Your company runs a payments API behind an NGINX Ingress Controller on a GKE Standard cluster with three n2-standard-4 nodes; the Ops Agent DaemonSet is deployed on all nodes and forwards access logs to Cloud Logging.
In the past hour you observed suspicious traffic from the IP address 198.51.100.77, and you need to visualize the per-minute count of requests from this IP in Cloud Monitoring without changing application code or deploying additional collectors.
What should you do to achieve this with minimal operational overhead?
Correct. This uses existing log ingestion (Ops Agent -> Cloud Logging) and a managed logs-based counter metric to convert matching log entries into a Monitoring time series. Filtering on the client IP (198.51.100.77) yields a per-minute request count when charted with 60-second alignment. It meets the constraints: no app changes and no additional collectors, with minimal operational overhead.
Incorrect. A CronJob that scrapes logs and pushes custom metrics adds operational burden (scheduling, permissions, retries, scaling, parsing correctness) and is fragile under load or log rotation. It also duplicates functionality already provided by logs-based metrics. While it can work, it violates the “minimal operational overhead” requirement and is not the recommended managed approach for log-derived counts.
Incorrect. Modifying the payments API to export per-IP counters requires application code changes, redeployments, and careful metric cardinality management (per-IP metrics can explode in cardinality and cost). The question explicitly forbids changing application code. Even with OpenTelemetry, this is heavier than necessary because the needed signal already exists in ingress access logs.
Incorrect. Ops Agent metrics receivers collect system and supported application metrics (CPU, memory, disk, some service metrics), but they do not infer per-client-IP request counts from access logs. Per-IP request data is typically only available in HTTP access logs or specialized L7 telemetry. Relying on node/application metrics will not produce the requested per-minute counts for a specific IP.
問題分析
Core concept:
This question tests Google Cloud observability patterns on GKE: turning existing log streams (NGINX Ingress access logs already in Cloud Logging via Ops Agent) into time-series data in Cloud Monitoring using logs-based metrics, without changing application code or adding collectors.
Why the answer is correct:
You already have the ingress access logs centralized in Cloud Logging. The lowest-overhead way to visualize “requests per minute from a specific client IP” is to create a logs-based counter metric that matches log entries where the client IP equals 198.51.100.77. Cloud Logging will count matching entries and export the metric to Cloud Monitoring, where you can chart it with 1-minute alignment/aggregation. This approach is managed, scalable, and requires no new runtime components in the cluster.
Key features / configurations:
- Ops Agent logging receiver: ensure the NGINX Ingress access log file/stream is being ingested (often via a file receiver or fluent-bit pipeline depending on setup). If logs are already present in Cloud Logging, no further agent changes may be needed.
- Logs-based metrics (counter): define a filter on the log payload field that contains the client IP (for NGINX, typically remote_addr / client_ip in structured logs, or parsed from text). Use a counter metric to count each matching entry.
- Cloud Monitoring charting: create a chart for the logs-based metric and set alignment period to 60s to get per-minute counts. Optionally add grouping labels if you want to pivot by ingress, namespace, or status code.
- Architecture Framework alignment: this follows the Observability pillar—use centralized logging/metrics with managed services, minimize operational burden, and enable rapid investigation.
Common misconceptions:
- “Need a custom metric pipeline”: Many assume you must scrape logs and push custom metrics. Logs-based metrics already provide a managed conversion from logs to metrics.
- “Use node/application metrics”: Standard metrics receivers won’t produce per-client-IP request counts; that data is in access logs, not typical system metrics.
Exam tips:
When you need metrics derived from logs (counts, rates, error patterns) and you’re told not to change code or add collectors, think: Cloud Logging + logs-based metrics + Cloud Monitoring dashboards/alerts. Also remember to choose counter vs distribution metrics appropriately and use 1-minute alignment for per-minute visualization.
外出先でもすべての問題を解きたいですか?
Cloud Passを無料でダウンロード — 模擬試験、学習進捗の追跡などを提供します。
合格体験記(6)
R
R**********Nov 24, 2025
学習期間: 1 month
The exam has many operational scenarios, and Cloud Pass prepared me well for them. The explanations were clear and helped me understand not just the “what” but the “why” behind each solution.
진
진**Nov 20, 2025
学習期間: 1 month
문제와 해설이 있어서 좋았고, 시험에서 무난하게 합격했어요. 시험에서 안보이던 유형도 나왔는데 잘 풀긴 했네요
J
J************Nov 17, 2025
学習期間: 1 month
The practice questions were challenging in a good way, and many matched the style of the real exam. I passed!
N
N************Nov 14, 2025
学習期間: 1 month
very close to the real exam format
D
D***********Oct 18, 2025
学習期間: 1 month
I used Cloud Pass during my last week of preparation, and it helped me fill in gaps I didn’t even know I had.
Cloud Passをダウンロードして、すべてのGoogle Professional Cloud DevOps Engineer練習問題を無料で利用しましょう。
外出先でもすべての問題を解きたいですか?
