GCP Professional Cloud Ar - Free Practice Quiz

Question 1 of 60

A financial services firm requires a multi-region active-active architecture for a transaction processing system. They need zero data loss (RPO=0) and near-instant failover (RTO<30s) with strong consistency across regions. Which architecture meets all three requirements while minimizing operational complexity? (Google Cloud Professional Cloud Architect, 2023)

A Multi-region Cloud SQL with synchronous replication and a global load balancer promoting the read replica automatically on failure B Multi-region Firestore with strong consistency reads and a global external load balancer for active-active traffic C Cloud Spanner with a multi-region configuration (e.g., nam6) â€” Spanner's TrueTime protocol ensures external consistency (RPO=0) with synchronous multi-region replication; a global HTTP(S) load balancer detects instance unhealthy within seconds and re-routes traffic without manual promotion D Bigtable multi-cluster replication with the application performing application-level conflict resolution for concurrent writes

1 / 60

Question 2 of 60

An organization is designing a data mesh architecture on Google Cloud. Domain teams own their data products (BigQuery datasets) and must be able to share data with other domains without a central data team intermediary. How should cross-domain access be architected at scale? (Google Cloud Professional Cloud Architect, 2023)

A Use a single organization-wide BigQuery project where all domains contribute tables to a shared dataset; enforce ownership via column-level access policies B Central data engineering team creates and manages authorized views for all inter-domain data access C Implement Analytics Hub â€” data producers publish BigQuery datasets as listings in an Analytics Hub exchange; consumers subscribe and receive a linked dataset (read-only view) in their own project; IAM controls who can subscribe; no central intermediary for data sharing D Use VPC Service Controls perimeters per domain; route cross-domain data via Pub/Sub streams rather than direct dataset access

2 / 60

Question 3 of 60

A company's security operations team needs real-time detection of threats across 50 Google Cloud projects, with sub-minute latency between event occurrence and security alert. They receive 2 billion log events per day. Which architecture achieves this scale without data loss? (Google Cloud Professional Cloud Architect, 2023)

A Use Security Command Center Event Threat Detection which analyzes logs centrally at sub-minute latency without additional infrastructure B Export all logs to Chronicle SIEM which natively ingests 2B events/day at sub-minute latency C Use organization-level log sinks to aggregate all project logs into a single Pub/Sub topic; deploy a Cloud Dataflow streaming pipeline that reads from the topic, applies threat detection logic (signature matching, anomaly detection), and writes alerts to Cloud Monitoring and a Firestore incident store â€” Dataflow's auto-scaling handles 2B events/day without message loss D Deploy a Splunk instance on GKE with a Pub/Sub input plugin; scale Splunk indexers using Kubernetes HPA

3 / 60

Question 4 of 60

A multinational company must comply with the EU AI Act's requirements for high-risk AI systems, including model explainability, human oversight logging, and bias detection. They train and serve models on Vertex AI. Which Vertex AI features address these requirements? (Google Cloud Professional Cloud Architect, 2023)

A Vertex AI Feature Store for feature lineage, AutoML for automated bias correction, and Cloud Logging for request logging B Vertex AI Pipelines for reproducible training, TensorFlow Model Analysis for metrics, and BigQuery ML for fairness constraints C Vertex AI Explainable AI (feature attributions via SHAP/XRAI) for explainability; Vertex AI Model Monitoring for skew and drift detection (bias monitoring); Cloud Audit Logs for API call logging as the human oversight audit trail; Model Registry for versioned model governance D Vertex AI Vizier for hyperparameter optimization that automatically minimizes bias metrics during training

4 / 60

Question 5 of 60

A company has a hybrid architecture where on-premises Spark jobs must read from and write to Cloud Storage and BigQuery. They need consistent, low-latency access and want to minimize egress costs. The on-premises data center is connected via a 10Gbps Dedicated Interconnect. Which network configuration minimizes egress charges while enabling the access? (Google Cloud Professional Cloud Architect, 2023)

A Route all traffic through a Cloud VPN tunnel; Cloud VPN has lower egress costs than Interconnect B Use Cloud Storage Transfer Service to stage data locally before Spark jobs process it C Enable Private Google Access for on-premises over the Interconnect, routing API calls (storage.googleapis.com, bigquery.googleapis.com) through the Interconnect via Cloud Router advertisement â€” network traffic to Google APIs over Interconnect does not incur internet egress charges D Use DirectPath (gRPC) from on-premises to bypass the VPC and reduce latency

5 / 60

Question 6 of 60

A company runs a complex microservices application on GKE with service-to-service communication secured by Anthos Service Mesh mTLS. A security audit requires that all inter-service communication logs (source, destination, latency, response code) be retained for 2 years for forensic purposes. How should this be implemented without impacting application performance? (Google Cloud Professional Cloud Architect, 2023)

A Add structured logging code to each microservice to log inter-service call metadata B Configure Cloud Trace to capture all spans and export them to BigQuery for long-term retention C Configure Anthos Service Mesh telemetry export to Cloud Logging using Stackdriver adapter; create an organization-level log sink exporting ASM access logs to Cloud Storage with a 2-year retention policy and object lock; ASM logs service-to-service calls at the Envoy proxy layer without application code changes D Enable Cloud Monitoring metrics for Istio and create custom dashboards per service pair

6 / 60

Question 7 of 60

A gaming company needs a leaderboard that processes 100,000 score updates per second globally, serves real-time rank queries in under 10ms, and maintains the top 10,000 players sorted by score. Which architecture best meets these requirements? (Google Cloud Professional Cloud Architect, 2023)

A Cloud Bigtable with a row key of inverted score for natural sort order, queried via the HBase API B BigQuery with a continuous streaming insert pipeline and a REST API querying the table with ORDER BY score LIMIT 10000 C Cloud Spanner (writes) + Memorystore for Redis with sorted sets (ZADD/ZRANK) for real-time leaderboard serving â€” Spanner handles consistent writes; a Dataflow pipeline maintains the Redis sorted set in near-real-time; Redis ZADD is O(log N) and ZRANK is O(log N), meeting the 10ms latency requirement D Cloud Firestore with a score-ordered collection query and local reads enabled

7 / 60

Question 8 of 60

A company migrates a 10 TB PostgreSQL database to Cloud Spanner. During testing, they find that queries using PostgreSQL-specific features (LATERAL JOINs, arrays, recursive CTEs) fail on Spanner. What is the migration strategy for these incompatibilities? (Google Cloud Professional Cloud Architect, 2023)

