Professional-Cloud-Architect Questions and Answers

Google Cloud Storage, Google Cloud Dataflow, Google Compute Engine

Google Cloud Storage, Google App Engine, Google Network Load Balancer

Google Kubernetes Registry, Google Container Engine, Google HTTP(S) Load Balancer

Google Cloud Functions, Google Cloud Pub/Sub, Google Cloud Deployment Manager

Configure two Partner Interconnect connections in one metro (City), and make sure the Interconnect connections are placed in different metro zones.

Configure two VPN connections from on-premises to Google Cloud, and make sure the VPN devices on-premises are in separate racks.

Configure Direct Peering between EHR Healthcare and Google Cloud, and make sure you are peering at least two Google locations.

Configure two Dedicated Interconnect connections in one metro (City) and two connections in another metro, and make sure the Interconnect connections are placed in different metro zones.

Use a private cluster with a private endpoint with master authorized networks configured.

Use a public cluster with firewall rules and Virtual Private Cloud (VPC) routes.

Use a private cluster with a public endpoint with master authorized networks configured.

Use a public cluster with master authorized networks enabled and firewall rules.

Enable Binary Authorization on GKE, and sign containers as part of a CI/CD pipeline.

Configure Jenkins to utilize Kritis to cryptographically sign a container as part of a CI/CD pipeline.

Configure Container Registry to only allow trusted service accounts to create and deploy containers from the registry.

Configure Container Registry to use vulnerability scanning to confirm that there are no vulnerabilities before deploying the workload.

Verify EHR's product usage against the list of compliant products on the Google Cloud compliance page.

Advise EHR to execute a Business Associate Agreement (BAA) with Google Cloud.

Use Firebase Authentication for EHR's user facing applications.

Implement Prometheus to detect and prevent security breaches on EHR's web-based applications.

Use GKE private clusters for all Kubernetes workloads.

Add a new Dedicated Interconnect connection.

Upgrade the bandwidth on the Dedicated Interconnect connection to 100 G.

Add three new Cloud VPN connections.

Add a new Carrier Peering connection.

Configure Workload Identity and service accounts to be used by the application platform.

Use Kubernetes Secrets, which are obfuscated by default. Configure these Secrets to be used by the

application platform.

Configure Kubernetes Secrets to store the secret, enable Application-Layer Secrets Encryption, and use

Cloud Key Management Service (Cloud KMS) to manage the encryption keys. Configure these Secrets to

be used by the application platform.

Configure HashiCorp Vault on Compute Engine, and use customer managed encryption keys and Cloud

Key Management Service (Cloud KMS) to manage the encryption keys. Configure these Secrets to be used

by the application platform.

Create an Organizational Policy with a constraint to allow external IP addresses only on the frontend Compute Engine instances.

Revoke the compute.networkAdmin role from all users in the project with front end instances.

Create an Identity and Access Management (IAM) policy that maps the IT staff to the compute.networkAdmin role for the organization.

Create a custom Identity and Access Management (IAM) role named GCE_FRONTEND with the compute.addresses.create permission.

Using the Cron service provided by App Engine, publishing messages directly to a message-processing utility service running on Compute Engine instances.

Using the Cron service provided by App Engine, publish messages to a Cloud Pub/Sub topic. Subscribe to that topic using a message-processing utility service running on Compute Engine instances.

Using the Cron service provided by Google Kubernetes Engine (GKE), publish messages directly to a

message-processing utility service running on Compute Engine instances.

Using the Cron service provided by GKE, publish messages to a Cloud Pub/Sub topic. Subscribe to that topic using a message-processing utility service running on Compute Engine instances.

Increase the Pub/Sub Total Timeout retry value.

Move from a Pub/Sub subscriber pull model to a push model.

Turn off Pub/Sub message batching.

Create a backup Pub/Sub message queue.

1. Create a VPC Service Controls perimeter that includes the projects with the buckets.

2. Create an access level with the CIDR of the office network.

1. Create a firewall rule for all instances in the Virtual Private Cloud (VPC) network for source range.

2. Use the Classless Inter-domain Routing (CIDR) of the office network.

1. Create a Cloud Function to remove IAM permissions from the buckets, and another Cloud Function to add IAM permissions to the buckets.

2. Schedule the Cloud Functions with Cloud Scheduler to add permissions at the start of business and remove permissions at the end of business.

