Google Associate Cloud Engineer Exam Practice Test Instant Access

Question 1

You want to deploy a new containerized application into Google Cloud by using a Kubernetes manifest. You want to have full control over the Kubernetes deployment, and at the same time, you want to minimize configuring infrastructure. What should you do?

ADeploy the application on GKE Autopilot.

BDeploy the application on GKE Standard.

CDeploy the application on Cloud Functions.

DDeploy the application on Cloud Run.

Answer : A

Question 2

Your preview application, deployed on a single-zone Google Kubernetes Engine (GKE) cluster in us-centrall, has gained popularity. You are now ready to make the application generally available. You need to deploy the application to production while ensuring high availability and resilience. You also want to follow Google-recommended practices. What should you do?

AUse the gcloud container clusters create command with the options--enable-multi-networking and--enable- autoscaling to create an autoscaling zonal cluster and deploy the application to it.

BUse the gcloud container clusters create-auto command to create an autopilot cluster and deploy the application to it.

CUse the gcloud container clusters update command with the option---region us-centrall to update the cluster and deploy the application to it.

DUse the gcloud container clusters update command with the option---node-locations us-centrall-a,us-centrall-b to update the cluster and deploy the application to the nodes.

Answer : B

Question 3

You are running out of primary internal IP addresses in a subnet for a custom mode VPC. The subnet has the IP range 10.0.0.0/20. and the IP addresses are primarily used by virtual machines in the project. You need to provide more IP addresses for the virtual machines. What should you do?

AChange the subnet IP range from 10.0.0.0/20 to 10.0.0.0/22.

BChange the subnet IP range from 10.0 0.0/20 to 10.0.0.0718.

CAdd a secondary IP range 10.1.0.0/20 to the subnet.

DConvert the subnet IP range from IPv4 to IPv6

Answer : B

Question 4

You are a Google Cloud organization administrator. You need to configure organization policies and log sinks on Google Cloud projects that cannot be removed by project users to comply with your company's security policies. The security policies are different for each company department Each company department has a user with the Project Owner role assigned to their projects. What should you do?

AOrganize projects under folders for each department. Configure both organization policies and log sinks on the folders

BOrganize projects under folders for each department. Configure organization policies on the organization and log sinks on the folders.

CUse a standard naming convention for projects that includes the department name. Configure organization policies on the organization and log sinks on the projects.

DUse a standard naming convention for projects that includes the department name. Configure both organization policies and log sinks on the projects.

Answer : A

Question 5

Your application stores files on Cloud Storage by using the Standard Storage class. The application only requires access to files created in the last 30 days. You want to automatically save costs on files that are no longer accessed by the application. What should you do?

ACreate a retention policy on the storage bucket of 30 days, and lock the bucket by using a retention policy lock.

BEnable object versioning on the storage bucket and add lifecycle rules to expire non-current versions after 30 days

CCreate an object lifecycle on the storage bucket to change the storage class to Archive Storage for objects with an age over 30 days.

DCreate a cron job in Cloud Scheduler to call a Cloud Functions instance every day to delete files older than 30 days.

Answer : C

Question 6

During a recent audit of your existing Google Cloud resources, you discovered several users with email addresses outside of your Google Workspace domain.

You want to ensure that your resources are only shared with users whose email addresses match your domain. You need to remove any mismatched users, and you want to avoid having to audit your resources to identify mismatched users. What should you do?

ACreate a Cloud Scheduler task to regularly scan your projects and delete mismatched users.

BCreate a Cloud Scheduler task to regularly scan your resources and delete mismatched users.

CSet an organizational policy constraint to limit identities by domain to automatically remove mismatched users.

DSet an organizational policy constraint to limit identities by domain, and then retroactively remove the existing mismatched users.

Answer : D

https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints This list constraint defines the set of domains that email addresses added to Essential Contacts can have. By default, email addresses with any domain can be added to Essential Contacts. The allowed/denied list must specify one or more domains of the form @example.com. If this constraint is active and configured with allowed values, only email addresses with a suffix matching one of the entries from the list of allowed domains can be added in Essential Contacts. This constraint has no effect on updating or removing existing contacts. constraints/essentialcontacts.allowedContactDomains

Question 7

You have deployed an application on a Compute Engine instance. An external consultant needs to access the Linux-based instance. The consultant is connected to your corporate network through a VPN connection, but the consultant has no Google account. What should you do?

AInstruct the external consultant to use the gcloud compute ssh command line tool by using Identity-Aware Proxy to access the instance.

BInstruct the external consultant to use the gcloud compute ssh command line tool by using the public IP address of the instance to access it.

CInstruct the external consultant to generate an SSH key pair, and request the public key from the consultant.
Add the public key to the instance yourself, and have the consultant access the instance through SSH with their private key.

DInstruct the external consultant to generate an SSH key pair, and request the private key from the consultant.
Add the private key to the instance yourself, and have the consultant access the instance through SSH with their public key.

Answer : C

The best option is to instruct the external consultant to generate an SSH key pair, and request the public key from the consultant. Then, add the public key to the instance yourself, and have the consultant access the instance through SSH with their private key. This way, you can grant the consultant access to the instance without requiring a Google account or exposing the instance's public IP address.This option also follows the best practice of using user-managed SSH keys instead of service account keys for SSH access1.

Option A is not feasible because the external consultant does not have a Google account, and therefore cannot use Identity-Aware Proxy (IAP) to access the instance.IAP requires the user to authenticate with a Google account and have the appropriate IAM permissions to access the instance2. Option B is not secure because it exposes the instance's public IP address, which can increase the risk of unauthorized access or attacks. Option D is not correct because it reverses the roles of the public and private keys. The public key should be added to the instance, and the private key should be kept by the consultant.Sharing the private key with anyone else can compromise the security of the SSH connection3.

1: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

2: https://cloud.google.com/iap/docs/using-tcp-forwarding

3: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances