GCP Professional Cloud Ar - Free Practice Quiz

Question 1 of 60

A company's production Cloud Spanner instance experiences latency spikes under heavy read traffic. They want to offload read requests without impacting write throughput or consistency for reads that can tolerate slight staleness. What is the recommended approach? (Google Cloud Professional Cloud Architect, 2023)

A Add more nodes to the Spanner instance to scale read capacity B Use stale reads with bounded staleness (e.g., MAX_STALENESS 15 seconds) â€” these reads are served from local replicas without acquiring locks, reducing latency and write contention C Create a Spanner database replica in a separate region for read traffic D Export data to BigQuery hourly and route read-heavy analytics queries there

1 / 60

Question 2 of 60

A financial services company uses Cloud Composer to orchestrate daily data pipelines. The Composer environment is becoming a cost concern. Which optimization reduces Cloud Composer costs most effectively? (Google Cloud Professional Cloud Architect, 2023)

A Upgrade to a larger Composer environment size to improve pipeline efficiency B Use Cloud Composer 2 with autoscaling, which scales workers to zero between runs â€” unlike Composer 1 which maintains a minimum worker count regardless of workload C Run all DAG tasks in parallel to reduce pipeline wall-clock time and environment uptime D Replace Cloud Composer with Cloud Scheduler and Cloud Functions for all DAG logic

2 / 60

Question 3 of 60

An architect is designing a data lake on Google Cloud. Raw data from multiple sources lands in Cloud Storage, and multiple teams run different processing jobs. How should the data lake be organized to balance access control, cost, and discoverability? (Google Cloud Professional Cloud Architect, 2023)

A Use a single flat bucket with all data; rely on IAM Conditions on object prefixes for access control B Use a zone-based design (raw, curated, analytics) with separate buckets per zone; apply IAM at the bucket or prefix level; use Data Catalog for metadata and discoverability C Use Cloud Bigtable as the data lake storage layer for its wide-column schema flexibility D Store each team's data in separate projects with separate Cloud Storage buckets and no shared metadata

3 / 60

Question 4 of 60

A company is migrating a monolith to microservices on GKE. During the transition, some functionality remains in the monolith (on-premises). Traffic must be routed to either the new GKE service or the legacy monolith based on request path. Which solution supports this traffic management? (Google Cloud Professional Cloud Architect, 2023)

A Cloud DNS weighted routing records splitting traffic between GKE and on-premises endpoints B Cloud Load Balancing with URL map rules routing /api/v2/* to GKE backend services and legacy paths to the on-premises backend via a hybrid NEG (network endpoint group) or Cloud VPN-connected backend C Cloud Endpoints with a traffic-splitting rule defined in the OpenAPI specification D Apigee with API proxies conditionally routing to either backend based on the 'X-Version' header

4 / 60

Question 5 of 60

An e-commerce company experiences a 10x traffic surge every Black Friday. Their application runs on GKE Standard. They want to pre-provision nodes before the anticipated surge to avoid cold-start delays during the event. Which GKE feature enables this? (Google Cloud Professional Cloud Architect, 2023)

A Set the cluster autoscaler minimum node count to 10x normal capacity permanently B Create a separate node pool with the required node count before the event and use scheduled cluster autoscaler scaling or Node Auto Provisioning with over-provisioning pods to maintain a buffer C Node auto-provisioning with surge upgrade settings applied 24 hours before the event D Enable Spot VM node pools that are pre-provisioned from idle Google capacity

5 / 60

Question 6 of 60

A company needs to implement a disaster recovery strategy for a Cloud SQL PostgreSQL instance with an RPO of 1 hour and RTO of 4 hours. Which configuration achieves these targets most cost-effectively? (Google Cloud Professional Cloud Architect, 2023)

A Enable synchronous replication to a cross-region read replica and promote it manually on failover B Enable automated backups with a 1-hour transaction log backup frequency and configure point-in-time recovery (PITR) â€” in a disaster, restore to within 1 hour; provision a new instance (RTO within 4 hours) C Deploy two identical Cloud SQL instances in different regions, syncing data via Cloud Datastream D Enable high availability (HA) within the same region â€” HA provides automatic failover within minutes

6 / 60

Question 7 of 60

Your organization has multiple Google Cloud projects and wants to enforce a consistent set of firewall rules across all VPCs without using Shared VPC. Which Google Cloud feature provides hierarchical firewall rule management? (Google Cloud Professional Cloud Architect, 2023)

A VPC firewall rule priorities set to 0 (highest) in each project to override local rules B Hierarchical Firewall Policies â€” defined at the organization or folder level, they are evaluated before VPC-level firewall rules and can deny or allow traffic that project-level rules cannot override (using 'goto_next' to delegate to project rules or 'deny'/'allow' to enforce centrally) C Cloud Identity-Aware Proxy organization-level access policies for all HTTP services D Cloud Armor security policies applied at the organization level to all load balancers

7 / 60

Question 8 of 60

A team is designing a Cloud Run service that processes user-uploaded files from Cloud Storage. The processing is CPU-intensive and takes up to 5 minutes per file. Which design addresses Cloud Run's request timeout limit? (Google Cloud Professional Cloud Architect, 2023)