無料アプリを入手
Cloud Passを無料でダウンロード — 模擬試験、学習進捗の追跡などを提供します。
2
問題 2
You are the on-call SRE for a live trivia streaming platform running on Google Kubernetes Engine (GKE) behind a global external HTTP(S) Load Balancer with geo-based routing; each of 4 regions (us-central1, europe-west1, asia-southeast1, southamerica-east1) contains 3 regional GKE clusters serving traffic via NEG backends, and at 18:05 UTC you receive a page that asia-southeast1 users have had 100% connection failures (HTTP 502) for the past 7 minutes while other regions are healthy and asia-southeast1 normally serves 25% of global requests and the availability SLO is 99.95% monthly with a rapid burn alert firing; you want to resolve the incident following SRE best practices.
What should you do first?
Correct. This is the quickest, safest mitigation to reduce user impact and error-budget burn: remove asia-southeast1 from the serving path (disable/drain backends or adjust weights) so traffic goes to healthy regions. It leverages the global external HTTP(S) Load Balancer’s multi-region design and is reversible. After service is stabilized, you can investigate the asia-southeast1 root cause.
Checking CPU/memory can help diagnose whether the region is overloaded, but it does not immediately restore availability for users currently seeing 502s. Also, 100% 502s across a region often indicates a broader failure (health check, networking, ingress/proxy, endpoint readiness) rather than just resource saturation. In SRE response, mitigation comes before deep metric analysis.
Adding large node pools is a slow, potentially expensive change and is not a first-response action during an active outage. It assumes capacity is the root cause, which is not supported by the symptom (HTTP 502 across the region). Scaling may not fix misconfigurations, network failures, or load balancer/NEG health issues. Prefer traffic shift first, then targeted remediation.
Logs are valuable for root cause analysis (e.g., ingress/controller errors, upstream resets, TLS issues), but they are not the first step when a regional outage is causing total failures and rapid SLO burn. SRE best practice is to mitigate user impact first (traffic reroute), then use logs/metrics/traces to diagnose and implement a permanent fix.
問題分析
Core concept:
This question tests incident response under SRE principles: prioritize user impact reduction, protect the error budget, and restore service quickly using safe, reversible mitigations. It also touches global external HTTP(S) Load Balancing with geo-based routing and NEG backends, where a single region can be isolated without taking down the whole service.
Why the answer is correct:
With 100% connection failures (HTTP 502) for asia-southeast1 for 7 minutes and a rapid burn alert firing against a 99.95% monthly SLO, the first action should be to mitigate customer impact immediately. Disabling/draining the asia-southeast1 backends (or adjusting traffic steering so that region receives 0% traffic) is a fast, low-risk mitigation that restores availability for affected users by sending them to the nearest healthy regions. This aligns with SRE best practice: stop the bleeding first, then investigate root cause. It also buys time to troubleshoot without continuing to burn error budget.
Key features / best practices:
Global external HTTP(S) Load Balancer supports multi-region backends with health checks and traffic steering. If a region is returning 502s, removing it from serving (or setting failover/weights) reduces errors immediately. Using NEGs with GKE makes backend health dependent on endpoint readiness and health checks; a regional issue (control plane, networking, misconfig, certificate, Envoy/Ingress, etc.) can cause widespread 502s. SRE playbooks typically start with mitigation steps (traffic shift, rollback, feature flag off) before deep debugging.
Common misconceptions:
It’s tempting to start with logs/metrics (B/D) because they help find root cause, but they don’t immediately reduce user-visible errors. Another trap is assuming capacity (C) is the issue; 502s often indicate backend unavailability, misrouting, or proxy/upstream failures rather than simple CPU/memory pressure, and scaling can be slow and may not fix the underlying fault.
Exam tips:
When you see “rapid burn,” “100% failures,” and “other regions healthy,” choose the fastest reversible mitigation that restores service (traffic shift/disable bad region) before detailed troubleshooting. Map actions to SRE priorities: mitigate impact, stabilize, then diagnose and prevent recurrence. Also remember that global load balancers are designed for regional isolation and failover—use that capability during incidents.
3
問題 3
Your video analytics platform is deploying a frame-processing microservice on both GKE Autopilot in us-central1 (200 pods across 5 namespaces) and 30 on-premises Linux servers in a private data center; you must collect detailed, function-level performance data (CPU and heap profiles) with under 5% overhead, keep profiles for 30 days, and visualize everything centrally in a single Google Cloud project without building or operating your own metrics pipeline—what should you do?
Cloud Profiler is the managed Google Cloud service for continuous, low-overhead CPU and heap profiling with function-level attribution. Installing the Profiler agent in both GKE Autopilot workloads and on-prem Linux services allows profiles to be uploaded to a single Cloud project for centralized visualization and analysis. This meets the <5% overhead goal and avoids building/operating a custom metrics pipeline; you mainly manage agent integration and IAM/network access.
Cloud Debugger is designed for inspecting application state (snapshots) and adding logpoints without redeploying, not for continuous CPU/heap profiling. Emitting debug logs with timing data increases logging volume and overhead, lacks statistically meaningful function-level CPU/heap attribution, and becomes a quasi-custom pipeline for performance analysis. It also doesn’t naturally provide aggregated profiling views over time comparable to Cloud Profiler.