1. Create a Cloud VPN to the office network.

2. Configure Private Google Access for on-premises hosts.

Create a Google Group per department and add all department members to their respective groups Create a folder per department

and grant the respective group the required 1AM permissions at the folder level Add the projects under the respective folders

Grant all department members the required 1AM permissions for their respective projects

Create a Google Group per department and add all department members to their respective groups Grant each group the required I AM permissions for their respective projects

Create a folder per department and grant the respective members of the department the required 1AM permissions at the folder level. Structure all projects for each department under the respective folders

Configure an organization policy to restrict identities by domain

Configure an organization policy to block creation of service accounts

Configure Cloud Scheduler to trigger a Cloud Function every hour that removes all users that don't belong to the Cloud identity domain from all projects.

Create network load balancers. Use preemptible Compute Engine instances.

Create network load balancers. Use non-preemptible Compute Engine instances.

Create a global load balancer with managed instance groups and autoscaling policies. Use preemptible Compute Engine instances.

Create a global load balancer with managed instance groups and autoscaling policies. Use non-preemptible Compute Engine instances.

Export Cloud Machine Learning Engine performance metrics from Stackdriver to BigQuery, to be used to analyze the efficiency of the model.

Build a roadmap to move the machine learning model training from Cloud GPUs to Cloud TPUs, which

offer better results.

Monitor Compute Engine announcements for availability of newer CPU architectures, and deploy the model to them as soon as they are available for additional performance.

Save a history of recommendations and results of the recommendations in BigQuery, to be used as training data.

Install the latest BigQuery API client library for Python

Run your script on a new virtual machine with the BigQuery access scope enabled

Create a new service account with BigQuery access and execute your script with that user

Install the bq component for gccloud with the command gcloud components install bq.

Create CPU Utilization and Request Latency as service level indicators.

Create GKE CPU Utilization and Memory Utilization as service level indicators.

Create Request Latency and Error Rate as service level indicators.

Create Server Uptime and Error Rate as service level indicators.

Create a distribution list of all customers to inform them of an upcoming backward-incompatible change at least one month before replacing the old API with the new API.

Create an automated process to generate API documentation, and update the public API documentation as part of the CI/CD process when deploying an update to the API.

Use a versioning strategy for the APIs that increases the version number on every backward-incompatible change.

Use a versioning strategy for the APIs that adds the suffix “DEPRECATED” to the current API version number on every backward-incompatible change. Use the current version number for the new API.

Google Cloud Storage Coldline to store the data, and gsutil to access the data.

Google Cloud Storage Nearline to store the data, and gsutil to access the data.

Google Bigtabte with US or EU as location to store the data, and gcloud to access the data.

BigQuery to store the data, and a web server cluster in a managed instance group to access the data. Google Cloud SQL mirrored across two distinct regions to store the data, and a Redis cluster in a managed instance group to access the data.

Configure Cloud NAT on the subnet where the instance is hosted. Create an SSH connection to the Cloud NAT IP address to reach the instance.

Add all instances to an unmanaged instance group. Configure TCP Proxy Load Balancing with the instance group as a backend. Connect to the instance using the TCP Proxy IP.

Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to ssh into the instance.

Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance.

Perform a mapping of the on-premises physical hardware cores and RAM to the nearest machine types in the cloud.

Recommend that Dress4Win deploy application servers to machine types that offer the highest RAM to CPU ratio available.

Recommend that Dress4Win deploy into production with the smallest instances available, monitor them over time, and scale the machine type up until the desired performance is reached.

Identify the number of virtual cores and RAM associated with the application server virtual machines align them to a custom machine type in the cloud, monitor performance, and scale the machine types up until the desired performance is reached.

Create a cron script using gsutil to copy the files to a Coldline Storage bucket.

Create a cron script using gsutil to copy the files to a Regional Storage bucket.

Create a Cloud Storage Transfer Service Job to copy the files to a Coldline Storage bucket.

Create a Cloud Storage Transfer Service job to copy the files to a Regional Storage bucket.

Store image files in a Google Cloud Storage bucket. Use Google Cloud Datastore to maintain metadata that maps each customer's ID and their image files.

Store image files in a Google Cloud Storage bucket. Add custom metadata to the uploaded images in Cloud Storage that contains the customer's unique ID.

Use a distributed file system to store customers' images. As storage needs increase, add more persistent disks and/or nodes. Assign each customer a unique ID, which sets each file's owner attribute, ensuring privacy of images.

Use a distributed file system to store customers' images. As storage needs increase, add more persistent disks and/or nodes. Use a Google Cloud SQL database to maintain metadata that maps each customer's ID to their image files.

Install the Stackdriver agent on all of the legacy web servers.