A Use Cloud Run with a default 60-second timeout; have clients poll for completion via Firestore B Increase the Cloud Run service request timeout to up to 60 minutes; for processing beyond 60 minutes, use Cloud Tasks to enqueue the job and have a Cloud Run job (not service) process it asynchronously C Use GKE instead of Cloud Run for any job exceeding 30 seconds D Implement a streaming HTTP response that keeps the connection alive until processing completes

8 / 60

Question 9 of 60

A company's BigQuery analytics costs are high because data scientists frequently run expensive, unoptimized queries on large tables. Which controls reduce BigQuery costs without preventing analysis? (Google Cloud Professional Cloud Architect, 2023)

A Partition all tables by ingestion time and deny queries that don't include a LIMIT clause B Use BigQuery slot reservations with per-user quotas, require partition filter clauses on large partitioned tables, and implement column-level access controls to prevent full table scans â€” these reduce both accidental cost overruns and data exposure C Switch BigQuery billing from on-demand to flat-rate reservations for all users regardless of usage patterns D Export all tables to Cloud Storage and run queries via Dataproc to avoid BigQuery charges

9 / 60

Question 10 of 60

A startup is concerned about their GCP bill but wants to maintain high availability. Their application runs on GKE and traffic is minimal overnight (10pm-6am). How can they reduce costs during off-peak hours? (Google Cloud Professional Cloud Architect, 2023)

A Delete the GKE cluster each night and recreate it each morning using Cloud Build B Scale the GKE deployment replicas to a minimum during off-peak hours using Horizontal Pod Autoscaler (HPA) with KEDA for time-based scaling or a Cloud Scheduler-triggered job that adjusts HPA min replicas â€” node autoscaler will then scale down nodes C Use Spot VM node pools for all workloads to reduce costs at the risk of disruption at any time D Move to GKE Autopilot which automatically reduces billing to zero between requests

10 / 60

Question 11 of 60

A healthcare company is designing a HIPAA-compliant pipeline that ingests, processes, and stores patient data. The pipeline uses Dataflow. Which data handling practices are required for HIPAA compliance on GCP? (Google Cloud Professional Cloud Architect, 2023)

A Store all intermediate data in Memorystore for Redis to prevent disk writes of PHI B Ensure a BAA is in place; restrict Dataflow workers to a specific VPC with no external IPs; enable CMEK for pipeline temp storage; disable access to pipeline worker metadata from within the pipeline; and use Cloud DLP to de-identify PHI before storage in non-PHI-authorized systems C Use only Cloud-managed encryption; customer-managed keys are not required for HIPAA D Enable Cloud DLP on all Pub/Sub messages before they reach Dataflow

11 / 60

Question 12 of 60

A company is running a stateless web application behind a Global External Application Load Balancer. They notice users in Asia are experiencing significantly higher latency than users in the US. The application is only deployed in us-central1. What is the correct architectural change? (Google Cloud Professional Cloud Architect, 2023)

A Enable Cloud CDN on the load balancer to cache API responses for Asian users B Add a regional deployment in asia-southeast1 with backend services added to the existing global load balancer and configure geographic-based traffic steering so Asian users are routed to the nearest healthy backend C Increase the number of Cloud Run instances in us-central1 to reduce processing time D Use Cloud Interconnect from Asia to reduce latency to the single US region

12 / 60

Question 13 of 60

An organization uses workload identity federation to authenticate CI/CD pipelines from GitHub Actions to Google Cloud without using service account keys. How does this work? (Google Cloud Professional Cloud Architect, 2023)

A GitHub Actions generates a Google service account key and stores it in GitHub Secrets for each workflow run B GitHub Actions presents a short-lived OIDC token (identity token) to Google's STS; STS validates it against the GitHub OIDC provider and issues a federated credential that the pipeline uses to impersonate a Google service account â€” no key material is stored C GitHub Actions authenticates using the organization's domain on Cloud Identity via SAML federation D Google issues a permanent access token to the GitHub organization that all Actions workflows share

13 / 60

Question 14 of 60

A company wants to implement a 'never trust, always verify' zero-trust access model for their internal web applications deployed on GCP, without requiring users to be on a VPN. Which Google Cloud service enables this? (Google Cloud Professional Cloud Architect, 2023)

A Cloud VPN with split tunneling to route only corporate traffic through the VPN B Cloud Identity-Aware Proxy (IAP) â€” it authenticates users and checks authorization before proxying requests to the backend, enforcing context-aware access policies (user identity, device posture) without a VPN C VPC Service Controls to restrict API access to specific identity groups D Cloud Armor with IP allowlisting for corporate office egress IPs

14 / 60

Question 15 of 60

A company's Dataflow streaming pipeline is experiencing data skew â€” some keys have millions of events while others have few. This causes certain workers to become bottlenecks. Which Dataflow technique addresses this? (Google Cloud Professional Cloud Architect, 2023)

A Increase the number of Dataflow workers so each has fewer keys to process B Use a two-phase aggregation: first aggregate using a salted key (appending a random suffix) to spread hot keys across workers, then re-aggregate by the original key â€” this distributes the hot key's work across multiple workers C Enable Dataflow Shuffle service to distribute all events uniformly across workers D Use a fixed window of 1 second to reduce the number of events processed per window

