Questões de Prática

Questão 1

Your retail analytics team has an IoT gateway that uploads a 5 MB CSV summary every 10 minutes to a Cloud Storage bucket gs://retail-iot-summaries-prod. Upon each successful upload, you must notify a downstream pipeline via the Pub/Sub topic projects/acme/topics/iot-summaries so a Dataflow job can start. You want a solution that requires the least development and operational effort, introduces no additional compute to manage, and can be set up within 1 hour; what should you do?

Questão 2

Your startup manages 3,000 smart vending machines that publish 4 KB JSON telemetry to a Pub/Sub topic at an average rate of 600 messages per second (peaks up to 1,200). You must parse each message and persist it for analytics with end-to-end latency under 45 seconds, and each message must be processed exactly once to avoid double-counting transactions. You want the cheapest and simplest fully managed approach with minimal operations overhead and cannot maintain clusters or build custom deduplication workflows. What should you do?

Análise da Questão

Core concept: This question tests selecting a fully managed streaming ingestion and processing architecture that meets low-latency SLAs and exactly-once processing semantics. The key services are Pub/Sub for ingestion and Dataflow (Apache Beam) for managed stream processing, with an analytics sink. Why the answer is correct: A Dataflow streaming pipeline reading from Pub/Sub and writing windowed outputs to Cloud Storage is the simplest fully managed option among the choices that can meet the <45s end-to-end latency requirement while providing exactly-once processing guarantees within the pipeline. Dataflow provides checkpointing, autoscaling, and fault-tolerant processing. With Pub/Sub as the source, Dataflow can ensure each message is processed once by the pipeline (no custom dedup workflow required) and can emit deterministic windowed files to Cloud Storage for downstream analytics (for example, batch loads to BigQuery or processing via Dataproc Serverless/BigQuery external tables). Key features / configurations / best practices: - Use Dataflow streaming with Pub/Sub source and enable streaming engine for efficiency. - Use event-time processing with fixed windows (e.g., 1-minute) and allowed lateness appropriate to device clock skew. - Write to Cloud Storage using windowed writes (e.g., file-per-window with sharding) to keep file sizes reasonable and avoid small-file problems. - Size for peaks: 1,200 msg/s * 4 KB ≈ 4.8 MB/s, which is well within Pub/Sub and Dataflow throughput; Dataflow autoscaling handles bursts. - Exactly-once: Dataflow’s checkpointing and replay handling avoids double-processing in the pipeline; avoid non-idempotent side effects unless the sink supports idempotency. Common misconceptions: - “Cloud Functions is simpler”: it is operationally simple, but exactly-once is not guaranteed with Pub/Sub-triggered functions (at-least-once delivery), so you must deduplicate, which the prompt forbids. - “Dataproc job is cheaper”: recurring batch jobs increase latency and require cluster operations (or at least job orchestration) and don’t naturally meet a 45-second streaming SLA. - “Use Bigtable then dedupe”: introduces extra pipelines and custom dedup logic, violating the requirement for minimal operations and no custom dedup workflows. Exam tips: - For Pub/Sub streaming with low latency and minimal ops, default to Dataflow. - If the requirement says “exactly once” and forbids custom dedup, avoid Cloud Functions/Cloud Run consumers unless the sink is inherently idempotent and the design explicitly uses unique keys. - Map requirements to the Google Cloud Architecture Framework: operational excellence (managed services), reliability (checkpointing/retries), performance (autoscaling), and cost (avoid always-on clusters).

Questão 3

You are migrating a MySQL table named AccountActivity to Cloud Bigtable. The table schema includes Account_id, Event_timestamp, Transaction_type, and Amount, with a primary key defined as (Account_id, Event_timestamp). To ensure efficient data modeling and query performance in Bigtable, how should you design the row key?