In the Cloud Platform Console download the list of the uptime servers' IP addresses and create an inbound firewall rule

Configure their load balancer to pass through the User-Agent HTTP header when the value matches GoogleStackdriverMonitoring-UptimeChecks (https://cloud.google.com/monitoring)

Configure their legacy web servers to allow requests that contain user-Agent HTTP header when the value matches GoogleStackdriverMonitoring— UptimeChecks (https://cloud.google.com/monitoring)

They should enable Google Stackdriver Debugger on the application code to show errors in the code.

They should add additional unit tests and production scale load tests on their cloud staging environment.

They should run the end-to-end tests in the cloud staging environment to determine if the code is working as intended.

They should add canary tests so developers can measure how much of an impact the new release causes to latency.

Grant the operations engineers access to use Google Cloud Shell.

Configure a VPN connection to GCP to allow SSH access to the cloud VMs.

Develop a new access request process that grants temporary SSH access to cloud VMs when an operations engineer needs to perform a task.

Have the development team build an API service that allows the operations team to execute specific remote procedure calls to accomplish their tasks.

Create a dump of the on-premises MySQL master server, and then shut it down, upload it to the cloud environment, and load into a new MySQL cluster.

Setup a MySQL replica server/slave in the cloud environment, and configure it for asynchronous replication from the MySQL master server on-premises until cutover.

Create a new MySQL cluster in the cloud, configure applications to begin writing to both on-premises and cloud MySQL masters, and destroy the original cluster at cutover.

Create a dump of the MySQL replica server into the cloud environment, load it into: Google Cloud Datastore, and configure applications to read/write to Cloud Datastore at cutover.

They should run the end to end tests in the cloud staging environment to determine if the code is working as

intended.

They should enable google stack driver debugger on the application code to show errors in the code

They should add additional unit tests and production scale load tests on their cloud staging environment.

They should add canary tests so developers can measure how much of an impact the new release causes to latency

Use Google App Engine with Google Cloud Endpoints. Focus on an API for dealers and partners.

Use Google App Engine with a JAX-RS Jersey Java-based framework. Focus on an API for the public.

Use Google App Engine with the Swagger (open API Specification) framework. Focus on an API for the public.

Use Google Container Engine with a Django Python container. Focus on an API for the public.

Use Google Container Engine with a Tomcat container with the Swagger (Open API Specification) framework. Focus on an API for dealers and partners.

Have your engineers inspect the data for patterns, and then create an algorithm with rules that make operational adjustments automatically.

Capture all operating data, train machine learning models that identify ideal operations, and run locally to make operational adjustments automatically.

Implement a Google Cloud Dataflow streaming job with a sliding window, and use Google Cloud Messaging (GCM) to make operational adjustments automatically.

Capture all operating data, train machine learning models that identify ideal operations, and host in Google Cloud Machine Learning (ML) Platform to make operational adjustments automatically.

Move all the data into 1 zone, then launch a Cloud Dataproc cluster to run the job.

Move all the data into 1 region, then launch a Google Cloud Dataproc cluster to run the job.

Launch a cluster in each region to preprocess and compress the raw data, then move the data into a multi region bucket and use a Dataproc cluster to finish the job.

Launch a cluster in each region to preprocess and compress the raw data, then move the data into a region bucket and use a Cloud Dataproc cluster to finish the jo

Migrate from CSV to binary format, migrate from FTP to SFTP transport, and develop machine learning analysis of metrics.

Migrate from FTP to streaming transport, migrate from CSV to binary format, and develop machine learning analysis of metrics.

Increase fleet cellular connectivity to 80%, migrate from FTP to streaming transport, and develop machine learning analysis of metrics.

Migrate from FTP to SFTP transport, develop machine learning analysis of metrics, and increase dealer local inventory by a fixed factor.

Have the vehicle’ computer compress the data in hourly snapshots, and store it in a Google Cloud storage (GCS) Nearline bucket.

Push the telemetry data in Real-time to a streaming dataflow job that compresses the data, and store it in Google BigQuery.

Push the telemetry data in real-time to a streaming dataflow job that compresses the data, and store it in Cloud Bigtable.

Have the vehicle's computer compress the data in hourly snapshots, a Store it in a GCS Coldline bucket.

Treat every micro service call between modules on the vehicle as untrusted.

Require IPv6 for connectivity to ensure a secure address space.

Use a trusted platform module (TPM) and verify firmware and binaries on boot.

Use a functional programming language to isolate code execution cycles.

Use multiple connectivity subsystems for redundancy.