Exposing a /metrics endpoint and using a timing library is closer to custom metrics collection than managed profiling. Cloud Monitoring uptime checks are for availability/endpoint checks and are not intended to scrape Prometheus-style metrics at scale across many pods/namespaces and on-prem servers. Even with Managed Service for Prometheus, you’d still be collecting metrics, not CPU/heap profiles with function-level attribution, and you’d be operating more instrumentation and ingestion components.
A third-party APM agent can provide profiling, but it violates the requirement to avoid building/operating your own metrics pipeline and adds operational complexity (agent management, licensing, data export, storage, and visualization). Exporting to a bucket/database for later analysis is not a managed, integrated profiling experience in Google Cloud and increases cost and maintenance. For the exam, prefer first-party managed observability services when requirements match.
問題分析
Core Concept:
This question tests Google Cloud’s managed observability tooling for code-level performance profiling across hybrid environments. The key service is Cloud Profiler, which continuously collects statistical CPU and heap profiles from running applications with low overhead and stores/visualizes them centrally in a Google Cloud project.
Why the Answer is Correct:
You need function-level performance data (CPU and heap profiles), <5% overhead, 30-day retention, and a single centralized view in Google Cloud without operating a custom pipeline. Cloud Profiler is purpose-built for this: you integrate the Profiler agent into the application (or use supported language agents), and it uploads profiles to Cloud Profiler in your project. It works for workloads running on GKE (including Autopilot) and for on-prem Linux servers as long as they can authenticate to Google Cloud APIs (typically via service account credentials or workload identity federation) and reach the Profiler endpoint. This directly satisfies the “no pipeline to build/operate” requirement.
Key Features / Configurations / Best Practices:
- Low-overhead, continuous profiling: sampling-based profiling is designed to keep overhead typically well under 5%.
- Profile types: CPU and heap (and others depending on language/runtime) provide function-level attribution.
- Centralized visualization: profiles are aggregated and explored in the Cloud Profiler UI within one project, aligning with the Google Cloud Architecture Framework’s Operational Excellence and Reliability pillars (measure, observe, and improve).
- Retention: Cloud Profiler retains profiles for analysis over time (commonly aligned with 30-day operational windows), enabling regression detection.
- Hybrid enablement: on-prem services can upload profiles using service account credentials or federation; ensure egress and IAM permissions (e.g., roles/cloudprofiler.agent).
Common Misconceptions:
Teams often confuse profiling with logging (Cloud Logging) or debugging (Cloud Debugger). Logs and debugger snapshots can show symptoms but do not provide statistically valid, low-overhead, function-level CPU/heap attribution over time. Similarly, “/metrics endpoints” and uptime checks are for availability and basic metrics, not deep code profiling.
Exam Tips:
When you see “function-level CPU/heap profiles,” “low overhead,” and “managed/centralized without building a pipeline,” think Cloud Profiler. For request-level latency and distributed call graphs, think Cloud Trace; for logs, Cloud Logging; for metrics, Cloud Monitoring. Also consider hybrid identity/authentication and IAM roles as part of the correct implementation details.
4
問題 4
You work for a fintech company headquartered in Frankfurt where an Organization Policy enforces constraints/gcp.resourceLocations to allow only europe-west3 and europe-west1 for all resources.
When you tried to create a secret in Secret Manager using automatic replication, you received the error: "Constraint constraints/gcp.resourceLocations violated for [orgpolicy:projects/1234567890] attempting to create a secret in [global]".
You must resolve the error while remaining compliant and ensure the secret’s data resides only in the allowed EU regions.
What should you do?
Incorrect. Removing the Organization Policy would resolve the immediate error but breaks compliance and governance requirements. In regulated fintech environments, location constraints are typically mandated for data residency and risk management. The question explicitly requires remaining compliant and keeping secret data only in allowed EU regions, so weakening or removing the guardrail violates the stated constraints and best practices.
Incorrect. Creating the secret with automatic replication is exactly what caused the violation. Automatic replication is treated as a global location because Google controls where replicas are stored, which may include regions outside europe-west1 and europe-west3. Under constraints/gcp.resourceLocations, global resources or resources with non-deterministic placement commonly fail creation.
Correct. User-managed replication lets you explicitly choose the allowed regions (europe-west3 and/or europe-west1), ensuring the secret’s data resides only in those locations and satisfying constraints/gcp.resourceLocations. This approach maintains compliance, supports auditability, and aligns with governance best practices by adapting the resource configuration to the organization’s policy rather than changing the policy.
Incorrect. Adding global to the allowed list would permit automatic replication but would no longer guarantee that secret material stays only in europe-west1 and europe-west3. “Global” implies Google-managed placement that can span beyond the intended regions, undermining strict data residency requirements. This option also weakens organizational governance controls, contrary to the compliance requirement.
問題分析
Core Concept:
This question tests Organization Policy Service constraints (constraints/gcp.resourceLocations) and how they interact with Secret Manager replication. Secret Manager secrets must be created in locations that comply with the organization’s allowed resource locations. “Automatic replication” is treated as “global” because Google manages multi-region placement, which can include locations outside the explicitly allowed set.
