Google Cloud Certification
63 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The Google Cloud Cloud Engineer Google Cloud (Associate) certification validates professional expertise in Google Cloud technologies. This study guide covers all 63 practice questions from our Associate practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
You need to deploy a containerized application that processes real-time data streams. Which Google Cloud service would be most appropriate for this use case?
Cloud Run paired with Pub/Sub is ideal for event-driven, real-time data processing workflows, offering automatic scaling and serverless architecture. App Engine is more suitable for traditional web applications, not streaming data.
Your organization requires that all data at rest in Cloud Storage be encrypted with customer-managed keys. Which encryption method should you implement?
Cloud KMS with customer-managed keys (CMEK) provides the required level of control and compliance for customer-managed encryption of data at rest. Google-managed encryption does not meet the customer-managed requirement.
You are configuring VPC Flow Logs for network troubleshooting. What is the primary benefit of enabling flow logs on a subnet?
VPC Flow Logs capture metadata about IP traffic (source, destination, protocol, bytes transferred) for monitoring and troubleshooting. They do not block traffic, encrypt connections, or reduce costs.
Your application requires a database with strong consistency guarantees and ACID transactions across multiple regions. Which Google Cloud database service best meets these requirements?
Cloud Spanner provides strong consistency, ACID transactions, and horizontal scalability across regions, making it ideal for globally distributed transactional workloads. Cloud Bigtable lacks ACID guarantees, and Cloud SQL replicas provide eventual consistency.
You need to create a custom machine type with 12 vCPUs and 32 GB of memory in Compute Engine. How should you approach this?
Custom machine types can be created directly through the Console or gcloud CLI within supported ranges (typically 0.25-6.5 vCPUs, 0.9 GB to 6.5 GB per vCPU). Support intervention is not needed for standard custom configurations.
Your organization's compliance policy requires that encryption keys never leave a specific geographic region. Which key management strategy should you use?
Creating a Cloud KMS keyring in a specific region ensures keys remain in that geographic location. Key rotation addresses key lifecycle, not geographic constraints. Application-Default Credentials and Datastore are not appropriate for this compliance requirement.
You have deployed a Kubernetes cluster on GKE with Workload Identity enabled. What is the primary security benefit of this configuration?
Workload Identity allows Kubernetes service accounts to impersonate Google Cloud service accounts, eliminating the need to distribute and manage service account keys. This significantly improves the security posture of the cluster.
When configuring Cloud Load Balancing, you need to route traffic based on the request path (e.g., /api/* to backend A, /static/* to backend B). Which load balancer type should you use?
HTTP(S) Load Balancer supports content-based routing through URL maps and path rules, enabling path-based routing decisions. Network Load Balancer operates at Layer 4 and cannot inspect application-layer paths.
Your application uses Cloud Pub/Sub for event streaming. You notice some subscribers are falling behind on processing. Which metric should you monitor to identify this issue?
The 'oldest unacked message age' metric indicates how far behind a subscriber is in processing messages. High values suggest the subscriber cannot keep pace with message delivery rate.
You need to ensure that a Compute Engine instance can access credentials securely without embedding secrets in code. Which approach is recommended?
Attaching a service account to an instance and granting it specific IAM roles is the secure, recommended approach. Application code can then use Application Default Credentials without handling keys directly.
Your organization has hundreds of GCP projects. You need to enforce a policy that all Compute Engine instances must have OS Login enabled. What is the most efficient way to implement this across all projects?
Organization Policy constraints provide centralized enforcement of OS Login requirements across all projects, folders, and resources without manual intervention. This is more scalable and maintainable than project-by-project configuration.
You are designing a disaster recovery solution for a critical application. You need RPO of 1 hour and RTO of 4 hours. Which backup and recovery strategy best meets these requirements?
Hourly snapshots provide the 1-hour RPO, and automated failover infrastructure supports the 4-hour RTO requirement. Daily or weekly backups cannot meet the 1-hour RPO, and real-time replication exceeds typical cost/complexity needs for this RPO/RTO.
You have a Cloud SQL instance with a large dataset. You need to export data to a specific Cloud Storage bucket that is in a different project. What authentication approach should you use?
Cross-project IAM bindings allow the Cloud SQL service account in one project to access Cloud Storage resources in another without managing keys or complex network setup. This is the recommended secure approach.
You are configuring an identity and access management hierarchy for your organization. Which of the following represents the correct order from most to least restrictive scope?