Enclose the vehicle's drive electronics in a Faraday cage to isolate chips.

Work with your ISP to diagnose the problem.

Open a support ticket to ask for network capture and flow data to diagnose the problem, then roll back your application.

Roll back to an earlier known good release initially, then use Stackdriver Trace and logging to diagnose the problem in a development/test/staging environment.

Roll back to an earlier known good release, then push the release again at a quieter period to investigate. Then use Stackdriver Trace and logging to diagnose the problem.

Use one Google Container Engine cluster of FTP servers. Save the data to a Multi-Regional bucket. Run the ETL process using data in the bucket.

Use multiple Google Container Engine clusters running FTP servers located in different regions. Save the data to Multi-Regional buckets in us, eu, and asia. Run the ETL process using the data in the bucket.

Directly transfer the files to different Google Cloud Multi-Regional Storage bucket locations in us, eu, and asia using Google APIs over HTTP(S). Run the ETL process using the data in the bucket.

Directly transfer the files to a different Google Cloud Regional Storage bucket location in us, eu, and asia using Google APIs over HTTP(S). Run the ETL process to retrieve the data from each Regional bucket.

Build or leverage an OAuth-compatible access control system.

Build SAML 2.0 SSO compatibility into your authentication system.

Restrict data access based on the source IP address of the partner systems.

Create secondary credentials for each dealer that can be given to the trusted third party.

Opex/capex allocation, LAN changes, capacity planning

Capacity planning, TCO calculations, opex/capex allocation

Capacity planning, utilization measurement, data center expansion

Data Center expansion, TCO calculations, utilization measurement

Create a service account (SA) in the legacy game's Google Cloud project, add this SA in the new game's IAM page, and then give it the Firebase Admin role in both projects

Create a service account (SA) in the legacy game's Google Cloud project, add a second SA in the new game's IAM page, and then give the Organization Admin role to both SAs

Create a service account (SA) in the legacy game's Google Cloud project, give it the Firebase Admin role, and then migrate the new game to the legacy game's project.

Create a service account (SA) in the lgacy game's Google Cloud project, give the SA the Organization Admin rule and then give it the Firebase Admin role in both projects

Use Cloud SQL for time series data, and use Cloud Bigtable for historical data queries.

Use Cloud SQL to replace MySQL, and use Cloud Spanner for historical data queries.

Use Cloud Bigtable to replace MySQL, and use BigQuery for historical data queries.

Use Cloud Bigtable for time series data, use Cloud Spanner for transactional data, and use BigQuery for historical data queries.

Create two G Suite accounts to manage users: one for development/test/staging and one for production. Each account should contain one project for every application.

Create two G Suite accounts to manage users: one with a single project for all development applications and one with a single project for all production applications.

Create a single G Suite account to manage users with each stage of each application in its own project.

Create a single G Suite account to manage users with one project for the development/test/staging environment and one project for the production environment.

Delete the virtual machine (VM) and disks and create a new one.

Delete the instance, attach the disk to a new VM, and investigate.

Take a snapshot of the disk and connect to a new machine to investigate.

Check inbound firewall rules for the network the machine is connected to.

Connect the machine to another network with very simple firewall rules and investigate.

Print the Serial Console output for the instance for troubleshooting, activate the interactive console, and investigate.

A single VPN tunnel, which limits throughput

A tier of Google Cloud Storage that is not suited for this task

A copy command that is not suited to operate over long distances

Fewer virtual machines (VMs) in GCP than on-premises machines

A separate storage layer outside the VMs, which is not suited for this task

Complicated internet connectivity between the on-premises infrastructure and GCP

Error rates for requests from Asia

Latency difference between US and Asia

Total visits, error rates, and latency from Asia

Total visits and average latency for users in Asia

The number of character sets present in the database

Provision service account keys for the on-premises infrastructure and for the GCE virtual machines (VMs).

Authenticate the on-premises infrastructure with a user account and provision service account keys for the VMs.

Provision service account keys for the on-premises infrastructure and use Google Cloud Platform (GCP) managed keys for the VMs

Deploy a custom authentication service on GCE/Google Container Engine (GKE) for the on-premises infrastructure and use GCP managed keys for the VMs.

Cloud Spanner

Google BigQuery

Google Cloud SQL

Google Cloud Datastore

Google Kubernetes Engine with an SSL Ingress

Cloud IoT Core with public/private key pairs

Compute Engine with project-wide SSH keys

Compute Engine with specific SSH keys

Replace the existing data warehouse with BigQuery. Use table partitioning.

