can be interrupted without significant impact. The…
- EHR Healthcare needs to run a nightly batch processing job that analyzes large datasets for medical research. The job is fault-tolerant and…
- Use a custom machine type to right-size vCPU and memory independently
Custom machine types let you set vCPU and memory independently rather than rounding up to a predefined shape, which removes waste when a workload's CPU-to-memory ratio does not match a standard size (for example memory-heavy but CPU-light). It changes only sizing, not the workload's behavior, so it trades a little sizing effort for a lower bill.
- Pick a Cloud Storage class by access frequency, not by data size
Cloud Storage's four classes (Standard, Nearline, Coldline, Archive) share the same low-latency access and eleven-nines (99.999999999%) annual durability, and differ only in cost and minimum storage duration: Standard none, Nearline 30 days, Coldline 90 days, Archive 365 days. Colder classes cost less to store but more to retrieve, so the class follows how often you read the data.
Trap Choosing Archive for data read often to save on storage cost; its higher retrieval cost and 365-day minimum make frequent access expensive.
3 questions test this
- KnightMotives Automotive stores vehicle telemetry data in Cloud Storage using Coldline storage class. The data must be retained for 2 years…
- EHR Healthcare generates daily backup files that must be retained for exactly 7 years to comply with healthcare regulations. The backups…
- Cymbal Retail stores customer transaction data in Cloud Storage buckets with Standard storage class. The data is actively accessed for 30…
Filestore is fully managed NFS file storage with POSIX semantics, file locking, and concurrent multi-writer access, mountable by many VMs or GKE pods at once. Reach for it when a lift-and-shift app or an HPC or rendering fleet needs a shared file system, which Persistent Disk (single-VM block) and raw Cloud Storage (object) cannot provide.
Trap Using Cloud Storage or a Persistent Disk where the requirement is a shared POSIX file system across many clients; that is Filestore's job.
- Choose Spanner over Cloud SQL only when global scale and HA are required
Cloud SQL is managed relational (MySQL, PostgreSQL, SQL Server) for a regional transactional app and is the default relational store. Spanner is relational with horizontal, globally-distributed scale and strong consistency at up to a 99.999% availability SLA, but it carries that cost. Pick Spanner only when global scale or horizontal write scale is a genuine requirement.
Trap Reaching for Spanner for a small single-region app; Cloud SQL fits, and Spanner's global-scale design is unnecessary cost there.
- Bigtable for high-throughput wide-column; Firestore for document data
Bigtable is a NoSQL wide-column store for high-throughput, low-latency single-keyed workloads such as time-series, IoT, and financial data, scaling to billions of rows. Firestore is a serverless NoSQL document database with realtime sync and offline support, aimed at mobile, web, and server apps. Match the data model: wide-column high-throughput points to Bigtable, document with sync points to Firestore.
Trap Choosing Firestore for a high-throughput time-series or IoT ingestion workload; that single-keyed high-write pattern is Bigtable's.
- Buy AI as high up the effort ladder as the requirement allows
GCP's AI build options rise in effort and differentiation: a pre-trained API or Gemini model called as-is (no training, no differentiation), AutoML trained on your own data with minimal ML expertise, then custom training on Vertex AI for full control and differentiation. Pick the highest rung that meets the need, because each rung below custom training removes data-science and infrastructure work.
Trap Building a custom model when a pre-trained API or Gemini already meets the need; custom training only pays off when differentiation requires it.
- Vertex AI is the unified AI platform; Model Garden catalogs the models
Vertex AI is the unified platform for building, training, deploying, and serving models on GCP, and Gemini (Google's generative model family) is reached as a managed service through it. Model Garden is Vertex AI's catalog of foundation models spanning Google, partner, and open models, so an architect compares and deploys from one place. Agent Builder assembles agentic applications on top of these models.
- Use AutoML when an API is too generic but you have no data-science team
AutoML trains a high-quality custom model on your own labelled data with minimal ML expertise and automated model-building. It fits the middle case: a pre-trained API is too generic for the task, yet there is no data-science team to do custom training. It needs your labelled data but not deep ML skills.
- Cloud NAT gives private VMs outbound internet without exposing them
Cloud NAT lets VMs with no external IP make outbound connections (downloads, third-party APIs) while blocking all unsolicited inbound. It is a regional resource, so you need a gateway per region; for Shared VPC create it in the host project. Use manual NAT IP allocation with reserved static IPs when a partner must allowlist your egress addresses, and a custom subnet list to NAT only specific subnets.
Trap Cloud NAT is regional and outbound-only — it does not give inbound access, and one gateway does not cover other regions.
7 questions test this
- Cymbal Retail is deploying a fleet of Compute Engine VM instances in a custom VPC network to process sensitive customer data. The VMs must…
- KnightMotives Automotive is deploying applications across three regions: us-central1, europe-west1, and asia-east1. Each region has VMs…
- EHR Healthcare has deployed Compute Engine VMs without external IP addresses in a custom mode VPC subnet. The VMs need to download software…
- Your company is deploying a multi-tier application in Google Cloud with web servers in one subnet and database servers in another subnet…
- You are designing the network architecture for a new application deployment at Cymbal Retail. The application requires VMs without external…
- Cymbal Retail is deploying a new e-commerce application across multiple service projects using a Shared VPC architecture. The application…
- KnightMotives Automotive has VMs in a VPC network in the us-east1 region. Some VMs are in subnet-a using the 10.10.0.0/24 range, and others…
- Enable Autoclass when access patterns are unknown; lifecycle rules when they are known
Autoclass automatically moves each object between Standard, Nearline, Coldline, and (optional terminal) Archive based on its actual access, with no manual policy, and waives retrieval and early-deletion fees. Choose it when access patterns are unpredictable or unmonitored. Use Object Lifecycle Management instead when access is well understood and you want explicit age-based transition or delete rules.
Trap Manual lifecycle rules still incur retrieval and early-deletion charges; only Autoclass removes them.
12 questions test this
- Your company stores application logs in Cloud Storage with varying access patterns. Some logs are accessed daily for operational…
- Your company stores media assets in Cloud Storage for a video streaming platform. The access patterns vary significantly: new videos are…
- Cymbal Retail stores product images and promotional videos in Cloud Storage. Some content is accessed frequently during promotional…
- A media company uploads video content to Cloud Storage with unpredictable access patterns. Some videos go viral with millions of views,…
- Your company stores backup data in Cloud Storage using Coldline storage class. A recent audit revealed that some backups were deleted after…
- Cymbal Retail stores product images in Cloud Storage. Images are frequently accessed for the first 30 days after upload, occasionally…
- Altostrat Media has video content stored in Cloud Storage that is accessed by users worldwide. Data access patterns are highly…
- EHR Healthcare stores medical imaging files (X-rays, MRIs, CT scans) that are frequently accessed during the first 30 days after creation,…
- KnightMotives Automotive collects terabytes of vehicle telemetry data daily that must be stored cost-effectively. Data access patterns are…
- Cymbal Retail stores customer transaction data in Cloud Storage buckets with Standard storage class. The data is actively accessed for 30…
- Altostrat Media stores video content that is streamed to users globally. New videos are highly popular for the first 7 days with frequent…
- Altostrat Media stores large volumes of user-generated content in Cloud Storage. The data access patterns are unpredictable - some content…
- When two lifecycle rules fire, Delete wins over SetStorageClass
If multiple Object Lifecycle Management conditions match the same object at once, Cloud Storage performs only one action, and a Delete action always takes precedence over a SetStorageClass transition. To keep objects from being deleted before an intended transition, set the delete rule's age higher than the transition ages.
- Bucket Lock with a locked retention policy is the WORM/immutable-storage answer
A bucket retention policy blocks deleting or overwriting objects until they reach the set age; locking it makes the policy permanent so the period cannot be shortened or removed by anyone, satisfying WORM and financial/healthcare retention mandates. Pair it with a colder storage class for cost and a lifecycle delete rule if objects should auto-delete after the period.
Trap An unlocked retention policy can still be removed or reduced by an admin — it must be locked to be immutable.
7 questions test this
- Your organization stores financial records in Cloud Storage that must be retained for 7 years without modification to meet SEC Rule 17a-4…
- A financial services company needs to store trading records in Cloud Storage to comply with SEC Rule 17a-4(f), which requires that records…
- A financial services company needs to store audit logs in Cloud Storage for 7 years to comply with SEC Rule 17a-4(f) regulations. The logs…
- EHR Healthcare must store patient medical records in Cloud Storage to comply with HIPAA regulations that require a minimum 7-year retention…
- EHR Healthcare must store patient medical records in Cloud Storage for a minimum of seven years to comply with regulatory requirements. The…
- EHR Healthcare generates daily backup files that must be retained for exactly 7 years to comply with healthcare regulations. The backups…
- EHR Healthcare needs to store medical imaging data that must be protected from modification or deletion for 7 years per HIPAA regulations.…
- Dual-region buckets give automatic regional failover; turbo replication backs a 15-min RPO
A dual-region (or configurable dual-region) bucket stores data redundantly across two named regions with automatic failover (RTO 0, no path change), useful when data must stay within a geography (e.g. the EU or NAM4 for the US). Turbo replication adds a 15-minute RPO for replication between the two regions.
Trap Turbo replication targets a 15-minute RPO between the two regions; standard dual-region replication is best-effort and can lag further behind.
- Pick the Persistent Disk by IOPS need; PD performance scales with size and vCPUs
Use pd-standard (HDD) for cheap sequential throughput, pd-balanced or pd-ssd for low-latency random database IOPS, and Extreme Persistent Disk (pd-extreme) to provision target IOPS independently of capacity for the highest-end databases. For pd-ssd/pd-balanced, IOPS scales with disk size and the VM's vCPU count, so resizing the disk (online, while attached to a running VM) raises its IOPS ceiling.
7 questions test this
- Cymbal Retail is migrating their transactional database to Compute Engine and requires consistent high IOPS performance with…
- Cymbal Retail is migrating a PostgreSQL database to a Compute Engine VM in the us-central1 region. The database handles high-volume…
- A company runs a stateful application on Compute Engine that uses a 500 GB balanced Persistent Disk. The application team reports that disk…
- Your organization is running a database workload on an N2 VM with a 200 GB pd-ssd Persistent Disk. The database team reports that read IOPS…
- You are designing a storage solution for a financial services application on Compute Engine. The application requires high IOPS performance…
- EHR Healthcare is deploying a new financial reporting database on Compute Engine. The database requires high IOPS performance for random…
- A data analytics company needs to select the appropriate Persistent Disk type for their Compute Engine workloads. They have two use cases:…
- BigQuery is the analytics warehouse; partition by date and cluster by filter columns
Use BigQuery for large-scale ad-hoc SQL, BI reporting, and complex joins over terabytes-to-petabytes — not Cloud SQL, which is for OLTP. Partition tables by a date column to prune scans on time-filtered queries and cluster on commonly filtered high-cardinality columns to cut data scanned, lowering both cost and latency.
Trap Cloud SQL handles transactional sub-second reads/writes; pushing analytical aggregations onto it instead of BigQuery is the wrong split.
4 questions test this
- Cymbal Retail is building a new analytics platform that requires storing 500 TB of historical transaction data. Business analysts need to…
- Your organization has a petabyte-scale data warehouse in BigQuery containing five years of sales transaction data. Analysts primarily query…
- Cymbal Retail is building a new customer analytics platform that stores billions of transaction records. Data analysts need to run queries…
- Cymbal Retail is migrating their transactional order processing system to Google Cloud. The application requires sub-second response times…
- Use Vertex AI batch prediction for accumulated data, online endpoints for low-latency
Batch prediction runs asynchronously against the model resource without deploying an endpoint, reading from and writing to BigQuery or Cloud Storage — the cost-effective choice for large overnight jobs where latency does not matter. Deploy to an online endpoint (with autoscaling) only when each request needs a low-latency synchronous response.
Trap An always-on endpoint for a nightly batch job wastes money; batch prediction needs no deployed endpoint.
7 questions test this
- Cymbal Retail's data science team has trained an AutoML tabular classification model to predict customer churn. The marketing team needs to…
- Cymbal Retail is integrating machine learning into their existing data analytics pipeline to personalize product recommendations. They have…
- A data analytics company processes customer feedback data hourly and needs to add sentiment classification using a Vertex AI AutoML model.…
- KnightMotives Automotive runs a nightly data pipeline that generates 500,000 vehicle diagnostic records. They need to classify each record…
- Cymbal Retail has developed an AutoML tabular model using Vertex AI to predict customer churn. The data science team runs this model…
- Cymbal Retail is planning to integrate machine learning predictions into their existing e-commerce platform. Their data science team has…
- Cymbal Retail has developed a product recommendation model using Vertex AI AutoML. The model needs to process millions of customer browsing…
- Node auto-provisioning lets GKE create right-sized node pools on demand
Node auto-provisioning extends the cluster autoscaler so GKE creates new node pools matching the hardware (CPU, memory, GPU/TPU) requested by pending Pods, instead of pre-defining every pool. You must set cluster-wide resource limits that cap total CPU, memory, and accelerators across all auto-provisioned pools.
Trap Plain cluster autoscaler only adds/removes nodes in existing pools; auto-provisioning is what creates the new pools.
