Practice Qns GCP DevOps Set6

The document outlines various scenarios and recommended actions for deploying services on Google Cloud, managing logging access, using CI/CD with Jenkins and Terraform, handling outages, and implementing postmortems. It emphasizes following Google-recommended practices for resource management, security, and incident response. Each scenario includes multiple-choice options with the most voted recommendations highlighted for clarity.

Uploaded by

gandesaikiran0

You need to deploy a new service to production. The service needs to automatically scale using a
managed instance group and should be deployed across multiple regions. The service needs a
large number of resources for each instance and you need to plan for capacity. What should you
do?

• A. Monitor results of Cloud Trace to determine the optimal sizing.
• B. Use the n2-highcpu-96 machine type in the configuration of the managed instance group.
• C. Deploy the service in multiple regions and use an internal load balancer to route traffic.
• D. Validate that the resource requirements are within the available project quota limits of
each region. Most Voted

Your organization stores all application logs from multiple Google Cloud projects in a central Cloud
Logging project. Your security team wants to enforce a rule that each project team can only view
their respective logs and only the operations team can view all the logs. You need to design a
solution that meets the security team's requirements while minimizing costs. What should you do?

• A. Grant each project team access to the project _Default view in the central logging
project. Grant logging viewer access to the operations team in the central logging project.
• B. Create Identity and Access Management (IAM) roles for each project team and restrict
access to the _Default log view in their individual Google Cloud project. Grant viewer
access to the operations team in the central logging project.
• C. Create log views for each project team and only show each project team their
application logs. Grant the operations team access to the _AllLogs view in the central
logging project. Most Voted
• D. Export logs to BigQuery tables for each project team. Grant project teams access to their
tables. Grant logs writer access to the operations team in the central logging project.

Your company uses Jenkins running on Google Cloud VM instances for CI/CD. You need to extend
the functionality to use infrastructure as code automation by using Terraform. You must ensure
that the Terraform Jenkins instance is authorized to create Google Cloud resources. You want to
follow Google-recommended practices. What should you do?

• A. Confirm that the Jenkins VM instance has an attached service account with the
appropriate Identity and Access Management (IAM) permissions. Most Voted
• B. Use the Terraform module so that Secret Manager can retrieve credentials.
• C. Create a dedicated service account for the Terraform instance. Download and copy the
secret key value to the GOOGLE_CREDENTIALS environment variable on the Jenkins
server.
• D. Add the gcloud auth application-default login command as a step in Jenkins before
running the Terraform commands.

You encounter a large number of outages in the production systems you support. You receive
alerts for all the outages, the alerts are due to unhealthy systems that are automatically restarted
within a minute. You want to set up a process that would prevent staff burnout while following Site
Reliability Engineering (SRE) practices. What should you do?

• A. Eliminate alerts that are not actionable Most Voted
• B. Redefine the related SLO so that the error budget is not exhausted
• C. Distribute the alerts to engineers in different time zones
• D. Create an incident report for each of the alerts

You are developing reusable infrastructure as code modules. Each module contains integration
tests that launch the module in a test project. You are using GitHub for source control. You need to
continuously test your feature branch and ensure that all code is tested before changes are
accepted. You need to implement a solution to automate the integration tests. What should you
do?

• A. Use a Jenkins server for CI/CD pipelines. Periodically run all tests in the feature branch.
• B. Ask the pull request reviewers to run the integration tests before approving the code.
• C. Use Cloud Build to run the tests. Trigger all tests to run after a pull request is merged.
• D. Use Cloud Build to run tests in a specific folder. Trigger Cloud Build for every GitHub pull
request. Most Voted

Your company runs services by using Google Kubernetes Engine (GKE). The GKE clusters in the
development environment run applications with verbose logging enabled. Developers view logs by
using the kubectl logs command and do not use Cloud Logging. Applications do not have a
uniform logging structure defined. You need to minimize the costs associated with application
logging while still collecting GKE operational logs. What should you do?

• A. Run the gcloud container clusters update --logging=SYSTEM command for the
development cluster.
• B. Run the gcloud container clusters update --logging=WORKLOAD command for the
development cluster.
• C. Run the gcloud logging sinks update _Default --disabled command in the project
associated with the development environment.
• D. Add the severity >= DEBUG resource.type = "k8s_container" exclusion filter to the
_Default logging sink in the project associated with the development environment. Most Voted

You have deployed a fleet of Compute Engine instances in Google Cloud. You need to ensure that
monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by
your company's operations and cyber security teams. You need to grant the required roles for the
Compute Engine service account by using Identity and Access Management (IAM) while following
the principle of least privilege. What should you do?