Replace the existing data warehouse with a Compute Engine instance with 96 CPUs.

Replace the existing data warehouse with BigQuery. Use federated data sources.

Replace the existing data warehouse with a Compute Engine instance with 96 CPUs. Add an additional Compute Engine pre-emptible instance with 32 CPUs.

Create a token and pass it in as an environment variable to func_display. When invoking func_query, include the token in the request Pass the same token to func _query and reject the invocation if the tokens are different.

Make func_query 'Require authentication.' Create a unique service account and associate it to func_display. Grant the service account invoker role for func_query. Create an id token in func_display and include the token to the request when invoking func_query.

Make func _query 'Require authentication' and only accept internal traffic. Create those two functions in the same VPC. Create an ingress firewall rule for func_query to only allow traffic from func_display.

Create those two functions in the same project and VPC. Make func_query only accept internal traffic. Create an ingress firewall for func_query to only allow traffic from func_display. Also, make sure both functions use the same service account.

Store the card data in Secret Manager after running a query to identify duplicates.

Encrypt the card data with a deterministic algorithm stored in Firestore using Datastore mode.

Encrypt the card data with a deterministic algorithm and shard it across multiple Memorystore instances.

Use column-level encryption to store the data in Cloud SQL.

glouc compute firewall rules update hlr-policy \

--priority 1000 \

target tags-sourceiplist fastly \

--allow tcp:443

gcloud compute security policies rules update 1000 \

--security-policy hlr-policy \

--expression "evaluatePreconfiguredExpr('sourceiplist-fastly')" \

--action " allow"

gcloud compute firewall rules update

sourceiplist-fastly \

priority 1000 \

allow tcp: 443

gcloud compute priority-policies rules update

1000 \

security policy from fastly

--src- ip-ranges"

-- action " allow"

Use Explainable AI.

Use Vision AI.

Use Google Cloud’s operations suite.

Use Jupyter Notebooks.

Set up Cloud Tasks and a Cloud Storage bucket that triggers a Cloud Function.

Set up a Cloud Logging sink and a Cloud Storage bucket that triggers a Cloud Function.

Configure the deployment job to notify a Pub/Sub queue that triggers a Cloud Function.

Set up Identity and Access Management (IAM) and Confidential Computing to trigger a Cloud Function.

Use Firestore for its scalable and flexible document-based database. Use collections to aggregate race data

by season and event.

Use Cloud Spanner for its scalability and ability to version schemas with zero downtime. Split race data

using season as a primary key.

Use BigQuery for its scalability and ability to add columns to a schema. Partition race data based on

season.

Use Cloud SQL for its ability to automatically manage storage increases and compatibility with MySQL. Use

separate database instances for each season.

Log into each Compute Engine instance and collect disk, CPU, memory, and network usage statistics for

analysis.

Use the gcloud compute instances list to list the virtual machine instances that have the idle: true label set.

Use the gcloud recommender command to list the idle virtual machine instances.

From the Google Console, identify which Compute Engine instances in the managed instance groups are

no longer responding to health check probes.

Use Stackdriver Trace to create a trace list analysis.

Use Stackdriver Monitoring to create a dashboard on the project’s activity.

Enable Cloud Identity-Aware Proxy in all projects, and add the group of Administrators as a member.

Use the Activity page in the GCP Console and Stackdriver Logging to provide the required insight.

Migrate the web application layer to App Engine, and MySQL to Cloud Datastore, and NAS to Cloud Storage. Deploy RabbitMQ, and deploy Hadoop servers using Deployment Manager.

Migrate RabbitMQ to Cloud Pub/Sub, Hadoop to BigQuery, and NAS to Compute Engine with Persistent Disk storage. Deploy Tomcat, and deploy Nginx using Deployment Manager.

Implement managed instance groups for Tomcat and Nginx. Migrate MySQL to Cloud SQL, RabbitMQ to Cloud Pub/Sub, Hadoop to Cloud Dataproc, and NAS to Compute Engine with Persistent Disk storage.

Implement managed instance groups for the Tomcat and Nginx. Migrate MySQL to Cloud SQL, RabbitMQ to Cloud Pub/Sub, Hadoop to Cloud Dataproc, and NAS to Cloud Storage.

Web applications deployed using App Engine standard environment

RabbitMQ deployed using an unmanaged instance group

Hadoop/Spark deployed using Cloud Dataproc Regional in High Availability mode

Jenkins, monitoring, bastion hosts, security scanners services deployed on custom machine types