4 questions test this
- Your company is implementing node auto-provisioning on an existing GKE Standard cluster to allow GKE to automatically create node pools…
- A company is running a GKE Standard cluster with multiple node pools. They want to enable autoscaling but are uncertain about the…
- Cymbal Retail is migrating its e-commerce microservices application to Google Kubernetes Engine (GKE). The application experiences…
- KnightMotives Automotive is deploying containerized workloads with diverse compute requirements on GKE. Some workloads require high-memory…
- PodDisruptionBudgets and the safe-to-evict:false annotation block node scale-down
The GKE cluster autoscaler will not remove an underutilized node if doing so would violate a PodDisruptionBudget or if a Pod carries cluster-autoscaler.kubernetes.io/safe-to-evict: false. Avoid restrictive PDBs on single-replica system Pods so they don't pin nodes, and reserve the annotation for Pods that genuinely must not be disrupted.
Trap A PDB on a single-replica Pod can block its node from being drained, keeping that node from scaling down.
4 questions test this
- A development team at Cymbal Retail is experiencing issues with their GKE cluster autoscaler not scaling down underutilized nodes. Upon…
- Altostrat Media is running a GKE Standard cluster with cluster autoscaler enabled. Operations noticed that certain nodes are not being…
- A company is running a GKE Standard cluster with cluster autoscaling enabled. They have deployed a critical application with three replicas…
- EHR Healthcare is running stateful database workloads on GKE alongside stateless API services. The cluster autoscaler is configured, but…
- Set Cloud Run minimum instances above zero to kill cold-start latency
Cold-start delays after idle periods come from scaling to zero; set minimum instances above zero to keep warm containers ready, and tune max concurrency so each instance absorbs more requests during spikes before new ones start. Startup CPU boost and caching connections in global scope further cut first-request latency.
4 questions test this
- EHR Healthcare is deploying a new patient appointment notification service on Cloud Run. The service must handle variable traffic with…
- EHR Healthcare is experiencing cold start latency issues with their Cloud Run service that handles patient appointment requests. The…
- Altostrat Media is deploying a latency-sensitive API on Cloud Run that processes real-time video metadata requests. During load testing,…
- Cymbal Retail is developing a microservices-based e-commerce platform using Cloud Run. During peak shopping seasons, their order processing…
- Hierarchical firewall policies enforce org/folder rules that lower levels cannot override
Hierarchical firewall policies attached at the organization or folder level are evaluated higher in the resource hierarchy and cannot be overridden by lower levels. Use allow/deny to enforce mandatory baseline rules across all projects, and the goto_next action to delegate the remaining decision to lower-level VPC firewall rules. In Shared VPC, a VM interface on a host-project network is governed by the host project's hierarchical firewall policy rules, not the service project's.
Trap A lower-level rule cannot override an allow/deny set higher up — only an explicit goto_next at the higher level hands the decision down.
4 questions test this
- KnightMotives Automotive is migrating their internal applications to Google Cloud using a Shared VPC architecture. The host project…
- KnightMotives Automotive is migrating a multi-tier application to Google Cloud using a Shared VPC architecture. The web tier VMs will be…
- A global enterprise is migrating multiple business units to Google Cloud. Each business unit operates independently in its own folder…
- Your organization has deployed multiple projects across several folders in Google Cloud. The security team wants to implement a centralized…
- Use service accounts or IAM-governed secure tags for firewall micro-segmentation
Base firewall rules on service accounts or IAM-governed secure tags rather than network tags so that assigning the identity requires IAM permission, preventing a developer from bypassing segmentation by tagging their own VM. Secure tags with network firewall policies enable identity-based micro-segmentation at the VM level.
Trap Network tags can be added by anyone who can edit the VM, so they don't stop a user from granting their VM unintended access; secure tags and service accounts are gated by IAM.
6 questions test this
- Altostrat Media is deploying a media processing application on Google Cloud. The application uses Compute Engine VMs organized into…
- Altostrat Media is deploying a multi-tier streaming application where the web tier receives traffic from the internet, processes it, and…
- Cymbal Retail is deploying a three-tier e-commerce application on Google Cloud. The application consists of web frontend servers,…
- Cymbal Retail is deploying a three-tier e-commerce application on Google Cloud. The application has web servers in the frontend subnet,…
- Cymbal Retail is deploying a new three-tier e-commerce application on Google Cloud with web, application, and database tiers. The security…
- KnightMotives Automotive is deploying microservices on Google Cloud and wants to implement micro-segmentation using firewall rules. The…
Migration Planning
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Future Improvements
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Managing & Provisioning Infrastructure
Network Topologies
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Cloud VPN runs over the public internet; Cloud Interconnect is a private link
The on-premises connectivity choice splits first on the path. Cloud VPN builds encrypted IPsec tunnels across the public internet, so it is quick to deploy and needs no physical gear, but bandwidth is per-tunnel and limited. Cloud Interconnect carries traffic over a private physical circuit that never touches the internet, giving far higher throughput at the cost of physical provisioning. When a scenario forbids internet transit or demands tens of gigabits, the answer is Interconnect; when speed-to-deploy and encryption matter more than raw bandwidth, it is VPN.
Trap Reaching for Cloud VPN when the requirement says traffic must not cross the public internet; VPN tunnels are internet-bound, only Interconnect keeps the path private.
- Use HA VPN and build two interfaces for the 99.99% SLA
HA VPN is the recommended Cloud VPN product for new designs; Classic VPN is the legacy option and only reaches a 99.9% SLA. HA VPN earns a 99.99% availability SLA for most topologies when configured with two interfaces connected to two peer devices; other configurations drop to 99.9%. Throughput is per-tunnel, roughly 1 to 3 Gbps (up to 250,000 packets per second), so you add tunnels to scale, which is why VPN suits modest bandwidth and Interconnect wins for tens of gigabits.
Trap Choosing Classic VPN for a new high-availability connection; it tops out at a 99.9% SLA, while a two-interface HA VPN reaches 99.99%.
- Dedicated Interconnect needs a colocation facility; Partner Interconnect uses a service provider
Both forms of Cloud Interconnect give a private path, and they differ only in who owns the last mile. Dedicated Interconnect runs your own 10-Gbps or 100-Gbps circuits into a Google colocation facility and is the most cost-effective choice for high bandwidth when you can reach one. Partner Interconnect uses a supported service provider to bridge the gap when you cannot reach a Google facility, with VLAN attachments from 50 Mbps to 50 Gbps. The deciding question is physical reach to a colocation facility.
Trap Recommending Dedicated Interconnect for an organization with no access to a Google colocation facility; that gap is exactly what Partner Interconnect exists to cover.
- Dedicated Interconnect circuits are 10, 100, or 400 Gbps; VLAN attachments scale 50 Mbps to 50 Gbps
Dedicated Interconnect provisions physical circuits at 10 Gbps, 100 Gbps, or 400 Gbps, and you can bundle up to 8 circuits per Interconnect for higher aggregate capacity. You then carve each circuit into VLAN attachments sized anywhere from 50 Mbps to 50 Gbps, which is how you map the physical capacity to individual VPC networks. Knowing the circuit sizes separates Interconnect (tens to hundreds of gigabits) from VPN (a few gigabits per tunnel) in a bandwidth question.
- Cross-Cloud Interconnect connects Google Cloud to another cloud, not to on-premises
When the far side is AWS, Microsoft Azure, OCI, or Alibaba Cloud rather than your data center, the product is Cross-Cloud Interconnect: a dedicated physical link that Google provisions to the other provider's network, at 10 Gbps or 100 Gbps (up to 400 Gbps on AWS and OCI). It is the multicloud answer. Dedicated Interconnect terminates at your own colocation equipment for on-premises reach, and VPN is internet-bound and bandwidth-limited, so neither fits a cloud-to-cloud requirement.
Trap Choosing Dedicated Interconnect to link Google Cloud to AWS; Dedicated Interconnect reaches your own colo, while Cross-Cloud Interconnect is the product built to land in another cloud provider.
- Direct and Carrier Peering reach Google APIs and Workspace, not VPC internal IPs
Direct Peering and Carrier Peering connect your network to Google's edge to reach Google APIs and Google Workspace, but they give no access to VPC resources over internal IPs and carry no SLA. So if a scenario only needs Workspace or public Google API access, peering can suffice without standing up Interconnect or VPN. If it needs to reach resources inside a VPC, peering is the wrong tool; use Cloud Interconnect or HA VPN instead.
Trap Using Direct or Carrier Peering to reach VM instances inside a VPC by internal IP; peering only reaches Google APIs and Workspace, with no VPC access and no SLA.
- VPC Network Peering is non-transitive
VPC Network Peering links exactly two VPC networks and exchanges their subnet routes so resources communicate over internal IPs at same-network latency. The defining limitation is that peering is not transitive: if net-a peers with net-b and net-a peers with net-c, net-b and net-c still cannot reach each other. Every pair needs its own peering, so a many-network mesh becomes unmanageable, which is precisely when you move to Network Connectivity Center.
Trap Assuming that peering net-a to net-b and net-a to net-c connects net-b and net-c; peering is non-transitive, so that path does not exist.
4 questions test this
- Your company has three development teams using separate Google Cloud projects with their own VPC networks: project-a with vpc-a, project-b…
- Your organization uses vpc-central to provide shared services to multiple project VPCs through VPC Network Peering. The vpc-central network…
- Your organization has three VPC networks: network-a, network-b, and network-c. Network-a is connected to network-b via VPC Network Peering,…
- Cymbal Retail has implemented a hub-and-spoke network architecture using VPC Network Peering. The hub VPC (network-a) in project-central…
- VPC Peering exchanges routes only, never firewall rules, and forbids overlapping ranges
Peered VPC networks stay administratively separate: peering exchanges subnet routes but does not share firewall rules, policies, or IAM, so each network keeps its own controls. Subnet ranges also cannot overlap, no range may match, contain, or fit within a range in the peered network. These constraints explain why peering is a routing link, not a merged network, and why security must be configured per network on both sides.
Trap Expecting firewall rules to carry across a peering so a rule on one side protects the other; peering exchanges routes only, each network enforces its own firewalls.
3 questions test this
- You are configuring VPC Network Peering between two VPC networks in different Google Cloud projects to enable private communication between…
- You have established VPC Network Peering between vpc-frontend in project-a and vpc-backend in project-b. Security team members in project-a…
- You are architecting a multi-project solution where project-a has vpc-a using the 10.10.0.0/16 subnet range, and project-b has vpc-b using…
- Network Connectivity Center gives transitive any-to-any connectivity via hub-and-spoke
When more than two networks must all reach each other, Network Connectivity Center (NCC) is the answer. NCC is a hub-and-spoke orchestration framework: spokes attach to a central hub and communicate transitively through it, supplying the any-to-any reachability that VPC Peering cannot. A spoke can be a VPC network or a hybrid link such as an HA VPN tunnel, a Cloud Interconnect VLAN attachment, or a router appliance, so one hub becomes the backbone for VPC-to-VPC, on-premises, and multicloud traffic together.
Trap Adding more VPC peerings to give many networks full any-to-any reachability; peering is non-transitive, so the mesh grows quadratically. NCC's hub provides transitivity instead.
Shared VPC does not connect separate networks; it places resources from many projects onto one VPC owned by a host project. The host project owns the subnets, routes, and firewalls, and service projects attach to it and deploy resources that use internal IPs from that shared network. The purpose is administrative separation of duties: a central network team controls the network while application teams deploy into it without managing it, the least-privilege split for enterprise networking.
Trap Reaching for VPC Peering when the requirement is one centrally-administered network for many project teams; peering keeps networks separately administered, while Shared VPC centralizes control under a host project.
Shared VPC has firm structural limits worth memorizing. A service project can attach to only one host project at a time, a project cannot be both a host and a service project, and all projects must belong to the same organization. Establishing the configuration requires the Shared VPC Admin role at the organization level. These constraints often decide whether a proposed Shared VPC layout is even valid.
- Application Load Balancers are Layer 7; Network Load Balancers are Layer 4
Cloud Load Balancing splits first on protocol layer. Application Load Balancers operate at Layer 7 and route HTTP and HTTPS by host, path, and headers, and can terminate TLS. Network Load Balancers operate at Layer 4 for TCP, UDP, and other IP protocols without reading the payload. So path-based or host-based HTTP routing requires an Application Load Balancer, while a raw TCP or UDP service requires a Network Load Balancer.
Trap Putting an Application Load Balancer in front of non-HTTP TCP or UDP traffic; Application LBs only handle HTTP and HTTPS, so Layer 4 traffic needs a Network Load Balancer.
- Use a passthrough Network Load Balancer to preserve the client source IP
Network Load Balancers come in two flavors. A passthrough Network Load Balancer forwards packets without terminating the connection, so the backend sees the original client source IP, which matters when the application logs or authorizes by client address. A proxy Network Load Balancer terminates the client connection and opens a new one to the backend, which is what you want for TLS offload on non-HTTP traffic but which hides the real source IP behind the load balancer.
Trap Choosing a proxy Network Load Balancer when the backend must see the real client IP; the proxy terminates the connection, so only a passthrough load balancer preserves the source IP.
- The global external Application Load Balancer fronts worldwide backends behind one anycast IP
Load balancers are offered as global or regional. The global external Application Load Balancer serves backends in regions around the world behind a single anycast IP address on the Premium network tier, so one address routes each user to the nearest healthy backend. A regional load balancer keeps backends in one region, which is the right call when data residency or a single-region service constrains the design. Choose global for worldwide reach, regional when geography is pinned.