Why the Answer is Correct:
With constraints/gcp.resourceLocations allowing only europe-west3 and europe-west1, creating a secret with automatic replication violates the policy because the secret’s replication location is [global]. To remain compliant and ensure data residency only in the allowed EU regions, you must create the secret using user-managed replication and explicitly select europe-west3 and/or europe-west1. This makes the secret’s replication policy deterministic and auditable, satisfying both the policy and fintech regulatory expectations.
Key Features / Best Practices:
- Secret Manager supports two replication modes: automatic (Google-managed, “global”) and user-managed (customer-specified regions).
- Organization Policy constraints/gcp.resourceLocations restrict where supported resources can be created and where data can reside.
- For regulated workloads, user-managed replication is a best practice for data residency, compliance evidence, and predictable failover characteristics.
- Aligns with Google Cloud Architecture Framework governance and compliance principles: enforce guardrails centrally and design workloads to comply rather than weakening controls.
Common Misconceptions:
Automatic replication can sound “more available” and “still in the EU,” but it is not guaranteed to stay within the allowed regions and is represented as global, triggering policy violations. Another misconception is to “fix” the error by loosening the org policy (removing it or adding global), which would undermine governance and likely violate regulatory requirements.
Exam Tips:
When you see constraints/gcp.resourceLocations and an error mentioning [global], think “automatic/multi-region/global resource” conflicting with location restrictions. The compliant pattern is to choose a regional or user-managed placement that matches the allowed list. For secrets and keys, explicitly selecting regions is a common exam theme for regulated industries (finance/healthcare).
5
問題 5
During a controlled traffic-shift rollout, your ride-hailing platform running across three GKE regions suffered a 2 hours 45 minutes outage that impacted 100% of rider and driver requests; after approximately 3 hours of incident response, service is fully restored with SLIs back to baseline, and you have 30 minutes to deliver an incident summary to executives, customer support leads, and key city partners following SRE-recommended practices.
What should you do first?
Scheduling individual calls is too slow and does not scale when you have multiple stakeholder groups (execs, support, city partners) and only 30 minutes. It also increases the risk of inconsistent messaging and missing key facts. SRE practice favors a single written source of truth (sitrep/ISD) that everyone can reference, with follow-up meetings only if needed for specific audiences.
A full postmortem requires careful data gathering, timeline validation, contributing factor analysis, and action items—none of which can be completed reliably in 30 minutes right after a major outage. SRE guidance is to first stabilize and communicate current status, then produce a blameless postmortem on an appropriate timeline. Sending an incomplete or rushed postmortem can create confusion and erode trust.
Distributing the current ISD/situation report is the correct first step because it provides a fast, factual, consistent summary: impact, timeline, mitigations, and current status (restored, SLIs baseline). It enables customer support and partner teams to respond immediately with aligned messaging. This matches SRE incident management best practices: frequent, standardized updates and a canonical document before deeper RCA work.
A personal apology email from the on-call engineer is not an SRE-recommended first action. It can be premature (facts may still be evolving), can imply blame, and does not provide the operational details stakeholders need to coordinate communications. Apologies and customer-facing statements should be coordinated through established comms processes using verified information from the ISD.
問題分析
Core Concept:
This question tests SRE incident communication practices: how to quickly inform stakeholders after service restoration, using standardized artifacts (incident state document/situation report) before the deeper postmortem. It aligns with SRE guidance to separate fast, factual status communication from later root-cause analysis and corrective actions.
Why the Answer is Correct:
You have 30 minutes to deliver an incident summary to executives, customer support, and external partners. The fastest, most reliable first action is to distribute the current Incident State Document (ISD)/situation report that already captures the essentials: customer impact (100% outage), duration (2h45m), what’s restored (SLIs back to baseline), and a high-level timeline. This ensures consistent messaging, reduces rumor/contradictions, and enables downstream teams (support, partner managers) to communicate immediately. SRE practice emphasizes timely, accurate, and broadly shared updates during/after incidents; the ISD is the canonical source of truth.
Key Features / Best Practices:
An effective ISD includes: impact summary (who/what/where), start/end times, current status, mitigations applied, known remaining risks, and next steps (e.g., postmortem ETA). It should be written in plain language for non-engineers, with links to dashboards and incident tickets. This supports blameless culture and operational excellence (Google Cloud Architecture Framework: Operational Excellence and Reliability pillars), ensuring stakeholders can act without waiting for a full RCA.
Common Misconceptions:
It’s tempting to start the full postmortem immediately (B) or to do high-touch calls (A), but those are slower and risk inconsistent narratives. Apology emails (D) are not a first step; they can be premature, may admit fault before facts are verified, and don’t provide actionable operational context.
Exam Tips:
For DevOps/SRE exam scenarios with tight timelines and many stakeholders, prioritize standardized, repeatable communication artifacts (ISD/sitrep) first. Postmortems come later, after data collection and stabilization. Look for keywords like “30 minutes,” “executives/support/partners,” and “SRE-recommended practices” to select “share the current status report” over “write the full report” or “schedule meetings.”