15 / 60

Question 16 of 60

A team is designing a microservices architecture on GKE. They want to secure service-to-service communication with mutual TLS without modifying application code. Which solution achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Implement mTLS in each service's application code using Go's crypto/tls or Python's ssl module B Configure Kubernetes Network Policies to encrypt traffic between pods using Kubernetes native TLS C Deploy a service mesh â€” Anthos Service Mesh (Istio-based) or Cloud Service Mesh â€” which automatically injects Envoy sidecar proxies that handle mTLS between services transparently, without requiring application changes D Use Cloud Load Balancing with SSL certificates on each service's internal load balancer

16 / 60

Question 17 of 60

A company's application on Compute Engine writes logs to Cloud Logging. Security auditors require that log records cannot be deleted for 5 years. How should this be implemented? (Google Cloud Professional Cloud Architect, 2023)

A Enable log retention in Cloud Logging to 5 years (1825 days) â€” Cloud Logging supports retention up to 10 years B Export logs to BigQuery with a table snapshot taken annually for long-term retention C Export logs via a Log Sink to a Cloud Storage bucket with an object lock (retention policy) â€” once locked, objects cannot be deleted or modified for the configured period, meeting the immutability requirement D Enable Cloud Audit Logs for Cloud Logging API calls, creating an audit trail of any log deletion

17 / 60

Question 18 of 60

A company wants to run a GKE workload that requires root access to the host operating system for a legacy application. Which GKE configuration is needed and what is the security implication? (Google Cloud Professional Cloud Architect, 2023)

A Enable 'hostPID: true' in the pod spec â€” this grants root access to the host without additional configuration B Use GKE Autopilot which natively allows privileged containers when specified in the pod spec C Deploy the workload on a GKE Standard node pool with a privileged PodSecurityPolicy (or PodSecurity admission policy allowing privileged) applied to the namespace â€” understand that privileged containers can escape container isolation and compromise the host node D Mount the host root filesystem using a hostPath volume claim with ReadWrite access

18 / 60

Question 19 of 60

A team is planning a live migration of a VM from on-premises to Google Cloud. The application has a stringent SLA and cannot tolerate downtime longer than 30 minutes. Which migration approach minimizes downtime? (Google Cloud Professional Cloud Architect, 2023)

A Use gsutil to copy the VM disk image to Cloud Storage, then import it as a Compute Engine image â€” total downtime equals the disk copy time (hours for large disks) B Manually install the application on a new GCE VM and sync data, then switch DNS during a maintenance window C Use Migrate to Virtual Machines (M2VM) in 'streaming' mode â€” M2VM continuously replicates changes to GCP in the background; when ready, cutover migrates only the delta written since replication started, minimizing the downtime window to minutes D Use Migrate to Virtual Machines (M2VM) in 'offline' mode â€” shut down the VM, copy the full disk, start the GCE VM

19 / 60

Question 20 of 60

A company collects streaming telemetry from 1 million IoT devices. Events are published to Pub/Sub and processed by Dataflow. They observe that some device IDs produce incorrect results because events arrive out of order. Which Dataflow feature handles late and out-of-order data? (Google Cloud Professional Cloud Architect, 2023)

A Increase the Pub/Sub subscription ack deadline so messages wait longer before redelivery B Use processing-time windows instead of event-time windows to avoid out-of-order issues C Windowing with watermarks and allowed lateness â€” define event-time windows (e.g., 5-minute tumbling), set a watermark that estimates event completion, and configure allowed lateness to accept late arrivals within a configurable period, triggering recomputation of affected windows D Shard events by device ID into separate Pub/Sub topics to guarantee per-device ordering

20 / 60

Question 21 of 60

An organization wants to detect and alert on anomalous API call patterns in Google Cloud â€” such as a service account calling APIs it has never called before â€” using a managed service. Which product provides this behavioral threat detection? (Google Cloud Professional Cloud Architect, 2023)

A Cloud Audit Logs with custom log-based metrics and manually defined alert thresholds B Cloud Monitoring anomaly detection on API call rate metrics C Security Command Center's Event Threat Detection (ETD) â€” a managed service that analyzes Cloud Audit Logs in real time using Google's threat intelligence and machine learning to detect anomalous activity such as credential abuse, data exfiltration, and cryptomining D Chronicle SIEM with a custom UDM rule for service account behavior

21 / 60

Question 22 of 60

A company's GKE workload requires access to a Cloud SQL database. They want to use Workload Identity to avoid storing service account keys in Kubernetes Secrets. How does Workload Identity work? (Google Cloud Professional Cloud Architect, 2023)

A Workload Identity stores the service account JSON key in a Kubernetes Secret encrypted at rest and mounts it into the pod B Workload Identity uses the GKE master node's service account to delegate access to all pods in the cluster C Workload Identity maps a Kubernetes service account (KSA) to a Google service account (GSA) â€” pods authenticating with the KSA receive a short-lived Google identity token from the metadata server, allowing them to call Google APIs as the GSA without any key material D Workload Identity federates the pod's JWT with Cloud Identity to create a user identity for API calls

22 / 60

Question 23 of 60

A company is building a data platform on BigQuery. Multiple teams share a BigQuery project, and the analytics team's long-running queries sometimes starve the operations team's dashboard queries for slots. How should slot allocation be managed? (Google Cloud Professional Cloud Architect, 2023)

A Use on-demand pricing for all users and set a lower priority flag on analytics queries B Grant the operations team BigQuery Admin role so they can cancel competing analytics queries C Use BigQuery Editions (Reservations) with separate slot commitments per team assignment â€” operations team gets guaranteed slots unaffected by analytics team usage; autoscaling can handle spikes beyond the reservation D Create separate BigQuery projects per team so each gets an independent on-demand quota