- Use an internal load balancer for VPC and cloud-adjacent on-premises clients
The last load-balancer axis is exposure. An external load balancer accepts traffic from the public internet; an internal load balancer serves clients inside the VPC and cloud-adjacent on-premises clients reaching it over Cloud Interconnect or HA VPN. So an on-premises client arriving over Interconnect that needs to reach an HTTP service in your VPC by an internal address wants an internal Application Load Balancer, not an external one.
Trap Exposing a service that only serves VPC and on-premises clients through an external load balancer; an internal load balancer keeps it off the internet and still serves cloud-adjacent clients over Interconnect or VPN.
- VPC firewall rules are stateful, so return traffic is allowed automatically
VPC firewall rules are stateful: when a connection is allowed in one direction, the return traffic for that connection is permitted automatically, so you never write a separate rule for replies. The network also ships with two implied rules you cannot delete, an implied allow-egress that lets instances reach any destination and an implied deny-ingress that blocks all inbound until a rule allows it. Rules carry a priority from 0 to 65535 where lower wins, defaulting to 1000.
Trap Writing a separate inbound rule to permit the replies to an allowed outbound connection; the firewall is stateful, so return traffic on an established connection is already allowed.
- Apply org-wide controls with hierarchical firewall policies, not per-VPC rules
VPC firewall rules are scoped to a single network and are not shared across networks, even peered ones. When a control must apply across many networks at once, such as a company-wide block or a baseline health-check allow, hierarchical firewall policies attach at the organization or folder level and apply to every VPC beneath that node, which a project owner cannot override. Use hierarchical policies for centralized governance; keep per-VPC rules for network-specific needs.
Trap Trying to enforce an organization-wide firewall baseline by editing each VPC's own rules; that does not scale or prevent override. Hierarchical firewall policies at the org or folder level apply to every network below.
- Private Service Connect reaches managed services and Google APIs over internal IPs, no peering
The strongest access control is to never expose a service publicly. Private Service Connect (PSC) lets a consumer reach managed services and Google APIs such as Cloud Storage and BigQuery over internal IP addresses inside their own VPC, with traffic staying entirely within Google Cloud, no public internet path and no VPC peering required. It is how you give an application private access to a published service or a Google API without widening the attack surface.
Trap Setting up VPC Peering or a public endpoint to let a VPC consume a managed service privately; Private Service Connect gives that private internal-IP access without peering and without exposing the service to the internet.
- Set the VPC to Global dynamic routing mode to reach regions other than the Cloud Router's
A Cloud Router in Regional dynamic routing mode (the default) only advertises and learns routes for subnets in its own region. When VLAN attachments or VPN tunnels must carry traffic to or from resources in a different region than the Cloud Router, switch the VPC network to Global dynamic routing mode so routes propagate across all regions.
Trap Regional mode is the default, so cross-region Interconnect/VPN silently fails until you flip the whole VPC to Global — it is a VPC-wide setting, not a per-attachment one.
5 questions test this
- A multinational company has provisioned a Dedicated Interconnect connection in us-central1 and needs to create VLAN attachments to reach…
- Your company has established a Dedicated Interconnect connection in the us-west1 region. You need to create VLAN attachments that allow…
- Your organization has a VPC network with subnets deployed in us-east1 and us-west1 regions. You have configured an HA VPN gateway in…
- Cymbal Retail is deploying Dedicated Interconnect connections to achieve 99.99% availability for their mission-critical workloads. Their…
- Cymbal Retail has a Dedicated Interconnect connection and wants to create VLAN attachments that can reach subnets in a different Google…
- Cloud Router load-balances across attachments only with equal MED in the same region; lower MED wins
Advertised route priority is the BGP MED value, and a lower MED is preferred. To spread egress across multiple Interconnect VLAN attachments or VPN tunnels, place them in the same region and advertise the same prefix with identical MED so Cloud Router uses ECMP (a five-tuple hash). For active-passive failover instead, give the primary a lower MED and the standby a higher MED.
Trap ECMP hashes per flow, so a single TCP stream always pins to one tunnel — lopsided traffic is not a misconfiguration; test with multiple concurrent flows.
4 questions test this
- EHR Healthcare has provisioned a Dedicated Interconnect connection with a single 100-Gbps link. They need to create VLAN attachments to…
- You are troubleshooting connectivity issues for KnightMotives Automotive's HA VPN deployment. Two VPN tunnels are configured with BGP…
- You want to configure ECMP load balancing for egress traffic across multiple VLAN attachments on your Dedicated Interconnect connections.…
- Your organization wants to configure an active-passive HA VPN deployment where traffic prefers the primary tunnel but fails over to a…
- Cloud Router needs a private ASN different from the peer; Partner Interconnect forces ASN 16550
For HA VPN and Dedicated Interconnect, the Cloud Router must use a private ASN (16-bit 64512-65534 or 32-bit 4200000000-4294967294) that differs from the peer ASN, since Google Cloud only runs eBGP. Partner Interconnect is the exception: its Cloud Router must use the Google-owned ASN 16550.
Trap Partner Interconnect rejects a private ASN — 16550 is mandatory there, unlike Dedicated Interconnect which takes your private ASN.
4 questions test this
- Your organization is setting up Partner Interconnect to connect your on-premises data center to Google Cloud. You need to create a Cloud…
- Altostrat Media is creating a Cloud Router to establish BGP sessions with their on-premises data center through HA VPN. Their on-premises…
- Your organization is configuring an HA VPN gateway to connect your on-premises data center to Google Cloud. You need to create a Cloud…
- Your organization is configuring Partner Interconnect VLAN attachments to connect your on-premises data center to Google Cloud. The network…
- Network tags are VPC-local; use service accounts or secure tags for cross-network and hierarchical targeting
Network tags in a VPC firewall rule resolve only to instances in that same VPC, so they never match VMs reached through VPC Peering, and hierarchical firewall policies reject network tags entirely. To target VMs in those cases, use target service accounts or IAM-governed secure tags instead.
Trap A peered VM carrying the same network-tag string is not matched by the other network's rules, and a 'forgot the target tag' allow rule silently lets a lower-priority deny-all win.
4 questions test this
- Your company uses hierarchical firewall policies at the folder level to enforce security standards for development and production…
- You are configuring firewall rules for a multi-tier application in Google Cloud. The application has web servers, application servers, and…
- A security administrator has created VPC firewall rules in network-a using network tags to control traffic between VMs. Network-a is now…
- You have established VPC Network Peering between vpc-frontend in project-a and vpc-backend in project-b. Security team members in project-a…
Storage Systems
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Compute Systems
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Pick the highest compute rung that still meets the workload's hard constraints
Google Cloud's compute products order by abstraction from most control to most managed: Compute Engine (VMs), GKE (managed Kubernetes), Cloud Run (serverless containers), and Cloud Run functions (serverless functions). Each step up hands more operations (patching, node sizing, capacity) to Google, so the cost- and operations-optimal answer is the highest rung whose hard constraints you still satisfy. A real OS-level requirement pins you lower; the absence of one lets you climb.
Trap Reflexively choosing the most-managed option without checking constraints; a licensed OS or custom kernel forces Compute Engine no matter how convenient Cloud Run looks.
- Use Cloud Run for stateless, request-driven container services
Cloud Run runs any container that serves requests, autoscales on incoming traffic, and scales to zero when idle so you pay only while serving. It is the default for stateless HTTP services and APIs with bursty or intermittent load, because an idle service costs nothing and there is no cluster to manage.
Trap Standing up a GKE cluster for a single stateless service just to get autoscaling; that adds cluster management Cloud Run removes.
- Use Cloud Run functions for short event-driven code
Cloud Run functions (the current name for Cloud Functions) runs short snippets triggered by HTTP, Cloud Storage, or Pub/Sub events, with no server and no container build pipeline of your own. Reach for it when the workload is event glue rather than a long-running service; a full container service or VM is more than the job needs.
- Use GKE only when you genuinely need Kubernetes orchestration
GKE is the rung for multi-service systems that need Kubernetes-level control: service meshes, complex networking, DaemonSets, GPUs, or fine-grained scheduling. If the workload is a single request-driven service, Cloud Run gives scale-to-zero with no cluster; reserve GKE for true orchestration needs so you do not pay the cluster-management cost for nothing.
Trap Choosing Cloud Run for a multi-service platform that needs a service mesh, DaemonSets, or fine-grained scheduling; Cloud Run runs containers but offers no cluster-level orchestration.
- Default to GKE Autopilot; choose Standard only for node-level control
GKE Autopilot has Google provision, scale, secure, and upgrade the nodes, and bills only for the CPU and memory your running Pods request. Standard makes you size and manage node pools and pay per node whether or not Pods fill them. Autopilot is the recommended default for least operational overhead; pick Standard only when you need node-level control such as privileged DaemonSets, a specific machine family or sole-tenant placement, or GPU configurations Autopilot does not expose.
Trap Choosing Standard for least operational overhead; Standard hands node management and per-node billing back to you, the opposite of low-overhead.
- Tune Cloud Run with concurrency and minimum instances
Concurrency sets how many requests one Cloud Run instance handles at once: higher concurrency packs more requests per instance and lowers cost for lightweight requests, while concurrency of 1 isolates each request for CPU-heavy or non-thread-safe code. Minimum instances keeps a number of instances warm to avoid cold starts, trading the scale-to-zero saving for predictable first-request latency.
8 questions test this
- Your company is running a single-threaded Python application on Cloud Run with 4 vCPUs configured to handle memory-intensive image…
- EHR Healthcare is deploying a latency-sensitive Cloud Run service that connects to a Cloud SQL database with a maximum of 100 concurrent…
- Cymbal Retail has deployed a single-threaded Python application to Cloud Run that requires 8 GB of memory to process data-intensive product…
- Cymbal Retail is experiencing slow response times for their Cloud Run service during traffic spikes. Analysis shows that cold starts are…
- Altostrat Media is running a single-threaded image processing application on Cloud Run. Due to memory requirements, they must use 4 vCPUs…
- You are configuring a latency-sensitive Cloud Run service that connects to Cloud SQL and establishes database connections during container…
- Your organization is deploying a Python-based data processing Cloud Run service. Each request requires approximately 2 GiB of memory to…
- Your team at Cymbal Retail is deploying a single-threaded Node.js application to Cloud Run that requires 8 GiB of memory for in-memory…
- The managed instance group, not the VM, is the unit of scale and resilience
A managed instance group (MIG) builds identical VMs from an instance template and provides what a lone VM cannot: autohealing (recreate a VM that fails its health check), regional multi-zone placement (survive a zone failure), autoscaling, and automated rolling updates. Any production VM tier that must survive failure or absorb load belongs in a regional MIG behind a load balancer.
Trap Deploying hand-placed individual VMs for a tier that must self-heal or scale; an unmanaged VM has no autohealing, multi-zone spread, or autoscaling.
- MIG autoscaling runs on CPU, load-balancer capacity, or a Monitoring metric
The MIG autoscaler scales the group toward a target on one signal: average CPU utilization, serving capacity reported by an attached load balancer, or a Cloud Monitoring metric such as queue depth. You set the target value plus minimum and maximum instance counts, and it adds or removes VMs to hold the target.
- MIG autohealing replaces a VM that fails an application health check
Autohealing uses an application-based health check to detect a VM that is running but not serving correctly, and recreates it automatically. This catches a hung-but-running instance that CPU-based scaling would miss entirely, so a scenario about a VM that keeps serving errors and should be replaced automatically points at MIG autohealing, not at the autoscaler.
Trap Relying on the autoscaler to replace a hung VM; CPU-based scaling does not detect an unhealthy-but-running instance, only autohealing's health check does.
- Use custom machine types when the CPU-to-memory ratio does not fit a preset
Compute Engine custom machine types let you set vCPU and memory independently rather than rounding up to the next predefined shape, removing waste when a workload's CPU-to-memory ratio does not match a standard size. They change sizing only, not workload behavior.
Trap Rounding up to a larger predefined machine type to get enough memory; that overprovisions vCPU you do not need and pays for waste a custom type avoids.
- Use sole-tenant nodes when a license requires dedicated physical hardware
Sole-tenant nodes are physical Compute Engine servers that host only one project's VMs, satisfying bring-your-own-license terms for per-core or per-processor software such as Windows Server, SQL Server, or Oracle that mandate dedicated hardware. They report the physical server ID a VM runs on so you can track core and processor usage for license compliance. Standard multi-tenant VMs are cheaper but cannot meet a dedicated-hardware license requirement.
Trap Putting BYOL per-core software on standard multi-tenant VMs; the license term requiring dedicated hardware is not met, regardless of cost.
- Run only interruption-tolerant work on Spot VMs
Spot VMs use Compute Engine spare capacity for up to roughly 91% off on-demand, but Google can reclaim them at any time after a short best-effort shutdown notice; they are the current generation of preemptible VMs. That fits fault-tolerant, restartable work like batch processing, big-data jobs, CI fleets, and stateless web tiers behind a MIG, where a lost node just reruns. The same discount class is available as Spot Pods on GKE.
Trap Running a stateful, non-restartable job on Spot without checkpointing; one reclaim mid-task loses the in-flight state.
- Cut the cost of steady, always-on workloads with committed-use discounts, not Spot
For a predictable workload you know will run continuously, a one- or three-year committed-use discount lowers the rate while keeping full availability. Spot targets interruptible work and can be reclaimed, so it is the wrong cost lever for steady or production load. Sustained-use discounts also apply automatically with no commitment the longer an eligible VM runs in a billing month, and they are mutually exclusive with committed-use on the same usage.
Trap Offering Spot as the way to save money on a steady, always-on or production-database workload; Spot can vanish on a reclaim, which that workload cannot absorb.