Questão 4

You are a developer at a nationwide logistics platform. The company operates an on-premises dispatch system backed by PostgreSQL to store driver profiles and delivery logs. As part of a migration to Google Cloud, your team will move driver profile data to Cloud Firestore while delivery logs will also be stored in Firestore going forward. The system has 120,000 active drivers; each driver can create up to 200 delivery log entries per day from mobile devices that must support offline sync and per-driver access control. You also need efficient per-driver queries and occasional analytics that query across all drivers' logs. You are tasked with designing the Firestore collections. What should you do?

Análise da Questão

Core concept: This question tests Firestore data modeling for scale, security, offline sync, and query patterns. Firestore is a document database optimized for hierarchical data (collections/documents/subcollections), client-side offline persistence, and security rules that commonly scope access by document path. Why the answer is correct: Use a root collection for driver profiles (e.g., drivers/{driverId}) and a subcollection per driver for delivery logs (e.g., drivers/{driverId}/logs/{logId}). This aligns the data with the primary access pattern: “per-driver queries” and “per-driver access control.” With this model, mobile clients can query only their own logs efficiently (single collection query within a subcollection) and security rules can enforce that a signed-in driver only reads/writes under their own document path. Offline sync works naturally because clients sync the specific documents/collections they access. Key features / best practices: - Security rules: Path-based rules are straightforward: allow read/write on /drivers/{driverId}/logs/{logId} only when request.auth.uid == driverId (or mapped via a custom claim). This is a common Firestore best practice. - Scalability: 120,000 drivers and up to 200 logs/day each implies up to 24M writes/day. Firestore scales horizontally; distributing writes across many subcollections avoids concentrating write load on a single “hot” collection prefix pattern. Also avoid unbounded arrays in a single document. - Efficient queries: Per-driver queries are fast and cheap because they target a single driver’s logs subcollection. - Cross-driver analytics: When you occasionally need queries across all drivers’ logs, use a collection group query on “logs” (collectionGroup('logs')) to query all logs subcollections. For heavier analytics, export to BigQuery (via extensions or Dataflow) rather than running large ad-hoc scans in Firestore. Common misconceptions: A seems simpler (two root collections), but per-driver access control becomes more complex (must filter by driverId field) and cross-driver writes can create hot partitions if document IDs are time-ordered. C is a classic anti-pattern: arrays/nested lists grow without bound and hit the 1 MiB document limit and high contention. D inverts the natural hierarchy and complicates access patterns. Exam tips: Model Firestore around dominant queries and security boundaries. Prefer subcollections for one-to-many relationships and use collection group queries for occasional global queries. Avoid large arrays and designs that require scanning a massive root collection for routine user-scoped reads.

Questão 5

Your team uses Cloud Build to build a single container image and push it to Artifact Registry with two tags: latest and v2.3.7. You then use Google Cloud Deploy to promote this image through three GKE environments in different regions: dev (us-central1), staging (europe-west1), and prod (asia-northeast1). Compliance requires that the exact same binary is deployed to all three environments over the release week, even if tags are moved or new images are pushed. How should you reference the image in the Cloud Deploy/Skaffold release configuration to guarantee the same image is used across all environments?

Quer praticar todas as questões em qualquer lugar?

Baixe o Cloud Pass grátis — inclui simulados, acompanhamento de progresso e mais.

Questão 6

Your online ticketing platform runs a payment-validation microservice on a Compute Engine Managed Instance Group (autoscaling between 3 and 10 VMs) behind an internal HTTP(S) Load Balancer; during a canary at 5,000 requests per minute, 1–2% of requests intermittently return HTTP 500 when the code path handling 3-D Secure callbacks is executed, and you need to observe the values of customerId and tokenExpiry at line 214 every time that branch is hit across all running instances over the next 4 hours, with the observations written to Cloud Logging, without modifying code, restarting VMs, or redeploying. Which tool should you use?