The IAM hierarchy flows from broadest (Organization) to most specific (individual Resource). Permissions granted at higher levels are inherited by lower levels, making Organization the most restrictive in scope.
Your application requires ultra-low latency access to frequently accessed data across multiple regions. Which caching solution should you implement?
Cloud Memorystore (Redis) provides ultra-low latency in-memory caching with replication capabilities. Cloud CDN suits static assets, Memcached requires manual coordination, and Cloud Storage doesn't offer the required latency characteristics.
You need to set up monitoring for a critical application running on Compute Engine. You want to receive alerts when CPU utilization exceeds 80% for more than 5 minutes. Which Google Cloud service should you use?
Cloud Monitoring allows creation of alert policies based on metrics thresholds and durations. Cloud Logging is for event tracking, instance groups handle scaling, and Cloud Profiler is for code performance analysis.
You are designing a multi-tier application with separate networks for frontend, backend, and database layers. How should you structure your VPC to enforce network isolation?
A single VPC with multiple subnets and firewall rules provides efficient isolation between network tiers while maintaining intra-organization connectivity. Multiple VPCs adds unnecessary complexity, and Cloud Armor is designed for edge protection, not inter-tier isolation.
Your organization uses Cloud Identity for user management. You need to ensure that users can only access Google Cloud resources from corporate IP addresses. Which feature should you implement?
VPC Service Controls with access levels can enforce IP-based restrictions for Google Cloud API access. Cloud IAM doesn't natively support IP-based conditions, and firewall rules/Cloud Armor operate at different layers of the stack.
You have deployed an application on Cloud Run that processes images. The function occasionally times out on large files. What is the first optimization you should attempt?
For long-running operations like image processing, asynchronous processing with Pub/Sub decouples the request from processing, avoiding timeout issues. Increasing memory can help but doesn't address the timeout constraint; the other options are less optimal.
When using Cloud Build, you want to automatically build and deploy your application whenever code is pushed to a specific branch in Cloud Source Repositories. How should you configure this?
Cloud Build triggers provide native integration with Cloud Source Repositories and support branch filtering, enabling automatic builds on code pushes. Cloud Functions, webhooks, and Cloud Scheduler are less direct approaches for this use case.
You need to analyze network traffic patterns across your GCP infrastructure. Which tool provides the most detailed visibility into network flows and connectivity?
VPC Flow Logs provide detailed packet-level information (source, destination, protocol, bytes) exported to Cloud Logging for comprehensive analysis. Network Topology shows architecture but not flows; Activity logs track resource changes; Cloud Trace focuses on application latency.
Your organization requires that all Google Cloud APIs be accessed through a VPC Service Controls perimeter. How should you configure this to allow legitimate internal applications while blocking external access?
VPC Service Controls perimeters combined with access levels provide comprehensive control over API access based on identity and network context. Cloud Armor, firewall rules, and VPC Flow Logs don't directly enforce service-level access controls.
You are migrating a legacy application from on-premises to Google Cloud. The application requires specific Windows Server patches. How should you handle this?
Creating custom images with patches pre-installed and enabling OS patch management provides consistent, automated patching. Manual patching is error-prone; Google Cloud doesn't auto-patch, and Cloud Scheduler isn't designed for OS patching.
You have a Cloud Firestore database in native mode with global distribution enabled. What is the main consideration for consistency guarantees in multi-region deployments?
Cloud Firestore provides strong consistency for reads and writes within a single region, but multi-region deployments involve eventual consistency between regions due to replication latency. This is an important design consideration for global applications.
Your application needs to store sensitive data such as API keys and database passwords. Which Google Cloud service is specifically designed for this use case?
Secret Manager is purpose-built for storing, managing, and retrieving sensitive data with automatic rotation, audit logging, and fine-grained access control. Cloud Storage, Datastore, and Spanner are general-purpose storage solutions not optimized for secrets.
You are implementing a disaster recovery strategy with a standby region. To minimize data loss, you replicate data continuously to the standby region. However, there is replication lag. Which metric should you monitor to ensure it meets your RPO requirements?
Replication lag directly determines the maximum potential data loss, which defines the Recovery Point Objective (RPO). Network latency, data transfer volume, and startup time are related but don't directly measure RPO.
You need to create a GKE cluster with nodes that automatically scale based on workload demand. Which features should you enable?
Node pool autoscaling with Cluster Autoscaler automatically adds or removes nodes based on pod resource requests and cluster utilization. HPA scales pods within existing nodes; VPA adjusts resource requests but doesn't add nodes; manual scaling is inefficient.