- Patch a VM fleet centrally with VM Manager OS patch management
VM Manager's OS patch management reports patch compliance across the whole Compute Engine fleet and runs scheduled or on-demand patch jobs against many Linux and Windows VMs at once through the OS Config agent. The architecture answer for keeping a large fleet current is centralized patch orchestration, because SSHing into each VM to update it does not scale and drifts out of compliance.
Trap Managing patches by logging into each VM individually; it does not scale and leaves the fleet out of compliance, which is exactly what VM Manager exists to prevent.
- Climbing the ladder removes OS patching as your responsibility
On Cloud Run and GKE Autopilot, Google patches the underlying operating system, so OS patch management disappears from your operational burden. This is a concrete reason to climb the compute ladder when a workload allows it: the patching duty you would carry on Compute Engine VMs is one of the operations handed to Google on the managed rungs.
- Use Google Cloud VMware Engine to run an existing VMware estate as-is
Google Cloud VMware Engine (GCVE) runs the native VMware stack (vSphere, vSAN, NSX) on dedicated bare-metal nodes inside Google Cloud, so an organization can lift a vSphere estate into the cloud without re-architecting and keep its existing VMware tooling, operations, and licensing. Choose it when the requirement is to preserve the VMware operating model rather than to modernize onto native compute.
Trap Choosing GCVE when the goal is to modernize onto native managed services; it keeps the old VMware operating model instead of moving off it.
- GCVE preserves VMware; Migrate to VMs converts to native Compute Engine
GCVE runs VMware itself on dedicated nodes, whereas Migrate to Virtual Machines converts source VMs into native Compute Engine instances. The choice turns on intent: preserve the VMware stack and tooling (GCVE) versus land workloads as native VMs you then manage and optimize like any other Compute Engine instance (Migrate to VMs).
Trap Picking Migrate to VMs when the requirement is to keep running the native VMware stack; it drops the VMware layer by converting to Compute Engine VMs.
- Use the optimize-utilization autoscaler profile to scale GKE nodes down more aggressively
The cluster autoscaler's optimize-utilization profile removes underused nodes faster and bin-packs Pods onto already-loaded nodes, cutting cost at the price of slightly slower scheduling during spikes. The default balanced profile keeps more spare capacity for responsiveness.
Trap The profile only controls how aggressively nodes are removed; it does not protect critical Pods — annotate those separately so they are not evicted.
4 questions test this
- Your GKE cluster runs a mix of production critical services and batch processing workloads. You want to configure cluster autoscaling to…
- A development team at Altostrat Media is configuring a GKE cluster for a new video rendering pipeline that processes jobs during peak hours…
- Cymbal Retail is running batch analytics workloads on GKE Standard clusters using Spot VM node pools to reduce costs. The operations team…
- A media company is running a GKE Standard cluster with variable workloads that experience predictable daily traffic patterns. During…
- Pods block GKE scale-down via safe-to-evict:false, restrictive PodDisruptionBudgets, or kube-system Pods without a PDB
The cluster autoscaler will not remove a node whose Pods cannot be safely drained. A node stays up if a Pod has the cluster-autoscaler.kubernetes.io/safe-to-evict: false annotation, if a PodDisruptionBudget would be violated (e.g. maxUnavailable: 0), or if it runs kube-system Pods that lack a PDB. Loosen the PDB or add one to let scale-down proceed.
Trap Low utilization alone does not trigger scale-down — an idle node sticks around until every Pod on it is evictable.
4 questions test this
- Your GKE cluster runs a mix of production critical services and batch processing workloads. You want to configure cluster autoscaling to…
- Your organization is running a GKE Standard cluster with multiple node pools serving different workloads. You notice that the cluster…
- EHR Healthcare runs a GKE cluster with cluster autoscaler enabled. The operations team observes that nodes with low utilization are not…
- You are managing a GKE Standard cluster with autoscaling enabled. The cluster autoscaler is not scaling down underutilized nodes as…
Vertex AI ML Workflows
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Prebuilt AI APIs
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security & Compliance
Security Design
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Match the risk to the security layer, then the service is forced
Google Cloud security is defense in depth across four independent layers, and most PCA scenarios resolve once you name which layer owns the stated risk. Identity (IAM) answers who can act, the resource hierarchy plus Organization Policy answers what configurations are allowed, VPC Service Controls and context-aware access answer from where and under what conditions, and Cloud KMS, Secret Manager, and Sensitive Data Protection answer how the data itself is guarded. The layers are independent by design, so picking the layer first stops you from reaching for an IAM answer to a perimeter problem.
- A deny policy overrides any allow because IAM evaluates deny first
IAM always checks relevant deny policies before allow policies, so a matching deny blocks a permission no matter what role granted it, including an inherited Owner role. Allow policies are additive only and cannot subtract a permission, which is why removing access a principal inherits from a parent requires a separate deny policy rather than editing the allow. Deny policies attach at the organization, folder, or project level and support exceptionPrincipals so you can deny broadly while exempting break-glass accounts.
Trap Editing the allow policy to take away a permission a principal inherits from a folder; allow policies only add, so the inherited grant survives and you need a deny policy.
- Grant predefined or custom roles, not basic roles, for least privilege
IAM grants roles, which are bundles of permissions, to principals rather than granting permissions directly. Basic roles (Owner, Editor, Viewer) are coarse and project-wide and are almost always too broad for production. Prefer Google's predefined roles scoped to a service and job, and drop to a custom role when even a predefined role grants more than the task needs. Least privilege is the recurring correct answer whenever a scenario says a principal can do more than required.
Trap Granting Editor to give a service write access; Editor is a project-wide basic role that also permits far more than the one resource, breaking least privilege.
5 questions test this
- Cymbal Retail's security team needs to enforce the principle of least privilege for their developers who manage Cloud SQL instances. The…
- Your organization has recently standardized on Google Cloud and needs to implement least privilege access across 50 projects spanning…
- A multinational financial services company is migrating to Google Cloud. The security team wants to ensure that developers only have the…
- A multinational company is implementing least privilege access across their Google Cloud organization. Their security team has determined…
- A data engineering team at EHR Healthcare needs access to BigQuery datasets across multiple projects. Some team members require full…
- The resource hierarchy is org > folders > projects > resources, single-parent
The hierarchy has four levels: organization at the root, optional folders for grouping, then projects, then resources, and every resource except the organization has exactly one parent, making it a strict tree. Both IAM allow policies and Organization Policy constraints inherit downward, so where a project sits decides what it inherits. A project moved under a folder automatically picks up that folder's policies, which is why a clean hierarchy mirroring teams and environments is itself a control.
- Organization Policy governs what is configurable; IAM governs who can act
Organization Policy sets constraints on how resources can be configured and inherits down the hierarchy, where IAM sets who can take actions. They are complementary, not substitutes: IAM answers who, Organization Policy answers what. A constraint set at a folder applies to every project beneath it, so it is the tool for enforcing a rule across many projects at once rather than configuring each project by hand.
Trap Reaching for an IAM role to stop projects from creating resources in the wrong region; resource location is an Organization Policy constraint, not a permission.
- Enforce data residency with the Organization Policy resource-location constraint
When data must stay in a region or jurisdiction, set the resource-location constraint in Organization Policy at the org or folder level so every project below can only create resources in approved locations. Because the constraint inherits, you write it once high in the tree instead of per project, and new or moved projects pick it up automatically. This is governance, not an access decision, so no IAM change is involved.
- Disable service account key creation with an Organization Policy to enforce keyless access
An Organization Policy constraint can disable service account key creation across the hierarchy, turning no-downloaded-keys from a guideline into an enforced default. This pushes teams to Workload Identity Federation for external workloads and impersonation inside Google Cloud, removing the long-lived credential a leaked key represents. Pair it with break-glass exceptions only where a tool genuinely cannot federate.
- VPC Service Controls blocks data exfiltration even from callers with valid IAM
A VPC Service Controls service perimeter draws a boundary around projects and the Google-managed services in them, allowing free communication inside and blocking all communication across the boundary by default. The point that makes it the exfiltration answer is that it is independent of IAM: a caller holding valid IAM permissions is still blocked when the request crosses the perimeter. Controlled exceptions are ingress and egress rules, and you build the perimeter in dry-run mode first to log what would be blocked before enforcing.
Trap Tightening IAM roles to stop a stolen credential from copying data to an outside project; the credential is still valid, so only a VPC Service Controls perimeter stops the cross-boundary API call.
29 questions test this
- EHR Healthcare wants to enable secure data exchange between two separate VPC Service Controls perimeters. The analytics team in Perimeter A…
- Your organization has two separate service perimeters in VPC Service Controls: one protecting sensitive BigQuery datasets in Project A and…
- A financial services company is implementing VPC Service Controls to protect sensitive customer data stored in Cloud Storage and BigQuery.…
- A financial services company is migrating sensitive customer data to Google Cloud and must implement controls to prevent data exfiltration…
- Cymbal Retail is deploying a new data analytics platform using BigQuery and Cloud Storage. Before enforcing VPC Service Controls…
- EHR Healthcare needs to implement data sovereignty controls for patient data stored in Cloud Storage. The security team requires that data…
- Your organization has two separate service perimeters: Perimeter-A contains analytics projects with sensitive BigQuery datasets, and…
- EHR Healthcare has two separate teams managing sensitive data in different service perimeters. The analytics team needs to share…
- Your company is planning to implement VPC Service Controls to protect sensitive data in BigQuery and Cloud Storage. Before enforcing the…
- EHR Healthcare stores patient records in Cloud Storage buckets in the europe-west2 region. Regulatory requirements mandate that this data…
- Cymbal Retail is implementing VPC Service Controls to protect their BigQuery data warehouse containing customer purchase history. Before…
- Cymbal Retail has two separate teams: a data engineering team and a marketing analytics team. Each team has their own Google Cloud projects…
- Cymbal Retail is implementing VPC Service Controls to protect their BigQuery datasets containing sensitive customer information. Before…
- Cymbal Retail stores sensitive customer payment data in Cloud Storage and BigQuery within a regulated environment. The security team needs…
- Your organization has two separate teams managing different VPC Service Controls perimeters: one for the production environment and one for…
- Your organization stores highly sensitive healthcare data in Cloud Storage buckets within the 'us-central1' region. The compliance team is…
- Cymbal Retail is implementing VPC Service Controls to protect sensitive customer data stored in BigQuery and Cloud Storage. Before…
- Your organization is deploying VPC Service Controls to protect sensitive data in Cloud Storage and BigQuery. Before enforcing the…
- A healthcare organization needs to allow BigQuery jobs inside a VPC Service Controls perimeter to export query results to a Cloud Storage…
- EHR Healthcare is implementing VPC Service Controls to protect patient health information stored in BigQuery and Cloud Storage. Before…
- Altostrat Media needs to allow a partner organization outside their VPC Service Controls perimeter to read specific BigQuery datasets for…
- Cymbal Retail has a Shared VPC architecture with a host project containing the VPC network and multiple service projects running workloads.…
- Altostrat Media is designing a VPC Service Controls architecture for their multi-project Google Cloud environment. They need to protect…
- A healthcare company is configuring VPC Service Controls to protect their Vertex AI and Cloud Storage resources. They need to allow their…
- You are implementing VPC Service Controls for a new analytics platform. Before enforcing the perimeter in production, you want to validate…
- Cymbal Retail is deploying a new VPC Service Controls perimeter to protect BigQuery datasets containing customer PII. Before enforcing the…
- KnightMotives Automotive operates a multi-perimeter architecture with a data perimeter containing sensitive manufacturing data and a…
- Cymbal Retail has two business units that store sensitive customer data in separate Google Cloud projects within different VPC Service…
- EHR Healthcare is deploying a new patient records system using BigQuery and Cloud Storage across three different business units. Each…
- A service perimeter governs Google API access; a firewall governs VM traffic
VPC Service Controls and VPC firewall rules sound interchangeable but operate at different layers: a service perimeter controls API access to Google-managed services, while VPC firewall rules and hierarchical firewall policy filter packet-level network traffic between VMs. Per-instance network filtering is a firewall job; stopping data from leaving via a Google API is a perimeter job. Reading the layer keeps these apart.
Trap Using a VPC firewall rule to stop data exfiltration through the BigQuery or Cloud Storage API; firewalls do not see Google API access, so the perimeter is required.
- Identity-Aware Proxy gates app and SSH access by identity and context, no VPN
IAP provides a central authorization layer at the application level, so a user must hold the right IAM role and satisfy context conditions to reach an HTTPS app, rather than relying on a network-level VPN or open firewall port. IAP also does TCP forwarding for SSH and RDP to VMs, removing the need for bastion hosts and public IPs. This is the practical form of zero trust: trust nothing by network location, verify identity and context on every request.
Trap Opening a firewall port or standing up a VPN to expose an internal app when the scenario wants zero-trust access; IAP authorizes at the application layer by identity and context instead.
- Context-aware access adds device, IP, and location conditions on top of identity
Context-aware access lets you allow a request only when extra conditions hold, such as a managed device, a corporate IP range, or an approved region, layered on top of the IAM identity check. It is applied to applications through IAP and is bundled with endpoint and threat protections as Chrome Enterprise Premium (formerly BeyondCorp Enterprise). The model is that a valid identity is necessary but not sufficient; the access context must also pass.