A Use Cloud Spanner's PostgreSQL-compatible interface (Spanner PG dialect) â€” it supports all PostgreSQL syntax including LATERAL JOINs and recursive CTEs B Use Database Migration Service to automatically convert all PostgreSQL queries to Spanner-compatible SQL during migration C Assess each incompatible query: Spanner's PG dialect supports many PostgreSQL constructs but not all (e.g., complex recursive CTEs may need rewriting as iterative queries using application-side loops); use the Spanner migration tool to identify incompatible SQL and plan rewrites before migration D Deploy a PgBouncer proxy in front of Spanner to translate PostgreSQL syntax transparently

8 / 60

Question 9 of 60

An organization wants to implement a policy that prevents any VM in their GCP organization from using the N1 machine family (due to Spectre/Meltdown concerns) and mandates only N2 or C2 families. How can this be enforced as a hard constraint? (Google Cloud Professional Cloud Architect, 2023)

A Remove the compute.instances.create IAM permission from all users and require a dedicated deployment service account that enforces the machine type B Create a Cloud Monitoring alert when N1 VMs are created and trigger a Cloud Function to delete them C Use the 'compute.restrictMachineTypes' organization policy constraint to deny N1 machine types at the organization level â€” this prevents any project from creating VMs with N1 machine families D Set the 'compute.restrictCloudSQLInstances' organization policy â€” it covers VM machine types across the organization

9 / 60

Question 10 of 60

A company's Cloud Armor WAF is configured with OWASP rules, but legitimate requests from a high-volume partner API are being blocked because the partner's request payload contains SQL-like syntax in a JSON field (false positives). How should this be handled? (Google Cloud Professional Cloud Architect, 2023)

A Disable the SQLi detection rule globally to stop false positives for the partner B Add the partner's IP range to a Cloud Armor pre-configured rule override with decreased sensitivity C Create a Cloud Armor rule with a higher priority that matches the partner's IP range (or a request header they include) and applies a preconfigured-rule override to decrease the sensitivity level for SQLi detection only for those requests, while the lower-priority rule continues protecting all other traffic D Use Cloud Armor adaptive protection to automatically tune the SQLi rule for the partner's traffic pattern

10 / 60

Question 11 of 60

A company uses multiple Google Cloud projects managed by different teams. They want to ensure all projects comply with CIS Google Cloud Foundation Benchmark controls without manually auditing each project. Which approach provides continuous, automated compliance monitoring? (Google Cloud Professional Cloud Architect, 2023)

A Enable Cloud Asset Inventory weekly exports and manually compare against CIS controls B Run the CIS-CAT benchmark tool weekly on Compute Engine instances across all projects C Enable Security Command Center Premium's Security Health Analytics â€” it continuously monitors all projects against compliance standards (CIS GCP Benchmark, PCI DSS, HIPAA, ISO 27001) and generates findings for non-compliant resources, aggregated at the organization level in SCC D Use Forseti Security to scan projects for CIS compliance every 6 hours

11 / 60

Question 12 of 60

A team is designing a multi-tenant SaaS platform on Google Cloud where each tenant's ML model must be trained on their own data in complete isolation, with training jobs running on Vertex AI. Training costs must be attributable per tenant for billing. How should this architecture be designed? (Google Cloud Professional Cloud Architect, 2023)

A Train all tenant models in a single shared Vertex AI Training job with tenant ID as a feature â€” post-train per-tenant models using federated learning B Use a single Vertex AI managed dataset with tenant-ID row labels and train per-tenant models using Vertex AI AutoML data slicing C Provision a separate GCP project per tenant for Vertex AI Training jobs â€” training runs in the tenant's project; IAM isolation is at the project level; billing export from each project provides per-tenant cost attribution without cross-tenant data access risk D Use Vertex AI Workbench notebooks per tenant with quotas limiting compute usage

12 / 60

Question 13 of 60

A company's Cloud Run application needs to access a Memorystore Redis instance. Cloud Run services have no static IPs. The Memorystore Redis instance is on a VPC with authorized networks required. How should this connectivity be configured? (Google Cloud Professional Cloud Architect, 2023)

A Assign a static external IP to the Cloud Run service and add it to the Memorystore authorized networks list B Use Cloud Run's built-in Memorystore connector that establishes encrypted connections without VPC requirements C Connect the Cloud Run service to a VPC using a Serverless VPC Access connector â€” Cloud Run egress traffic routes through the connector to the VPC's private IP space where Memorystore Redis is reachable via its private IP; no external IPs or authorized network configuration needed D Deploy Cloud Run in the same region as Memorystore; Redis automatically allows same-region Cloud Run connections

13 / 60

Question 14 of 60

A company needs to implement a solution where their on-premises SIEM (Splunk) receives real-time security events from Google Cloud â€” including Cloud Audit Logs, VPC Flow Logs, and Cloud IDS findings â€” in a format compatible with their existing Splunk dashboards. What is the most scalable architecture? (Google Cloud Professional Cloud Architect, 2023)

A Configure Splunk's GCP Serverless Pull connector to poll Cloud Logging API every 30 seconds B Export logs directly from Cloud Logging to Splunk using HTTPS Event Collector (HEC) with Cloud Logging's Pub/Sub destination C Use log sinks to export Cloud Audit Logs and VPC Flow Logs to Pub/Sub; deploy a Splunk Add-on for Google Cloud (Cloud Functions or Dataflow template) that reads from Pub/Sub and posts to Splunk HEC â€” this pattern handles millions of events per day with managed scaling D Use Cloud Dataflow to read from Cloud Logging and write formatted events to Splunk's TCP syslog listener

14 / 60

Question 15 of 60

A company uses Terraform to manage 200 GCP projects. They want to enforce that every new project must have Cloud Logging export to a central BigQuery dataset enabled within 5 minutes of project creation. What is the most reliable architecture? (Google Cloud Professional Cloud Architect, 2023)

A Use Cloud Asset Inventory asset feeds to detect new projects and trigger a Cloud Function that creates the log sink B Create a Cloud Scheduler job that runs every 5 minutes and uses Terraform to check all projects and create missing log sinks C Use an organization-level log sink with an org-wide aggregation that automatically captures logs from all projects (including new ones) â€” no per-project configuration needed; new projects are included automatically when created under the organization D Configure Cloud Build to run Terraform apply on each new project as a post-provisioning step

