Questions d'entraînement

Question 1

Your media-streaming company operates on Google Cloud with 6 departments each mapped to a folder under the organization; there are 120 existing projects and about 10 new projects are created every month, and the security team requires that every log entry (all log types and resource types, across all regions) be exported in near real time to a third-party SIEM that ingests from a Cloud Pub/Sub topic named siem-ingest, so you must implement a solution that automatically covers all current and future projects with minimal ongoing maintenance and does not move logs into Cloud Logging buckets; what should you do?

Analyse de la question

Core Concept: This question tests Cloud Logging sinks (especially aggregated sinks) and how to export logs at scale across an organization with minimal maintenance. It also tests choosing the correct sink scope (project/folder/org) and destination type (Pub/Sub) to integrate with an external SIEM in near real time. Why the Answer is Correct: An organization-level aggregated sink exports logs from all projects in the organization, including future projects, without needing per-project configuration. Because the SIEM ingests from a Pub/Sub topic (siem-ingest) and the requirement explicitly says not to move logs into Cloud Logging buckets, the sink destination must be Pub/Sub (not a log bucket). Setting an inclusion filter that matches all logs (for example, resource.type:* or an empty filter) ensures all log types and resource types are exported. This meets the “all regions” requirement because Cloud Logging is a global service and the sink captures logs regardless of where resources run. Key Features / Configurations / Best Practices: - Use an organization-level aggregated sink with destination pubsub.googleapis.com/projects/PROJECT_ID/topics/siem-ingest. - Ensure the sink’s writer identity has Pub/Sub Publisher on the topic. - Consider Pub/Sub throughput and retention: SIEM ingestion bursts may require adequate topic quotas and subscriber scaling. - Use a single org-level sink to minimize operational overhead; this aligns with the Google Cloud Architecture Framework principle of operational excellence (centralized, automated governance). Common Misconceptions: - “Repeat per folder” (option B) can seem centralized, but it still creates 6 sinks and ongoing governance overhead; it also risks gaps if projects are moved between folders or new folders are added. - “Project-level sinks” (option D) are the most error-prone at this scale and violate the minimal maintenance requirement. - “Use a log bucket destination” (option A) conflicts with the requirement not to move logs into Cloud Logging buckets and doesn’t directly feed a third-party SIEM via Pub/Sub. Exam Tips: - If the requirement is “all current and future projects,” prefer organization-level aggregated sinks (or folder-level if scope is intentionally limited). - If the destination is an external system, Pub/Sub is the common near-real-time export mechanism. - Watch for constraints like “do not move logs into buckets” which rules out log bucket destinations and often points to Pub/Sub or BigQuery exports.

Question 2

You manage the release pipeline for a payments API running on a regional GKE cluster in us-central1. The API is exposed via a Kubernetes Service (ClusterIP) behind an HTTP Ingress managed by Cloud Load Balancing. You implement blue/green by running two Deployments: pay-blue-v1 and pay-green-v2, each with 10 replicas and labels color=blue/green. During the cutover, you updated the Service selector to color=green to send 100% of ~1,500 RPS to pay-green-v2. Within 2 minutes, the HTTP 5xx error rate spikes to 7%, breaching the 1% SLO target. You must roll back immediately with less than 30 seconds of impact, without rebuilding images or modifying the Ingress configuration. What should you do?

Question 3

Your company runs a payments API behind an NGINX Ingress Controller on a GKE Standard cluster with three n2-standard-4 nodes; the Ops Agent DaemonSet is deployed on all nodes and forwards access logs to Cloud Logging. In the past hour you observed suspicious traffic from the IP address 198.51.100.77, and you need to visualize the per-minute count of requests from this IP in Cloud Monitoring without changing application code or deploying additional collectors. What should you do to achieve this with minimal operational overhead?