6 questions test this
- A financial services company has deployed VPC Service Controls to protect Cloud Storage buckets containing customer financial records in…
- A global financial services company needs to allow their security operations team to access BigQuery audit logs protected by a VPC Service…
- EHR Healthcare stores patient records in Cloud Storage buckets in the europe-west2 region. Regulatory requirements mandate that this data…
- Altostrat Media has implemented VPC Service Controls to protect their video production data. External contractors who work remotely need to…
- A financial services company is using VPC Service Controls to protect their Cloud Storage buckets and BigQuery datasets. A new requirement…
- A healthcare company is configuring VPC Service Controls to protect their Vertex AI and Cloud Storage resources. They need to allow their…
- Encryption at rest is automatic with AES-256 and envelope encryption
Google encrypts all customer content at rest by default with AES-256, using envelope encryption where each data-encryption key (DEK) is wrapped by a key-encryption key (KEK), with no customer action required. With the default, Google owns and you cannot view or manage the KEK. The architectural decision is never whether to encrypt at rest but who controls the key, which is what CMEK changes.
- Use CMEK when you must own, rotate, or destroy the encryption key
Customer-managed encryption keys (CMEK) in Cloud KMS are keys you own, letting you set a rotation period, trigger rotations, and disable or destroy a key version. Disabling or destroying the CMEK makes the data it protected unreadable, which is the deliberate crypto-shredding technique for guaranteed data destruction. Reach for default encryption when there is no key-control requirement; reach for CMEK when compliance or revocation demands customer control of the key.
Trap Choosing CMEK to protect data while it is being processed in memory; CMEK controls keys for data at rest, but data in use needs Confidential VMs.
10 questions test this
- EHR Healthcare must store patient data encryption keys in hardware security modules that meet FIPS 140-2 Level 3 certification requirements…
- A financial services company needs to ensure that their Cloud Logging data meets strict encryption requirements for regulatory compliance.…
- Your organization processes credit card transactions and must comply with PCI DSS requirements for cryptographic key management. The…
- Your organization processes payment card data and must comply with PCI DSS requirements, which mandate regular key rotation for encryption…
- Cymbal Retail stores sensitive payment card data in Cloud Storage and BigQuery. To meet PCI DSS compliance requirements, the security team…
- Cymbal Retail processes credit card transactions and must comply with PCI DSS requirements for regular key rotation. They want to implement…
- Cymbal Retail is subject to strict financial regulations that require cryptographic keys to be stored and processed in hardware security…
- KnightMotives Automotive has strict data sovereignty requirements mandating that all audit logs must be encrypted using keys that the…
- A financial services company at Cymbal Retail requires encryption keys stored in FIPS 140-2 Level 3 certified hardware security modules for…
- Your company operates in a regulated financial services industry and must comply with PCI DSS requirements that mandate regular encryption…
- Cloud HSM for FIPS 140-2 Level 3 keys, Cloud EKM for keys outside Google
CMEK has protection-level options that form a ladder of control. Cloud HSM stores the key in a FIPS 140-2 Level 3 hardware security module when a hardware-backed key is mandated by policy or regulation. Cloud EKM (External Key Manager) keeps the key in an external system outside Google Cloud entirely, for when the key must never reside in Google. Plain CMEK is a software-protected key in KMS, sufficient when you need control but not a specific hardware or off-cloud requirement.
Trap Picking Cloud EKM when the requirement is only a hardware-backed key; EKM is for keys held outside Google, while a FIPS 140-2 Level 3 hardware key inside Google is Cloud HSM.
12 questions test this
- A financial services company is implementing customer-managed encryption keys using Cloud KMS to protect sensitive data in Cloud Storage…
- A healthcare company subject to HIPAA regulations requires that all cryptographic operations for protecting patient data be performed…
- EHR Healthcare must store encryption keys for patient health records in hardware-backed security modules to meet HIPAA and regulatory…
- EHR Healthcare must store patient data encryption keys in hardware security modules that meet FIPS 140-2 Level 3 certification requirements…
- Your organization must comply with FIPS 140-2 Level 3 requirements for all cryptographic operations on sensitive government workloads. You…
- Cymbal Retail stores sensitive payment card data in Cloud Storage and BigQuery. To meet PCI DSS compliance requirements, the security team…
- EHR Healthcare is migrating sensitive patient health information to Google Cloud and must meet HIPAA compliance requirements. The security…
- EHR Healthcare is migrating their electronic health record system to Google Cloud. The security team requires all encryption keys used for…
- EHR Healthcare must store patient health information in Google Cloud and comply with HIPAA regulations that require cryptographic…
- Cymbal Retail is implementing a defense-in-depth security strategy for their e-commerce platform on Google Cloud. They need to use Cloud…
- Cymbal Retail is subject to strict financial regulations that require cryptographic keys to be stored and processed in hardware security…
- A financial services company at Cymbal Retail requires encryption keys stored in FIPS 140-2 Level 3 certified hardware security modules for…
- Store application secrets in Secret Manager, never in code or config
Secret Manager centrally stores API keys, passwords, and certificates, versions them, gates access with IAM, and logs access to Cloud Audit Logs. Putting a secret in source code, an environment variable, or a config file makes it leak with the repo or image, which is exactly the risk Secret Manager removes. The exam answer to where the database password lives is Secret Manager.
- Prefer Workload Identity Federation over downloading a service account key
A downloaded service account key is a long-lived bearer credential and a top cause of cloud breaches when it leaks, so the design goal is to never create one. For a workload outside Google Cloud (on-premises, AWS, Azure, GitHub Actions, any OIDC or SAML 2.0 provider), Workload Identity Federation exchanges the external token at Google's Security Token Service for a short-lived federated token, with no key to store. External identities are managed in a workload identity pool, ideally one per environment.
Trap Downloading a service account key and shipping it to an external CI system because it looks simplest; the key is a standing credential, and federation gives short-lived tokens with nothing to leak.
- Use service account impersonation, not keys, for access inside Google Cloud
Inside Google Cloud, attach a service account to the resource (VM, GKE workload, Cloud Run service) so it gets credentials automatically, or use service account impersonation so a principal temporarily acts as the service account and receives a short-lived token. Neither approach ever creates a key file. Impersonation also gives an audit trail of who acted as the service account, which a shared exported key cannot.
- Binary Authorization admits only attested container images at deploy time
Binary Authorization is a deploy-time software supply-chain control that lets only container images conforming to a policy deploy to GKE, Cloud Run, and Cloud Service Mesh; non-conforming images are blocked and the violation is logged. Conformance is proven by an attestation, a signed statement from a trusted attestor that the image cleared a stage such as the approved build pipeline or vulnerability scanning. Run the policy in dry-run mode first to surface what would be blocked, mirroring the shift-left principle of catching defects before production.
Trap Relying on Artifact Analysis vulnerability scanning alone to keep bad images out of production; scanning reports findings but does not block a deploy, whereas Binary Authorization enforces the gate.
3 questions test this
- KnightMotives Automotive is rolling out a new Binary Authorization policy across their GKE clusters. Before enforcing the policy in…
- Cymbal Retail is implementing Binary Authorization for their GKE clusters. They want to test their new policy in production to identify…
- A financial services company is preparing to enforce Binary Authorization policies on their production GKE clusters. Before enabling…
- Admin Activity audit logs are always on; Data Access logs are off by default
Cloud Audit Logs answer who did what, where, and when, and are the backbone of security auditing. Admin Activity audit logs are always written and cannot be disabled, while Data Access audit logs are off by default and must be explicitly enabled because they can be high volume. A scenario that needs to prove who read sensitive data, not just who changed configuration, requires turning on Data Access logs.
Trap Assuming Data Access logs already capture who read a dataset; they are off by default, so reads go unlogged until you explicitly enable them.
Separation of duties keeps one person or team from holding end-to-end control. Shared VPC implements it for networking: a host project owns the subnets, routes, and firewall rules while service projects attach and run workloads, so a central network team controls the network and workload owners cannot change it. The same principle at the policy layer gives the Organization Policy Administrator role to a governance team distinct from the project owners who deploy.
- After key rotation the new version encrypts; old enabled versions still decrypt, and existing data is not re-encrypted
When you rotate a Cloud KMS key, the new key version becomes the primary version used for new encryption operations, but all enabled previous versions stay available so existing ciphertext keeps decrypting. Rotation never re-encrypts data already at rest, so to move existing data onto the new version you must explicitly decrypt and re-encrypt it (and only then disable or destroy the old versions).
Trap Assuming rotation automatically re-encrypts existing objects or that old versions are disabled — they remain active (and billable) until you act.
9 questions test this
- Your organization uses Cloud KMS to manage encryption keys for multiple applications. After rotating a symmetric encryption key, the…
- Cymbal Retail is implementing customer-managed encryption keys (CMEK) using Cloud KMS for their payment processing system. Their security…
- Cymbal Retail rotates their Cloud KMS customer-managed encryption keys (CMEK) every 90 days as required by their security policy. After…
- A healthcare organization uses Cloud KMS to manage encryption keys for patient data stored across multiple Google Cloud services. After…
- Your organization processes payment card data and must comply with PCI DSS requirements, which mandate regular key rotation for encryption…
- Altostrat Media uses Cloud KMS to manage encryption keys for their video content library. After a security audit, they need to rotate one…
- Cymbal Retail uses Cloud KMS with CMEK to encrypt customer data in Cloud Storage. After rotating a symmetric encryption key to a new…
- Altostrat Media rotates their Cloud KMS encryption keys annually to comply with PCI DSS requirements. After completing a key rotation for…
- Your company operates in a regulated financial services industry and must comply with PCI DSS requirements that mandate regular encryption…
- Cloud KMS automatic rotation works only for symmetric keys; asymmetric keys must be rotated manually
Cloud KMS supports a scheduled automatic-rotation period (e.g. 90 days) only for symmetric encryption keys. Asymmetric keys used for signing or encryption require manual rotation because extra steps are needed first — such as distributing the new public key — so you create new versions and promote them by hand.
Trap Setting an automatic-rotation schedule on an asymmetric key and expecting it to rotate — it silently won't.
13 questions test this
- A financial services company is implementing customer-managed encryption keys using Cloud KMS to protect sensitive data in Cloud Storage…
- EHR Healthcare must implement automatic key rotation for symmetric encryption keys used to protect patient health records in Cloud Storage.…
- EHR Healthcare is implementing a new encryption key management strategy for patient health records stored in Cloud Storage. Their…
- Your organization processes credit card transactions and must comply with PCI DSS requirements for cryptographic key management. The…
- Your organization processes payment card data and must comply with PCI DSS requirements, which mandate regular key rotation for encryption…
- Your organization uses Cloud KMS to manage encryption keys for sensitive financial data. The compliance team requires automatic key…
- Cymbal Retail stores sensitive payment card data in Cloud Storage and BigQuery. To meet PCI DSS compliance requirements, the security team…
- Cymbal Retail processes credit card transactions and must comply with PCI DSS requirements for regular key rotation. They want to implement…
- A healthcare organization is using Cloud KMS with Cloud HSM to protect sensitive patient data. They need to implement automatic key…
- Cymbal Retail is implementing a defense-in-depth security strategy for their e-commerce platform on Google Cloud. They need to use Cloud…
- Your company has a compliance requirement that symmetric encryption keys must be rotated every 90 days. You need to configure automatic key…
- Your organization has implemented Cloud KMS for encrypting sensitive data across multiple Google Cloud services. Your security team…
- Your company operates in a regulated financial services industry and must comply with PCI DSS requirements that mandate regular encryption…
- Disable to reverse instantly; scheduled-for-destruction versions can be restored during the grace period, and policy can enforce a longer delay
Disabling a key version blocks all cryptographic use immediately and is fully reversible, so it is the right move for a suspected compromise. Destruction is delayed: a version sits in the scheduled-for-destruction state (30 days by default) and can be reverted to disabled with RestoreCryptoKeyVersion until that period expires. Enforce constraints/cloudkms.minimumDestroyScheduledDuration to require a longer minimum delay, and constraints/cloudkms.disableBeforeDestroy to force a version to be disabled before it can be scheduled for destruction.
Trap Destroying a key version to take it out of service — disabling is the reversible action; destruction risks permanent data loss after the grace period.
6 questions test this
- Your company stores customer data encrypted with Cloud KMS customer-managed encryption keys. A key version was accidentally scheduled for…
- Cymbal Retail is designing their encryption key management architecture using Cloud KMS with customer-managed encryption keys. The security…
- Your organization needs to ensure that Cloud KMS encryption keys cannot be destroyed within 60 days of scheduling destruction to prevent…
- A security audit at Altostrat Media identified that a Cloud KMS key version may have been compromised. You need to immediately prevent…
- Your organization uses Cloud KMS to manage encryption keys for multiple applications. After completing a key rotation, you want to reduce…
- Altostrat Media's security team wants to implement a multi-step key destruction process that requires cooperation between multiple roles…
- Single-tenant Cloud HSM gives dedicated, quorum-controlled hardware; Autokey defaults keys to HSM protection
Single-tenant Cloud HSM provisions a dedicated cluster of HSM partitions for one customer's exclusive use, each partition cryptographically isolated from others, with a quorum approval model using asymmetric control keys for critical administrative operations, while keeping the standard Cloud KMS API (no code changes). Cloud KMS Autokey automates CMEK provisioning and creates keys at the HSM protection level by default (AES-256-GCM, one-year rotation); to create CMEK in locations where Cloud HSM is unavailable you must create the key manually.
Trap Reaching for multi-tenant Cloud HSM when the requirement is dedicated isolation plus quorum control — that calls for single-tenant Cloud HSM.