23 / 60

Question 24 of 60

A global company needs to process transactions with single-digit millisecond latency for users in North America, Europe, and Asia. The data must be consistent across all regions. Which Google Cloud database and configuration meets this requirement? (Google Cloud Professional Cloud Architect, 2023)

A BigQuery with multi-region dataset configuration for analytics-level consistency B Cloud SQL with cross-region read replicas in each continent; write to the primary only C Cloud Spanner with a multi-region instance configuration (e.g., nam-eur-asia1) â€” Spanner replicates synchronously across regions with TrueTime-based external consistency, and reads are served from the nearest read-only replica for low latency D Firestore in native mode with multi-region configuration and strong consistency enabled

24 / 60

Question 25 of 60

A company wants to analyze their Google Cloud spending and identify cost optimization opportunities. They want cost data broken down by team, project, and resource labels. Which tool provides this? (Google Cloud Professional Cloud Architect, 2023)

A Cloud Monitoring dashboards with billing metrics grouped by project B Cloud Billing budget alerts set per project with label-based filtering C BigQuery exports of Cloud Billing data â€” export billing data to BigQuery and query it with SQL, filtered and grouped by labels, projects, services, and SKUs for granular cost analysis D Google Cloud Pricing Calculator for estimating future costs by service type

25 / 60

Question 26 of 60

A company migrating to GCP wants to use their existing Active Directory groups to grant GCP IAM roles, so that adding a user to an AD group automatically grants them the corresponding GCP access. Which setup enables this? (Google Cloud Professional Cloud Architect, 2023)

A Use gcloud CLI scripts that poll Active Directory and update IAM bindings hourly B Grant IAM roles to individual users in GCP and sync AD user lists manually C Sync AD groups to Google Cloud Identity using GCDS, then grant GCP IAM roles to the Cloud Identity groups â€” adding users to AD groups via normal AD processes automatically flows through to GCP access D Use Workload Identity Federation to map AD group memberships to GCP IAM conditions

26 / 60

Question 27 of 60

Your Cloud Run service must write data to a Firestore database and also publish messages to Pub/Sub within the same request. If either operation fails, neither should commit. Which pattern supports distributed transaction-like behavior? (Google Cloud Professional Cloud Architect, 2023)

A Use Firestore transactions that also include Pub/Sub publish calls within the same transaction object B Implement a two-phase commit protocol manually in the Cloud Run service code C Use the transactional outbox pattern: write the Firestore document and an 'outbox event' record within a single Firestore transaction; a Firestore trigger-based Cloud Function publishes the outbox event to Pub/Sub and marks it sent â€” if the Pub/Sub publish fails, it retries until success D Wrap both calls in a try/except and rollback Firestore if the Pub/Sub publish fails

27 / 60

Question 28 of 60

A company has 500 TB of on-premises data that must be transferred to Cloud Storage within 5 days. The available internet bandwidth is 200 Mbps (shared). What is the recommended transfer method? (Google Cloud Professional Cloud Architect, 2023)

A Run gsutil -m cp with 64 parallel threads to maximize the internet connection utilization B Use Storage Transfer Service with the on-premises agent over the 200 Mbps connection C Use Google Transfer Appliance â€” a physical device shipped to the customer's data center; they load the data offline and ship it back to Google, which then uploads to Cloud Storage without consuming internet bandwidth D Use Cloud VPN to encrypt the transfer and maximize security over the 200 Mbps link

28 / 60

Question 29 of 60

A company is building a real-time fraud detection system that must score transactions within 50ms. The ML model requires features from historical transaction data (stored in BigQuery) and real-time transaction data (in Pub/Sub). How should the feature serving layer be designed? (Google Cloud Professional Cloud Architect, 2023)

A Query BigQuery directly on each prediction request â€” BigQuery's slots will complete aggregation in under 50ms B Use Vertex AI Feature Store with online serving for all features; batch materialize BigQuery features hourly C Pre-compute and store historical features in Bigtable or Memorystore (Redis); on each transaction, fetch pre-computed historical features from the cache (<5ms) and combine with real-time features for the prediction request â€” meeting the 50ms latency SLA D Use Dataflow to join Pub/Sub events with BigQuery historical data in real time before prediction

29 / 60

Question 30 of 60

A team discovers that their GKE cluster's nodes are running workloads from multiple teams on shared nodes. They want to ensure team-A workloads never run on the same node as team-B workloads for compliance reasons. Which Kubernetes mechanism enforces this? (Google Cloud Professional Cloud Architect, 2023)

A Kubernetes NetworkPolicy â€” restrict pod-to-pod communication so team-A pods cannot talk to team-B pods B ResourceQuota per namespace limits team-A's resource usage so it cannot consume team-B's node capacity C Node taints and pod tolerations with pod affinity anti-affinity rules â€” label nodes per team, taint them with 'team=A:NoSchedule', and configure team-A pods to only tolerate team-A taints; team-B pods cannot be scheduled on team-A nodes D PodSecurityPolicy preventing cross-namespace pod scheduling

30 / 60

Question 31 of 60

A company uses Cloud Endpoints with an OpenAPI specification to manage their REST API. They want to add authentication requiring callers to present a JWT issued by their identity provider. Which Cloud Endpoints feature enables this? (Google Cloud Professional Cloud Architect, 2023)

