Questions d'entraînement

Question 1

You are designing a tablet app for municipal tree inspectors that must store hierarchical observations (city -> district -> park -> tree -> inspection) with up to 5 nested levels and support offline work for up to 72 hours; upon reconnect, the app must automatically sync local changes and handle conflicts gracefully. A backend on Cloud Run will use a dedicated service account to enrich the same records (e.g., geocoding, policy tags) directly in the database, performing up to 5,000 writes per minute at peak. The solution must scale securely to 250,000 monthly active users in the first quarter and provide client SDKs with built-in offline caching and synchronization. Which database and IAM role should you assign to the backend service account?

Analyse de la question

Core concept: This question tests selecting a database that supports hierarchical data modeling plus mobile/offline-first synchronization using Google-provided client SDKs, and choosing the least-privilege IAM role for a Cloud Run service account that must write to that database. Why the answer is correct: Firestore in Native mode is the best fit because it is the database behind Firebase/Firestore client SDKs that provide built-in offline persistence, local caching, and automatic synchronization when connectivity returns—exactly matching the 72-hour offline requirement and “sync + conflict handling” requirement. Firestore’s document/collection model naturally represents hierarchical entities (city/district/park/tree/inspection) via subcollections or by storing references/IDs, and it supports up to 100 levels of subcollections, so 5 nested levels is well within limits. For backend enrichment from Cloud Run, the service account needs read/write access to Firestore; roles/datastore.user grants the ability to read and write entities/documents (and is the common least-privilege baseline for server-side access), enabling the backend to perform up to 5,000 writes/minute. Key features and best practices: - Offline-first: Firestore SDKs (Android/iOS/Web) support offline persistence and automatic sync; conflicts are typically handled via “last write wins” semantics and can be improved with transactions, server timestamps, and custom merge logic. - Scale: Firestore is serverless and designed for high concurrency and large user bases; it aligns with Google Cloud Architecture Framework principles for scalability and operational excellence. - Security: Use Firebase Authentication/Identity Platform for end-user auth and Firestore Security Rules for client access; use a dedicated service account for Cloud Run with IAM-based access. - Throughput: 5,000 writes/min (~83 writes/sec) is generally feasible; design for hot-spot avoidance (spread writes across document keys, avoid single-document contention). Common misconceptions: - Cloud SQL can store hierarchical data but does not provide offline sync SDKs; you would need to build custom sync/conflict resolution. - Bigtable is highly scalable but lacks mobile offline sync SDKs and is not ideal for hierarchical document access patterns. - Firestore in Datastore mode is oriented toward Datastore APIs and does not align as directly with Firebase offline sync expectations. Exam tips: When you see “client SDKs with offline caching and automatic synchronization,” think Firestore (Native mode) / Firebase. Then choose an IAM role that enables required operations (read/write) for the backend service account; viewer roles won’t work for writes, and overly broad roles should be avoided.

Question 2

Your team uses Cloud Build to run CI for a Go microservice stored in a private GitHub repository mirrored to Cloud Source Repositories; one of the build steps requires a specific static analysis tool (version 3.7.2) that is not present in the default Cloud Build environment, the tool is ~120 MB and must be available within 5 seconds at step start to keep total build time under a 10-minute SLA, outbound internet access during builds is restricted, and you need reproducible results across ~50 builds per day—what should you do?

Analyse de la question

Core Concept: This question tests Cloud Build execution environments and how to supply deterministic, fast, offline dependencies for build steps. In Cloud Build, each step runs in a container image. If a required tool is not in the default builders, you can either fetch it at build time or package it into a custom builder image. Why the Answer is Correct: A custom Cloud Build builder image that already contains the static analysis tool (v3.7.2) ensures the tool is available immediately when the step starts (meeting the 5-second requirement) and avoids outbound internet access (which is restricted). It also guarantees reproducibility across ~50 builds/day because the tool version is pinned in the image. This aligns with CI best practices: immutable, versioned build environments that reduce variability and external dependencies. Key Features / Configurations / Best Practices: - Create a custom builder image (e.g., based on a minimal Linux image or an official Go builder) and bake the 120 MB binary into the image layer. - Store the image in Artifact Registry (or Container Registry) and reference it in cloudbuild.yaml steps via the image name. - Pin by immutable digest (e.g., image@sha256:...) for maximum reproducibility. - Use Cloud Build private pools if you need tighter network egress control; however, even with restricted egress, prepackaged images avoid runtime downloads. - This approach supports Google Cloud Architecture Framework principles: reliability (consistent builds), operational excellence (repeatable pipelines), and performance efficiency (fast step startup). Common Misconceptions: Downloading during the build (Option A) seems simple, but it violates the restricted outbound internet requirement and introduces latency/availability risk that can break the 10-minute SLA. Committing binaries (Option C) can appear reproducible, but it bloats repos, complicates reviews, and is generally an anti-pattern for supply-chain and maintainability. Requesting default support (Option D) is not an actionable solution for an exam scenario and does not meet immediate SLA needs. Exam Tips: For Cloud Build questions involving “tool not available,” “no internet,” “fast startup,” and “reproducible builds,” the expected pattern is: build a custom builder image, store it in Artifact Registry, and reference it in build steps (often pinned by digest). Prefer immutable, versioned artifacts over runtime downloads or committing large binaries into source control.

Question 3

You are building an external review portal for a film festival that stores high‑bitrate video dailies in Cloud Storage, and you must let reviewers—some of whom do not have Google accounts—securely access only their assigned files with the ability to read, upload replacements, or delete them for a strict 24-hour window; how should you provide access to the objects?