5 questions test this
- KnightMotives Automotive is implementing Cloud KMS Autokey to simplify their encryption key management across multiple projects. The…
- Cymbal Retail is implementing Cloud KMS Autokey to simplify CMEK management across their Google Cloud environment. The security team wants…
- A multinational company has regulatory requirements that mandate cryptographic isolation between their encryption keys and keys of other…
- Altostrat Media needs to ensure their Cloud KMS encryption keys are protected by dedicated hardware security modules that are not shared…
- A healthcare company is deploying a new application on Google Cloud that handles protected health information (PHI). Compliance…
- Security Command Center threat detection splits across Event, Container, and VM Threat Detection
Security Command Center (Premium/Enterprise) detects threats with three distinct services: Event Threat Detection scans Cloud Logging for things like anomalous IAM grants and data exfiltration, Container Threat Detection analyzes GKE container runtime behavior, and Virtual Machine Threat Detection scans VM memory from the hypervisor (agentless) for malware such as cryptominers and rootkits. Match each requirement (logs / containers / VMs) to the corresponding service.
Trap Expecting one detector to cover all three layers — VM cryptomining needs VM Threat Detection, not Event or Container Threat Detection.
3 questions test this
- KnightMotives Automotive has activated Security Command Center Premium tier at the organization level. The security team wants to detect…
- EHR Healthcare has deployed a fleet of Compute Engine VMs running Linux to process sensitive patient data. The security team is concerned…
- EHR Healthcare wants to implement comprehensive threat detection across their Google Cloud environment. They need to detect malware in…
- Cloud Armor Adaptive Protection uses ML to detect L7 DDoS and emits Security Command Center findings with suggested WAF rules
Cloud Armor Adaptive Protection (Cloud Armor Enterprise) applies machine learning to baseline traffic on a backend service, detect Layer 7 (HTTP) DDoS attacks, and generate alerts with attack signatures, confidence scores, and suggested WAF rules. Findings surface in the Cloud Armor dashboard, Security Command Center (Application DDoS Attacks category), and Cloud Logging; deploy a suggested rule in preview mode first and enable auto-deploy only once you confirm legitimate traffic is unaffected.
Trap Confusing Adaptive Protection (L7/HTTP application DDoS on load balancers) with advanced network DDoS protection, which guards passthrough Network Load Balancers and public-IP VMs.
6 questions test this
- Your organization runs a critical e-commerce application behind a global external Application Load Balancer on Google Cloud. The security…
- Your company runs a global e-commerce platform behind an external HTTP(S) load balancer protected by Cloud Armor. You need to implement…
- KnightMotives Automotive uses Security Command Center Enterprise to monitor security across Google Cloud and AWS. The security operations…
- A gaming company is experiencing HTTP flood attacks against their globally distributed web application. Cloud Armor Adaptive Protection has…
- Cymbal Retail operates an e-commerce platform behind a global external Application Load Balancer. The security team has noticed unusual…
- Cymbal Retail's e-commerce platform running on Google Cloud has been experiencing increased Layer 7 DDoS attacks targeting their HTTP…
- Use one unified VPC-SC perimeter and always include the Shared VPC host project
Google recommends a single large common unified service perimeter over many small ones for the most effective exfiltration protection and lower management overhead; isolate any workload needing a service not supported by VPC Service Controls into a separate project (or move it out of the perimeter). With Shared VPC you must include the host project in the perimeter alongside the projects that belong to the Shared VPC — omitting the host project leaves their network endpoints outside the perimeter because the subnets belong to the host project.
Trap Putting only the service projects in the perimeter under Shared VPC — omitting the host project makes service-project VM traffic look external and gets blocked.
5 questions test this
- Your organization is designing a VPC Service Controls architecture for a multi-project environment with sensitive data workloads. The…
- KnightMotives Automotive is using Shared VPC with a host project and multiple service projects containing sensitive manufacturing data in…
- EHR Healthcare is configuring VPC Service Controls to protect patient data stored in BigQuery from data exfiltration. They use a Shared VPC…
- Cymbal Retail has a Shared VPC architecture with a host project containing the VPC network and multiple service projects running workloads.…
- Altostrat Media is designing a VPC Service Controls architecture for their multi-project Google Cloud environment. They need to protect…
Compliance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Technical & Business Processes
Technical Processes
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Cloud Build runs CI; Cloud Deploy promotes across environments
Split the pipeline by stage: Cloud Build is the continuous-integration service that runs your build config as steps in containers (fetching dependencies, running unit, static-analysis, and integration tests, and producing artifacts), while Cloud Deploy is the continuous-delivery service that promotes a release through an ordered sequence of target environments such as dev, staging, then prod. Cloud Deploy sits downstream of any CI tool that outputs container images, so the two pair naturally but are distinct responsibilities.
Trap Putting your unit or integration test suite in Cloud Deploy; Cloud Deploy runs Skaffold verify against a target, your behavioral tests belong in the Cloud Build steps.
- Cloud Build defines a build as containerized steps from a build config
A Cloud Build build is specified by a build config (typically cloudbuild.yaml) that lists steps, and each step runs in its own Docker container, so any tool packaged as an image can be a step. A build trigger starts a new build on code changes from Cloud Source Repositories, GitHub, or Bitbucket, and finished artifacts are pushed to Artifact Registry. That containerized-step model is why you can run tests, linters, and the build itself in one declarative file.
- Learn the Cloud Deploy nouns: pipeline, target, release, rollout
Cloud Deploy has four constructs. The delivery pipeline holds the promotion sequence (the order of targets). A target is one destination environment, a GKE cluster, a Cloud Run service, or a GKE attached cluster. A release is the rendered, deployable artifact built from your source, a skaffold.yaml, and specific container image references. A rollout binds a release to a target and performs the deploy. Promotion advances a release to the next target in the sequence.
- Gate production deploys with a Cloud Deploy required approval
To put a human checkpoint before a sensitive environment, set the target to require approval; promotion to that target then pauses until approved, and Cloud Deploy emits a Pub/Sub message an external system can consume. Use it on the prod target so no release reaches production unreviewed, while lower environments promote automatically.
- Cloud Deploy rollback redeploys the last good release
A rollback in Cloud Deploy triggers a new rollout against the last successfully deployed release on that target, so recovery from a bad deploy is a first-class operation rather than a manual re-run of the old pipeline. Cloud Deploy also supports canary deployments, rolling a release out to a percentage of traffic before full promotion, so risk is contained on the way in and a rollback is the fast exit if it goes wrong. Together they keep time-to-restore short for deployment-caused incidents.
- Measure delivery with the four DORA keys, read as two pairs
DORA research names four metrics: deployment frequency and lead time for changes measure velocity, while change failure rate and time to restore service measure stability. Read them as two pairs on purpose, because improving velocity while ignoring stability just ships failures faster. When a scenario asks whether a process change helped, the answer is to track these four, not commit counts or story points.
Trap Reporting only deployment frequency and lead time to claim success; without change failure rate and time to restore, a faster pipeline can be hiding a rising failure rate.
- Binary Authorization is a deploy-time gate that admits only attested images
Binary Authorization enforces that container images deployed to a supported platform (GKE, Cloud Run, Cloud Service Mesh, Google Distributed Cloud) conform to a policy you define, admitting only images that carry the required cryptographic attestations and rejecting the rest. An attestation records the image's registry path and digest and is signed by a required signer, proving a specific image passed a specific step. It is a software-supply-chain control and integrates with Cloud Build and Artifact Analysis.
Trap Reaching for an IAM role or firewall rule to keep untrusted images out of prod; neither inspects image provenance at deploy time, which is what Binary Authorization checks.
- Roll out a Binary Authorization policy in dry-run mode first
Before enforcing, set the policy to dry-run so it logs which deployments would be blocked without actually blocking them. That lets you confirm the policy admits everything legitimate and catches everything it should before flipping to enforcement, avoiding an outage caused by a too-strict policy.
Trap Enforcing a brand-new Binary Authorization policy directly in production; a single overly strict rule then blocks legitimate deploys instead of just logging them.
- Design disaster recovery backwards from RTO and RPO
Recovery time objective (RTO) is the maximum acceptable time the application can be offline; recovery point objective (RPO) is the maximum acceptable length of time during which data might be lost. Settle these business numbers first, then choose the cheapest DR pattern that meets both. The relationship is monotonic: the smaller (tighter) your RTO and RPO, the more your application costs to run.
- DR patterns scale by readiness: cold, warm, hot
Google's DR planning guide frames three patterns. Cold is backup and restore: recovery resources are provisioned only after a disaster, so it is cheapest and slowest. Warm keeps a scaled-down standby already running and scales it up on failover, the middle ground. Hot runs a full second deployment serving traffic, the fastest and the priciest. Match the pattern to the RTO and RPO rather than defaulting to the most resilient.
Trap Choosing a hot or active-active DR design when the stated RTO and RPO are loose; it meets the objective but over-provisions and overspends, where cold backup-and-restore would qualify.
- Service Catalog gives governed, self-service provisioning
When many teams need infrastructure, Service Catalog lets cloud admins curate a list of approved solutions (Terraform configurations, Deployment Manager templates, or reference links) that internal users discover and deploy themselves. Admins control distribution at different folder and project levels and bake in parameters and organization policies, so developers self-serve within guardrails the admin already approved. It is the middle path between a central-ops bottleneck and unrestricted access.
Trap Granting broad project owner or editor access so teams can provision freely; that removes the bottleneck but also the guardrails Service Catalog keeps, inviting drift and policy violations.
- Run a blameless postmortem after an incident to cut recurrence
The operational excellence pillar's manage-incidents-and-problems principle says to restore service first, then run a retrospective that identifies the systemic contributing causes without indicting any individual, on the assumption people acted reasonably on the information they had. The deliverable is action items that reduce the likelihood or impact of recurrence, which is what drives change failure rate and time to restore down over time.
Trap Running a root cause analysis that assigns individual blame; it discourages honest disclosure, so the real systemic causes stay hidden and the incident recurs.
- Validation happens twice: pre-build tests and a deploy-time gate
Testing software and infrastructure spans the pipeline in two distinct places. Pre-build validation runs as Cloud Build steps (unit, static analysis, integration), and a failing step fails the build so no artifact ships. The deploy-time gate checks provenance, not behavior: Binary Authorization admits only images with the required attestations. Knowing which gate a requirement maps to is the decision the exam tests.
- Cloud Deploy uses Skaffold to render and deploy releases
Cloud Deploy relies on Skaffold for rendering, deployment, and verification, and a release is generated from your source plus a skaffold.yaml and references to specific container images. So a Cloud Deploy setup requires a skaffold configuration even though you may not run Skaffold by hand. The render step turns templates into the concrete manifest applied to each target.
- Cloud Deploy adds canary rollouts and hands-off promotion automation
Beyond a plain rollout, a Cloud Deploy delivery pipeline can run a canary that shifts traffic in phases (for example 25% then 50% then 100%); for GKE you declare a gatewayServiceMesh stanza referencing the HTTPRoute, Service, and Deployment rather than editing manifests. A canary needs an already-deployed version to split traffic against, so the very first release skips straight to the stable phase. Automation resources remove manual steps: promoteReleaseRule auto-promotes a release to the next target after a successful rollout, and advanceRolloutRule auto-advances a canary from one phase to the next after a wait time.
Trap A canary skipping to stable on the first deploy is expected, not a misconfiguration — there is no prior version to compare against.
4 questions test this
- Cymbal Retail is deploying a new microservices application to GKE using Cloud Deploy. The DevOps team wants to implement a canary…
- A development team at Cymbal Retail uses Cloud Deploy to manage their GKE application deployments across dev, staging, and production…
- Your company is deploying a microservices application to GKE using Cloud Deploy. The deployment team wants to implement a canary deployment…
- EHR Healthcare operates a patient portal application deployed on GKE using Cloud Deploy. The operations team wants to reduce manual…
Business Processes
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Managing Implementation
Deployment Advising
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Programmatic Access
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Reach for IaC when infrastructure must be repeatable and reviewable, not gcloud scripts
When a requirement stresses reproducibility, peer review, drift detection, or rebuilding an environment identically, the answer is Infrastructure as Code (IaC), where you declare the desired end state and a tool converges to it idempotently. An imperative gcloud command or shell script performs a single action and can fail or duplicate on rerun, so it fits a throwaway task, not a managed environment. The deciding keywords are version-controlled, reproducible, and rebuild-from-scratch.
Trap Reaching for a gcloud shell script to stand up infrastructure that must be reproducible and reviewed; an imperative script is not idempotent and is not the version-controlled source of truth IaC gives you.
- Declarative IaC is idempotent; imperative tools are not
IaC is declarative: you describe the end state once and the tool computes the diff, so applying the same configuration twice changes nothing the second time. A gcloud command or client-library call is imperative, performing one action when run, which is why rerunning it can create duplicates or error. This idempotence is the property questions point at when they ask which approach safely converges an environment to a known state.
- Prefer gcloud storage over the legacy gsutil for Cloud Storage
For Cloud Storage from the command line, use gcloud storage, not gsutil. Google states gsutil is not the recommended CLI: it is a legacy, minimally-maintained tool that does not support newer features like soft delete and managed folders, while gcloud storage is the successor and needs less manual tuning for fast transfers. When a question offers both gsutil cp and gcloud storage cp, the modern recommended choice is gcloud storage.
Trap Picking gsutil because its name looks like the canonical storage tool; it is the legacy CLI, and gcloud storage is what Google now recommends.