A Enable Cloud Endpoints request logging and manually validate JWTs in the backend service B Use VPC Service Controls to restrict API access to callers with valid JWT credentials C Configure Cloud Armor with a custom WAF rule that inspects the Authorization header for valid JWT format D Define a securityDefinitions section in the OpenAPI spec with type: oauth2 or type: apiKey pointing to the JWKS URI of the IdP â€” Cloud Endpoints validates the JWT signature on every request before forwarding to the backend

31 / 60

Question 32 of 60

A team needs to store ML model artifacts, Docker container images, and Python packages in a single, managed repository on Google Cloud. Which service supports all three artifact types? (Google Cloud Professional Cloud Architect, 2023)

A GitHub Packages connected to Cloud Build for all artifact types B Cloud Storage with separate buckets per artifact type and signed URLs for access C Container Registry (GCR) for Docker images, PyPI server on Compute Engine for Python packages D Artifact Registry â€” a managed service that supports Docker images, Helm charts, Maven/Gradle packages, npm, Python packages, and generic binary artifacts in a single repository service with regional and multi-region storage

32 / 60

Question 33 of 60

A company wants to implement column-level access control in BigQuery so that analysts can query a table but cannot see the 'ssn' and 'salary' columns. Which BigQuery feature enables this? (Google Cloud Professional Cloud Architect, 2023)

A Create a view that excludes the restricted columns and grant access to the view only â€” this is the only option for column restriction B Create a BigQuery authorized function that masks column values based on the caller's IAM role C Use row-level access policies that filter rows where ssn is not null D Use BigQuery column-level security with policy tags â€” assign policy tags to the 'ssn' and 'salary' columns, create a data policy with fineGrainedReader role for authorized users, and the columns are masked or access-denied for unauthorized users in any query

33 / 60

Question 34 of 60

An organization receives security findings from Cloud Security Command Center and wants to automatically remediate specific finding types â€” such as 'Public bucket ACL' findings â€” without human intervention. What architecture achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Configure SCC to email the security team who manually fixes findings within 4 hours B Use Cloud Asset Inventory to scan for public buckets hourly and trigger a Cloud Function remediation job C Use Cloud Scheduler to run a Security Health Analytics check hourly and remediate via Terraform D Configure a Pub/Sub notification channel on SCC; create a Cloud Function subscribed to the Pub/Sub topic that parses the finding type and invokes the remediation action (e.g., removing allUsers IAM binding from the bucket) â€” fully automated, event-driven remediation

34 / 60

Question 35 of 60

A company uses Cloud SQL for PostgreSQL. They notice slow queries on a table with 100 million rows. EXPLAIN ANALYZE shows a sequential scan despite an index existing on the queried column. What is the most likely cause? (Google Cloud Professional Cloud Architect, 2023)

A Cloud SQL does not support B-tree indexes on tables larger than 50 million rows B The table is partitioned and the query does not specify the partition key C The index statistics are outdated and the query planner incorrectly estimates index selectivity D The query's WHERE clause uses a function on the indexed column (e.g., WHERE LOWER(email) = 'x') which prevents index use; the fix is to create a functional index on LOWER(email) or rewrite the query to use the column directly

35 / 60

Question 36 of 60

A team is building a streaming analytics pipeline using Dataflow that computes a running average of sensor readings per device over a sliding 10-minute window with 1-minute slides. Which windowing configuration in Apache Beam achieves this? (Google Cloud Professional Cloud Architect, 2023)

A GlobalWindows with a trigger firing every minute and a combining function for the average B TumblingWindows of 10 minutes â€” non-overlapping windows that start every 10 minutes C SessionWindows with a gap duration of 1 minute â€” groups bursts of activity into sessions D SlidingWindows(size=Duration.standardMinutes(10), period=Duration.standardMinutes(1)) applied to the PCollection of sensor readings keyed by device ID â€” each element appears in 10 overlapping 1-minute-period windows

36 / 60

Question 37 of 60

A company needs to process 50 million records nightly in BigQuery, transforming and loading data from Cloud Storage to a reporting dataset. Which approach minimizes cost and complexity? (Google Cloud Professional Cloud Architect, 2023)

A Run a Dataflow batch job that reads from Cloud Storage, transforms, and writes to BigQuery nightly B Load data into Cloud SQL first, then use federated queries from BigQuery for transformation C Use Cloud Data Fusion nightly ETL pipelines with a SQL transformation step D Use a BigQuery scheduled query that reads from external tables (Cloud Storage) and inserts transformed results into a native BigQuery table â€” eliminates Dataflow infrastructure and costs for this simple transformation pattern

37 / 60

Question 38 of 60

An architect is designing a hybrid cloud setup where on-premises applications access Google Cloud services (BigQuery, Cloud Storage) via private IPs without traversing the internet. Which combination of features enables this? (Google Cloud Professional Cloud Architect, 2023)

A Cloud VPN with Cloud CDN caching Google API responses at the on-premises edge B Cloud Interconnect with public peering to Google's API endpoints C Shared VPC with on-premises network attached as a service project D Cloud Interconnect (or Cloud VPN) with Private Google Access for on-premises â€” this extends Private Google Access over the interconnect/VPN so on-premises hosts can reach Google API endpoints (storage.googleapis.com, bigquery.googleapis.com) via private IPs over the dedicated link