• A. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine
service accounts. Most Voted
• B. Grant the logging.admin and monitoring.editor roles to the Compute Engine service
accounts.
• C. Grant the logging.editor and monitoring.metricWriter roles to the Compute Engine
service accounts.
• D. Grant the logging.logWriter and monitoring.editor roles to the Compute Engine service
accounts.

You are the Site Reliability Engineer responsible for managing your company's data services and
products. You regularly navigate operational challenges, such as unpredictable data volume and
high cost, with your company's data ingestion processes. You recently learned that a new data
ingestion product will be developed in Google Cloud. You need to collaborate with the product
development team to provide operational input on the new product. What should you do?

• A. Deploy the prototype product in a test environment, run a load test, and share the results
with the product development team.
• B. When the initial product version passes the quality assurance phase and compliance
assessments, deploy the product to a staging environment. Share error logs and
performance metrics with the product development team.
• C. When the new product is used by at least one internal customer in production, share
error logs and monitoring metrics with the product development team.
• D. Review the design of the product with the product development team to provide
feedback early in the design phase. Most Voted

You are investigating issues in your production application that runs on Google Kubernetes Engine
(GKE). You determined that the source of the issue is a recently updated container image, although
the exact change in code was not identified. The deployment is currently pointing to the latest tag.
You need to update your cluster to run a version of the container that functions as intended. What
should you do?

• A. Create a new tag called stable that points to the previously working container, and
change the deployment to point to the new tag.
• B. Alter the deployment to point to the sha256 digest of the previously working
container. Most Voted
• C. Build a new container from a previous Git tag, and do a rolling update on the deployment
to the new container.
• D. Apply the latest tag to the previous container image, and do a rolling update on the
deployment.

You need to create a Cloud Monitoring SLO for a service that will be published soon. You want to
verify that requests to the service will be addressed in fewer than 300 ms at least 90% of the time
per calendar month. You need to identify the metric and evaluation method to use. What should
you do?

• A. Select a latency metric for a request-based method of evaluation. Most Voted
• B. Select a latency metric for a window-based method of evaluation.
• C. Select an availability metric for a request-based method of evaluation.
• D. Select an availability metric for a window-based method of evaluation.

You have an application that runs on Cloud Run. You want to use live production traffic to test a
new version of the application, while you let the quality assurance team perform manual testing.
You want to limit the potential impact of any issues while testing the new version, and you must be
able to roll back to a previous version of the application if needed. How should you deploy the new
version? (Choose two.)

• A. Deploy the application as a new Cloud Run service.
• B. Deploy a new Cloud Run revision with a tag and use the --no-traffic option. Most Voted
• C. Deploy a new Cloud Run revision without a tag and use the --no-traffic option.
• D. Deploy the new application version and use the --no-traffic option. Route production
traffic to the revision’s URL. Most Voted
• E. Deploy the new application version, and split traffic to the new version.

You need to introduce postmortems into your organization. You want to ensure that the
postmortem process is well received. What should you do? (Choose two.)

• A. Encourage new employees to conduct postmortems to learn through practice.
• B. Create a designated team that is responsible for conducting all postmortems.
• C. Encourage your senior leadership to acknowledge and participate in postmortems. Most Voted
• D. Ensure that writing effective postmortems is a rewarded and celebrated practice. Most Voted
• E. Provide your organization with a forum to critique previous postmortems.

You are the Operations Lead for an ongoing incident with one of your services. The service usually
runs at around 70% capacity. You notice that one node is returning 5xx errors for all requests.
There has also been a noticeable increase in support cases from customers. You need to remove
the offending node from the load balancer pool so that you can isolate and investigate the node.
You want to follow Google-recommended practices to manage the incident and reduce the impact
on users. What should you do?

• A. 1. Communicate your intent to the incident team.
2. Perform a load analysis to determine if the remaining nodes can handle the increase in
traffic offloaded from the removed node, and scale appropriately.
3. When any new nodes report healthy, drain traffic from the unhealthy node, and remove
the unhealthy node from service. Most Voted
• B. 1. Communicate your intent to the incident team.
2. Add a new node to the pool, and wait for the new node to report as healthy.
3. When traffic is being served on the new node, drain traffic from the unhealthy node, and
remove the old node from service.
• C. 1. Drain traffic from the unhealthy node and remove the node from service.
2. Monitor traffic to ensure that the error is resolved and that the other nodes in the pool
are handling the traffic appropriately.
3. Scale the pool as necessary to handle the new load.
4. Communicate your actions to the incident team.
• D. 1. Drain traffic from the unhealthy node and remove the old node from service.
2. Add a new node to the pool, wait for the new node to report as healthy, and then serve
traffic to the new node.
3. Monitor traffic to ensure that the pool is healthy and is handling traffic appropriately.
4. Communicate your actions to the incident team.