- The gcloud CLI bundles gcloud, gsutil, and bq
The Google Cloud CLI ships three command-line tools: gcloud for almost every service, gsutil as the original Cloud Storage tool, and bq for BigQuery. Mapping the service in the stem to its tool is the first step, then choosing the current recommended command (for storage, gcloud storage rather than gsutil).
- gcloud auth login and gcloud auth application-default login do different jobs
gcloud auth login authenticates the gcloud tool itself as you, for running gcloud commands. gcloud auth application-default login instead writes a local Application Default Credentials (ADC) file that your locally-run application code reads, and it does not change which account gcloud uses. Use the application-default variant when the goal is to let code on your laptop authenticate to Google APIs without a key file.
Trap Running gcloud auth login expecting your application code to pick up the credentials; that only authenticates the gcloud tool, while application code needs gcloud auth application-default login to populate ADC.
- ADC is the one auth strategy every client library uses
Application Default Credentials (ADC) is the strategy the authentication libraries use to find credentials automatically from the environment, so the same application code authenticates unchanged on a laptop and in production. Cloud Client Libraries resolve credentials through ADC rather than each inventing its own scheme, which is why you configure auth once via the environment, not per-service.
3 questions test this
- Your team is deploying a Python application to Cloud Run that needs to access Cloud Storage. The application uses the Cloud Client…
- Your team is developing a Python application that will run on Google Kubernetes Engine (GKE) and needs to access Cloud Storage and BigQuery…
- Your development team is building a Python application that will run on Google Kubernetes Engine (GKE) and interact with Cloud Storage and…
- Know the ADC search order, and that order is not a ranking
ADC checks three locations in a fixed sequence: the GOOGLE_APPLICATION_CREDENTIALS environment variable, then the credentials from gcloud auth application-default login, then the service account attached to the running resource via the metadata server. Google explicitly notes the order is not related to the relative merit of each location, so being checked first does not make the env var the recommended source. The first hit wins, but the preferred source for in-cloud code is the attached service account.
Trap Reading the search order as a quality ranking and treating GOOGLE_APPLICATION_CREDENTIALS as the recommended source because ADC checks it first; the docs say order is unrelated to merit.
- On Google Cloud, attach a service account instead of shipping a key file
For code running on Google Cloud (GKE, Cloud Run, Compute Engine), attach a service account and let ADC find it through the metadata server; Google calls this the preferred method for finding credentials. Downloaded service account keys are discouraged because of the security risk of a leaked long-lived credential, so they are a fallback for the rarer off-Google case, not the default. The keyless attached-service-account pattern removes any key to manage or rotate.
Trap Exporting a JSON service account key and setting GOOGLE_APPLICATION_CREDENTIALS on an in-cloud workload; that ships a leakable long-lived key when the attached service account would authenticate with none.
7 questions test this
- Your team is setting up a CI/CD pipeline in Cloud Build to deploy Terraform configurations to Google Cloud. The pipeline needs to…
- KnightMotives Automotive is running Terraform from Cloud Build to provision infrastructure across multiple Google Cloud projects. The…
- EHR Healthcare is setting up a CI/CD pipeline using Cloud Build to deploy Terraform configurations for their healthcare platform. The…
- Your team is deploying a Python application to Cloud Run that needs to access Cloud Storage. The application uses the Cloud Client…
- Your organization is implementing a CI/CD pipeline that runs Terraform deployments on Cloud Build. The pipeline needs to authenticate to…
- Your team is developing a Python application that will run on Google Kubernetes Engine (GKE) and needs to access Cloud Storage and BigQuery…
- Your development team is building a Python application that will run on Google Kubernetes Engine (GKE) and interact with Cloud Storage and…
- Cloud Client Libraries are recommended over the legacy Google API Client Libraries
For application code calling Google APIs, use the Cloud Client Libraries, which Google recommends where available: they are idiomatic per language and support gRPC. The older Google API Client Libraries provide access to the REST interface only, with no gRPC, and are auto-generated rather than idiomatic. Choose the legacy library only when a service offers no Cloud Client Library.
Trap Defaulting to the Google API Client Libraries; they are the legacy REST-only option, and Cloud Client Libraries are the recommended, gRPC-capable choice where available.
- Terraform is the default standalone IaC tool for Google Cloud
Terraform, Google's most commonly used provisioning tool, is the default IaC answer when the workflow is standalone and portable. You write HashiCorp Configuration Language (HCL) in .tf files, and the google and google-beta providers translate it to Google Cloud API calls (google-beta exists for beta APIs). The loop is terraform plan to preview the diff, then terraform apply to converge, producing a state file that tracks every resource.
- Store Terraform state in a shared remote backend, not on a laptop
Terraform's state file is the system of record mapping configuration to real resources, so a team must store it in a shared remote backend such as a Cloud Storage bucket rather than locally. A local-only state file blocks collaboration and risks corruption when two engineers apply concurrently, because each would work from a divergent copy of the truth.
Trap Leaving Terraform state on one engineer's machine for a team project; concurrent applies then race on divergent state and can corrupt or drift the deployment.
15 questions test this
- Your organization has separate Terraform configurations for networking and application infrastructure on Google Cloud. The application…
- Your organization has a networking team that manages VPC infrastructure using Terraform, storing state in a Cloud Storage bucket. The…
- A data platform team needs to reference outputs from a networking team's Terraform configuration to deploy Compute Engine instances in the…
- Your organization uses Terraform to manage infrastructure across development, staging, and production environments in Google Cloud.…
- Your organization has a central networking team that manages VPC infrastructure using Terraform, and application teams need to reference…
- Your company uses Terraform to manage infrastructure across development, staging, and production environments on Google Cloud. Multiple…
- Cymbal Retail is implementing infrastructure as code using Terraform for their Google Cloud deployments. The infrastructure team needs to…
- Cymbal Retail is implementing infrastructure automation using Terraform across development, staging, and production environments. Multiple…
- Cymbal Retail is implementing Terraform to manage their Google Cloud infrastructure across development, staging, and production…
- Your organization uses Terraform to manage infrastructure across development, staging, and production environments on Google Cloud.…
- Your organization manages a complex cloud infrastructure using Terraform with separate configurations for networking, compute, and database…
- Altostrat Media has multiple teams deploying Terraform configurations for their streaming platform on Google Cloud. The network team…
- A platform team manages foundational network infrastructure using Terraform, while application teams need to deploy their services into the…
- Your organization is standardizing on Infrastructure as Code (IaC) for all Google Cloud deployments. Multiple development teams will be…
- Your organization is implementing Terraform to manage Google Cloud infrastructure across development, staging, and production environments.…
- Config Connector manages Google Cloud resources as Kubernetes objects
Config Connector is a Kubernetes add-on, a set of Custom Resource Definitions (CRDs) and controllers, that lets you define Google Cloud resources as Kubernetes objects in YAML (the Kubernetes Resource Model) and apply them with kubectl, with a controller continuously reconciling the real resource to match. It fits a team already running GKE that wants one control plane for apps and infrastructure, but it presumes a cluster to host the controllers, so it is overhead for a team with no Kubernetes footprint.
Trap Adopting Config Connector for IaC with no existing GKE footprint; you then run a cluster solely to host its controllers, overhead that Terraform or Infrastructure Manager avoids.
- Local emulators let you develop offline but are not a release gate
The gcloud beta emulators command group ships local emulators for Bigtable, Datastore, Firestore, Pub/Sub, and Spanner, so you can build and run integration tests offline against a local stand-in with no cost or network. The limit, and the trap, is that an emulator approximates the service and can miss quotas, IAM behavior, and edge cases, so final validation must still run against the real API before release.
Trap Treating an emulator as proof the integration works in production; it approximates the service, so behaviors and limits the live API enforces can be absent.
- Cloud Shell comes preinstalled, authenticated, and with a persistent home directory
Cloud Shell is a browser-based environment where the gcloud CLI and common utilities are pre-installed, fully authenticated, and up to date, backed by a 5 GB persistent home directory that survives across sessions. It pairs a Terminal with a built-in Editor that has an integrated Cloud Code experience, so it suits quick interactive work or learning without any local setup.
- Cloud Code adds IDE support for Kubernetes and Cloud Run apps
Cloud Code provides IDE support across VS Code, IntelliJ, and the Cloud Shell Editor for the full development cycle of Kubernetes and Cloud Run applications, with run-ready samples, configuration snippets, advanced Kubernetes YAML support, and a Gemini Code Assist extension. It targets developers building and deploying container workloads, distinct from gcloud (commands) and the client libraries (runtime API access).
- Authenticate external CI/CD with Workload Identity Federation, not service account keys
When an external workload (GitHub Actions, GitLab, Jenkins, Terraform Cloud, on-prem CI/CD) must act as a Google Cloud service account without downloaded keys, use Workload Identity Federation: the external identity provider's OIDC/SAML token is exchanged for short-lived Google Cloud credentials that impersonate the service account. This eliminates long-lived key files and is the recommended pattern for workloads running outside Google Cloud.
Trap Attaching a service account covers workloads running on Google Cloud; external/off-Google-Cloud systems use Workload Identity Federation instead.
6 questions test this
- A DevOps engineer is setting up a CI/CD pipeline using GitHub Actions to deploy infrastructure to Google Cloud. The pipeline needs to…
- Your company uses Terraform Cloud to manage Google Cloud infrastructure. The security team requires that no service account keys be…
- KnightMotives Automotive is deploying Terraform infrastructure using Cloud Build pipelines that run outside of Google Cloud in their…
- EHR Healthcare is setting up a CI/CD pipeline using Cloud Build to deploy Terraform configurations for their healthcare platform. The…
- Your organization is setting up a CI/CD pipeline on Jenkins servers hosted outside of Google Cloud. The pipeline needs to deploy…
- Your organization is implementing a CI/CD pipeline that runs Terraform deployments on Cloud Build. The pipeline needs to authenticate to…
- Share outputs between Terraform configurations via terraform_remote_state
When one Terraform configuration (e.g. networking) must expose values like VPC and subnet IDs to another configuration (e.g. application) managed separately, have the producing config declare those values as outputs in its root module and store state in a remote backend such as Cloud Storage. The consuming config reads them with the terraform_remote_state data source pointing at that backend. This is Google's recommended way to reference another root module's outputs.
Trap Reading or copying another team's state file directly to share its values, instead of exposing them as outputs consumed through the terraform_remote_state data source.
7 questions test this
- Your organization has separate Terraform configurations for networking and application infrastructure on Google Cloud. The application…
- Your organization has a networking team that manages VPC infrastructure using Terraform, storing state in a Cloud Storage bucket. The…
- A data platform team needs to reference outputs from a networking team's Terraform configuration to deploy Compute Engine instances in the…
- Your organization has a central networking team that manages VPC infrastructure using Terraform, and application teams need to reference…
- Your organization manages a complex cloud infrastructure using Terraform with separate configurations for networking, compute, and database…
- Altostrat Media has multiple teams deploying Terraform configurations for their streaming platform on Google Cloud. The network team…
- A platform team manages foundational network infrastructure using Terraform, while application teams need to deploy their services into the…
- Use google_*_iam_member to avoid Terraform IAM drift
google_project_iam_member (and the matching _iam_member resources) add individual bindings additively without touching other roles. google_project_iam_policy is authoritative: it overwrites the entire IAM policy, removing roles that Google Cloud services manage automatically, which makes Terraform show constant IAM changes (drift) on every plan. Prefer the non-authoritative _iam_member resources for adding bindings.
Trap _iam_policy is authoritative and overwrites everything (causing drift); _iam_member is additive and only manages the binding you declare.
Operations Excellence
Operational Excellence Pillar
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Observability
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Match the symptom to the signal: metric, log, trace, profile, or grouped error
Google Cloud Observability is one suite of five products, each answering a different question. "Is it up and how full" is a metric in Cloud Monitoring; "what happened on this event" is a log in Cloud Logging; "where did latency go across services" is a trace in Cloud Trace; "which function burns CPU or memory" is a profile in Cloud Profiler; "how often is this exception firing" is Error Reporting. On the exam the skill is routing the scenario to the right product, not configuring it.
- Cloud Observability is the rebranded Stackdriver suite
Google Cloud Observability is the current name for what was branded Stackdriver; the documentation still lives under the cloud.google.com/stackdriver path. Stems may use either name for the same metrics, logging, and tracing suite, so treat Stackdriver Monitoring/Logging as today's Cloud Monitoring/Cloud Logging.
- Cloud Trace answers where latency goes across services, not whether a service is slow
When a request fans out across microservices and you need to find which hop ate the time, use Cloud Trace: it records the request as a trace of spans (one timed unit of work each) and shows aggregate latency on a heatmap. A Cloud Monitoring dashboard tells you the service is slow; only trace spans tell you where, so reach for Trace whenever the scenario crosses service boundaries.
Trap Reaching for a Cloud Monitoring latency dashboard to locate the slow hop; it shows that the service is slow in aggregate but not which downstream call is responsible.