6
問題 6
Your team operates a multi-tenant fraud-scoring API written in Node.js and deployed on Cloud Run (fully managed) with concurrency set to 50 and minimum instances set to 2.
During load tests (~200 errors per minute), you must customize the error data sent to Cloud Error Reporting to include tenant_id and op_id, set a custom service/version for grouping, and use a custom fingerprint while ensuring no PII is logged.
What should you do?
Incorrect. Moving the application to Compute Engine is unnecessary because Cloud Run already supports Cloud Logging and can call Google Cloud APIs directly, including Error Reporting. The problem is about customizing how errors are reported, not about needing VM-level control or a different runtime environment. Introducing Compute Engine would add operational burden such as instance management, patching, and scaling configuration without providing a unique capability required by the question. On the exam, platform migrations are usually wrong when the existing managed service already supports the needed feature set.
Incorrect. Google Kubernetes Engine is also an unnecessary platform change for this scenario because the application can remain on Cloud Run and still integrate with Error Reporting and Cloud Logging. The requirement is to enrich and control error-reporting data, not to gain orchestration features like sidecars, daemonsets, or custom node-level agents. Migrating to GKE would increase complexity and operational overhead while not being required for service/version attribution or structured error logging. The best practice is to keep the managed serverless platform when it already supports the observability APIs you need.
Incorrect. Keeping the service on Cloud Run is the right direction, but this option is too narrow because it only mentions installing the Node.js Error Reporting client library. The question specifically asks for customized error data handling and explicit service/version control, and the most complete supported mechanism in the answer set is to use the Error Reporting API together with structured Cloud Logging. A client library may help capture exceptions, but the option does not clearly address the full customization and logging design required by the scenario. Therefore, C is not the best answer even though Cloud Run itself is still the correct platform to use.
Correct. Cloud Run fully supports sending application errors to Google Cloud Error Reporting without changing the deployment platform, either by calling the Error Reporting API or by emitting properly formatted error logs to Cloud Logging. This approach gives you explicit control over serviceContext.service and serviceContext.version, which is the standard way to identify the logical service and deployed version in Error Reporting. You can also include tenant_id and op_id as structured, non-PII metadata in the related log entry for correlation and troubleshooting. This is the most direct option that satisfies the customization requirement while preserving the managed operational model of Cloud Run.
問題分析
Core concept:
This question tests Cloud Error Reporting customization and how errors are ingested/grouped from serverless runtimes (Cloud Run) using Cloud Logging and/or the Error Reporting API. It also touches on multi-tenant observability design (adding tenant/op correlation) and privacy controls (avoiding PII).
Why the answer is correct:
On Cloud Run, unhandled exceptions and properly formatted error logs can automatically appear in Error Reporting, but the built-in capture/grouping is limited. The requirement explicitly asks to (1) add custom fields (tenant_id, op_id), (2) set custom service/version for grouping, and (3) use a custom fingerprint. The most direct and fully controllable way is to call the Error Reporting API and write a ReportedErrorEvent with custom context (service/version) and a custom fingerprint, while also emitting Cloud Logging entries formatted for Error Reporting. This approach gives deterministic grouping and metadata without changing the compute platform.
Key features / best practices:
- Use Error Reporting API (projects.events.report) with ReportedErrorEvent.
- Populate serviceContext.service and serviceContext.version to control grouping across deployments.
- Use a custom fingerprint to group by tenant/op or by error signature (careful: too-granular fingerprints can explode cardinality).
- Include tenant_id/op_id as non-PII labels/metadata; keep payloads scrubbed (no request bodies, emails, tokens). Implement allowlists and redaction at the application layer.
- Prefer structured logging to Cloud Logging; Cloud Run automatically ships stdout/stderr. Ensure logs meet Error Reporting format so they are recognized.
Common misconceptions:
Many assume installing the Node.js Error Reporting client library is sufficient. While it can capture exceptions, it does not inherently solve custom fingerprinting and precise service/version grouping in the way the API does, and it doesn’t require moving to GKE/Compute Engine. Another trap is thinking platform changes (GKE/VMs) are needed for richer error reporting—Cloud Run supports the same APIs.
Exam tips:
When you see requirements like “custom fingerprint” and “custom service/version,” think “Error Reporting API / ReportedErrorEvent” rather than only agent/client libraries. Also, for multi-tenant systems, watch for PII constraints and cardinality risks: add tenant identifiers as labels/metadata but avoid embedding sensitive data in messages or stack traces, and design grouping to remain actionable at scale.