38 / 60

Question 39 of 60

A company is planning a cloud migration and wants to assess which on-premises workloads are suitable for Google Cloud and estimate their cloud cost. Which Google Cloud tool provides this migration assessment? (Google Cloud Professional Cloud Architect, 2023)

A Cloud Asset Inventory for discovering on-premises VM configurations via agent B Migrate to Virtual Machines for performing the migration after assessment C StratoZone (discontinued) or equivalent partner tools â€” no native GCP tool exists for migration assessment D Google Cloud Migrate to Virtual Machines assessment features or the StratoZone platform (now part of Google) â€” collects on-premises VM inventory, rightsizing recommendations, and GCP pricing estimates to guide migration planning

39 / 60

Question 40 of 60

A company's Cloud Run service handles sensitive HTTP requests. They want to ensure that only requests originating from their internal GKE cluster (in the same VPC) are accepted, blocking all internet traffic. Which configuration achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Deploy Cloud Run in a VPC connector with private IP and use Kubernetes NetworkPolicy to restrict access B Add a Cloud Armor security policy blocking all external IP ranges C Configure a VPC firewall rule denying ingress from 0.0.0.0/0 to the Cloud Run service IP D Set Cloud Run ingress to 'internal' â€” only requests from within the VPC (or connected networks via VPC peering/Interconnect/VPN) reach the service; internet traffic is rejected at Google's network edge

40 / 60

Question 41 of 60

A company runs a batch analytics job on Dataproc every night using a persistent cluster. The cluster sits idle for 22 hours a day. How should the architecture be changed to reduce costs? (Google Cloud Professional Cloud Architect, 2023)

A Enable Dataproc autoscaling to scale the cluster to 0 workers during idle periods â€” Dataproc autoscaling has a minimum of 2 workers B Move the job to BigQuery ML which uses no Dataproc clusters C Switch to preemptible workers for all nodes in the persistent cluster D Use ephemeral Dataproc clusters â€” create a cluster at job start, run the job, delete the cluster on completion; combined with Dataproc Serverless (Spark) or Dataproc Workflow Templates for orchestration, this eliminates idle cluster costs

41 / 60

Question 42 of 60

An organization wants to ensure that no personally identifiable information (PII) is stored in plain text in BigQuery tables created by any team. Which proactive control enforces this? (Google Cloud Professional Cloud Architect, 2023)

A Run a Cloud DLP inspection scan daily and alert the security team when PII is detected in BigQuery B Create BigQuery column access policies on all tables containing PII fields C Grant only masked views of BigQuery tables to all users using BigQuery authorized views D Use Cloud DLP in inspection and de-identification pipeline mode â€” all data written to BigQuery passes through a Dataflow pipeline running Cloud DLP de-identification transforms (masking, tokenization, bucketing) before insertion, ensuring no plain-text PII reaches BigQuery

42 / 60

Question 43 of 60

A team wants to accelerate their ML model training on Vertex AI by running distributed training across multiple GPUs. They need the training code to coordinate gradient updates efficiently. Which distributed training framework does Vertex AI Training natively support for TensorFlow and PyTorch? (Google Cloud Professional Cloud Architect, 2023)

A Apache Spark ML with GPU-attached Dataproc clusters for distributed gradient descent B Ray on GKE for distributed hyperparameter tuning across GPU nodes C OpenMPI for CPU-based distributed training only; GPU training must be single-node D Vertex AI Training supports TensorFlow's tf.distribute.MirroredStrategy and MultiWorkerMirroredStrategy (for multi-node), and PyTorch's torch.distributed with ReduceOps â€” these are configured in the training code and executed across the Vertex AI worker pool with automatic environment variable injection

43 / 60

Question 44 of 60

A company is adopting a GitOps model for their GKE deployments. They want Kubernetes manifests stored in a Git repository to be automatically applied to the cluster whenever changes are merged to the main branch. Which Google Cloud feature provides native GitOps for GKE? (Google Cloud Professional Cloud Architect, 2023)

A Anthos Config Management (ACM) policy controller for applying OPA policies on Git push B Cloud Build with kubectl apply in a build step triggered by a Git push C Cloud Deploy with a delivery pipeline configured to watch a Git repository for changes D Config Sync (part of Google Cloud's GKE fleet management) â€” it continuously syncs Kubernetes configurations from a Git repository (Cloud Source Repositories, GitHub, GitLab) to one or more GKE clusters, automatically applying changes on commit

44 / 60

Question 45 of 60

A company's Cloud Storage bucket contains 10 PB of object data. They need to find all objects larger than 1 GB that were last modified more than 2 years ago for potential deletion. How can they efficiently query this metadata? (Google Cloud Professional Cloud Architect, 2023)

A Run 'gsutil ls -l gs://bucket' and parse the output â€” efficient for any bucket size B Enable Cloud Monitoring storage metrics and filter objects by size and age in the Metrics Explorer C Use Cloud Asset Inventory which exports Cloud Storage object metadata to BigQuery D Use Cloud Storage Inventory Reports â€” enable the feature to generate daily CSV or ORC reports of all object metadata (size, last modified, storage class) written to BigQuery or Cloud Storage, then query with SQL

45 / 60

Question 46 of 60

A team uses Terraform to manage Google Cloud infrastructure. They want to store Terraform state remotely in a way that supports state locking to prevent concurrent modifications. Which backend is recommended for GCP? (Google Cloud Professional Cloud Architect, 2023)