You are configuring your CI/CD pipeline natively on Google Cloud. You want builds in a pre-
production Google Kubernetes Engine (GKE) environment to be automatically load-tested before
being promoted to the production GKE environment. You need to ensure that only builds that have
passed this test are deployed to production. You want to follow Google-recommended practices.
How should you configure this pipeline with Binary Authorization?

• A. Create an attestation for the builds that pass the load test by requiring the lead quality
assurance engineer to sign the attestation by using their personal private key.
• B. Create an attestation for the builds that pass the load test by using a private key stored
in Cloud Key Management Service (Cloud KMS) with a service account JSON key stored as
a Kubernetes Secret.
• C. Create an attestation for the builds that pass the load test by using a private key stored
in Cloud Key Management Service (Cloud KMS) authenticated through Workload
Identity. Most Voted
• D. Create an attestation for the builds that pass the load test by requiring the lead quality
assurance engineer to sign the attestation by using a key stored in Cloud Key Management
Service (Cloud KMS).

You are deploying an application to Cloud Run. The application requires a password to start. Your
organization requires that all passwords are rotated every 24 hours, and your application must
have the latest password. You need to deploy the application with no downtime. What should you
do?

• A. Store the password in Secret Manager and send the secret to the application by using
environment variables.
• B. Store the password in Secret Manager and mount the secret as a volume within the
application. Most Voted
• C. Use Cloud Build to add your password into the application container at build time.
Ensure that Artifact Registry is secured from public access.
• D. Store the password directly in the code. Use Cloud Build to rebuild and deploy the
application each time the password changes.

Your company runs applications in Google Kubernetes Engine (GKE) that are deployed following a
GitOps methodology. Application developers frequently create cloud resources to support their
applications. You want to give developers the ability to manage infrastructure as code, while
ensuring that you follow Google-recommended practices. You need to ensure that infrastructure as
code reconciles periodically to avoid configuration drift. What should you do?

• A. Install and configure Config Connector in Google Kubernetes Engine (GKE). Most Voted
• B. Configure Cloud Build with a Terraform builder to execute terraform plan and terraform
apply commands.
• C. Create a Pod resource with a Terraform docker image to execute terraform plan and
terraform apply commands.
• D. Create a Job resource with a Terraform docker image to execute terraform plan and
terraform apply commands.

You are designing a system with three different environments: development, quality assurance
(QA), and production. Each environment will be deployed with Terraform and has a Google
Kubernetes Engine (GKE) cluster created so that application teams can deploy their applications.
Anthos Config Management will be used and templated to deploy infrastructure level resources in
each GKE cluster. All users (for example, infrastructure operators and application owners) will use
GitOps. How should you structure your source control repositories for both Infrastructure as Code
(IaC) and application code?

• A. • Cloud Infrastructure (Terraform) repository is shared: different directories are different
environments
• GKE Infrastructure (Anthos Config Management Kustomize manifests) repository is
shared: different overlay directories are different environments
• Application (app source code) repositories are separated: different branches are different
features Most Voted
• B. • Cloud Infrastructure (Terraform) repository is shared: different directories are different
environments
• GKE Infrastructure (Anthos Config Management Kustomize manifests) repositories are
separated: different branches are different environments
• Application (app source code) repositories are separated: different branches are different
features
• C. • Cloud Infrastructure (Terraform) repository is shared: different branches are different
environments
• GKE Infrastructure (Anthos Config Management Kustomize manifests) repository is
shared: different overlay directories are different environments
• Application (app source code) repository is shared: different directories are different
features
• D. • Cloud Infrastructure (Terraform) repositories are separated: different branches are
different environments
• GKE Infrastructure (Anthos Config Management Kustomize manifests) repositories are
separated: different overlay directories are different environments
• Application (app source code) repositories are separated: different branches are different

As a Site Reliability Engineer, you support an application written in Go that runs on Google
Kubernetes Engine (GKE) in production. After releasing a new version of the application, you notice
the application runs for about 15 minutes and then restarts. You decide to add Cloud Profiler to
your application and now notice that the heap usage grows constantly until the application
restarts. What should you do?