Analyse de la question

Core concept: This question tests Google Cloud observability patterns on GKE: turning existing log streams (NGINX Ingress access logs already in Cloud Logging via Ops Agent) into time-series data in Cloud Monitoring using logs-based metrics, without changing application code or adding collectors. Why the answer is correct: You already have the ingress access logs centralized in Cloud Logging. The lowest-overhead way to visualize “requests per minute from a specific client IP” is to create a logs-based counter metric that matches log entries where the client IP equals 198.51.100.77. Cloud Logging will count matching entries and export the metric to Cloud Monitoring, where you can chart it with 1-minute alignment/aggregation. This approach is managed, scalable, and requires no new runtime components in the cluster. Key features / configurations: - Ops Agent logging receiver: ensure the NGINX Ingress access log file/stream is being ingested (often via a file receiver or fluent-bit pipeline depending on setup). If logs are already present in Cloud Logging, no further agent changes may be needed. - Logs-based metrics (counter): define a filter on the log payload field that contains the client IP (for NGINX, typically remote_addr / client_ip in structured logs, or parsed from text). Use a counter metric to count each matching entry. - Cloud Monitoring charting: create a chart for the logs-based metric and set alignment period to 60s to get per-minute counts. Optionally add grouping labels if you want to pivot by ingress, namespace, or status code. - Architecture Framework alignment: this follows the Observability pillar—use centralized logging/metrics with managed services, minimize operational burden, and enable rapid investigation. Common misconceptions: - “Need a custom metric pipeline”: Many assume you must scrape logs and push custom metrics. Logs-based metrics already provide a managed conversion from logs to metrics. - “Use node/application metrics”: Standard metrics receivers won’t produce per-client-IP request counts; that data is in access logs, not typical system metrics. Exam tips: When you need metrics derived from logs (counts, rates, error patterns) and you’re told not to change code or add collectors, think: Cloud Logging + logs-based metrics + Cloud Monitoring dashboards/alerts. Also remember to choose counter vs distribution metrics appropriately and use 1-minute alignment for per-minute visualization.

Question 4

Your team runs a CI pipeline that executes ~200 integration test jobs per day, and each job must call internal gRPC APIs that are reachable only on 10.20.0.0/16 in a Shared VPC with no external IPs or NAT; the security policy requires that test traffic must never traverse the public internet, you are not allowed to maintain bastion hosts or custom proxies, tests must finish within 10 minutes per run, and you want the least operational overhead for setup and ongoing management—what should you do?

Question 5

A biotech company aggregates container and application logs from 15 Google Cloud projects into a single Cloud Logging bucket in a dedicated observability project using aggregated sinks with a 30-day retention policy. Compliance requires that each of the 8 product squads can only view logs originating from their own project(s), while the SRE team must be able to view all logs across all projects. You must implement least-privilege access, avoid duplicating data, and minimize ongoing costs and operational overhead. What should you do?

Envie de vous entraîner partout ?

Téléchargez Cloud Pass gratuitement — inclut des tests d'entraînement, le suivi de progression et plus encore.

Question 6

Your team operates a high-throughput webhook processor on Cloud Run (fully managed) in us-central1 with min instances set to 0, max instances set to 40, request concurrency set to 80, and container limits of 1 vCPU and 1 GiB memory; over the last 14 days peak traffic reached 2,500 RPS with p95 latency under 300 ms, and you need to accurately identify actual container CPU and memory utilization per revision to right-size resources and reduce Cloud Run costs by at least 20% without changing application code; which tool should you use to get these utilization metrics across all revisions?

Question 7

You are responsible for a customer-facing booking service deployed on Google Kubernetes Engine (GKE) using a blue/green deployment approach. The manifests include two Deployments (app-green and app-blue), a Service (app-svc), and an Ingress that routes traffic to the Service, as shown in the provided configuration. After updating app-green to the latest release, users report that most booking requests are failing in production, even though the release passed all pre-production tests. You must quickly restore service availability while giving developers a chance to debug the failing release. What should you do?

Question 8

(Sélectionnez 2)

You are setting up an automated container image build in Cloud Build for a payment reconciliation microservice. The source code is hosted in Bitbucket Cloud. Your compliance policy mandates that production-grade images must be built only from the release/v1 branch, and that all merges into release/v1 must be explicitly approved by the governance group with at least two approvers. You want the process to be as automated as possible while meeting these requirements. What should you do? (Choose two.)