A Use a Cloud Storage backend â€” Terraform's GCS backend stores state files in a bucket and uses Cloud Storage object locks or a GCS-native locking mechanism to prevent concurrent apply operations B Use Terraform Cloud as the backend â€” it provides state locking, remote execution, and history C Store state in a Compute Engine persistent disk mounted to the Terraform executor VM D Store state in a Cloud Firestore document â€” Firestore provides built-in document locking

46 / 60

Question 47 of 60

A healthcare app processes patient data on GKE. A security audit reveals that some pods have been granted excessive IAM permissions via their node's service account (the compute default service account with Editor role). What is the correct fix? (Google Cloud Professional Cloud Architect, 2023)

A Enable Workload Identity on the GKE cluster, create per-workload service accounts with only the permissions each workload needs, and remove the compute default service account or replace it with a custom minimal-permission node service account B Grant the compute default service account the Viewer role instead of Editor to reduce scope C Delete and recreate the GKE cluster with no service account attached to nodes D Remove all service accounts from the GKE nodes and use application-level API key authentication

47 / 60

Question 48 of 60

An organization uses a hub-and-spoke network topology in Google Cloud. The hub VPC hosts shared services (AD, DNS, NAT). Spoke VPCs must communicate with the hub but not with each other. Which network architecture enforces this? (Google Cloud Professional Cloud Architect, 2023)

A Use VPC peering between each spoke and the hub VPC only â€” VPC peering is not transitive, so spoke-to-spoke communication is blocked by default; firewall rules on the hub VPC further restrict which hub services spokes can access B Use a Transit VPC with Cloud VPN tunnels between all spokes and the hub for transitive routing C Enable VPC Flow Logs on spoke VPCs and deny any flows between spoke CIDR ranges D Use Shared VPC with the hub as host project and spokes as service projects â€” service projects cannot communicate peer-to-peer in this model

48 / 60

Question 49 of 60

A company wants to implement a canary deployment for a Cloud Run service, sending 5% of traffic to the new revision and 95% to the current stable revision, with automatic rollback if error rate on the new revision exceeds 1%. Which setup achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Configure Cloud Run traffic splitting (5% new revision, 95% current) and create a Cloud Monitoring alert on Cloud Run error rate metric for the new revision tag; use a Cloud Function or Cloud Run job triggered by the alert to update traffic splitting back to 100% on the stable revision B Use Cloud Armor traffic splitting rules to split 5% of requests to the canary revision C Deploy the canary as a separate Cloud Run service behind a Global Load Balancer with weighted backend services D Use Cloud Deploy canary strategy which automatically monitors Cloud Run error rates and rolls back

49 / 60

Question 50 of 60

A company stores sensitive customer records in Cloud Spanner. They need to provide a read-only view of customer data to a third-party analytics firm with email addresses redacted. Which design minimizes data exposure? (Google Cloud Professional Cloud Architect, 2023)

A Use Cloud Spanner fine-grained access controls with data boost â€” create a read-only user with access restricted to specific columns, excluding email; alternatively, use a BigQuery federated query over Spanner with a view that masks the email column B Create a separate Cloud Spanner database copy with emails masked for the analytics firm C Export the data to BigQuery and grant the analytics firm access to a view with REGEXP_REPLACE masking the email field D Use Cloud DLP to scan and redact emails before the analytics firm queries Cloud Spanner

50 / 60

Question 51 of 60

A team is designing a pub/sub system where multiple downstream consumers must each independently process all events, but message processing order must be maintained per partition key (device ID). Which Pub/Sub configuration supports this? (Google Cloud Professional Cloud Architect, 2023)

A Create one Pub/Sub topic with message ordering enabled (ordering key = device ID) and a separate subscription per consumer â€” each subscription has independent message delivery with ordering preserved per device ID within each subscription B Create one topic with a separate subscription per consumer and use message attributes for device ID; Pub/Sub guarantees ordering globally across all subscribers C Create separate topics per consumer and publish a copy of each message to all topics D Create one Pub/Sub topic with one subscription shared by all consumers â€” use a load balancer to distribute messages by device ID

51 / 60

Question 52 of 60

A company's GKE cluster is running production workloads and has received a Kubernetes security advisory for a critical CVE in the control plane. They need to apply the patch without any workload downtime. What should they do? (Google Cloud Professional Cloud Architect, 2023)

A Upgrade the GKE cluster master to the patched version using the GKE upgrade mechanism â€” master upgrades in GKE have no downtime for running workloads; the API server is unavailable for a few minutes but pods continue to run B Recreate the cluster from scratch with the patched version and migrate workloads using blue-green C Manually SSH into the master node and apply the OS patch directly D Drain all nodes and upgrade the cluster to the patched version in a maintenance window

52 / 60

Question 53 of 60

An architect is designing a system where a Cloud Function must call a third-party API that rate-limits requests to 100 per second. Under bursty load, Cloud Functions may scale to hundreds of instances, each making concurrent API calls, exceeding the rate limit. How should this be addressed? (Google Cloud Professional Cloud Architect, 2023)

A Place the API calls in a Cloud Tasks queue with a rate limit of 100 dispatches per second â€” Cloud Tasks throttles the call rate regardless of how many Cloud Function instances are running B Set the Cloud Function's maximum instances to 1 to prevent concurrent execution C Use Cloud Scheduler to batch and send API calls once per second from a single Cloud Function D Implement exponential backoff retry in the Cloud Function to handle 429 rate-limit errors