15 / 60

Question 16 of 60

A company's Dataflow pipeline processes sensitive PII and must ensure that no PII is logged in Dataflow worker logs or Cloud Logging. However, Dataflow sometimes logs pipeline element contents in error messages. How should this be addressed? (Google Cloud Professional Cloud Architect, 2023)

A Configure Cloud Logging log exclusion filters to drop all Dataflow worker logs B Set the Dataflow pipeline's log level to ERROR to suppress informational logs containing PII C Enable Dataflow worker private IPs and disable Cloud Logging access to prevent log exfiltration D Implement a custom Coder in Apache Beam that wraps PII elements â€” the wrapper's toString() method returns a redacted representation; since Dataflow uses toString() for logging, PII is never written to logs; apply the Coder to all PCollection steps containing PII

16 / 60

Question 17 of 60

A company operates in a regulated industry and must ensure their GCP organization uses only services that have achieved FedRAMP High authorization. They need an automated mechanism to block provisioning of non-FedRAMP services. How should this be implemented? (Google Cloud Professional Cloud Architect, 2023)

A Enable Cloud Asset Inventory monitoring to alert when non-FedRAMP services are created and manually remove them B Create a BigQuery scheduled query that checks service usage across all projects and reports violations C Deploy a custom admission webhook on all GKE clusters to intercept resource creation and check service type D Use the 'gcp.restrictServiceUsage' organization policy constraint with an allowed list of FedRAMP High authorized service APIs â€” when a project attempts to enable a non-listed API, the enable call is rejected at the API enablement layer

17 / 60

Question 18 of 60

A company wants to implement chaos engineering practices for their GKE application. They want to automatically inject failures (pod termination, network latency, CPU stress) and measure system resilience without writing custom tooling. Which Google Cloud approach supports this? (Google Cloud Professional Cloud Architect, 2023)

A Use GKE Autopilot's built-in chaos testing mode that periodically terminates random pods B Configure Cloud Scheduler to run kubectl delete pod at random intervals across namespaces C Use Anthos Config Management to apply fault-injection virtual services via Istio policy D Use Chaos Monkey-compatible tools (Chaos Mesh, Litmus Chaos) deployed on GKE â€” these Kubernetes-native chaos frameworks support pod failure, network chaos, and resource stress injection; combine with Cloud Monitoring SLO burn rate alerts to measure resilience impact

18 / 60

Question 19 of 60

A company needs to meet PCI DSS v4.0 requirements for cardholder data environment (CDE) isolation on Google Cloud. Which combination of controls satisfies the network segmentation requirements? (Google Cloud Professional Cloud Architect, 2023)

A Cloud HSM for payment card key management combined with VPC peering to connect CDE to production B VPC firewall rules restricting port 443 access to CDE instances; CMEK for all CDE data at rest; quarterly penetration testing C Shared VPC with a dedicated subnet for CDE and network tags restricting access; Cloud Armor on the CDE load balancer D Dedicated GCP projects for CDE with VPC Service Controls perimeter around CDE APIs (Cloud SQL, Cloud Storage); Private Service Connect for internal API access; no external IPs on CDE VMs; Cloud NAT for outbound-only internet; Hierarchical Firewall Policies enforcing microsegmentation between CDE and non-CDE subnets; Cloud IDS for east-west traffic inspection

19 / 60

Question 20 of 60

An organization wants to implement infrastructure drift detection â€” automatically comparing the actual GCP resource state against the Terraform state file and alerting when they diverge. Which architecture achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Run 'terraform plan' manually before each deployment to detect drift B Use Config Connector with Terraform; Config Connector reconciles GCP resources with the desired state defined in Kubernetes CRDs, automatically detecting and correcting drift C Enable Cloud Audit Log export to BigQuery and write SQL queries to compare resource configurations over time D Use Cloud Asset Inventory with an asset feed that triggers a Cloud Function on resource changes; the function compares the changed resource against the Terraform state file stored in Cloud Storage and publishes a drift alert to Cloud Monitoring if they differ

20 / 60

Question 21 of 60

A team is optimizing the cost of their analytics workload on BigQuery. The workload has predictable daily usage (100 slots continuously for 8 hours) plus occasional burst queries requiring up to 1,000 slots for 30 minutes daily. Which BigQuery pricing configuration minimizes cost? (Google Cloud Professional Cloud Architect, 2023)

A On-demand pricing for all queries â€” simpler billing and no slot management overhead B Purchase 1,000 slot hourly commitments to handle both baseline and peak without limitation C Purchase 1,000 slots on a 1-year commitment; idle slots represent wasted spend D Purchase 100-slot standard commitments (1-year) for baseline; use BigQuery Editions autoscaling for burst capacity (paying only for burst slot-seconds consumed) â€” baseline is cheaper with committed discounts; bursts pay as-you-go at autoscale rates only when used

21 / 60

Question 22 of 60

A company has deployed a GKE application that consistently experiences latency p99 > 500ms under high CPU. CPU requests are set to 250m but usage spikes to 800m. Increasing CPU limits does not help because the Kubernetes cluster is already CPU-saturated. What is the correct remediation sequence? (Google Cloud Professional Cloud Architect, 2023)

A Enable GKE Autopilot â€” it automatically right-sizes pod CPU based on usage patterns B Switch from CPU-based HPA to memory-based HPA to better track resource pressure C Add cluster autoscaling maximum node count increase â€” new nodes will provide CPU capacity for the saturated pods D First, profile the application to verify CPU bottleneck vs. I/O or network; then increase CPU requests to match actual usage (triggering cluster autoscaler to add nodes); tune HPA target utilization to maintain headroom; if CPU is not the actual bottleneck, optimize the application code or switch to GKE multi-dimensional autoscaling (CPU + memory + custom metrics)

22 / 60

Question 23 of 60

A company wants to achieve SOC 2 Type II compliance on Google Cloud. Which Google-provided documentation artifact demonstrates that Google's infrastructure controls are operating effectively over a defined period? (Google Cloud Professional Cloud Architect, 2023)

A Google Cloud's GDPR Data Processing Agreement covering data subject rights B Google Cloud's ISO 27001 certificate covering Compute Engine and Cloud Storage only C Google's SSAE 18 SOC 1 report â€” the financial controls audit, equivalent to SOC 2 for security D Google's SOC 2 Type II report (available via Google Cloud Compliance Reports Manager) â€” a third-party auditor attests that Google's controls for security, availability, processing integrity, confidentiality, and privacy have operated effectively over the audit period; customers can use this as evidence that the cloud layer's controls are in place