Analyse de la question

Core Concept: This question tests CI/CD governance controls across two systems: (1) Cloud Build triggers to ensure production images are built only from an allowed source branch, and (2) source-control enforcement (Bitbucket) to ensure merges into that branch meet an approval policy. In regulated environments, the strongest control is to enforce policy at the earliest point (the VCS) and then automate downstream builds. Why the Answer is Correct: You must guarantee that production-grade images are built only from release/v1. The most direct and automatable way is a Cloud Build trigger that fires on pushes to the release/v1 branch (Option C). This ensures the build pipeline only runs when code actually lands in the controlled branch, rather than on arbitrary branches or unmerged pull requests. Separately, the compliance requirement is that all merges into release/v1 are explicitly approved by the governance group with at least two approvers. That control belongs in Bitbucket branch protection (Option D), which can require a minimum number of approvals and restrict who can approve/merge. This prevents non-compliant code from ever reaching release/v1, which is stronger than trying to “catch” violations during build. Key Features / Best Practices: - Cloud Build trigger filtering: configure “Push to a branch” and set the branch regex to match only release/v1. This aligns with least privilege and reduces accidental production builds. - Bitbucket branch permissions/protection: require 2 approvals, enforce review from a specific group (governance), and optionally restrict direct pushes to release/v1. - Architecture Framework alignment: governance and security controls should be preventative (shift-left) and automated; CI should be deterministic and tied to immutable, controlled sources. Common Misconceptions: - Using PR triggers (Option A) can build unmerged code and does not guarantee the image corresponds to what is actually released. - Cloud Build “Approval” (Option E) is a manual gate for the build execution, not a governance control over merges into the branch; it also adds operational friction and doesn’t ensure two approvers from a specific group. Exam Tips: When requirements mention “all merges into branch X must be approved,” look first to VCS branch protection. When requirements mention “build only from branch X,” look to CI trigger branch filters. Prefer controls that prevent noncompliance rather than detect it later.

Question 9

You operate a high-frequency IoT telemetry ingestion service on Google Kubernetes Engine with separate production and staging clusters, each in its own VPC network; within each VPC, the API gateway nodes and stream processing nodes run on different subnets (api-subnet and proc-subnet), and a security analyst suspects an intermittent malicious beacon originating from the production API gateway nodes that occurs a few times per hour and lasts under 10 seconds, and you need to ensure network flow data is captured for forensic analysis without delaying the investigation; what should you do?

Question 10

You are the on-call SRE for a live trivia streaming platform running on Google Kubernetes Engine (GKE) behind a global external HTTP(S) Load Balancer with geo-based routing; each of 4 regions (us-central1, europe-west1, asia-southeast1, southamerica-east1) contains 3 regional GKE clusters serving traffic via NEG backends, and at 18:05 UTC you receive a page that asia-southeast1 users have had 100% connection failures (HTTP 502) for the past 7 minutes while other regions are healthy and asia-southeast1 normally serves 25% of global requests and the availability SLO is 99.95% monthly with a rapid burn alert firing; you want to resolve the incident following SRE best practices. What should you do first?

Question 11

Your retail analytics team is deploying a webhook service on Cloud Run that ingests inventory updates and uses the OpenTelemetry SDK with a BatchSpanProcessor to export traces to Cloud Trace every 5 seconds. Under light traffic (<1 request/second), about 30% of spans never appear in Cloud Trace even though requests return HTTP 200. The service is configured with min instances = 0, concurrency = 80, memory = 1 GiB, and 2 vCPU, and CPU is currently set to be allocated only during request processing. You must ensure reliable trace export without changing application code or adding external components. What should you do?

Question 12

Your fintech startup operates three GKE Autopilot clusters (dev, staging, prod) across us-central1 and europe-west4 and uses a GitOps workflow with a single Git repository per team. Product squads often need Google Cloud resources (for example, 12 Pub/Sub topics, 4 Cloud SQL instances, and multiple IAM bindings) to support their microservices. You must let engineers declare these resources as code from within their Kubernetes namespaces, enforce least-privilege access with Kubernetes RBAC, and have the system continuously reconcile desired state so that any manual console change is corrected within 10 minutes, following Google-recommended practices. What should you do?