7
問題 7
Your production machine learning inference services run on a 30-node GKE cluster in asia-northeast1 while your Jenkins build agents run in europe-west1, and each rollout requires all nodes to pull a 1.5-GB image within a 10-minute deployment window; to maximize pull bandwidth and use a scalable registry, where should you push the images?
gcr.io stores images in the US multi-region, not “global.” For a GKE cluster in asia-northeast1, this typically introduces higher latency and potential intercontinental egress compared to an Asia location. While GCR is scalable, the distance can reduce effective aggregate pull throughput and make it harder to meet a strict 10-minute rollout window for 30 nodes pulling 1.5-GB images.
eu.gcr.io stores images in the EU multi-region. This aligns with the Jenkins build agents in europe-west1 for pushes, but the dominant requirement is fast pulls by the production GKE nodes in asia-northeast1. Pulling from Europe to Asia adds latency and cross-region traffic, which can become a bottleneck during concurrent node pulls and increases the risk of missing the deployment window.
asia.gcr.io stores images in the Asia multi-region, which is the closest GCR location to a GKE cluster in asia-northeast1. This minimizes network distance, reduces latency and potential cross-continent egress, and improves the likelihood that 30 nodes can concurrently pull a 1.5-GB image within 10 minutes. It also preserves the benefits of a fully managed, scalable registry.
A private registry on a Compute Engine VM in asia-northeast1 may be geographically close, but it is not inherently scalable for 30 concurrent large pulls and introduces significant operational overhead (patching, scaling, HA, backups, TLS, auth). It can become a single point of failure and may require load balancing and multi-VM architecture to match GCR’s reliability and throughput.
問題分析
Core Concept:
This question tests container image distribution performance for GKE rollouts and how Google Container Registry (GCR) hostnames map to multi-regional storage locations. It’s fundamentally about minimizing latency/egress bottlenecks and maximizing aggregate pull throughput during a tight deployment window.
Why the Answer is Correct:
Your GKE cluster is in asia-northeast1 and must pull a large (1.5-GB) image to 30 nodes within 10 minutes. The best way to maximize pull bandwidth is to place the registry storage closest to the consumers (the GKE nodes). Using the asia.gcr.io hostname stores images in GCR’s Asia multi-region, which is geographically and network-topology closer to asia-northeast1 than EU or US multi-regions. This reduces cross-continent latency and avoids unnecessary intercontinental egress, improving effective throughput and rollout reliability.
Key Features / Best Practices:
GCR provides a scalable, managed registry backed by Google infrastructure, supporting high concurrency pulls without you managing servers. The hostname determines the multi-region: gcr.io (US), eu.gcr.io (EU), asia.gcr.io (Asia). For large-scale rollouts, also consider node image caching, controlling maxUnavailable in Deployments, and (in modern architectures) Artifact Registry with regional repositories and pull-through/cache patterns. From a Google Cloud Architecture Framework perspective, this aligns with Performance Optimization and Reliability by reducing network dependencies and variance.
Common Misconceptions:
Many assume gcr.io is “global” and therefore best; it is not—it maps to the US multi-region. Others choose eu.gcr.io because builds run in europe-west1, but build push location is less important than pull location when 30 production nodes must download quickly. A private registry in-region sounds fast, but it is not inherently scalable and becomes an operational and availability risk.
Exam Tips:
When asked about image pull speed for GKE, prioritize registry proximity to the cluster and managed scalability. Remember GCR hostnames correspond to multi-regions; pick the one nearest the runtime environment, not the CI system. Also watch for questions where Artifact Registry is an option; prefer regional repos near the cluster for predictable performance and cost.
8
問題 8
Your organization lets product squads self-manage Google Cloud projects, including project-level IAM; the network platform team operates a Shared VPC host project named net-host-prod that connects 18 service projects across 3 folders, and a lien has already been placed on the host project to prevent accidental deletion; you must implement a control so that only principals who hold the resourcemanager.projects.updateLiens permission at the organization level can remove the lien and delete the host project; what should you do?
Managing IAM changes via Terraform pull requests is a strong operational practice (auditable, reviewable, repeatable), but it is not an enforcement mechanism. A user with sufficient permissions could still remove the lien or change IAM directly using the Console, gcloud, or API. The question requires a technical control that guarantees only org-authorized principals can remove the lien, which Terraform workflow alone cannot ensure.
VPC Service Controls creates service perimeters to reduce data exfiltration risk for supported Google APIs. It does not provide a governance control for lien removal or project deletion, and enabling it for container.googleapis.com is unrelated to resourcemanager liens. This option confuses security boundary controls with resource governance controls; it would not meet the requirement to restrict who can remove the lien.
Removing resourcemanager.projects.updateLiens from identities bound directly to the host project is insufficient and fragile. Permissions can be granted through inherited IAM bindings at the folder or organization level, and project-level admins might still be able to adjust IAM depending on their roles. The requirement calls for a centralized, enforceable restriction tied to org-level authority, which is better achieved with Organization Policy.
Enforcing compute.restrictXpnProjectLienRemoval at the organization root is the correct preventive guardrail. It centrally restricts removal of the Shared VPC host project lien (XPN lien) regardless of project-level IAM self-management. Applied at the org root, it inherits down to the host project and ensures only appropriately authorized principals (with the necessary org-level permission) can remove the lien and proceed with deletion.
問題分析
Core Concept:
This question tests Google Cloud resource governance for Shared VPC host projects using Organization Policy Service and IAM. Specifically, it focuses on controlling who can remove a Shared VPC host project lien (a protective mechanism that blocks deletion) and ensuring that only centrally authorized principals (with an org-level permission) can perform that action.