Questão 7

You operate a Go-based Cloud Functions (2nd gen) HTTP function in us-central1 that processes invoice files at roughly 200 requests per second. The function must read and write objects in a single Cloud Storage bucket named acct-prod-uploads within the same project (retail-prod-123). You must follow the principle of least privilege and avoid project-wide roles and default service accounts. What should you do?

Questão 8

You are developing a local analytics worker that aggregates readings from 50 factory sensors at 10 Hz and publishes normalized events to a Pub/Sub topic named telemetry-normalized; you build locally 8–10 times per day and need each build to validate Pub/Sub integration in under 2 minutes without internet access or incurring any Google Cloud charges, using a dev project ID of plant-dev-31415—how should you configure local testing?

Questão 9

You are the lead developer for a real-time fleet tracking service running on Cloud Run at a transportation company with strict uptime SLAs. Binary Authorization for Cloud Run is enforced as an organization policy with a single attestor, and all service images are normally attested through the CI/CD pipeline. Deployments are allowed only during a 45-minute change window starting at 02:15 local time. A zero-day vulnerability in a widely used library is being actively exploited, and you must deploy a patched image immediately, before the next change window. You have built the new image and received written approval from your director via the company ticketing system. What should you do?

Questão 10

Your company is building a serverless QR-code rendering API on Cloud Run to generate boarding passes. The API must read PDF templates stored in a private Cloud Storage bucket named tickets-secure-prod in europe-west1, and the security team requires that: (1) production buckets must never be publicly accessible, (2) production workloads must not run with default service accounts, and (3) the API needs only read access to objects; peak traffic is 250 requests per second and clients will never access the bucket directly. You need to grant the API permission to read the templates while following Google-recommended best practices and the security constraints; what should you do?

Análise da Questão

Core concept: This question tests secure service-to-service access from Cloud Run to Cloud Storage using IAM, least privilege, and hardening controls (Public Access Prevention), aligned with the Google Cloud Architecture Framework security pillar. Why the answer is correct: The API runs on Cloud Run and must read private PDF templates from a production bucket. Because clients never access the bucket directly, you should use direct server-side access with IAM (not signed URLs). The security team requires production buckets never be publicly accessible, which is best enforced with Cloud Storage Public Access Prevention (PAP). PAP blocks all public IAM bindings (allUsers/allAuthenticatedUsers) at the bucket level, preventing accidental exposure even if someone later tries to grant public access. The workloads must not run with default service accounts. Cloud Run services should use a dedicated, user-managed service account (least privilege, clear ownership, and easier audit). Then grant that service account only the permissions needed: roles/storage.objectViewer on the specific bucket (or narrower via IAM Conditions/prefixes if applicable). This satisfies “read-only access to objects” and avoids over-permissioning. Key features/configurations: - Cloud Storage: enable Public Access Prevention on tickets-secure-prod to ensure it can’t be made public. - Cloud Run: configure the service to run as a user-managed service account (not the default Compute Engine or default App Engine/Cloud Run service identity). - IAM: grant roles/storage.objectViewer at the bucket level to that service account. - Regional note: bucket in europe-west1 is fine; Cloud Run can be deployed in europe-west1 to minimize latency/egress. 250 RPS is handled by Cloud Run autoscaling; Storage read throughput is typically sufficient, and caching templates in memory per instance can reduce repeated reads. Common misconceptions: Signed URLs are often suggested for “private bucket access,” but they are primarily for delegating temporary access to clients without IAM. Here, clients never access the bucket, so signed URLs add complexity and key management without meeting the “no public access” requirement as directly as PAP. Exam tips: When you see “production bucket must never be public,” think Public Access Prevention. When you see “don’t use default service accounts,” think user-managed service account per workload. For “needs only read access,” choose roles/storage.objectViewer on the narrowest resource scope (bucket/object prefix) that meets requirements.

Practice Test #4

Respostas e Explicações Verificadas por 3 IAs

Questões de Prática

Histórias de Sucesso(6)

Outros Simulados

Practice Test #1

Practice Test #2

Practice Test #3

Comece a Praticar Agora