Analyse de la question

Core Concept: This question tests Kubernetes-native infrastructure management on Google Cloud using GitOps principles. The key service is Config Connector (KCC), which exposes Google Cloud resources as Kubernetes Custom Resources (CRDs) and reconciles them continuously, aligning with the Google Cloud Architecture Framework principles of automation, least privilege, and operational excellence. Why the Answer is Correct: You need engineers to declare Google Cloud resources “from within their Kubernetes namespaces,” enforce least privilege with Kubernetes RBAC, and continuously reconcile drift within ~10 minutes. Config Connector is purpose-built for this: teams apply YAML manifests (e.g., Pub/SubTopic, SQLInstance, IAMPolicyMember) in their namespace, and KCC’s controllers create/update the corresponding Google Cloud resources. Drift correction is inherent to the controller reconciliation loop—manual console changes are reverted automatically without requiring an external pipeline run. Key Features / Configurations: - Namespace-scoped management: Use KCC’s namespace mode so each squad manages only resources mapped to its namespace. - Least privilege: Combine Kubernetes RBAC (who can create/update CRDs in a namespace) with Google Cloud IAM via a dedicated service account per namespace/team (often via Workload Identity) granting only required permissions (e.g., pubsub.admin on specific projects or folders, cloudsql.admin where needed). - Continuous reconciliation: Controllers regularly reconcile desired vs actual state, meeting the “correct within 10 minutes” requirement. - GitOps fit: Store CRDs in the same team repo and let your GitOps tool (e.g., Config Sync/Argo CD/Flux) apply them; KCC then handles cloud resource lifecycle. Common Misconceptions: Terraform-based options (Cloud Build, Pod, Job) can provision resources, but they are not Kubernetes-native per-namespace APIs and do not inherently provide continuous drift reconciliation unless you build additional scheduling/automation. They also complicate least-privilege at the namespace level because Terraform typically runs with broader credentials and state management. Exam Tips: When you see “manage Google Cloud resources via Kubernetes manifests,” “namespace isolation,” and “continuous reconciliation,” think Config Connector. Terraform is excellent for centralized IaC, but KCC is the Google-recommended pattern for Kubernetes-centric, multi-tenant, GitOps-driven resource management with RBAC boundaries.

Question 13

You are planning capacity for a real-time video engagement analytics platform ahead of an international rollout; the platform runs entirely in containers on Google Kubernetes Engine (GKE) Standard using a regional cluster in asia-southeast1 across three zones with the cluster autoscaler enabled, you forecast 10% month-over-month user growth over the next six months, current steady-state workload consumes about 28% of total deployed CPU capacity, and the service must remain resilient to the loss of any single zone; you want to minimize user impact from either growth or a zonal outage while avoiding unnecessary spend; how should you prepare to handle the predicted growth?

Analyse de la question

Core concept: This question tests capacity planning for GKE Standard with autoscaling, specifically balancing reliability (N+1 across zones) and cost efficiency. It also touches on Kubernetes resource requests/limits, Horizontal Pod Autoscaler (HPA), Cluster Autoscaler, and Google Cloud quota planning. Why the answer is correct: Option A is the only choice that prepares for both predictable growth and a zonal outage while avoiding unnecessary spend. With a regional cluster across three zones, resilience to loss of one zone implies you must ensure the remaining two zones can carry the full workload (or at least maintain SLOs with graceful degradation). Today’s 28% CPU utilization is against total deployed capacity, but that doesn’t automatically translate to “safe headroom” because (1) growth compounds (~1.1^6 ≈ 1.77, ~77% increase), (2) capacity is distributed per-zone, and (3) pod scheduling constraints, requests, and HPA behavior determine whether capacity is actually usable during spikes or failures. Validating max node pool size and regional quotas ensures autoscaling can actually add nodes when needed. Key features / best practices: - HPA scales pods based on metrics; it requires accurate CPU/memory requests to make scaling decisions and to allow binpacking. - Cluster Autoscaler adds/removes nodes when pods are pending due to insufficient resources; it is bounded by node pool max size and project/region quotas (CPU, IPs, etc.). - Load testing (including simulating a single-zone loss) validates real capacity under disruption and confirms PodDisruptionBudgets, topology spread constraints, and anti-affinity rules behave as intended. - Aligns with Google Cloud Architecture Framework: reliability (design for failure), performance (validate under load), and cost optimization (avoid overprovisioning). Common misconceptions: It’s tempting to assume autoscaler “handles everything” (B) or that 28% utilization means ample headroom (C). Both ignore quota ceilings, per-zone failure scenarios, and misconfigured requests/limits that can prevent scaling or cause inefficient node usage. Pre-provisioning large capacity (D) reduces risk but wastes money and still doesn’t prove the system meets SLOs during a zonal outage. Exam tips: For GKE scaling questions, look for answers that combine: (1) correct autoscaling layers (HPA + Cluster Autoscaler), (2) quota and max-size validation, and (3) empirical validation via load testing and failure testing. Regional resilience questions usually imply N+1 planning and testing with a zone removed.