23 / 60

Question 24 of 60

A company is processing genomics data pipelines that generate 100 TB of intermediate data per run. The pipeline runs on Dataflow. Intermediate data is written to Cloud Storage between pipeline stages. How should Cloud Storage storage class be configured to minimize cost given that intermediate data is deleted within 24 hours? (Google Cloud Professional Cloud Architect, 2023)

A Use Standard storage class â€” the high availability is required for inter-stage data resilience during the pipeline run B Use Nearline storage â€” 30-day minimum storage charge applies even for 24-hour data, making it more expensive than Standard for short-lived objects C Use Standard storage but immediately move to Archive class after creation using Lifecycle Management D Use Standard storage class for intermediate data (deleted within 24 hours) â€” Nearline, Coldline, and Archive have minimum storage durations (30, 90, 365 days) and charge for the full minimum even if deleted earlier; Standard has no minimum, so 24-hour intermediate data costs only 24/720 Ã— Standard rate

24 / 60

Question 25 of 60

A company's analytics team runs BigQuery queries that frequently JOIN two large tables (10 TB each). Query costs are high because both tables are scanned in full on every join. How can this be optimized without changing the query logic? (Google Cloud Professional Cloud Architect, 2023)

A Enable BigQuery BI Engine to cache join results in memory for repeated queries B Use BigQuery Reservations to ensure sufficient slots so the join completes faster, reducing cost C Create authorized BigQuery views that pre-filter both tables before the join is applied D Cluster and partition both tables on the join key; use RANGE partitioning or DATE partitioning on the time dimension and CLUSTER BY on the join key â€” partition pruning and clustering both reduce bytes scanned, reducing both query time and cost

25 / 60

Question 26 of 60

A company uses Cloud Run for their API backend. They observe that the service occasionally returns errors during traffic spikes because new instances are starting up ('cold starts') while existing instances are fully utilized. What is the most effective configuration change to minimize cold start impact? (Google Cloud Professional Cloud Architect, 2023)

A Set the Cloud Run service's minimum instances to 0 and rely on Pub/Sub pre-warming messages B Increase the Cloud Run service's request timeout to give cold-starting instances more time to respond C Use Cloud Armor to rate-limit incoming traffic to the maximum number of current warm instances D Set minimum-instances > 0 on the Cloud Run service to maintain a pool of warm instances; this eliminates cold starts for predictable baseline traffic while the service still scales up additional instances during spikes beyond the warm pool

26 / 60

Question 27 of 60

A company's GKE cluster runs in a VPC. They need to connect a Cloud SQL instance to a pod without exposing the Cloud SQL instance publicly and without using the Cloud SQL Proxy sidecar pattern. Which approach achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Use a Kubernetes Service of type ExternalName pointing to the Cloud SQL public IP with SSL required B Use Cloud SQL Auth Proxy as a DaemonSet on each GKE node so pods connect via localhost to the node's proxy C Enable VPC peering between the Cloud SQL VPC and the GKE VPC for connectivity D Enable Cloud SQL Private IP (VPC-native) for the Cloud SQL instance in the same VPC as GKE; use Private Service Connect or direct private IP to connect from pods â€” no sidecar required, pods connect directly to the Cloud SQL private IP

27 / 60

Question 28 of 60

A company's security policy requires that all secrets rotated in Secret Manager trigger automatic rotation of the corresponding configuration in all running Cloud Run services without manual redeployment. How should this be implemented? (Google Cloud Professional Cloud Architect, 2023)

A Use Cloud Run's built-in secret rotation detection that polls Secret Manager every 60 seconds B Configure Cloud Run to use the 'latest' secret version pointer so it automatically uses the new version without redeployment C Use Cloud Scheduler to trigger nightly redeployments of all Cloud Run services D Configure a Pub/Sub notification on Secret Manager rotation events; a Cloud Run job subscribed to the topic calls the Cloud Run Admin API to update the secret version reference and trigger a new revision deployment â€” or, redesign the service to read secrets dynamically at request time (not at startup) using the Secret Manager API, avoiding redeployment entirely

28 / 60

Question 29 of 60

A company wants to implement immutable infrastructure for their GKE node pools â€” no SSH access, no manual OS modifications, and node OS images rebuilt on every deployment. Which GKE features support this? (Google Cloud Professional Cloud Architect, 2023)

A Use GKE Standard with OS Login disabled and SSH key metadata removed from node metadata B Use GKE Autopilot which prevents SSH access by default and manages node images C Enable BeyondCorp remote access for GKE nodes and require all SSH access to go through IAP for TCP tunneling D Use GKE with Container-Optimized OS (COS) nodes with Shielded GKE Nodes enabled, Block Project-wide SSH Keys enabled, OS Login enforced via organization policy, and node auto-upgrade with surge upgrades â€” COS is a minimal, immutable OS; Shielded nodes verify boot integrity; auto-upgrade replaces nodes with new images rather than patching in place

29 / 60

Question 30 of 60

A company needs to provide their data science team with secure, managed notebook environments that have access to BigQuery and Vertex AI, while ensuring notebooks are never publicly accessible and all egress goes through the corporate network. Which configuration achieves this? (Google Cloud Professional Cloud Architect, 2023)

A Deploy Jupyter notebooks on Compute Engine with a startup script installing required libraries and IAP for browser-based access B Use Colab Enterprise with a shared runtime that routes traffic through a central proxy VM C Deploy Vertex AI Workbench instances with public endpoints protected by Cloud Armor and VPC connector for BigQuery access D Deploy Vertex AI Workbench managed instances in a private subnet with no public IPs; use IAP for secure browser-based access (no public endpoint); configure a VPC connector for BigQuery API access; route internet egress through Cloud NAT â€” notebooks have private IPs, IAP provides authentication, and all outbound traffic is controlled

30 / 60

Question 31 of 60

An architect is designing a cost-efficient Dataflow streaming pipeline for a media company that ingests 1 million events per second during live event broadcasts (12 hours) and near-zero traffic between events. The pipeline must process events within 5 seconds. What autoscaling and pricing configuration minimizes cost? (Google Cloud Professional Cloud Architect, 2023)

A Enable Dataflow Runner v2 with horizontal autoscaling; use Streaming Engine (worker CPU offloaded to managed streaming infrastructure); set max workers high for peak and trust autoscaling to scale to zero between events â€” Streaming Engine eliminates per-worker persistent disk overhead during scale-down; combined with Flex Resources (Spot VMs for Dataflow workers) for cost reduction during peak B Use Dataflow batch jobs triggered by hourly Cloud Scheduler jobs to process accumulated Pub/Sub messages C Deploy the pipeline on Dataproc Serverless for Spark Streaming with autoscaling D Use Cloud Functions triggered by each Pub/Sub message for event-by-event processing at any throughput

31 / 60

Question 32 of 60

A company wants to run their containerized workloads on Google Cloud with the lowest possible infrastructure cost and can tolerate occasional interruptions (the workload is batch processing with checkpointing). Which compute option is most cost-effective? (Google Cloud Professional Cloud Architect, 2023)

A GKE Autopilot with Spot pods â€” Autopilot supports a spot=true node selector that places pods on Spot VM nodes, providing up to 80% discount; Autopilot manages node provisioning, eliminating cluster operations overhead while using Spot pricing B GKE Standard with preemptible/Spot VMs â€” up to 80% cost reduction over on-demand for batch workloads that support interruption and checkpointing C Cloud Run with minimum instances set to 0 for automatic scale-to-zero cost savings D Compute Engine with committed use discounts on preemptible instances (double discount)

32 / 60

Question 33 of 60

A company's Pub/Sub subscription has a large unprocessed message backlog because their consumer application fell behind. Their consumer is a Cloud Run service. They need to increase processing throughput as quickly as possible. What is the correct approach? (Google Cloud Professional Cloud Architect, 2023)

A Increase Cloud Run's concurrency setting and max-instances, ensuring the consumer calls Pub/Sub acknowledge in parallel (not sequentially) â€” Cloud Run instances process multiple messages concurrently when using push subscriptions or parallel pull; increasing max-instances allows horizontal scaling to drain the backlog B Increase the Cloud Run service's memory allocation â€” more memory allows parallel message processing C Create additional Pub/Sub subscriptions to the same topic to increase parallel consumption D Enable Pub/Sub message ordering on the subscription so the consumer processes messages more efficiently

33 / 60

Question 34 of 60

A company is designing a solution that needs to perform real-time anomaly detection on network traffic within a GCP VPC without introducing additional latency or routing complexity. Which Google Cloud product provides passive network traffic analysis? (Google Cloud Professional Cloud Architect, 2023)

A Cloud IDS (Intrusion Detection System) in detection mode â€” it passively mirrors VPC traffic to Google-managed IDS instances running Palo Alto Networks threat detection without affecting traffic flow or introducing latency in the data path; it generates findings in SCC when threats are detected B VPC Flow Logs with Cloud Monitoring alerts detecting traffic volume anomalies C Cloud IDS active inspection in blocking mode using Snort signatures for all VPC traffic D Cloud Armor adaptive protection analyzing request patterns at the load balancer layer

34 / 60

Question 35 of 60

A company is migrating from GCP's legacy Container Registry (GCR) to Artifact Registry. They have CI/CD pipelines hardcoded to push to gcr.io and pull from gcr.io. How can they migrate transparently without updating all pipeline configurations immediately? (Google Cloud Professional Cloud Architect, 2023)

A Enable the Artifact Registry redirect feature for GCR â€” gcr.io requests are automatically routed to the corresponding Artifact Registry repository with the same registry host, making the migration transparent to existing pipelines; they can then migrate pipelines to native Artifact Registry URLs over time B Manually recreate all GCR images in Artifact Registry and update all pipeline configurations simultaneously C Use Cloud Build substitution variables to dynamically switch between GCR and AR based on an environment variable D Export GCR images to Cloud Storage and import them into Artifact Registry via the gcloud command

35 / 60

Question 36 of 60

A company's multi-region Cloud Run deployment serves user requests. They notice that requests from Europe are sometimes routed to their US-east region instead of their europe-west region, causing high latency. The Global External Application Load Balancer is configured with both backends. What is most likely causing the incorrect routing? (Google Cloud Professional Cloud Architect, 2023)

A The Cloud Run service in europe-west1 is unhealthy and failing health checks, causing the load balancer to fall back to the US backend â€” correcting the european service health (fixing the app bug, scaling up, or adjusting health check parameters) will restore regional routing B The Cloud CDN cache is serving stale routing decisions from an older backend configuration C The Global Load Balancer uses anycast routing which always routes to the lowest-RTT backend regardless of geographic proximity D Cloud Armor is blocking European IPs and redirecting them to the US backend

36 / 60

Question 37 of 60

A company needs to perform workload right-sizing across 500 Compute Engine VMs to reduce waste. They want to identify over-provisioned VMs (CPU and memory consistently below 20%) and get specific machine type recommendations. Which Google Cloud feature provides this automatically? (Google Cloud Professional Cloud Architect, 2023)

A VM Recommender (part of Active Assist) â€” automatically analyzes VM CPU and memory utilization over a 30-day window and generates specific machine type change recommendations (e.g., downgrade from n2-standard-8 to n2-standard-4) with projected cost savings, accessible via Cloud Console or Recommender API B Use Cloud Asset Inventory to list all VM machine types and manually compare against Cloud Monitoring metrics C Cloud Monitoring with custom dashboards showing average CPU per VM â€” use this to identify underutilized VMs manually D Use Compute Engine rightsizing recommendations available in the Billing console under Cost Optimization

37 / 60

Question 38 of 60

A company's Cloud Spanner database stores financial transactions. Auditors require that all data modifications include the user ID and timestamp of the modification for a complete audit trail. How should this be implemented in Spanner without modifying every write query? (Google Cloud Professional Cloud Architect, 2023)

A Use Spanner commit timestamps â€” add a 'last_modified_at' column with ALLOW_COMMIT_TIMESTAMP; Spanner automatically sets this to the commit time on every write; combine with a session variable for user ID propagated via client library request tag for attribution B Use Spanner change streams with a Dataflow pipeline to capture all data modifications and write to a BigQuery audit table C Add database-level triggers in Spanner to automatically update audit columns on every write D Enable Spanner Data Access audit logs â€” they automatically capture the modified data values in the log entry

38 / 60

Question 39 of 60

A company wants to implement a data governance framework on BigQuery using Data Catalog, including automatic tagging of sensitive columns based on content, business glossary integration, and lineage tracking. What is the complete toolset? (Google Cloud Professional Cloud Architect, 2023)