Why the Answer is Correct:
The correct control is to enforce the organization policy constraint compute.restrictXpnProjectLienRemoval at the organization root. This constraint is designed to restrict removal of the Shared VPC (XPN) host project lien. By enforcing it at the org root, you apply a consistent, centrally managed guardrail across the entire resource hierarchy (org/folders/projects), regardless of how product squads manage project-level IAM. This aligns with the requirement: only principals who hold resourcemanager.projects.updateLiens at the organization level should be able to remove the lien and delete the host project. Org Policy provides preventive control that cannot be bypassed by project admins.
Key Features / Best Practices:
- Organization Policy Service provides “policy-as-guardrails” that overrides local project autonomy for critical controls.
- Enforcing at the organization root ensures inheritance to all folders/projects, including the Shared VPC host.
- Liens are a deletion-protection mechanism; controlling lien removal is stronger than relying on process controls.
- This approach aligns with the Google Cloud Architecture Framework governance principle: use centralized policies for risk reduction and consistent compliance.
Common Misconceptions:
- Removing permissions from project-level bindings (option C) seems logical, but it’s incomplete because permissions can be granted via folder/org inheritance or re-granted by those with sufficient authority, and it doesn’t create a durable, centrally enforced guardrail.
- Process controls like “use Terraform PRs” (option A) improve change management but do not technically prevent a privileged user from removing the lien via console/gcloud.
- VPC Service Controls (option B) is about data exfiltration boundaries for APIs, not about controlling lien removal or project deletion.
Exam Tips:
When you see requirements like “must enforce” and “only principals with org-level authority,” prefer Organization Policy constraints over procedural controls. For Shared VPC host protections, look for XPN-specific constraints (compute.*) and apply them at the highest appropriate node (often the organization root) to prevent project-level IAM autonomy from weakening the control.
9
問題 9
Your platform team distributes Envoy WASM plugins as OCI-compliant artifacts to 150 edge gateways across 3 regions, and some plugins are currently sourced weekly from 4 public registries while others come from 2 internal teams; the security team has flagged the use of public registries as a supply-chain risk and requires repository-level IAM, audit logging, and enforcement within a VPC Service Controls perimeter with no public egress at deployment time using Private Google Access.
You want to manage all plugins uniformly with native access control, unified auditability, and VPC Service Controls while remaining compatible with OCI clients; what should you do?
Correct. Artifact Registry is Google’s managed artifact service with native OCI support, repository-level IAM, and Cloud Audit Logs integration. It can be protected by VPC Service Controls to reduce exfiltration risk and can be accessed without public egress using Private Google Access and/or Private Service Connect for Google APIs. Mirroring public plugins into Artifact Registry removes runtime dependency on public registries while keeping OCI client compatibility.
Incorrect. GitHub Enterprise Packages is not a Google Cloud-native artifact service and does not integrate with VPC Service Controls. Even with centralized identity, it won’t provide Google Cloud repository-level IAM controls, Cloud Audit Logs in the same way, or perimeter enforcement. It also typically requires internet access from gateways unless additional complex networking is built, violating the “no public egress at deployment time” requirement.
Incorrect. Cloud Storage can store binaries, but serving plugins from storage.googleapis.com over HTTPS is not an OCI registry and won’t be uniformly compatible with OCI clients expecting registry endpoints, manifests, and auth flows. While Cloud Storage can be used with IAM and can be placed behind VPC-SC, the solution changes the distribution mechanism and loses OCI-native workflows, making it a poor fit for “remain compatible with OCI clients.”
Incorrect. A self-managed registry on GKE increases operational burden (patching, scaling, HA, backups) and does not satisfy the requirement for VPC Service Controls enforcement because VPC-SC applies to Google-managed services/APIs, not arbitrary workloads. NetworkPolicies and private ingress help, but they don’t provide the same perimeter-based exfiltration protections, unified Google Cloud auditability, or simplified IAM at the repository level.
問題分析
Core Concept:
This question tests secure software supply chain management for OCI artifacts on Google Cloud, specifically using Artifact Registry with repository-level IAM, Cloud Audit Logs, and VPC Service Controls (VPC-SC) to eliminate public registry dependency and prevent data exfiltration. It also tests private access patterns (Private Google Access / Private Service Connect) so deployments can occur without public egress.
Why the Answer is Correct:
Option A centralizes all Envoy WASM plugins (both formerly public and internal) into Artifact Registry as OCI-compliant artifacts. Artifact Registry natively supports OCI (container images and generic OCI artifacts), integrates with IAM at the repository level, and emits admin/data access audit logs. By placing the Artifact Registry API/project inside a VPC-SC perimeter and configuring gateways to access Google APIs privately (typically via Private Google Access for Google APIs and/or Private Service Connect for Google APIs), gateways can pull artifacts without traversing the public internet. This directly satisfies: uniform management, native access control, unified auditability, VPC-SC enforcement, and OCI client compatibility.
Key Features / Configurations:
- Artifact Registry repositories (regional) with IAM bindings at repo scope for least privilege.
- Cloud Audit Logs for Artifact Registry (Admin Activity by default; enable Data Access logs as required for read events).
- VPC Service Controls perimeter including the Artifact Registry service and relevant projects; use access levels and ingress/egress rules to control access paths.