Question 14

You lead a team building Cloud Run–based microservices for a fintech product. Each repository includes end-to-end integration tests under tests/e2e that deploy a temporary Cloud Run revision into the staging project svc-stg-001 and delete it after completion. Source control is GitHub, and feature branches follow the pattern feature/*. You must automatically run the integration tests on every pull request targeting the main branch and block merges until tests pass. Tests should run only when files under service/ or tests/e2e/ change, and each run must finish within 30 minutes. You want a managed, GCP-native solution to automate this workflow. What should you do?

Question 15

Your retail analytics application runs on Cloud Run in us-central1 behind Cloud Load Balancing and depends on BigQuery and Cloud Storage; over the past week, P95 latency spiked from 180 ms to 3000 ms and 5xx errors peaked at 4.2% during three separate incidents. You need to build a Cloud Monitoring dashboard to troubleshoot and specifically determine whether the spikes are caused by your service or by outages/degradations in Google Cloud services you rely on (e.g., Cloud Load Balancing, BigQuery, Cloud Storage); what should you do?

Question 16

Your video analytics platform is deploying a frame-processing microservice on both GKE Autopilot in us-central1 (200 pods across 5 namespaces) and 30 on-premises Linux servers in a private data center; you must collect detailed, function-level performance data (CPU and heap profiles) with under 5% overhead, keep profiles for 30 days, and visualize everything centrally in a single Google Cloud project without building or operating your own metrics pipeline—what should you do?

Analyse de la question

Core Concept: This question tests Google Cloud’s managed observability tooling for code-level performance profiling across hybrid environments. The key service is Cloud Profiler, which continuously collects statistical CPU and heap profiles from running applications with low overhead and stores/visualizes them centrally in a Google Cloud project. Why the Answer is Correct: You need function-level performance data (CPU and heap profiles), <5% overhead, 30-day retention, and a single centralized view in Google Cloud without operating a custom pipeline. Cloud Profiler is purpose-built for this: you integrate the Profiler agent into the application (or use supported language agents), and it uploads profiles to Cloud Profiler in your project. It works for workloads running on GKE (including Autopilot) and for on-prem Linux servers as long as they can authenticate to Google Cloud APIs (typically via service account credentials or workload identity federation) and reach the Profiler endpoint. This directly satisfies the “no pipeline to build/operate” requirement. Key Features / Configurations / Best Practices: - Low-overhead, continuous profiling: sampling-based profiling is designed to keep overhead typically well under 5%. - Profile types: CPU and heap (and others depending on language/runtime) provide function-level attribution. - Centralized visualization: profiles are aggregated and explored in the Cloud Profiler UI within one project, aligning with the Google Cloud Architecture Framework’s Operational Excellence and Reliability pillars (measure, observe, and improve). - Retention: Cloud Profiler retains profiles for analysis over time (commonly aligned with 30-day operational windows), enabling regression detection. - Hybrid enablement: on-prem services can upload profiles using service account credentials or federation; ensure egress and IAM permissions (e.g., roles/cloudprofiler.agent). Common Misconceptions: Teams often confuse profiling with logging (Cloud Logging) or debugging (Cloud Debugger). Logs and debugger snapshots can show symptoms but do not provide statistically valid, low-overhead, function-level CPU/heap attribution over time. Similarly, “/metrics endpoints” and uptime checks are for availability and basic metrics, not deep code profiling. Exam Tips: When you see “function-level CPU/heap profiles,” “low overhead,” and “managed/centralized without building a pipeline,” think Cloud Profiler. For request-level latency and distributed call graphs, think Cloud Trace; for logs, Cloud Logging; for metrics, Cloud Monitoring. Also consider hybrid identity/authentication and IAM roles as part of the correct implementation details.