Question 4

You are setting up a new workstation to provision Google Cloud infrastructure with Terraform for a video analytics project at AuroraStream. Company policy requires that all resources be created by a dedicated deployment service account (tf-deployer@proj.example.iam.gserviceaccount.com) and forbids downloading long-lived service account keys. Your Cloud Identity user has the iam.serviceAccountTokenCreator role on that service account and the necessary project permissions to run Terraform. You will configure the Terraform Google provider to use impersonate_service_account pointing to the deployment service account. Following Google-recommended best practices, what should you do on your workstation to authenticate Terraform?

Question 5

You are preparing nightly releases of a serverless event-processing platform on Cloud Run across two regions. Each day at 18:00 UTC, your CI/CD pipeline builds and pushes 30–40 distinct Linux-based container images to a single Artifact Registry Docker repository, and the production rollout begins at 20:00 UTC. Security requires that you be alerted to any known OS-level vulnerabilities in the newly pushed images before the rollout, and you want to follow Google‑recommended best practices without adding custom scanning code to your pipeline. What should you do?

Envie de vous entraîner partout ?

Téléchargez Cloud Pass gratuitement — inclut des tests d'entraînement, le suivi de progression et plus encore.

Question 6

You are configuring a Cloud Build trigger for a Node.js REST service that builds a Docker image and pushes it to Artifact Registry (us-central1, repository 'apis') with the tag $SHORT_SHA. Compliance requires the pipeline to first run unit tests and then run integration tests against a disposable test database before the image is pushed. If any test fails, you must be able to tell from the Cloud Build history exactly which stage (unit or integration) failed without reading through logs. What should you do?

Analyse de la question

Core Concept: This question tests Cloud Build pipeline design for CI quality gates: structuring build steps so test phases are enforced in order and failures are clearly attributable from Cloud Build history. It also touches Artifact Registry publishing best practices (only push artifacts after validation). Why the Answer is Correct: Using separate Cloud Build steps with distinct step IDs for unit tests and integration tests (and ordering them before the Docker build/push) provides explicit stage boundaries in the Cloud Build UI and build history. Cloud Build shows each step’s status (success/failure) and the failing step ID without requiring log inspection. Because steps run sequentially by default (unless you use waitFor), placing “unit-tests” first and “integration-tests” second guarantees the required order. Only after both succeed should you run the Docker build and push to Artifact Registry with the $SHORT_SHA tag. Key Features / Best Practices: - Step granularity: Each step is a first-class entity in Cloud Build history; distinct IDs make compliance auditing and troubleshooting faster. - Ordered execution: Default sequential execution enforces unit then integration tests; you can also explicitly set waitFor to avoid accidental parallelism. - Disposable test database: Integration tests can spin up ephemeral dependencies (e.g., Cloud SQL via Auth Proxy, a temporary database/schema, or a containerized DB) within a dedicated step, then tear down in the same step to control cost and avoid state leakage. - Artifact promotion: Build and push only after tests pass aligns with supply-chain and release hygiene practices. Common Misconceptions: - Putting tests in a Dockerfile (option A) conflates image build with CI validation and makes failures appear as a generic “docker build failed,” obscuring which test stage failed. - Combining tests into one step (option B) still hides which phase failed at the Cloud Build step level; you’d need logs to distinguish unit vs integration failures. - Splitting into separate pipelines (option C) adds orchestration complexity and doesn’t inherently improve per-build stage visibility; it can also complicate passing artifacts/SHAs and enforcing a single audited flow. Exam Tips: For Cloud Build questions requiring visibility of which phase failed, prefer multiple steps with clear IDs. For “don’t publish if tests fail,” ensure push steps occur after test steps. Remember Cloud Build history surfaces step-level status, not sub-command granularity inside a single step.

Question 7

Your organization runs a Cloud Build CI/CD pipeline with 4 build steps for a Python API: (1) run unit tests, (2) generate a 6 KB text report containing the commit SHA and changed files, (3) build and push a container image, and (4) run a security gate that consumes the report; the report must be accessible to steps 3 and 4 within the same build and must not be persisted after the build; the pipeline executes up to 30 times per hour. How should you store the report so that all required build steps can access it?

Question 8

You operate a city-wide food delivery platform on Google Cloud. An order-processing microservice currently invokes an HTTP Cloud Function to send SMS status updates (order accepted, courier en route) through a third-party SMS gateway. After launching a 30%-off promotion, peak load spiked to about 18,000 notifications per minute, and the Cloud Function intermittently returns HTTP 500 errors. Some customers report missing SMS updates, and logs show the sender aborts on 500 responses without persisting the messages. You need to change how SMS messages are handled to minimize message loss without significantly increasing operational complexity. What should you do?

Question 9

You are launching a single App Engine Standard application (service: default, region: us-central1) and must make it accessible only at http://www.northwind.news/; your DNS is hosted in Cloud DNS (zone: public-zone, TTL: 300s), the domain is not yet verified, and you do not require any path- or service-based routing—what should you do?

Question 10

You are the lead developer for a city transit incident dashboard running on Cloud Run (512 MiB memory per instance, max 80 concurrent requests) backed by Firestore in Native mode; the web UI provides infinite scroll so users can browse all incident reports, and three months after launch you observe that during 07:30–09:30 peak hours several Cloud Run instances return HTTP 500 with out-of-memory errors while Firestore read throughput spikes to ~250 QPS. You need to stop Cloud Run from crashing and reduce Firestore reads using a performance-optimized approach without merely increasing resource limits; what should you do?

Practice Test #1

Réponses et explications vérifiées par triple IA

Questions d'entraînement

Témoignages de réussite(6)

Autres tests d'entraînement

Practice Test #2

Practice Test #3

Practice Test #4

Commencer à s'entraîner