- Private access from gateways: ensure they are in subnets with Private Google Access enabled; optionally use Private Service Connect endpoints for Google APIs to keep traffic on Google’s network and simplify egress controls.
- Mirroring strategy: periodically import/sync from public registries into Artifact Registry so runtime pulls never require public egress.
Common Misconceptions:
Teams often assume “any private registry” meets VPC-SC requirements; however, VPC-SC protects Google-managed services and enforces perimeter controls—self-managed registries don’t gain VPC-SC protections. Others confuse Cloud Storage HTTPS hosting with OCI registry semantics; OCI clients expect registry APIs, auth flows, and artifact metadata.
Exam Tips:
When requirements include repository-level IAM, audit logging, OCI compatibility, and VPC-SC with no public egress, default to Artifact Registry (or Container Registry historically) plus VPC-SC and private Google API access. Prefer managed services over self-managed unless the question explicitly requires custom behavior not supported by Google Cloud.
10
問題 10
Your fintech startup's real-time payments API runs on GKE with a 99.9% monthly availability SLO and a latency SLI of p95 < 250 ms.
Over the last quarter, there have been 3 production incidents per month where p95 latency exceeded 1,200 ms and error rate surpassed 5% for 30-minute windows.
Engineers push feature branches and execute schema migrations directly against the production cluster during business hours, and data scientists run configuration experiments in production.
QA teams also perform load tests that ramp from 50 rps to 500 rps against the production endpoint twice a week, saturating the autoscaler and causing throttling.
You must redesign the environment to reduce production bugs and outages while allowing QA to load test new features at realistic scale.
What should you do?
Synthetic canaries improve detection and alerting, which is useful for observability and faster incident response. However, they do not address the root cause: uncontrolled production changes and intentional load tests that saturate production capacity. Canaries might simply alert you sooner while customers still experience latency and errors. Prevention via environment isolation and gated releases is required to meet the availability/latency SLOs.
A single lower-capacity dev cluster shared by developers and testers reduces cost but fails the requirement to load test at realistic scale. At 25% of production capacity, performance results won’t reflect production behavior (autoscaler thresholds, saturation points, p95 latency). Also, mixing dev and QA workloads increases contention and instability, and it still doesn’t create a safe pre-production gate for configuration experiments and migrations.
Locking down production access is directionally correct (reduce direct changes), but scheduling one controlled update per year is not viable for a real-time payments API. It would block feature delivery, security patching, and urgent fixes, increasing long-term risk. The goal is not to stop change, but to make change safe through CI/CD, testing, approvals, and progressive delivery with rollback.
Separate dev and staging/test environments and gate promotions through CI/CD directly addresses the problem: it prevents experiments, migrations, and load tests from impacting production while still enabling realistic performance validation. A production-mirroring staging environment supports 500 rps tests and configuration experiments safely. CI/CD gates (automated tests, approvals, policy checks) reduce change failure rate and protect the production error budget, improving SLO compliance.
問題分析
Core Concept:
This question tests environment strategy and release governance using CI/CD to protect production reliability while still enabling realistic testing. It aligns with SRE change management and the Google Cloud Architecture Framework’s Reliability pillar: reduce risk from changes, isolate blast radius, and validate before production.
Why the Answer is Correct:
The current process violates basic production controls: engineers run schema migrations and experiments directly in prod, and QA load tests overload the production autoscaler, causing throttling and user-visible latency/errors. The correct redesign is to separate environments and enforce promotions through CI/CD gates. A staging/test environment that mirrors production (capacity, configs, versions, autoscaling, network policies) allows QA to run high-RPS load tests and validate new features without consuming production error budget or impacting the 99.9% SLO. Development remains lower-risk for rapid iteration.
Key Features / Best Practices:
- Use separate GKE clusters (or at minimum separate namespaces/projects with strong isolation) for dev, staging, and prod; typically separate projects for IAM and quota isolation.
- Mirror production in staging: same node pools, autoscaling settings (HPA/VPA/Cluster Autoscaler), ingress, service mesh policies, and dependencies (or production-like replicas).
- CI/CD (Cloud Build/GitHub Actions + Artifact Registry + GitOps with Config Sync/Argo CD/Flux) to promote container images and Kubernetes manifests from dev → staging → prod.
- Add approval gates, automated tests (unit/integration), policy checks (Binary Authorization, OPA/Gatekeeper), and progressive delivery (canary/blue-green) to reduce risk.
- Handle schema migrations via controlled pipelines (e.g., expand/contract patterns) and scheduled change windows.
Common Misconceptions:
Observability (canaries) helps detect issues but doesn’t prevent self-inflicted outages from load tests and direct prod changes. A single small dev cluster cannot validate performance at 500 rps or production autoscaling behavior. “Lock prod and update yearly” is unrealistic for fintech and increases security/operational risk.
Exam Tips:
When production is being used for experiments/load tests, the DevOps exam usually expects: environment separation + CI/CD gated promotions + production protections (IAM, policy, progressive rollout). Look for answers that reduce change failure rate and isolate testing from production error budgets.