You need to deploy a containerized application on Google Cloud with automatic scaling based on CPU utilization. Which service should you choose?
GKE provides native Kubernetes support with automatic scaling based on custom metrics including CPU utilization. While Cloud Run auto-scales, it's event-driven rather than metric-based.
What is the primary purpose of Cloud IAM service accounts?
Service accounts are designed for applications and services to authenticate with Google Cloud APIs and resources, not for human users.
You are configuring VPC firewall rules for your application. The rule has direction set to INGRESS and action set to DENY. What happens when this rule matches traffic?
INGRESS rules apply to inbound traffic, and DENY action blocks matching traffic. The direction and action work together to drop incoming packets matching the rule criteria.
Your company requires that all data at rest in Cloud Storage buckets be encrypted with customer-managed encryption keys (CMEK). Which service must you use to manage these keys?
Cloud KMS is the service specifically designed to manage encryption keys for CMEK scenarios across Google Cloud services including Cloud Storage.
You have a Compute Engine instance with a standard persistent disk. You need to increase the disk size from 100 GB to 200 GB while the instance is running. What is the correct approach?
Persistent disks can be resized while attached and running, but you must then expand the filesystem using tools like resize2fs or equivalent to make the additional space usable.
When using Cloud Pub/Sub, what is the relationship between topics and subscriptions?
Cloud Pub/Sub uses a publish-subscribe model where topics are message channels created by publishers, and subscriptions allow subscribers to receive messages from those topics.
You need to migrate a database from on-premises to Cloud SQL with minimal downtime. Which feature should you use?
Database Migration Service provides continuous replication to minimize downtime, allowing you to validate the migrated data before cutover and keep the source and target in sync.
In Cloud Load Balancing, what is the difference between a health check and a backend service?
Health checks determine if instances are healthy and able to receive traffic, while backend services are groups of instances configured with load balancing parameters and traffic routing policies.
You configure a Cloud Storage bucket with uniform bucket-level access enabled. What impact does this have on object-level IAM permissions?
Enabling uniform bucket-level access disables object-level ACLs and permissions, enforcing that all access control is defined at the bucket level only.
You need to ensure that a specific Google Cloud project can only be accessed from your corporate network IP range. Which service should you implement?
VPC Service Controls allows you to define security perimeters that restrict access to Google Cloud resources based on network location and device attributes, including IP ranges.
When creating a custom machine type on Compute Engine, what are the constraints on vCPU selection?
Custom machine types require vCPU counts to be even numbers (with some exceptions like 1 vCPU) and memory allocation must meet minimum ratios for optimal performance.
You deploy an application on App Engine standard environment and need to store session data that persists across requests. What is the recommended approach?
App Engine standard environment instances are stateless and may be terminated between requests, so persistent session data must be stored in external services like Datastore or Firestore.
What is the primary advantage of using Cloud CDN compared to serving content directly from Cloud Storage?
Cloud CDN integrates with Google's global edge network to cache and serve content closer to users, reducing latency and bandwidth costs at the origin.
You are designing a system that requires strong consistency for real-time financial transactions. Which database should you choose?
Cloud SQL provides ACID compliance and strong consistency guarantees, making it suitable for financial transactions where data accuracy is critical and eventual consistency is unacceptable.
In Google Cloud, what is the purpose of organization policies (formerly known as security policies)?
Organization policies allow administrators to enforce constraints on how Google Cloud resources can be created and configured, enabling centralized compliance and security governance.
You need to monitor the performance of a GKE cluster and receive alerts when pods consume excessive memory. Which tool should you use?
Cloud Monitoring provides native integration with GKE to collect container and pod metrics including memory usage, and allows you to create alert policies based on these metrics.
What is the difference between Cloud Identity and Google Cloud IAM?
Cloud Identity handles user and device identity management (authentication), while IAM controls what authenticated users and service accounts can do with resources (authorization).
You configure a Cloud SQL instance for high availability with automatic failover. How does this protect your database?
High availability in Cloud SQL creates a standby replica with synchronous replication, enabling automatic failover with minimal downtime if the primary instance becomes unavailable.
When using Dataflow to process streaming data, what is the significance of specifying the windowing strategy?
Windowing in Dataflow defines how unbounded streaming data is grouped into finite sets for processing, enabling operations like time-based aggregations and statistics.
You have multiple Google Cloud projects in an organization and want to consolidate billing across all projects. How should you configure this?