53 / 60

Question 54 of 60

A team wants to enable fine-grained access to BigQuery tables based on a user's department attribute stored in their Cloud Identity profile. Which IAM feature enables attribute-based access control in Google Cloud? (Google Cloud Professional Cloud Architect, 2023)

A IAM Conditions with custom attributes from Cloud Identity â€” conditions can express 'grant access only if the requester has attribute X' in the policy binding, enabling ABAC in addition to role-based control B BigQuery row-level security policies using SESSION_USER() function matching to user department C BigQuery column-level security with policy tags that reference Cloud Identity attributes D Organization Policy Service with IAM condition-based constraints tied to Cloud Identity groups

54 / 60

Question 55 of 60

A company is evaluating whether to use Vertex AI Pipelines or Cloud Composer for orchestrating their ML training workflows. Under what conditions is Vertex AI Pipelines the better choice? (Google Cloud Professional Cloud Architect, 2023)

A When the workflow is primarily ML-focused (data preparation, training, evaluation, model registration, deployment) and the team wants Kubeflow Pipelines-compatible YAML/Python DSL with built-in ML metadata tracking, lineage, and Vertex AI integration B When workflows require triggers based on Cloud Storage file uploads â€” only Vertex AI Pipelines supports event-driven ML workflow triggering C When the team needs a Hive and Spark-based workflow orchestration engine optimized for ML D When workflows include non-ML steps like database backups and report generation â€” Vertex AI Pipelines handles these better than Composer

55 / 60

Question 56 of 60

A SaaS provider hosts a service on Google Cloud and provides it to multiple enterprise customers. Each customer requires strict data isolation â€” no customer can access another's data even in a shared service tier. Which data isolation architecture is most appropriate for a single-codebase multi-tenant SaaS? (Google Cloud Professional Cloud Architect, 2023)

A Tenant-isolated projects: each customer's data resides in a dedicated GCP project with dedicated storage resources; the application uses customer-to-project routing; centralized management is maintained through a fleet management layer B Row-level security in a shared BigQuery dataset with a 'tenant_id' column filtered by the authenticated user's JWT claim C VPC Service Controls with one perimeter per customer sharing the same Cloud Spanner instance D Separate Cloud Storage buckets per customer in a single project with per-bucket IAM policies

56 / 60

Question 57 of 60

A company's security team requires that all API calls made to Google Cloud APIs from their organization be logged in Cloud Audit Logs, including data read operations on BigQuery and Cloud Storage. By default, what must be configured to enable data access logs? (Google Cloud Professional Cloud Architect, 2023)

A Data Access audit logs are disabled by default (except for BigQuery which logs data reads by default). They must be explicitly enabled per service in the IAM & Admin > Audit Logs configuration for the organization, folder, or project B Data access logs are enabled by default for all services and require no additional configuration C Data access logs require the Security Command Center Premium tier to be activated D Data access logs are captured automatically only when Cloud DLP is enabled on the resource

57 / 60

Question 58 of 60

A company wants to run database read workloads on cheaper infrastructure without impacting the primary database. Cloud Spanner is their primary store. Which Spanner feature allows read offloading to lower-cost replicas? (Google Cloud Professional Cloud Architect, 2023)

A Enable Spanner Data Boost which allocates a dedicated compute slice for read-only queries using the Spanner API without consuming primary instance compute B Use Cloud Spanner Data Boost (preview) â€” dedicated compute capacity for analytics queries that runs independently from OLTP on the same Spanner database with no impact on production transactions C Create a Cloud Spanner secondary database instance in a different region for read queries D Use Datastream to replicate Spanner data to BigQuery for analytics reads

58 / 60

Question 59 of 60

A company's Pub/Sub subscription processes credit card transactions. An occasional message causes a poison pill â€” the consumer crashes on processing, the message is nacked, redelivered, and crashes the consumer again infinitely. Which Pub/Sub feature breaks this cycle? (Google Cloud Professional Cloud Architect, 2023)

A Configure a dead-letter topic (DLQ) on the subscription â€” after a configurable number of delivery attempts (e.g., 5), unacknowledged messages are forwarded to the dead-letter topic for inspection and manual or automated remediation B Enable Pub/Sub message ordering so the poison pill is processed only once C Configure the subscription with a retry policy with exponential backoff to slow down redelivery D Increase the subscription acknowledgement deadline to give the consumer more time to process the message

59 / 60

Question 60 of 60

An architect needs to choose between Cloud NAT and Cloud VPN for enabling internet access for VMs without external IPs. When is Cloud NAT the correct choice? (Google Cloud Professional Cloud Architect, 2023)

A Cloud NAT provides outbound-only internet access for VMs without external IPs, translating private IPs to a shared external IP for outbound connections; use Cloud NAT when VMs need to make outbound internet calls (software updates, API calls) without being reachable from the internet â€” Cloud VPN is for private connectivity to on-premises or other cloud networks B Cloud NAT provides inbound internet access for VMs on private IPs similar to port forwarding C Cloud NAT and Cloud VPN are interchangeable â€” use whichever the team is more familiar with D Cloud NAT is for connecting on-premises networks to GCP; Cloud VPN is for giving VMs internet access

60 / 60

GCP Professional Cloud Architect Intermediate Quiz