A Cloud DLP auto-tagging integration with Data Catalog policy tags for content-based classification; Data Catalog business glossary for semantic tagging; Dataplex Lineage (formerly Data Catalog lineage) for pipeline-level lineage tracking between BigQuery tables B BigQuery column-level security for sensitive column marking; Data Catalog for dataset documentation; Cloud Audit Logs for lineage approximation via query history C Security Command Center for sensitive data finding; Data Catalog for metadata; BigQuery INFORMATION_SCHEMA for lineage queries D Data Catalog automatic tagging via scheduled Cloud DLP jobs; Cloud Asset Inventory for lineage; Resource Manager for data governance policy enforcement

39 / 60

Question 40 of 60

A company receives requirements to implement a 'right to erasure' (GDPR Article 17) capability for user data stored across Cloud Spanner, BigQuery, and Cloud Storage. Which approach is most practical at scale? (Google Cloud Professional Cloud Architect, 2023)

A Implement crypto-shredding: encrypt each user's data with a unique DEK (data encryption key); store DEKs in Cloud KMS wrapped by a user-specific key; for erasure, delete the user's KMS key â€” making all their data cryptographically inaccessible across all systems without locating and deleting each record B Manually delete user records from each system when an erasure request is received, with a 30-day SLA C Export all user data to BigQuery, identify user records, delete them from BigQuery, and rely on BigQuery streaming insert TTL for automatic deletion D Use Cloud DLP to identify and redact user data across all systems on erasure request

40 / 60

Question 41 of 60

A company's GKE cluster runs workloads from multiple product teams. Each team's namespace should have CPU and memory limits, and teams should not be able to schedule more resources than allocated. Which Kubernetes mechanism enforces resource quotas per namespace? (Google Cloud Professional Cloud Architect, 2023)

A ResourceQuota objects applied per namespace defining maximum total CPU requests, memory requests, and pod count â€” when a team tries to schedule resources exceeding their quota, the API server rejects the request B PodSecurityPolicy that limits the total compute resources a pod can request C LimitRange objects that restrict maximum resource requests on individual containers within a namespace D HorizontalPodAutoscaler with maximum replica counts limiting aggregate resource consumption

41 / 60

Question 42 of 60

An architect needs to design a solution for migrating a stateful Hadoop workload to GCP. The workload uses HDFS for storage, runs MapReduce and Hive jobs, and must coexist with BigQuery for reporting. Which migration path maintains compatibility while modernizing storage? (Google Cloud Professional Cloud Architect, 2023)

A Migrate storage from HDFS to Cloud Storage (GCS connector for Hadoop provides HDFS-compatible API); run Hive and MapReduce jobs on ephemeral Dataproc clusters reading/writing from GCS; use the Hive metastore service; report from Cloud Storage via BigQuery external tables or scheduled loads â€” this separates compute (ephemeral Dataproc) from storage (GCS) for cost efficiency B Replace all Hadoop jobs with BigQuery SQL; no intermediate step needed C Use Cloud Dataproc with HDFS for storage; Hive metastore on Cloud SQL D Migrate Hadoop to GKE using Docker containers for each Hadoop daemon; use GCS FUSE for HDFS replacement

42 / 60

Question 43 of 60

A company needs to implement a Kubernetes admission controller that validates all pod specifications against their security policies (no root containers, required resource limits, allowed image registries) before admission. Which Kubernetes mechanism enables this without external tooling? (Google Cloud Professional Cloud Architect, 2023)

A GKE's built-in Policy Controller (Anthos) using OPA Gatekeeper constraints, or Kubernetes' native Pod Security Standards (Baseline/Restricted) applied via PodSecurity admission plugin namespace labels â€” these enforce pod security requirements as a validating admission webhook before pods are created B GKE NetworkPolicy objects enforcing pod security by blocking unauthorized inter-pod communication C Kubernetes RBAC policies preventing developers from creating pods with root containers D GKE Shielded Nodes with Secure Boot preventing non-whitelisted container images from running

43 / 60

Question 44 of 60

A company is designing a 'lakehouse' architecture on Google Cloud where raw data landed in Cloud Storage is processed by both SQL analysts (BigQuery) and ML engineers (Vertex AI). The schema must be consistent across both access paths. Which format and approach ensures schema consistency? (Google Cloud Professional Cloud Architect, 2023)

A Store data in open table formats (Apache Iceberg or Delta Lake) on Cloud Storage; use BigQuery's Iceberg support (managed open table format) and Vertex AI datasets referencing the same Cloud Storage tables â€” schema, partitioning, and metadata are defined once in the table format and respected by both access paths B Store raw data in CSV format; define schema in a Cloud Spanner table acting as schema registry C Use proprietary binary formats for Vertex AI and BigQuery respectively, with a conversion job maintaining consistency D Use Avro format with a Schema Registry on Confluent Cloud; BigQuery and Vertex AI validate against the registry on read

44 / 60

Question 45 of 60

A company wants to migrate their Oracle Data Warehouse (100 TB, complex ETL, PL/SQL packages) to BigQuery. What is the recommended phased migration approach that minimizes risk? (Google Cloud Professional Cloud Architect, 2023)

A Use BigQuery Migration Service's assessment and translation tools: (1) run SQL translation to convert PL/SQL ETL logic to BigQuery SQL; (2) use the batch migration tool to load initial data; (3) validate query results and performance; (4) run Oracle and BigQuery in parallel for a defined period; (5) cut over reporting tools to BigQuery when parity is confirmed B Use Database Migration Service to continuously replicate Oracle to BigQuery until cutover C Export all Oracle data to CSV files and load to BigQuery in a single cutover weekend D Install an Oracle JDBC connector on Dataproc and use Spark SQL to read from Oracle and write to BigQuery without code translation

45 / 60

Question 46 of 60

A company's Cloud VPN tunnels between on-premises and GCP are hitting bandwidth limits during business hours. They need a solution that provides more bandwidth than Cloud VPN supports and maintains the private connectivity requirement. What should they migrate to? (Google Cloud Professional Cloud Architect, 2023)

A Add more Cloud VPN tunnels (ECMP) â€” up to each Cloud VPN gateway is limited to ~3 Gbps total regardless of tunnel count â€” ECMP across multiple gateways helps but not linearly B Migrate to Cloud Dedicated Interconnect â€” a single 10 Gbps or 100 Gbps connection; multiple connections can be aggregated (LACP) to 200 Gbps+; Dedicated Interconnect provides private, non-internet connectivity at bandwidths far exceeding Cloud VPN's 3 Gbps per tunnel limit C Use Cloud CDN to cache frequently accessed GCP data and reduce VPN bandwidth consumption D Upgrade to Cloud VPN HA with 2 tunnels each supporting 10 Gbps