Multiple projects can be linked to a single billing account, consolidating charges and enabling you to view combined usage and costs across projects.
You need to deploy an application that requires persistent storage accessible from multiple Compute Engine instances simultaneously. Which storage option is most appropriate?
Filestore provides NFS-based shared file storage that can be mounted simultaneously by multiple Compute Engine instances, enabling shared access without manual synchronization.
When configuring a Cloud Run service, what is the significance of setting the concurrency value?
Concurrency in Cloud Run specifies how many requests a single container instance processes simultaneously; exceeding this triggers the creation of additional instances to maintain performance.
You are implementing disaster recovery for a critical application with a Recovery Time Objective (RTO) of 1 hour. Which backup and recovery strategy best meets this requirement while optimizing costs?
Daily backups with tested restoration procedures provide a cost-effective approach that can meet a 1-hour RTO, especially if restoration takes minutes and backups are frequent enough to limit data loss.
What is the primary purpose of Cloud Armor in Google Cloud?
Cloud Armor is a Web Application Firewall that protects HTTP(S) load balancers from DDoS attacks and common web exploits using rules and policies.
You need to analyze large datasets stored in BigQuery for business intelligence. When should you use BigQuery ML instead of training models externally?
BigQuery ML allows you to create and train models using SQL queries on BigQuery data, eliminating data movement and simplifying the ML workflow for analysts and data engineers.
How does Google Cloud's commitment to a multi-cloud strategy impact the tools available to Cloud Engineers?
Anthos is Google Cloud's platform for running and managing applications across Google Cloud, on-premises, and other cloud providers, providing consistent deployment and management.
You are deploying a multi-tier application on Google Cloud. You need to ensure that your Compute Engine instances in a private subnet can access external APIs without exposing them to the internet. What should you implement?
Cloud NAT provides outbound internet access for resources with only internal IPs, allowing private instances to reach external APIs securely without public IPs.
Your organization uses Cloud Storage buckets across multiple projects. You need to enforce consistent lifecycle policies across all buckets without manually configuring each one. Which approach is most efficient?
Terraform modules allow you to define reusable infrastructure code with consistent configurations, making it the most efficient way to deploy and maintain uniform policies across multiple buckets.
You have a GKE cluster where some pods are experiencing high latency when communicating with Cloud SQL. What is the most likely cause and the recommended solution?
Cloud SQL Proxy provides secure, encrypted connections and handles authentication automatically, significantly reducing latency compared to direct connections.
Your company requires that all data stored in Cloud Storage must be encrypted with customer-managed encryption keys (CMEK). You have already created keys in Cloud KMS. What is the next step to enforce this requirement?
Organization Policy constraints enforce CMEK usage organization-wide, ensuring compliance across all Cloud Storage buckets without manual configuration on each bucket.
You are configuring monitoring and alerting for a production application on Google Cloud. You need to receive notifications when CPU utilization exceeds 80% on any Compute Engine instance. What should you use?
Cloud Monitoring alert policies allow you to define threshold-based conditions on metrics like CPU utilization and route notifications through various channels like email.
Your application requires low-latency access to frequently changing configuration data that must be consistent across regions. Which Google Cloud solution best meets these requirements?
Cloud Firestore in multi-region mode provides strong consistency for configuration data while offering low-latency reads across geographic regions.
You need to migrate a legacy on-premises MySQL database to Cloud SQL while minimizing downtime. What tool should you use for the initial data transfer?
Database Migration Service automates the migration process, handles continuous replication, and minimizes downtime during cutover for MySQL to Cloud SQL migrations.
You have deployed a containerized application on Cloud Run that calls other Google Cloud APIs. The application is failing with permission errors when accessing Cloud Storage. What is the most likely cause?
Cloud Run uses a service account to call other Google Cloud APIs; the service account must have the appropriate IAM roles (like Storage Object Viewer) granted.
Your organization wants to implement a hub-and-spoke network topology connecting multiple projects across Google Cloud regions. Which networking solution should you implement?
Shared VPC enables centralized network management by allowing a hub project to share subnets with multiple spoke projects, simplifying the hub-and-spoke topology.
You are optimizing costs for a batch processing job that runs nightly on Compute Engine. The job is not latency-sensitive and can tolerate interruptions. What approach would reduce costs most significantly?
Preemptible VMs cost up to 80% less than standard instances, making them ideal for fault-tolerant, non-latency-sensitive workloads like batch processing with proper retry mechanisms.
You've reviewed all 63 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free