• A. Increase the CPU limit in the application deployment.
• B. Add high memory compute nodes to the cluster.
• C. Increase the memory limit in the application deployment. Most Voted
• D. Add Cloud Trace to the application, and redeploy.

You are deploying a Cloud Build job that deploys Terraform code when a Git branch is updated.
While testing, you noticed that the job fails. You see the following error in the build logs:

Initializing the backend...

Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403

You need to resolve the issue by following Google-recommended practices. What should you do?

• A. Change the Terraform code to use local state.
• B. Create a storage bucket with the name specified in the Terraform configuration.
• C. Grant the roles/owner Identity and Access Management (IAM) role to the Cloud Build
service account on the project.
• D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the
Cloud Build service account on the state file bucket. Most Voted

Your company runs applications in Google Kubernetes Engine (GKE). Several applications rely on
ephemeral volumes. You noticed some applications were unstable due to the DiskPressure node
condition on the worker nodes. You need to identify which Pods are causing the issue, but you do
not have execute access to workloads and nodes. What should you do?

• A. Check the node/ephemeral_storage/used_bytes metric by using Metrics Explorer.
• B. Check the container/ephemeral_storage/used_bytes metric by using Metrics
Explorer. Most Voted
• C. Locate all the Pods with emptyDir volumes. Use the df -h command to measure volume
disk usage.
• D. Locate all the Pods with emptyDir volumes. Use the df -sh * command to measure
volume disk usage.

You are designing a deployment technique for your applications on Google Cloud. As part of your
deployment planning, you want to use live traffic to gather performance metrics for new versions
of your applications. You need to test against the full production load before your applications are
launched. What should you do?

• A. Use A/B testing with blue/green deployment.
• B. Use canary testing with continuous deployment.
• C. Use canary testing with rolling updates deployment.
• D. Use shadow testing with continuous deployment. Most Voted

Your Cloud Run application writes unstructured logs as text strings to Cloud Logging. You want to
convert the unstructured logs to JSON-based structured logs. What should you do?

• A. Modify the application to use Cloud Logging software development kit (SDK), and send
log entries with a jsonPayload field.
• B. Install a Fluent Bit sidecar container, and use a JSON parser.
• C. Install the log agent in the Cloud Run container image, and use the log agent to forward
logs to Cloud Logging.
• D. Configure the log agent to convert log text payload to JSON payload. Most Voted

You are leading a DevOps project for your organization. The DevOps team is responsible for
managing the service infrastructure and being on-call for incidents. The Software Development
team is responsible for writing, submitting, and reviewing code. Neither team has any published
SLOs. You want to design a new joint-ownership model for a service between the DevOps team and
the Software Development team. Which responsibilities should be assigned to each team in the
new joint-ownership model?

• A.

• B.

• C. Most Voted

• D.

You recently migrated an ecommerce application to Google Cloud. You now need to prepare the
application for the upcoming peak traffic season. You want to follow Google-recommended
practices. What should you do first to prepare for the busy season?

• A. Migrate the application to Cloud Run, and use autoscaling.
• B. Create a Terraform configuration for the application's underlying infrastructure to
quickly deploy to additional regions.
• C. Load test the application to profile its performance for scaling. Most Voted
• D. Pre-provision the additional compute power that was used last season, and expect
growth.

You are monitoring a service that uses n2-standard-2 Compute Engine instances that serve large
files. Users have reported that downloads are slow. Your Cloud Monitoring dashboard shows that
your VMs are running at peak network throughput. You want to improve the network throughput
performance. What should you do?

• A. Add additional network interface controllers (NICs) to your VMs.
• B. Deploy a Cloud NAT gateway and attach the gateway to the subnet of the VMs.
• C. Change the machine type for your VMs to n2-standard-8. Most Voted
• D. Deploy the Ops Agent to export additional monitoring metrics.

Your organization is starting to containerize with Google Cloud. You need a fully managed storage
solution for container images and Helm charts. You need to identify a storage solution that has
native integration into existing Google Cloud services, including Google Kubernetes Engine (GKE),
Cloud Run, VPC Service Controls, and Identity and Access Management (IAM). What should you
do?

• A. Use Docker to configure a Cloud Storage driver pointed at the bucket owned by your
organization.
• B. Configure an open source container registry server to run in GKE with a restrictive role-
based access control (RBAC) configuration.
• C. Configure Artifact Registry as an OCI-based container registry for both Helm charts and
container images. Most Voted
• D. Configure Container Registry as an OCI-based container registry for container images.