46 / 60

Question 47 of 60

A company is building a streaming ML feature pipeline. Features must be computed from raw events within 100ms of event arrival for real-time model serving. The feature computation involves windowed aggregations (e.g., last-10-minute sum). Which architecture achieves sub-100ms feature freshness? (Google Cloud Professional Cloud Architect, 2023)

A Pub/Sub â†’ Dataflow batch pipeline running every 5 minutes â†’ BigQuery for feature storage B Pub/Sub â†’ Dataflow streaming pipeline (with timer-based or element-triggered window aggregations) â†’ Bigtable or Memorystore for feature storage; Dataflow processes events within milliseconds; Bigtable serves feature lookups in under 5ms â€” total latency from event to feature availability is well under 100ms for a properly configured pipeline C Pub/Sub â†’ Cloud Functions with 30-second timeout for windowed aggregations â†’ Firestore for storage D Event stream â†’ Dataproc Spark Structured Streaming â†’ BigQuery for feature store

47 / 60

Question 48 of 60

A company's SRE team needs to implement SLOs for a Cloud Run service: 99.9% availability and p99 latency < 200ms over a 30-day rolling window. How should SLOs be implemented on Google Cloud? (Google Cloud Professional Cloud Architect, 2023)

A Set Cloud Armor rate limits and configure Cloud Monitoring uptime checks as availability SLOs B Create Cloud Monitoring SLOs on the Cloud Run service using the SLO API or Console â€” define a request-based availability SLI (good requests / total requests) with 99.9% target and a latency-based SLI (requests completing < 200ms / total requests) with 99th percentile target over a 30-day window; Cloud Monitoring tracks error budget burn rate and alerts when it is at risk C Use Cloud Trace to measure p99 latency and Cloud Monitoring uptime checks for availability; configure Prometheus SLI exporters on each Cloud Run instance D Build a BigQuery dashboard querying Cloud Run access logs to track SLO compliance

48 / 60

Question 49 of 60

A company is designing a disaster recovery strategy for their GKE application across two Google Cloud regions. They require RTO < 15 minutes and RPO < 5 minutes. How should backup, state, and failover be designed? (Google Cloud Professional Cloud Architect, 2023)

A Run the application in the primary region only; deploy an identical cluster in the DR region using a Terraform template; on disaster, run Terraform apply and restore data from Cloud Storage backups B Use a two-region active-passive setup: primary GKE cluster (active) + standby GKE cluster (passive) with scaled-down deployments; use Cloud Spanner or Cloud Storage with cross-region replication for stateful data (RPO~0 for Spanner); GKE Backup (Backup for GKE) for cluster configuration snapshots; a Global Load Balancer detects primary failure via health check and routes traffic to the standby within minutes (RTO < 15 min) C Use GKE multi-cluster Ingress to deploy to both regions simultaneously â€” this is active-active with no failover needed D Use a Cloud Storage bucket in one region and configure GKE cluster auto-recovery to rebuild itself from the bucket on node failure

49 / 60

Question 50 of 60

A company wants to implement a zero-downtime blue-green deployment for a stateful Cloud Spanner-backed application. The new version requires a schema change (adding a non-null column with a default value). How should the deployment be sequenced? (Google Cloud Professional Cloud Architect, 2023)

A Perform the schema change and code deployment simultaneously in a single maintenance window B Sequence the deployment as: (1) add the new column as nullable (backward-compatible); (2) deploy the new version (both old and new versions can write to the now-nullable column); (3) backfill existing rows with the default value; (4) add NOT NULL constraint after backfill; (5) switch all traffic to the new version â€” Spanner schema changes are always online (no table lock) and this sequence ensures the old version continues to function during transition C Use Cloud Spanner's schema change rollback feature to revert if the deployment fails D Deploy the new code version to the green environment, then run the schema change migration, then switch traffic

50 / 60

Question 51 of 60

A company runs a global event-driven application using Pub/Sub and Cloud Run. They receive reports that some events appear to be processed twice. They are using Pub/Sub push subscriptions. What is the likely cause and the correct solution? (Google Cloud Professional Cloud Architect, 2023)

A Enable Pub/Sub exactly-once delivery by setting the subscription's exactly_once_delivery flag to true â€” this eliminates all duplicates B Pub/Sub guarantees at-least-once delivery â€” if the Cloud Run service does not return HTTP 200 within the ack deadline, Pub/Sub redelivers the message; the solution is to ensure Cloud Run processes and acknowledges messages within the deadline, and implement idempotent processing logic (e.g., using message ID as an idempotency key stored in Firestore or Bigtable to detect and skip duplicates) C Increase the Pub/Sub message retention period so messages are not redelivered D Use Pub/Sub ordered subscriptions which guarantee at-most-once delivery

51 / 60

Question 52 of 60

A startup wants to build a large-scale recommendation system that trains on petabytes of user interaction data daily. The training must complete within 4 hours. Which Google Cloud architecture supports this? (Google Cloud Professional Cloud Architect, 2023)

A BigQuery ML matrix factorization using a single BigQuery slot reservation B Vertex AI Training with a distributed training job across dozens of A100 GPU workers; data stored in Cloud Storage and streamed to GPUs using tf.data pipelines; Vertex AI handles cluster provisioning and teardown; training completes in parallel across workers using data parallelism (MirroredStrategy or parameter server) to meet the 4-hour deadline C Dataproc Spark ML with gradient boosted trees distributed across 500 worker nodes D Cloud Composer orchestrating sequential training steps across 10 n2-standard-96 Compute Engine instances

52 / 60

Question 53 of 60

A company deploys workloads to GKE and uses Helm charts for package management. They need to ensure that Helm releases deployed to production match exactly what passed through staging, with the container images cryptographically verified. Which supply chain security controls should be implemented? (Google Cloud Professional Cloud Architect, 2023)

A Use Helm chart SHA256 checksums stored in a Cloud Storage bucket and verify them manually before deployment B Implement Binary Authorization â€” configure a policy requiring attestations (e.g., signed by Cloud Build, signed by the QA team's attestor) before images can be deployed to GKE; images must have a valid attestation in Artifact Analysis (Grafeas) from each required attestor, ensuring only images that passed CI/CD stages are deployable in production C Configure Cloud Build to validate Helm chart YAML syntax before pushing to Artifact Registry D Enable Container Analysis vulnerability scanning in Artifact Registry and block deployment of images with critical CVEs via Cloud Build gates