Question 17

Your fintech startup adheres to SRE practices, and a SEV-1 incident is causing elevated HTTP 5xx errors (38%) in the payment authorization service in us-central1, impacting approximately 65% of live transactions; you are the designated Communications Lead, engineering has no ETA for recovery, and within the first 10 minutes you’ve received over 40 internal Slack DMs and 120 customer tickets requesting updates. What should you do to efficiently keep everyone informed while the mitigation is in progress?

Question 18

Your retail analytics team uses Cloud Build to deploy a containerized Python service to Cloud Run (min instances: 0, max instances: 3) on the staging project; the latest deployment failed because the container exited at startup with exit code 78 and the log message 'KeyError: PAYMENT_SERVICE_URL not set', which has occurred in roughly 30% of recent staging runs when new configs are introduced; you must determine the root cause and add a control in the CI/CD workflow that prevents future rollouts when required environment variables are missing, ensuring the pipeline fails in under 2 minutes if any of PAYMENT_SERVICE_URL, OAUTH_ISSUER, or REGION is absent or empty; what should you do?

Analyse de la question

Core concept: This question tests CI/CD pipeline controls for Cloud Run deployments using Cloud Build, specifically “shift-left” validation to prevent bad releases. The failure (exit code 78 with KeyError for a missing env var) is a configuration validation problem, not a runtime scaling or observability problem. Why the answer is correct: Option C adds a fast, deterministic gate in Cloud Build that validates required environment variables (PAYMENT_SERVICE_URL, OAUTH_ISSUER, REGION) are present and non-empty before the deploy step runs. Because the issue occurs when new configs are introduced and only in ~30% of runs, it strongly suggests inconsistent injection of configuration (e.g., missing Secret Manager binding, missing Cloud Build substitution, or conditional logic in the build config). A pre-deploy smoke test that runs the built container (or a lightweight validation entrypoint) with the same env/secret wiring used for Cloud Run will reliably catch missing variables and fail the pipeline within the required <2 minutes. Key features / best practices: - Cloud Build gating: add a step that executes quickly (e.g., a script that checks env vars, or runs the container with an argument like “--check-config”). Then make the deploy step depend on it. - Secret Manager integration: ensure secrets are fetched via Cloud Build (availableSecrets) or substitutions, and passed explicitly to the validation step and the deploy step. This aligns with the Google Cloud Architecture Framework’s reliability principle: prevent failures through automation and pre-deployment checks. - Deterministic failure: checking for “absent or empty” avoids partial rollouts and reduces MTTR by failing early with a clear error. Common misconceptions: - Canary rollouts (A) reduce blast radius but do not prevent a bad revision from being deployed; Cloud Run revisions that fail to start will still cause errors and waste time. The requirement is to prevent rollouts when config is missing. - Static analysis (B) improves code quality but won’t detect missing runtime configuration values. - Audit logs (D) help investigate IAM/config changes but don’t add a preventive CI/CD control and won’t meet the <2-minute fail-fast requirement. Exam tips: When the prompt asks to “prevent future rollouts” and “fail fast,” prefer pipeline gates (unit/integration/smoke/config validation) over progressive delivery or post-deploy monitoring. For Cloud Run, validate configuration and secrets before deployment, and keep checks fast and deterministic to meet strict pipeline timing requirements.

Question 19

You are defining latency SLOs for a globally distributed checkout API used by a subscription media platform during concert livestream spikes; stakeholders expect consistent availability and fast responses, and current user feedback indicates performance is satisfactory. Over a rolling 30-day window, telemetry aggregated across all active-active regions shows the 90th percentile latency is 85 ms and the 95th percentile latency is 210 ms, measured at the HTTP request boundary. What latency SLO should the team publish?

Question 20

You work for a fintech company headquartered in Frankfurt where an Organization Policy enforces constraints/gcp.resourceLocations to allow only europe-west3 and europe-west1 for all resources. When you tried to create a secret in Secret Manager using automatic replication, you received the error: "Constraint constraints/gcp.resourceLocations violated for [orgpolicy:projects/1234567890] attempting to create a secret in [global]". You must resolve the error while remaining compliant and ensure the secret’s data resides only in the allowed EU regions. What should you do?