12 questions test this
- Your company has deployed a microservices-based e-commerce application on Google Kubernetes Engine (GKE). Users are reporting intermittent…
- Your SRE team is investigating an incident where users report intermittent slow responses from your microservices application deployed on…
- Cymbal Retail is implementing SRE practices for their order processing system running on GKE. The system must meet a latency SLO where 95%…
- Your company operates a microservices-based e-commerce platform on Google Kubernetes Engine (GKE) with 15 services. Users are experiencing…
- Your development team deployed a Go microservice on GKE that processes financial transactions. After analyzing Cloud Profiler data, you…
- Cymbal Retail operates a microservices-based e-commerce platform on GKE. SRE teams report that customers experience intermittent high…
- Cymbal Retail is experiencing intermittent slowdowns in their checkout service running on Cloud Run. The SRE team needs to identify which…
- Your organization runs a distributed e-commerce application instrumented with OpenTelemetry. During a checkout service investigation using…
- Your company operates a microservices-based e-commerce platform running on GKE. Users are reporting intermittent slow response times during…
- Your organization has deployed a microservices application on Google Kubernetes Engine (GKE) where services communicate via HTTP and gRPC.…
- Your company runs a microservices application on GKE. Users report intermittent slowness, but overall average latency metrics appear…
- Your team manages a distributed e-commerce platform and has defined latency-based SLOs using Cloud Monitoring. After a deployment, you…
- Cloud Profiler finds CPU and memory hotspots in production at under 5% overhead
When a service is CPU- or memory-bound and you cannot reproduce it locally, attach Cloud Profiler: it continuously samples production using statistical profiling and attributes CPU and heap usage to source-code lines. Collection overhead is under 5%, and amortized across replicas commonly under 0.5%, so it is safe to leave on always. It supports Go, Java, Node.js, and Python.
5 questions test this
- A Java application running on Compute Engine is experiencing higher than expected CPU utilization, causing increased costs. You need to…
- Your SRE team notices that a Go-based API service deployed on Cloud Run is experiencing gradually increasing response times after each…
- Your SRE team has identified that a Java application running on Compute Engine is experiencing high CPU utilization during peak hours,…
- Altostrat Media is running a video processing pipeline on GKE. The SRE team notices that some requests take significantly longer than…
- A company running a Python application on GKE wants to implement continuous profiling in production to proactively identify performance…
- Error Reporting groups recurring crashes from logs automatically
When the same exception keeps crashing an app and you want it counted and grouped without extra instrumentation, use Error Reporting: it reads log entries, recognizes stack traces, and groups errors by exception type and the top stack frames, then can notify you of new ones. It samples up to 1,000 errors per hour and estimates counts beyond that, so very high-volume counts are approximate.
Trap Building a custom log-based counter to detect duplicate exceptions; Error Reporting already groups by exception type and top frames out of the box.
3 questions test this
- Your organization uses Error Reporting to monitor application errors across multiple services running on Compute Engine. The operations…
- Your company runs a microservices application on Cloud Run. The development team needs to receive immediate notifications when new types of…
- Your team runs a microservices-based application on Cloud Run and needs to implement an incident response workflow. You want to be notified…
- Every log entry passes through the Log Router before it is stored
Logs do not land anywhere by themselves: the Log Router evaluates sinks, and each sink has an inclusion filter plus a destination. A sink can write to a log bucket, a BigQuery dataset, a Cloud Storage bucket, or a Pub/Sub topic. This single model is the answer to most routing questions: to send logs somewhere new you create or edit a sink, not a per-log setting.
- Pick the sink destination by purpose: BigQuery for SQL, Storage for archive, Pub/Sub for streaming
When logs must be queried with SQL or joined with other data, route a sink to BigQuery. When they must be archived cheaply for years or held for compliance, route to a Cloud Storage bucket. When they must stream into a third-party SIEM or custom pipeline, route to a Pub/Sub topic. The default keep-and-search destination is a Cloud Logging log bucket.
- The _Required log bucket keeps audit logs 400 days and cannot be changed
Admin Activity and other required audit logs go to the _Required bucket, which retains them for 400 days, a period fixed by Google and not configurable. Everything else lands in the _Default bucket at 30 days by default, which you can change. Knowing the 400-day fixed value is the testable specific behind most audit-retention questions.
Trap Assuming you can shorten or extend the _Required bucket's 400-day retention; it is fixed, so to keep audit logs longer you route them out via a sink.
- Custom log buckets retain between 1 and 3650 days
A user-defined log bucket (and the _Default bucket in a project) can have its retention set anywhere from 1 day to 3650 days (ten years). Raise it toward 3650 for compliance holds, or lower it to control cost. The _Default starts at 30 days; only custom or _Default project buckets are configurable, while folder- and organization-level _Default buckets are not.
- Extending _Default retention does not move audit logs
Audit logs sit in the fixed-400-day _Required bucket, so changing the _Default bucket's retention does nothing for them. To keep audit logs beyond 400 days you must route them via a sink to a custom log bucket (up to 3650 days) or to Cloud Storage. This is the classic audit-retention trap on the exam.
Trap Raising _Default retention to keep audit logs longer; audit logs live in _Required, so they are unaffected and still expire at 400 days.
- Log-based metrics turn matching log entries into Cloud Monitoring time series
A log-based metric converts log entries that match a filter into a metric you can chart and alert on like any other. A counter metric counts matching entries (for example, lines containing a specific error). A distribution metric extracts a number from each entry and builds a histogram (for example, parsing a latency value). This is how you page on "more than N of this error per minute" without a custom pipeline.
4 questions test this
- Your company requires that the security operations team receives immediate notifications when specific security events are logged, such as…
- Your team at Cymbal Retail needs to track request latency patterns from application logs that contain response times in the format 'Request…
- An application running on Compute Engine generates structured JSON logs that include custom latency values for each API request. You need…
- Your organization runs a critical e-commerce application on Google Cloud. The operations team needs to track API response latency values…
- An alerting policy is a condition plus notification channels plus documentation
A Cloud Monitoring alerting policy bundles a condition (the metric, threshold, and aggregation), one or more notification channels (email, PagerDuty, Slack, Pub/Sub, Cloud Mobile App), and documentation that appears in the notification. When the condition is met it opens an incident and notifies the channels. Notification channels are reusable objects you attach to many policies.
- Alert on user-felt symptoms anchored to an SLO, not on every internal cause
Page on the four golden signals that map to user pain (latency, traffic, errors, saturation), not on raw causes like a single CPU spike. Tie the alert threshold to an SLO so a page means a real error-budget burn, which directly cures alert fatigue. Cause-level metrics belong on dashboards for diagnosis, not on pagers. This is the answer when a stem describes on-call drowning in pages with no user impact.
Trap Adding more per-resource metric thresholds to fix alert fatigue; that multiplies cause-level noise, while SLO-anchored symptom alerts reduce it.
- The four golden signals are latency, traffic, errors, and saturation
Google SRE's four golden signals are latency (time to serve a request, tracked separately for successes and errors), traffic (demand on the system), errors (rate of failed requests), and saturation (how full the most-constrained resource is). They are the default set of things to monitor and alert on for any user-facing service, and the SRE-flavored questions expect you to name all four.
- An SLI is a measurement, an SLO is a target you set below 100%
An SLI (service level indicator) is a quantitative measurement of one aspect of service behavior, usually a ratio of good events to total. An SLO (service level objective) is a target value for that SLI over a window, expressed in nines and set below 100% on purpose because perfect uptime is unattainable and not worth its cost. Cloud Monitoring service monitoring computes SLOs against the SLI.
- An SLA is a contract with a penalty; it is looser than the internal SLO
An SLA (service level agreement) promises an SLO to a customer and carries a consequence such as a refund or credit if breached; the test for whether something is an SLA is "what happens if it is missed." Because a breach costs money, the SLA target is deliberately set looser than the internal SLO that protects it, giving the team headroom before the contract is at risk.
Trap Treating the SLA and the internal SLO as the same number; the SLA is set looser so the team has margin before a contractual penalty triggers.
- Error budget is (1 minus the SLO) times eligible events
The error budget is the allowed failure margin that falls out of the SLO: (1 minus the SLO) times the eligible events in the compliance period. A 99.9% SLO over a million requests yields a budget of 1,000 failures. It is the acceptable amount of unreliability a team may spend on shipping features and taking risk; while budget remains the team ships, once it is exhausted the policy freezes risky launches and pours effort into stability. This is the lever for balancing velocity against reliability.
- Compliance periods are rolling (1 to 30 days) or calendar-based
A Cloud Monitoring SLO measures over a compliance period that is either rolling (a continuous trailing window of 1 to 30 days where the oldest data drops out each day) or calendar-based (a fixed week or month that resets on a boundary). Rolling gives a continuously updating view; calendar matches reporting cycles. Pick rolling for steady operational alerting, calendar when the SLO must align with monthly business reporting.
- Request-based SLOs measure request ratios; windows-based SLOs measure good-window ratios
A request-based SLO is the ratio of good requests to total (for example, latency under 100 ms for 95% of requests). A windows-based SLO is the ratio of good time windows to total (for example, the 95th-percentile latency is under 100 ms for 99% of 10-minute windows). Windows-based smooths over bursty traffic and is the choice when you care that the service was healthy over intervals rather than per individual request.
6 questions test this
- Cymbal Retail is implementing SLO monitoring for their product catalog API deployed on GKE. They want to measure that 99% of requests…
- You are designing SLIs for a web application running on GKE. The application serves API requests with varying latency requirements. Your…
- Your organization operates a Cloud Run service that handles customer checkout transactions. The service must respond to 99% of requests…
- Your development team runs a microservices application on Google Kubernetes Engine and wants to track service latency using SLOs. The…
- EHR Healthcare is deploying a patient records API and needs to establish SLIs that measure user experience. The API returns health data to…
- Your company runs a customer-facing e-commerce application on Google Kubernetes Engine (GKE). The operations team needs to implement SLO…
- Burn-rate alerts page when the error budget drains too fast
A burn-rate alert fires when the error budget is being consumed faster than the SLO allows, rather than at a fixed metric threshold. This makes the page mean a real, accelerating reliability problem the user feels, and lets a slow steady burn pass without paging. It is the SLO-native form of symptom-based alerting and the recommended alerting strategy in Cloud Monitoring service monitoring.
7 questions test this
- Your organization operates a Cloud Run service that handles customer checkout transactions. The service must respond to 99% of requests…
- Altostrat Media has a streaming service with a 99.5% availability SLO measured over a 30-day rolling compliance period. The operations team…
- KnightMotives Automotive is implementing SRE practices for their connected vehicle platform running on Cloud Run. The platform team needs…
- Your company operates a customer-facing API deployed on Cloud Run. You have defined an SLO requiring 99.5% availability over a rolling…
- Altostrat Media operates a video streaming service with an external HTTP(S) load balancer. They have defined a 99.5% availability SLO with…
- Your company runs a customer-facing e-commerce application on Google Kubernetes Engine (GKE). The operations team needs to implement SLO…
- Altostrat Media operates a video streaming service and uses Cloud Monitoring to track SLOs. They have configured an SLO with a 99%…
- A metrics scope lets one project see metrics from many projects and AWS accounts
To centralize observability across an estate, configure a Cloud Monitoring metrics scope: a scoping project can view metrics from many Google Cloud projects, and even AWS accounts, on shared dashboards. This is the standard answer when the requirement is one pane of glass across an organization's projects, rather than logging into each project separately.
Trap Creating a separate dashboard inside every project and switching between them; a single metrics scope already aggregates all of their metrics in one scoping project.
- Uptime checks probe HTTP, HTTPS, and TCP endpoints from outside
Cloud Monitoring uptime checks probe HTTP, HTTPS, and TCP endpoints from Google's global locations to confirm responsiveness, and you alert when a check fails. They are the answer for blackbox external availability monitoring of a public endpoint, complementing the whitebox metrics the service emits about itself.
- Instrument with OpenTelemetry, not product-specific SDKs
Cloud Trace and the Cloud Observability agents prefer OpenTelemetry, the vendor-neutral instrumentation standard, over product-specific tracing SDKs. Instrumenting with OpenTelemetry (it speaks OTLP) means the same code survives a future tooling or vendor change, which is the recommended choice whenever a design must avoid lock-in to one tracing backend.
5 questions test this
- Your company has deployed a microservices-based e-commerce application on Google Kubernetes Engine (GKE). Users are reporting intermittent…
- Cymbal Retail is implementing SRE practices for their order processing system running on GKE. The system must meet a latency SLO where 95%…
- Your company operates a microservices-based e-commerce platform on Google Kubernetes Engine (GKE) with 15 services. Users are experiencing…
- Your company operates a microservices-based e-commerce platform running on GKE. Users are reporting intermittent slow response times during…
- Your organization has deployed a microservices application on Google Kubernetes Engine (GKE) where services communicate via HTTP and gRPC.…
- A log-based alerting policy notifies on a single matching log entry, no metric required
A log-based alerting policy fires a notification when a log entry matching its query filter appears, evaluating individual entries in near real time without first creating a metric. It is the right tool for rare-but-important events such as a specific error message or audit-log security event that needs immediate per-occurrence notification, and it can extract fields from the entry as labels for context.
Trap Reaching for a log-based metric plus a metric-threshold alert to get per-occurrence notification of a rare event; a metric counts and trends over time, while the log-based alerting policy fires immediate notification that one specific entry occurred.
5 questions test this
- Your e-commerce application running on GKE experiences intermittent performance issues. You need to be notified immediately when a specific…
- Your company requires that the security operations team receives immediate notifications when specific security events are logged, such as…
- EHR Healthcare runs a patient portal application on Compute Engine. The operations team wants to receive immediate notifications whenever a…
- Your company's e-commerce application on GKE is experiencing intermittent 500 errors. The operations team needs to be notified immediately…
- KnightMotives Automotive wants to be notified when specific security events occur in their Google Cloud audit logs, such as when a human…
Release Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Production Support
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Quality Control
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Production Reliability
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.