53 / 60

Question 54 of 60

A company runs a multi-region GKE application with data stored in Cloud Spanner. During a regional failover test, the application successfully routes to the standby region but the Cloud Spanner connection strings are hardcoded to a regional endpoint. How should Spanner connectivity be designed for transparent failover? (Google Cloud Professional Cloud Architect, 2023)

A Store the active Spanner region endpoint in Firestore and have applications read it at startup, updating Firestore when a failover occurs B Use the Cloud Spanner global endpoint (spanner.googleapis.com) with the multi-region instance configuration â€” applications always connect to the global endpoint; Spanner's internal routing directs to the nearest replica for reads and to the leader region for writes; no application-layer failover logic is needed C Deploy a custom Spanner proxy on GKE that routes connections to the nearest healthy Spanner replica D Use Cloud DNS with health checks to switch the Spanner CNAME between regional endpoints automatically on failure

54 / 60

Question 55 of 60

A company's Cloud SQL for PostgreSQL instance experiences deadlocks during concurrent transaction processing. Analysis shows two transaction patterns: T1 locks rows A then B; T2 locks rows B then A. What is the correct application-level fix? (Google Cloud Professional Cloud Architect, 2023)

A Use SERIALIZABLE isolation level instead of READ COMMITTED â€” SERIALIZABLE prevents deadlocks by serializing all transactions B Enforce a canonical lock ordering across all transactions: both T1 and T2 must always acquire locks in alphabetical or numeric row ID order (always lock A before B) â€” this eliminates circular wait conditions, preventing deadlocks by ensuring only one transaction can make progress when both target the same resources C Add a 'SELECT FOR UPDATE SKIP LOCKED' to avoid waiting on locked rows D Increase the deadlock_timeout PostgreSQL parameter to give transactions more time to resolve

55 / 60

Question 56 of 60

An enterprise wants to implement data sovereignty controls ensuring that all data processing for European users happens exclusively within EU boundaries, including Vertex AI predictions, Dataflow processing, and Cloud Storage. Which combination of controls enforces this? (Google Cloud Professional Cloud Architect, 2023)

A Configure VPC Service Controls with an EU-only IP restriction and set all resource locations to EU regions B Enable Assured Workloads for EU regions â€” this automatically enforces data residency and sovereignty controls across all in-scope GCP services C Use organization policies (Resource Location Restriction) to deny resource creation outside EU regions for all GCP services; for Vertex AI, specify EU regional endpoints; for Dataflow, deploy workers in EU regions; for Cloud Storage, create buckets with EU location; use VPC Service Controls to prevent data access from outside EU-region endpoints D Apply Data Residency org policies and enable Cloud DLP to scan all cross-region transfers

56 / 60

Question 57 of 60

A company's Dataflow pipeline processes credit card transactions and uses a stateful DoFn (BagState) to accumulate state per customer ID between transactions. After scaling up to 1,000 workers, they observe state corruption â€” different workers are processing transactions for the same customer concurrently. What is the root cause and fix? (Google Cloud Professional Cloud Architect, 2023)

A Increase Dataflow worker CPU to prevent state processing race conditions B Stateful processing in Dataflow requires all elements for a given key to be processed by the same worker. If transactions are not keyed by customer ID before the stateful DoFn, the runner cannot guarantee key-level affinity â€” fix by applying .apply(ParDo.of(new StatefulFn())).perKey() only after grouping by customer ID (via GBK or keyed processing) C Disable Dataflow autoscaling â€” state corruption only occurs when worker count changes during a pipeline run D Use Dataflow Shuffle service to centralize state management across all workers

57 / 60

Question 58 of 60

A company's Cloud Armor security policy is blocking legitimate traffic because a misconfigured rule has a deny action on a broad IP range that includes a partner network. The security team needs to fix this immediately without downtime. How should they make the change safely? (Google Cloud Professional Cloud Architect, 2023)

A Delete the Cloud Armor security policy and recreate it with the corrected rules â€” the policy is only attached when explicitly reassigned to the load balancer B Add a higher-priority Cloud Armor rule (lower numerical priority value) that explicitly allows the partner's IP range before the misconfigured deny rule â€” Cloud Armor evaluates rules in priority order and stops at the first match, so the allow rule takes effect for the partner's IPs immediately without modifying the existing deny rule C Change the rule's action from 'deny' to 'allow' â€” this immediately stops blocking the partner's traffic without affecting other rules D Disable the Cloud Armor policy on the load balancer temporarily while the rules are updated

58 / 60

Question 59 of 60

A company's Cloud Build CI/CD pipeline builds Docker images and pushes them to Artifact Registry. A security audit finds that the build process uses a service account with broad Artifact Registry admin permissions. How should the principle of least privilege be applied? (Google Cloud Professional Cloud Artifact, 2023)

A Remove all IAM roles from the Cloud Build service account and use the default compute service account instead B Grant the Cloud Build service account only the roles/artifactregistry.writer role on the specific Artifact Registry repository (not the whole project or all registries) â€” this allows pushing images but not deleting repositories, managing IAM, or accessing other repositories; combine with Workload Identity for Cloud Build to avoid storing credentials C Grant roles/artifactregistry.reader so the service account can pull images but not push â€” pushes use a separate pipeline D Use Cloud Build's built-in Artifact Registry integration that requires no IAM role assignment

59 / 60

Question 60 of 60

A financial company is designing a system for real-time regulatory reporting that must submit a transaction summary to a regulator's API within 30 seconds of each transaction completing. Transactions currently write to Cloud Spanner. Which event-driven architecture ensures the 30-second SLA is met? (Google Cloud Professional Cloud Architect, 2023)

A Poll Cloud Spanner for new transactions every 5 seconds from a Cloud Function; submit detected new records to the regulator B Use Cloud Spanner Change Streams to capture transaction commits in near-real-time; a Dataflow pipeline reads from the change stream, aggregates transaction data, and calls the regulator's API â€” end-to-end latency from Spanner commit to regulator call is typically under 5 seconds C Export Cloud Spanner data to BigQuery every 30 seconds using Datastream; a Cloud Function triggers on BigQuery table update to submit to regulator D Use Pub/Sub with a Spanner-to-Pub/Sub connector running on Cloud Run to forward all transaction events

60 / 60

GCP Professional Cloud Architect Advanced Quiz