Prepare smarter for your Cloud Architect exam with our free, accurate, and 2025-updated questions.
At Cert Empire, we are committed to providing the best and the latest exam questions to the aspiring students who are preparing for Google Cloud Architect Exam. To help the students prepare better, we have made sections of our Cloud Architect exam preparation resources free for all. You can practice as much as you can with Free Cloud Architect Practice Test.
Question 1
A. This suggests an unnecessary application redesign. Google Cloud's load balancers provide native support for websockets, so converting the code to a different protocol is not required.
B. While security is important, reviewing encryption does not solve the core architectural problem of routing traffic correctly to support websockets and non-distributed sessions.
D. This proposes a significant and costly application redesign as the first step. A Cloud Architect should first seek to support the existing application requirements with appropriate infrastructure before recommending a complete rewrite.
1. Google Cloud Documentation, "External HTTP(S) Load Balancer overview": This document explicitly states the load balancer's capabilities. Under the "Features" section, it lists "WebSocket support." The documentation explains: "Google Cloud Armor and Cloud CDN can be used with WebSockets. The WebSocket protocol... provides a full-duplex communication channel between a client and a server. The channel is initiated from an HTTP(S) request. The External HTTP(S) Load Balancer has native support for the WebSocket protocol."
2. Google Cloud Documentation, "Session affinity": This page details how to configure session affinity for various load balancers. For the Global External HTTP(S) Load Balancer, it states: "Session affinity sends all requests from the same client to the same virtual machine (VM) instance or endpoint... This is useful for applications that require stateful sessions." It then describes the different types, including Generated cookie affinity, Header field affinity, and HTTP cookie affinity, which directly address the "non-distributed sessions" requirement.
3. Google Cloud Architecture Framework, "System design pillar": This framework emphasizes selecting the right Google Cloud products and services to meet design requirements. The "Networking and connectivity principles" section guides architects to "Choose the right load balancer for your needs." This aligns with option C, which involves evaluating load balancer options to fit the application's specific websocket and session state requirements.
Question 2
A. The resize command performs a one-time, manual scaling operation to a fixed number of nodes. It does not enable the cluster to scale automatically based on workload demand.
B. Adding tags to individual Compute Engine instances is used for networking rules or organization, not for enabling the GKE cluster autoscaler, which is a managed feature of the cluster itself.
D. This command creates an entirely new cluster. While it correctly enables autoscaling, it does not modify the running cluster as requested and would require a disruptive migration of all applications.
1. Google Cloud Documentation - Autoscaling a cluster: The official documentation explicitly provides the command for enabling cluster autoscaling on an existing cluster: gcloud container clusters update CLUSTER_NAME --enable-autoscaling --min-nodes=MIN_NODES --max-nodes=MAX_NODES. This directly supports option C as the correct procedure. (See "Enabling cluster autoscaling for an existing cluster" section).
Source: Google Cloud, "Autoscaling a cluster", cloud.google.com/kubernetes-engine/docs/how-to/cluster-autoscaler.
2. Google Cloud SDK Documentation - gcloud container clusters update: The reference for this command confirms its purpose is to "Update settings for a cluster" and lists --enable-autoscaling, --max-nodes, and --min-nodes as valid flags for managing the autoscaler.
Source: Google Cloud SDK, "gcloud container clusters update", cloud.google.com/sdk/gcloud/reference/container/clusters/update.
3. Google Cloud SDK Documentation - gcloud container clusters resize: This documentation clarifies that the resize command is for manual scaling: "This command is used for manual scaling. You can use this command to increase or decrease the number of nodes in a cluster." This confirms why option A is incorrect for automatic scaling.
Source: Google Cloud SDK, "gcloud container clusters resize", cloud.google.com/sdk/gcloud/reference/container/clusters/resize.
Question 3
A. The error is with the javax.servlet-api-3.0.1.jar file's integrity, not a custom class. Changing the hash algorithm for a single class is irrelevant to the JAR verification process.
C. The error is a digest mismatch (does not match), not a ClassNotFoundException. This confirms the file is present but has failed an integrity check, rather than being missing.
1. Oracle Java Documentation, "Signing and Verifying JAR Files": This document explains the purpose of JAR signing. It states, "You can sign JAR files to ensure their integrity and authenticity... When a signed JAR file is loaded, the Java runtime can verify the signature to ensure that the file's contents have not been changed since it was signed." The SecurityException in the question is a direct result of this verification failing. (Source: Oracle, JDK 8 Documentation, The Java Tutorials, Deployment, Signing and Verifying JAR Files).
2. Google Cloud Documentation, "Java 8 Runtime Environment": The error log references the WEB-INF/lib/ directory, which is a standard part of the required application directory structure for Java applications on App Engine. This confirms the context is a standard Java web application deployment where such integrity checks are common. (Source: Google Cloud, App Engine standard environment for Java 8 documentation, "The Java 8 Runtime Environment", Section: "Organizing your files").
3. Princeton University, COS 432: Information Security, Lecture 18: Java Security: This courseware discusses the Java security model, including the sandbox, SecurityManager, and code signing. It explains that the SecurityManager is responsible for throwing a SecurityException when a security policy is violated, such as when code integrity cannot be verified via its signature. (Source: Princeton University, Department of Computer Science, COS 432, Lecture 18, Slides 15-18 on "Code Signing").
Question 4
You are designing a mobile chat application. You want to ensure people cannot spoof chat messages, by proving that a message was sent by a specific user. What should you do?
A. Tagging messages with a user identifier on the client side is insecure metadata. A malicious user can easily modify the client application to forge this tag.
B. Shared key (symmetric) encryption provides confidentiality, ensuring only those with the key can read the message. It does not prove origin, as anyone with the shared key could have created the message.
D. SSL/TLS secures the communication channel between the client and the server (data in transit). It does not cryptographically sign the individual messages to prove the user's identity to other chat participants.
1. Google Cloud Documentation, Cloud Key Management Service, "Digital signatures": "Digital signatures are commonly used to verify the integrity and authenticity of data. For example, you can use digital signatures to verify that a binary was released by a specific developer... A private key is used to create a digital signature, and the corresponding public key is used to validate the signature." This directly supports the mechanism described in option C for proving origin.
2. Google Cloud Documentation, Cloud Key Management Service, "Asymmetric encryption": This document distinguishes between symmetric and asymmetric keys, stating, "Asymmetric keys can be used for either asymmetric encryption or for creating digital signatures." This clarifies that the PKI approach (asymmetric keys) is the correct tool for signatures, unlike the symmetric approach in option B.
3. MIT OpenCourseWare, 6.857 Computer and Network Security, Fall 2017, Lecture 8: Public-Key Cryptography: The lecture notes state that a digital signature scheme provides "(1) Authentication (of origin), (2) Integrity (of message), (3) Non-repudiation (by origin)." The process is defined as Sign(SK, M) where SK is the secret (private) key, which aligns perfectly with option C's methodology.
4. Google Cloud Security Whitepaper, "Encryption in Transit in Google Cloud": This paper details how Google Cloud uses TLS to secure data in transit (Section: "Default encryption in transit"). This supports the reasoning for why option D is incorrect, as TLS secures the transport layer between two points (e.g., client and server), not the authenticity of the application-layer message itself for end-to-end verification between users.
Question 5
You created a pipeline that can deploy your source code changes to your infrastructure in instance groups for self-healing. One of the changes negatively affects your key performance indicator. You are not sure how to fix it, and investigation could take up to a week. What should you do?
A. Logging in to a server to iterate a fix is a manual process that is not scalable and will be undone when the instance group's self-healing mechanism replaces the instance.
B. While changing the instance template would work, it's a manual infrastructure-level intervention. The root cause is the application code, and the best practice is to fix the source of truth (the code) and let the pipeline manage the infrastructure changes.
D. Manually swapping code on live servers is an anti-pattern. It is not repeatable, not auditable, and any changes will be lost during self-healing events or subsequent automated deployments.
1. Google Cloud Documentation, DevOps tech: Continuous delivery: "A key goal of continuous delivery is to make your release process a low-risk event that you can perform at any time and on demand. ... Because you are deploying smaller changes, you can more easily pinpoint and address bugs and roll back changes if necessary." This supports the principle of rolling back a problematic change through the established process.
Source: Google Cloud, "DevOps tech: Continuous delivery", Section: "What is continuous delivery?".
2. Google, Site Reliability Engineering, Chapter 8 - Release Engineering: "A key feature of our release system is the ability to quickly and safely roll back a release that is found to be bad. ... Rollbacks use the same infrastructure as rollouts, but in reverse." This highlights the best practice of using the same automated system (the pipeline) for rollbacks as for deployments, which is achieved by reverting the code and re-running the pipeline.
Source: Beyer, B., Jones, C., Petoff, J., & Murphy, N. R. (2016). Site Reliability Engineering: How Google Runs Production Systems. O'Reilly Media. Chapter 8, Section: "Rollout Policies".
3. Google Cloud Documentation, Managed instance groups (MIGs): "A managed instance group (MIG) ... maintains high availability of your apps by proactively keeping your VMs (instances) running. If a VM in the group stops, crashes, or is deleted... the MIG automatically recreates it in accordance with the group's instance template". This confirms that any manual changes made directly to an instance (as suggested in options A and D) will be lost.
Source: Google Cloud, "Managed instance groups (MIGs)", Section: "High availability".
Question 6
A. Multiple Organizations with multiple Folders: Using multiple Organizations breaks the principle of central control, as each Organization is a distinct root entity with its own separate policies.
B. Multiple Organizations, one for each department: This approach completely fragments governance, creating isolated silos for each department and making central IAM policy enforcement impossible.
D. A single Organization with multiple projects, each with a central owner: While this provides central control, it lacks the intermediate grouping layer (Folders) for departments, making policy management at scale inefficient and difficult to delegate.
1. Google Cloud Documentation, Resource Manager, "Cloud Platform resource hierarchy": "Folders are an additional grouping mechanism on top of projects... Folders are commonly used to model different departments, teams, or legal entities within a company. For example, a first level of folders could represent the major departments in your organization." This directly supports using folders to represent departments.
2. Google Cloud Documentation, Resource Manager, "Creating and managing folders", Section: "Using folders for access control": "You can use folders to isolate resources for different departments... Access to resources can be limited by department by assigning IAM roles at the folder level. All projects and folders within a parent folder inherit the IAM policies of that folder." This confirms that folders are the correct tool for delegating departmental control.
3. Google Cloud Documentation, IAM, "Policy inheritance": "The resource hierarchy for policy evaluation includes the organization, folders, projects, and resources... The child resource inherits the parent's policy." This explains the mechanism for central control from the Organization node downwards.
4. Google Cloud Architecture Framework, "Design a resource hierarchy for your Google Cloud landing zone": In the "Folder structure" section, a common pattern recommended is: "A folder for each department, such as Dept-A and Dept-B." This establishes the chosen answer as a documented best practice.
Question 7
A. The Cloud Monitoring alerting console is used for configuring and viewing alerts based on metrics, logs, and uptime checks, not for retrospectively searching historical audit logs for specific events.
B. Resource creation events are captured in Admin Activity logs, not Data Access logs. Data Access logs track when data within a resource is read or written, which is not relevant here.
D. Checking system logs on the GCE instance would only show who has logged into the virtual machine, not who created the underlying network or the instance itself. The creator may have never accessed the instance.
1. Cloud Audit Logs Overview: "Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions." This confirms that creating a network is an Admin Activity.
Source: Google Cloud Documentation, "Cloud Audit Logs", Overview section.
2. Querying Logs in Logs Explorer: The Logs Explorer allows for building queries to find specific log entries. A query to find network creation events would look like: resource.type="gce_network" AND protoPayload.methodName="v1.compute.networks.insert". This demonstrates the method described in the correct answer.
Source: Google Cloud Documentation, "Build queries in the Logs Explorer", Query for a resource type and log name section.
3. Compute Engine Audited Operations: The official documentation lists the specific API methods that are logged. For creating a network, the method is v1.compute.networks.insert. This validates that searching for an "insert" entry for a GCE Network is the correct procedure.
Source: Google Cloud Documentation, "Compute Engine audit logging information", Audited operations table.
Question 8
A. Configure their replication to use UDP.
UDP is an unreliable, connectionless protocol that does not guarantee packet delivery or order. Database replication requires the guaranteed, in-order delivery provided by TCP to prevent data corruption.
C. Restore their database daily using Google Cloud SQL.
This is a backup-and-restore strategy, not replication. A daily restore implies a Recovery Point Objective (RPO) of up to 24 hours, which is typically unacceptable for a production database DR plan.
D. Add additional VPN connections and load balance them.
While this can increase aggregate throughput and add redundancy, all connections still traverse the unreliable public internet. It does not solve the fundamental problems of inconsistent latency and packet loss for a single replication stream.
E. Send the replicated transaction to Google Cloud Pub/Sub.
This introduces significant architectural complexity, requiring custom producers and consumers. It does not address the underlying network instability between the on-premises data center and GCP, which is the root cause of the problem.
1. Google Cloud Documentation, "Choosing a Network Connectivity product": This document directly compares Cloud VPN and Cloud Interconnect. It states, "Cloud Interconnect provides low latency, high availability connections that enable you to reliably transfer data between your on-premises and Virtual Private Cloud (VPC) networks." It also notes for Cloud VPN, "Because this connection traverses the internet, its performance...can be inconsistent." This supports choosing Interconnect (B) over VPN (D).
2. Google Cloud Documentation, "Dedicated Interconnect overview": This page highlights the key benefits of Dedicated Interconnect: "Lower latency. Traffic between your on-premises and VPC networks doesn't touch the public internet. Instead, it travels over a dedicated connection with lower latency." This directly addresses the problem described in the question.
3. MySQL 8.0 Reference Manual, "Section 19.1.1 Replication Implementation Overview": The MySQL documentation describes the replication process where a replica's I/O thread connects to the source server over the network to read the binary log. This connection relies on a stable, reliable transport protocol like TCP, making UDP (A) an unsuitable choice.
4. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. In Chapter 3, Section 3.3, UDP is described as providing an "unreliable data transfer service," while Section 3.5 describes TCP's "reliable data transfer" service, reinforcing why UDP is incorrect for database replication.
Question 9
A. Hash all data using SHA256: Hashing the entire log entry would render the non-sensitive data unusable for the stated purpose of retention and analysis, as it's a one-way, irreversible process.
B. Encrypt all data using elliptic curve cryptography: Encryption protects data but does not sanitize or de-identify it. The sensitive information still exists in an encrypted form and is not removed or transformed for analysis.
D. Use regular expressions to find and redact phone numbers, email addresses, and credit card numbers: This approach is brittle, difficult to maintain, and prone to errors. It cannot reliably detect all formats of sensitive data (e.g., international phone numbers, names) or validate them (e.g., credit card checksums), unlike the managed and sophisticated detectors in Cloud DLP.
1. Cloud Data Loss Prevention Documentation - De-identification of sensitive data: "You can use Cloud DLP to de-identify sensitive data in your content. De-identification is the process of removing identifying information from data. Its goal is to allow the sharing and use of personal data while protecting privacy." This page details methods like redaction and masking, which are ideal for the scenario.
Source: Google Cloud Documentation, "De-identification of sensitive data".
2. Cloud Data Loss Prevention Documentation - InfoType detector reference: This document lists the extensive built-in detectors for PII and PCI data, such as CREDIT_CARD_NUMBER, EMAIL_ADDRESS, and PHONE_NUMBER. This demonstrates why Cloud DLP is superior to custom regular expressions.
Source: Google Cloud Documentation, "InfoType detector reference".
3. Google Cloud Architecture Framework - Security, privacy, and compliance: "Use Cloud DLP to discover, classify, and redact sensitive data. For example, you can use Cloud DLP to find and redact credit card numbers from a chat transcript before you store the transcript." This directly cites the use case described in the question as a recommended practice.
Source: Google Cloud Architecture Framework, Security pillar, "Implement least privilege".
Question 10
B. Cloud Storage: This is an object storage service, not a local filesystem directory in the execution path. The utility would need to be downloaded to the VM before it could be run.
C. /google/scripts: This directory is part of the ephemeral Cloud Shell virtual machine instance. Any files placed here will be lost when your session ends.
D. /usr/local/bin: While this directory is in the default execution path, it resides on the ephemeral VM's filesystem. It does not persist across sessions, so the utility would be deleted.
1. Google Cloud Documentation, "How Cloud Shell works", Section: Persistent disk storage: "Cloud Shell provisions 5 GB of persistent disk storage on your temporarily allocated virtual machine. This storage is located at your $HOME directory and persists between sessions... Any modifications you make to your home directory, including installed software, scripts, and user configuration files like .bashrc and .vimrc, persist between sessions."
2. Google Cloud Documentation, "Cloud Shell features", Section: A pre-configured gcloud CLI and other utilities: This section implies a standard Linux environment. In standard Linux configurations (like the Debian base for Cloud Shell), the default .profile script adds $HOME/bin to the $PATH if the directory exists. This behavior, combined with the persistence of the $HOME directory, makes ~/bin the correct location.
3. Google Cloud Documentation, "Customizing your Cloud Shell environment": This guide explains how to make persistent customizations. It states, "When you start Cloud Shell, a bash shell is run and any commands in ~/.bashrc and ~/.profile are executed." This confirms that standard shell startup scripts, which typically configure the path to include ~/bin, are honored and persist.
Question 11
B. A single Cloud VPN tunnel provides a maximum of 3 Gbps of bandwidth, which does not meet the 20 Gbps requirement.
C. Cloud CDN is a content delivery network used for caching and distributing web content to users globally; it is not a service for establishing private network connectivity.
D. This option is incorrect for two reasons: Cloud CDN is the wrong service for this purpose, and a single Cloud VPN does not meet the bandwidth requirement.
1. Google Cloud Documentation, "Choosing a Network Connectivity product": In the comparison table under "Features," Cloud Interconnect is listed with a bandwidth of "10 Gbps or 100 Gbps per link," suitable for high-throughput needs. In contrast, Cloud VPN is listed with a bandwidth of "Up to 3 Gbps per tunnel." This directly supports the choice of Interconnect over VPN for the 20 Gbps requirement.
2. Google Cloud Documentation, "Dedicated Interconnect overview": This document states, "Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network... Connections are offered as one or more 10-Gbps or 100-Gbps Ethernet connections." This confirms that multiple 10 Gbps connections can be used to meet the 20 Gbps requirement.
3. Google Cloud Documentation, "Cloud CDN overview": This document describes Cloud CDN as a service that "uses Google's global edge network to bring content closer to your users." This clarifies that its purpose is content distribution, not establishing a private network link for backend services, making options C and D incorrect.
Question 12
A. Utilize free tier and sustained use discounts. Provision a staff position for service cost management.
Hiring a dedicated staff position for a startup in a trial phase is not cost-effective and contradicts the goal of minimizing costs.
B. Utilize free tier and sustained use discounts. Provide training to the team about service cost management.
Sustained Use Discounts (SUDs) are automatic and less impactful than CUDs. A best-practice business process should be proactive, planning to use the most effective tools, not just relying on passive, automatic ones.
C. Utilize free tier and committed use discounts. Provision a staff position for service cost management.
As with option A, provisioning a dedicated staff position is an unnecessary expense for a startup and is not a recommended best practice for this scenario.
1. Google Cloud Cost Management Solutions: The official documentation outlines key principles, including empowering teams and using intelligent pricing models. It states, "Empower your teams with the training, resources, and tools they need to operate with cost-efficiency" and "Take advantage of intelligent recommendations to... use pricing models like committed use discounts to optimize costs." This directly supports the combination of training and CUDs in option D. (Source: Google Cloud, "Cost Management", Section: "Key principles of cloud cost management").
2. Committed Use Discounts (CUDs) Documentation: CUDs are Google's primary tool for reducing costs on predictable workloads. The documentation states, "Committed use discounts (CUDs) provide deeply discounted prices in exchange for your commitment... The discounts are ideal for workloads with predictable resource needs." A best practice business process involves identifying these predictable needs and applying CUDs. (Source: Google Cloud, "Committed use discounts", Overview section).
3. Sustained Use Discounts (SUDs) Documentation: This page explains that SUDs are automatic and apply when resources run for a significant portion of the month. While beneficial, they are a passive mechanism and have been largely superseded by the more strategic CUDs for vCPU and memory, making them a less central part of a proactive cost management process. (Source: Google Cloud, "Sustained use discounts", Overview section).
Question 13
A. Red/black (or blue/green) is a production deployment strategy that minimizes downtime. It does not, by itself, provide a pre-production verification stage, which is the primary requirement.
B. Running tests on production deployments is a high-risk practice. The goal is to find and fix issues before they reach production and impact users, not after.
C. A canary deployment (releasing to 10% of users) is a strategy for a phased rollout to production. Verification happens on a subset of live users, not in a dedicated test environment before production.
1. Google Cloud Documentation - CI/CD on Google Cloud: This documentation outlines the typical stages of a software delivery pipeline: Source, Build, Test, and Deploy. Option D aligns perfectly with this model by including a dedicated "Test" stage (in the staging environment) before the final "Deploy" stage (to production). The document emphasizes that "Each stage acts as a gate that vets a new change for quality."
Source: Google Cloud Documentation, "CI/CD modernization: A guide to building a software delivery pipeline", Section: "Stages of a software delivery pipeline".
2. Google Cloud Solutions - Continuous deployment to GKE using Jenkins: This official tutorial demonstrates a multi-environment pipeline. It uses separate Git branches (dev, production) to trigger deployments to different environments. Using tags, as described in option D, is an analogous and widely accepted best practice for managing releases, where a specific tag triggers the promotion of a build through the pipeline from staging to production.
Source: Google Cloud Solutions, "Continuous deployment to GKE using Jenkins", Section: "Understanding the application development and deployment workflow".
3. Google Cloud Documentation - Release and deployment strategies: This page describes strategies like blue/green (red/black) and canary deployments. It positions them as methods for the final step of deploying to production to reduce risk, which confirms that they are distinct from the pre-production verification step described in option D.
Source: Google Cloud Documentation, "Application deployment and testing strategies", Sections: "Blue/green deployments" and "Canary deployments".
Question 14
A. The IAM Viewer role is a read-only role and does not grant the necessary permissions (compute.instances.osLogin or compute.instances.setMetadata) to connect to a VM via SSH.
B. Performing a rolling restart will not solve the issue. The new instances created during the restart will still fail the health check and enter the same restart loop.
D. The question explicitly states that autoscaling is already disabled. The issue is caused by autohealing, which is a separate feature from autoscaling, even though both are part of MIGs.
1. Autohealing and Health Checks: Google Cloud documentation states, "Autohealing relies on a health check to determine if an application on an instance is responding as expected... If the health check determines that an application has failed, the group automatically recreates that instance." To stop this, the health check must be removed.
Source: Google Cloud Documentation, "Setting up health checking and autohealing," Section: "How autohealing works."
2. Updating a Managed Instance Group: To disable the health check, you must update the instance group's configuration. The documentation outlines procedures for updating MIGs, which includes removing an associated health check.
Source: Google Cloud Documentation, "Updating managed instance groups (MIGs)," Section: "Updating a health check for a MIG."
3. Managing SSH Keys: Project-wide public SSH keys can be used to grant access to all instances in a project. "When you add a public SSH key to a project, any user who has the private key can connect to any VM in that project that is configured to accept project-wide keys."
Source: Google Cloud Documentation, "Managing SSH keys in metadata," Section: "Adding and removing project-wide public SSH keys."
4. IAM Roles for Compute Engine: The documentation for the Viewer role (roles/viewer) confirms it does not include permissions like compute.instances.setMetadata or IAP-based access, which are required for SSH connections.
Source: Google Cloud Documentation, "Compute Engine IAM roles," Section: "Project roles."
Question 15
A. This is incorrect. Google's list of services covered by its PCI DSS compliance includes many compute platforms, such as Compute Engine, Cloud Functions, and Google Kubernetes Engine, not just App Engine.
B. This is incorrect. GKE can be configured to meet PCI DSS requirements. Using features like VPC-native clusters with network policies, IAM for GKE, and private clusters allows for the necessary network segmentation and isolation.
D. This is a common misconception. Not all Google Cloud services are in scope for PCI DSS. Furthermore, even for in-scope services, the platform's compliance does not confer compliance on the customer's application; it is a shared responsibility.
1. Google Cloud Compliance Offerings: PCI DSS: "Google Cloud undergoes a third-party audit to certify individual products against the PCI DSS. This means that these services provide an infrastructure on top of which customers can build their own service or application that stores, processes, or transmits cardholder data... PCI DSS compliance is a shared responsibility." The page lists Google Kubernetes Engine as an in-scope product.
Source: Google Cloud Documentation, "Compliance offerings: PCI DSS," Section: "Shared Responsibility."
2. PCI DSS compliance on Google Kubernetes Engine: "This guide describes how to build a Payment Card Industry Data Security Standard (PCI DSS) compliant environment on Google Kubernetes Engine (GKE)... GKE provides many features that can help you meet the PCI DSS requirements, such as private clusters, VPC-native clusters, network policy, Google Groups for GKE, and GKE Sandbox."
Source: Google Cloud Architecture Center, "PCI DSS compliance on Google Kubernetes Engine," Introduction.
3. Shared responsibility for PCI DSS compliance on Google Cloud: "Although Google Cloud is a PCI DSS-validated service provider, you are still responsible for your own PCI DSS compliance for your applications on Google Cloud."
Source: Google Cloud Architecture Center, "PCI DSS on Google Cloud," Section: "Shared responsibility."
Question 16
A. Cloud Datalab (now part of Vertex AI Workbench) is a notebook-based environment for data scientists. While powerful, it requires writing custom code for data cleaning and anomaly detection, making it less efficient for this task than a dedicated visual tool.
C. Connecting a cloud service directly to multiple on-premises systems for processing is complex and not a standard ingestion pattern for batch data. Furthermore, Cloud Datalab is not the optimal tool for this use case.
D. While Cloud Dataprep is the correct tool, the recommended architectural pattern is to first land the data in a central staging area like Cloud Storage, rather than connecting directly to multiple on-premises sources.
1. Cloud Dataprep Overview: "Cloud Dataprep by Trifacta is an intelligent data service for visually exploring, cleaning, and preparing structured and unstructured data... With each UI interaction, Cloud Dataprep automatically suggests and predicts the next data transformation, which can help you reduce the time to get insights." This highlights its purpose for cleaning and anomaly detection.
Source: Google Cloud Documentation, "Cloud Dataprep overview".
2. Cloud Storage as a Staging Area: "Cloud Storage is an ideal place to land data from other clouds or on-premises before it's moved into a data warehouse like BigQuery or a data lakehouse like Dataplex." This confirms the pattern of uploading files to Cloud Storage first.
Source: Google Cloud Documentation, "Build a modern, open, and intelligent data cloud".
3. Data Lifecycle on Google Cloud: Reference architectures for analytics pipelines consistently show data being ingested from on-premises sources into Cloud Storage before being processed by services like Cloud Dataprep, Dataflow, or Dataproc.
Source: Google Cloud Architecture Center, "Data lifecycle on Google Cloud".
4. Comparing Data Preparation Tools: "Cloud Dataprep is a good choice when you want to use a UI to build your data preparation pipelines... Vertex AI Workbench is a good choice when you want to use a notebook to explore and prepare your data." This distinguishes the use cases, positioning Dataprep as the correct choice for the visual, UI-driven task described in the question.
Source: Google Cloud Documentation, "Data preparation options".
Question 17
A. This is incorrect because it ignores the fundamental principle of policy inheritance in the Google Cloud resource hierarchy. Policies from parent nodes are always inherited by child nodes.
B. This is incorrect because the standard IAM policy model is additive, not restrictive. Permissions granted at an ancestor level are added to, not used to restrict, permissions at a lower level. While Deny Policies can restrict permissions, the fundamental mechanism for calculating the effective allow policy is a union.
D. This is incorrect because an intersection would require a permission to be granted at every level of the hierarchy to be effective. This would be overly restrictive and is not how Google Cloud IAM operates.
1. Google Cloud Documentation, IAM Overview, "Policy inheritance": "The effective policy for a resource is the union of the policy set on the resource and the policy inherited from its parent. This policy evaluation is transitive. For example, if you set a policy at the Organization level, it is inherited by all of its child folders and projects. If you set a policy at the project level, it is inherited by all of its child resources."
2. Google Cloud Documentation, Resource Manager, "Overview of the resource hierarchy", Section: "IAM policy inheritance": "The allow policy for a resource is the union of the allow policy set on the resource and the allow policy inherited from its ancestors. This rule applies to the entire resource hierarchy."
3. Google Cloud Documentation, IAM, "Hierarchical policy evaluation": "The full set of permissions for a resource is the union of permissions granted on that resource and permissions inherited from higher up in the hierarchy. In other words, permissions are inherited through the resource hierarchy."
Question 18
A. Use the same IP range on Google Cloud as you use on-premises
This creates a direct IP address conflict, which breaks routing between the two networks and makes systems unreachable.
B. Use the same IP range on Google Cloud as you use on-premises for your primary IP range and use a secondary range that does not overlap with the range you use on-premises
The overlapping primary IP range still causes the fundamental routing conflict, making the connection unreliable regardless of the secondary range.
D. Use an IP range on Google Cloud that does not overlap with the range you use on-premises for your primary IP range and use a secondary range with the same IP range as you use on-premises
Introducing an overlapping secondary range re-creates the routing conflict for any resource using that range, leading to connectivity failures.
1. Google Cloud Documentation, Cloud VPN Overview, "Network and subnet considerations": "The IP ranges for subnets in your VPC network cannot overlap with the IP ranges used in your on-premises network. If they do, traffic routing issues can occur." This section explicitly states the core requirement for non-overlapping IP ranges.
2. Google Cloud Documentation, "Best practices and reference architectures for VPC design," Section: "Hybrid networking": "When you connect your VPC network to another network, such as an on-premises network... the subnet IP ranges in the VPC network and the other network can't overlap. If you have overlapping IP addresses, traffic doesn't route correctly." This reinforces the principle as a best practice for any hybrid connectivity scenario.
3. Google Cloud Documentation, Cloud Router Overview, "BGP sessions": Cloud Router uses BGP to exchange routes between your VPC network and your on-premises network. The BGP protocol relies on unique network prefixes (IP ranges) to build a coherent routing table. Overlapping prefixes make it impossible for BGP to establish predictable routes.
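As an added example (not Cert Empire's or Google's code), this is the pre-provisioning check an architect can run over an address plan before bringing up the VPN: it evaluates all four layouts from this question against a constructed on-premises block. The on-premises range 10.0.0.0/16 and the option CIDRs are assumptions chosen to reproduce each option's outcome.

```python
"""Check that a planned VPC address plan does not overlap an on-premises network.

Constructed example: the on-premises block and option CIDRs below are assumptions,
not values from the exam page or Google documentation.
"""
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed on-premises address space (assumption: one RFC 1918 block).
ONPREM_RANGES: List[str] = ["10.0.0.0/16"]

# The four layouts described in Question 18, expressed as constructed CIDRs.
# Each entry lists the primary range followed by any secondary ranges.
OPTIONS: Dict[str, List[Tuple[str, str]]] = {
    "A": [("primary", "10.0.0.0/16")],                                 # same as on-prem
    "B": [("primary", "10.0.0.0/16"), ("secondary", "10.1.0.0/16")],   # primary overlaps
    "C": [("primary", "10.10.0.0/16"), ("secondary", "10.20.0.0/16")], # no overlap
    "D": [("primary", "10.10.0.0/16"), ("secondary", "10.0.0.0/16")],  # secondary overlaps
}

Conflict = Tuple[str, str, str]  # (vpc range label, vpc cidr, on-prem cidr)


def find_overlaps(vpc_ranges: Sequence[Tuple[str, str]],
                  onprem_ranges: Sequence[str]) -> List[Conflict]:
    """Return every (label, vpc_cidr, onprem_cidr) pair whose prefixes overlap.

    strict=True rejects CIDRs with host bits set (e.g. 10.0.0.1/16), which would
    otherwise silently normalise to a different network than the author intended.
    """
    conflicts: List[Conflict] = []
    onprem_nets = [ipaddress.ip_network(r, strict=True) for r in onprem_ranges]
    for label, cidr in vpc_ranges:
        net = ipaddress.ip_network(cidr, strict=True)
        for other in onprem_nets:
            # overlaps() is only meaningful within one IP version.
            if net.version == other.version and net.overlaps(other):
                conflicts.append((label, cidr, str(other)))
    return conflicts


def find_internal_overlaps(vpc_ranges: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Primary and secondary ranges of a VPC must not overlap each other either."""
    nets = [(label, ipaddress.ip_network(cidr, strict=True)) for label, cidr in vpc_ranges]
    clashes: List[Tuple[str, str]] = []
    for i, (label_a, net_a) in enumerate(nets):
        for label_b, net_b in nets[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                clashes.append((label_a, label_b))
    return clashes


def evaluate_option(option: str) -> List[Conflict]:
    """Conflicts between one of the question's layouts and the on-prem block."""
    return find_overlaps(OPTIONS[option], ONPREM_RANGES)


def routable_options(options: Dict[str, List[Tuple[str, str]]] = OPTIONS,
                     onprem: Sequence[str] = ONPREM_RANGES) -> List[str]:
    """Options whose ranges neither overlap on-prem nor overlap each other."""
    return sorted(
        name for name, ranges in options.items()
        if not find_overlaps(ranges, onprem) and not find_internal_overlaps(ranges)
    )


if __name__ == "__main__":
    for name in OPTIONS:
        conflicts = evaluate_option(name)
        print(f"Option {name}: {'OK' if not conflicts else 'CONFLICT ' + str(conflicts)}")
    print("Routable layouts:", routable_options())
```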
Question 19
B. App Engine does not automatically detect or apply index configuration files from a Cloud Storage bucket. Index deployment is an explicit administrative action.
C. Deleting current indexes is unnecessary and potentially harmful, as it could break existing application queries. The correct command updates indexes without requiring deletion.
D. Index management is a control plane operation performed via tools like gcloud or the GCP Console, not through runtime HTTP requests to application modules.
1. Google Cloud Documentation - Managing Datastore indexes: "To upload your indexes to Datastore, run the following command from the directory where your index.yaml file is located: gcloud datastore create-indexes index.yaml". This page explicitly details the command in option A as the correct procedure.
Source: Google Cloud, "Managing Datastore indexes", section "Uploading indexes".
2. Google Cloud SDK Documentation - gcloud datastore create-indexes: This official command reference describes the usage: "gcloud datastore create-indexes INDEXFILE ... This command creates new Datastore indexes from a local file." This directly validates option A.
Source: Google Cloud SDK Documentation, gcloud datastore create-indexes.
3. Google Cloud Documentation - index.yaml Configuration: "When you have finished creating your index.yaml file, deploy it to Datastore. See Managing Datastore Indexes for details." This confirms that index.yaml is the configuration file and it must be actively deployed.
Source: Google Cloud, "Configuring Datastore indexes with index.yaml".
Question 20
A. Using single Compute Engine instances in each region creates single points of failure and lacks the scalability and auto-healing benefits provided by managed instance groups.
B. This describes a hybrid cloud DR strategy, not a multi-region cloud-native one. The primary deployment on a single instance is not a resilient or highly available design.
D. Deploying in separate projects adds unnecessary operational and networking complexity (e.g., requiring Shared VPC or VPC Peering) without providing any direct benefit for the stated DR goal.
1. Google Cloud Documentation, Disaster recovery planning guide: This guide outlines DR patterns. The "Warm standby (active-passive)" pattern for applications describes using Cloud Load Balancing to fail over between regions. It states, "You configure a health check that determines when to fail over to the VMs in [REGIONB]." This directly supports the architecture in option C.
Source: Google Cloud, "Disaster recovery scenarios for applications", Section: "Warm standby (active-passive)".
2. Google Cloud Documentation, Cloud Load Balancing overview: The documentation for the Global External HTTP(S) Load Balancer explicitly states its multi-region capabilities. "Global external HTTP(S) Load Balancer is a global load balancer... You can use this load balancer to route traffic to backends in multiple regions." This confirms it is the correct tool for cross-region failover.
Source: Google Cloud, "Cloud Load Balancing overview", Section: "Types of load balancers".
3. Google Cloud Documentation, Managed instance groups (MIGs): This document explains the benefits of MIGs over single instances, including high availability through autohealing and scalability through autoscaling, which are critical for a robust production architecture.
Source: Google Cloud, "Managed instance groups (MIGs)", Section: "Benefits of MIGs".
4. Google Cloud Architecture Framework, Reliability pillar: This framework recommends deploying applications across multiple zones and regions to protect against failures. "To protect against regional failure, you need to deploy your application in multiple regions... you can use Cloud Load Balancing to provide a single IP address for users."
Source: Google Cloud Architecture Framework, "Reliability pillar", Section: "Design for disaster recovery".
Question 21
A. App Engine firewall rules control inbound traffic to the application, not outbound connections to a database. The standard environment also lacks the required native VPC integration.
B. The App Engine standard environment runs in a sandboxed environment and cannot be placed directly within a VPC to initiate connections over a Cloud VPN tunnel.
C. App Engine firewall rules are the incorrect tool; they manage incoming requests to the application, not secure outgoing connections to an external database.
1. App Engine Flexible Environment Networking: The official documentation states that App Engine flexible environment instances run on Compute Engine virtual machines within your project's VPC network. This enables direct access to other VPC resources.
Source: Google Cloud Documentation, "App Engine flexible environment, Connecting to a VPC network". Section: "Accessing Google Cloud services".
2. Comparison of App Engine Environments: The choice between standard and flexible environments often depends on networking requirements. The flexible environment is explicitly designed for applications that need to operate within a VPC and access resources via VPN or Interconnect.
Source: Google Cloud Documentation, "Choosing an App Engine environment". The table comparing features highlights that the flexible environment allows "Access to resources in a VPC network".
3. Cloud VPN for Hybrid Connectivity: Cloud VPN is the designated service for securely connecting a VPC network to an on-premises network over an IPsec VPN connection.
Source: Google Cloud Documentation, "Cloud VPN overview". Section: "How Cloud VPN works".
4. App Engine Firewall Functionality: The documentation clarifies that App Engine firewalls are used to control incoming requests to the application from specified IP ranges, not for securing outbound traffic.
Source: Google Cloud Documentation, "Controlling Ingress Traffic". Section: "Creating firewalls".
Question 22
B: Using firewall rules to allow traffic to Cloud Storage IP ranges still requires the VM to have an external IP address to route traffic, which violates the core security constraint of no public internet access.
C: Cloud Source Repositories is a managed Git repository service designed for source code, not for storing software installation binaries or packages. Cloud Storage is the appropriate service for this use case.
D: This option is incorrect for two reasons: it uses the inappropriate service (Cloud Source Repositories) for the file type, and it proposes using the wrong tool (gsutil) to access it.
1. Private Google Access: "Private Google Access provides access to the external IP addresses of Google APIs and services from VMs that don't have external IP addresses." This directly supports the method described in option A.
Source: Google Cloud Documentation, "Private Google Access overview", Section: "Overview".
2. Cloud Storage Use Cases: "Cloud Storage is a service for storing your objects in Google Cloud... Cloud Storage is a good choice for storing data for archival and disaster recovery, or for distributing large data objects to users via direct download." This confirms Cloud Storage is the correct service for installation files.
Source: Google Cloud Documentation, "Cloud Storage - Product overview".
3. gsutil Tool: "gsutil is a Python application that lets you access Cloud Storage from the command line." This confirms gsutil is the correct tool for downloading files from Cloud Storage.
Source: Google Cloud Documentation, "gsutil tool".
4. Cloud Source Repositories Use Cases: "Cloud Source Repositories provides Git version control to support developing and deploying your app." This highlights its purpose for source code, making it an inappropriate choice for software installers.
Source: Google Cloud Documentation, "Cloud Source Repositories - Product overview".
Question 23
B: Cloud Dataprep is a service for visually exploring, cleaning, and preparing structured and unstructured data for analysis and machine learning. It is not used for data transfer or decryption from a Transfer Appliance.
C: Using gsutil for a 75 TB transfer would be extremely slow and unreliable over most internet connections, potentially taking weeks or months. While resumable transfers add reliability, Transfer Appliance is the recommended solution for this data volume.
D: This option is incorrect for the same reason as C; the data volume is too large for an online transfer to be the recommended practice. Additionally, streaming transfers are typically used for data from stdin, not for uploading a large set of existing files.
1. Google Cloud Documentation, "Choosing a transfer option": The official decision tree recommends Transfer Appliance for transferring more than 20 TB of data if the transfer would take more than one week online. For 75 TB, this is almost always the case.
Source: Google Cloud Documentation, "Data Transfer", Section: "Choosing a transfer option".
2. Google Cloud Documentation, "Transfer Appliance overview": This document explicitly states, "Transfer Appliance is a hardware appliance you can use to securely migrate large amounts of data... to Google Cloud Storage." It is recommended for data sizes from hundreds of terabytes up to 1 petabyte.
Source: Google Cloud Documentation, "Transfer Appliance", Section: "Overview".
3. Google Cloud Documentation, "How Transfer Appliance works": The process is detailed as: 1. Request appliance, 2. Copy data to appliance, 3. Ship appliance back to Google, 4. Google uploads your data to Cloud Storage. This confirms that Google handles the final decryption and upload step.
Source: Google Cloud Documentation, "Transfer Appliance", Section: "How Transfer Appliance works".
Question 24
B. Updating the underlying Instance Group modifies the cluster's nodes (VMs), not the application containers running on them. This is for infrastructure updates, not application updates.
C. Deleting and then recreating the Deployment is a "recreate" strategy. This causes a complete service outage because all old Pods are terminated before any new ones are started.
D. A Kubernetes Service is a networking object for exposing Pods; it does not define the container image. Modifying the Service will not update the application code.
1. Kubernetes Official Documentation, "Deployments": Under the section "Updating a Deployment," the documentation explicitly demonstrates using kubectl set image deployment/DEPLOYMENT_NAME CONTAINER_NAME=NEW_IMAGE as the imperative command to trigger a rolling update. It states, "This is the default and desired way if you want to have your Pods updated without an outage."
Reference: Kubernetes Documentation > Concepts > Workloads > Controllers > Deployment > Updating a Deployment.
2. Google Cloud Documentation, "Deploying a containerized web application": This official GKE tutorial guides users through deploying and updating an application. In "Step 5: Update the application," it uses the kubectl set image command to perform a zero-downtime rolling update on a GKE cluster.
Reference: Google Cloud > Kubernetes Engine > Documentation > Tutorials > Deploying a containerized web application > Step 5: Update the application.
3. Google Cloud Documentation, "Deployment strategies": This document describes different deployment strategies, highlighting that the default strategy for a Kubernetes Deployment object is a rolling update, which "slowly replaces pods of the previous version of your application with pods of the new version," ensuring zero downtime.
Reference: Google Cloud > Architecture Center > Application development > Deployment strategies.
Question 25
B: This configuration is reversed. Users would be billed on the data projects and would lack the permission (bigquery.jobs.create) to run queries in the designated billing project.
C: While roles/bigquery.jobUser also grants permission to run jobs, roles/bigquery.user is the more standard and appropriate role as it also allows users to list datasets in the project, which is a common user requirement. Option A is the better and more complete answer.
D: This configuration is also reversed and would not work. Users would be billed on the data projects and would be unable to run queries from the central billing project.
1. Google Cloud Documentation, "Introduction to IAM for BigQuery": This document outlines the principle of separating compute and storage. It states, "The project that is billed for a query is the project in which the job is run." To run a job, a user needs bigquery.jobs.create permission, which is part of the bigquery.user role.
Source: Google Cloud Documentation, BigQuery > Security and data governance > Access control > Introduction to IAM.
2. Google Cloud Documentation, "Predefined roles and permissions" for BigQuery: This page details the specific permissions within each role.
roles/bigquery.user: "When applied to a project, provides the ability to run jobs, including queries, within the project." It contains bigquery.jobs.create.
roles/bigquery.dataViewer: "When applied to a dataset, provides read-only access to the dataset's tables and views." It contains bigquery.tables.getData but not bigquery.jobs.create.
Source: Google Cloud Documentation, BigQuery > Security and data governance > Access control > Predefined roles and permissions.
3. Google Cloud Documentation, "Control access to projects": This section explicitly states, "To run a query job, a user must have the bigquery.jobs.create permission. This permission is included in the predefined bigquery.user and bigquery.jobUser project-level IAM roles." This confirms the need for the user or jobUser role on the project where queries are to be run and billed.
Source: Google Cloud Documentation, BigQuery > Security and data governance > Access control > Control access to projects.
Question 26
A: Cloud Storage does not have a native feature to protect buckets with a simple password. Access control is managed through Identity and Access Management (IAM), Access Control Lists (ACLs), or signed URLs.
C: Building an entire App Engine application is overly complex for this temporary testing need. Furthermore, Cloud Identity is used to manage users within an organization and is not suitable for external testers who do not have Google Accounts.
D: This option shares the same flaws as option C. It proposes an unnecessarily complex solution (an App Engine app) and suggests an authentication method (Cloud Identity) that contradicts the requirement that not all users have a Google Account.
1. Google Cloud Documentation - Signed URLs Overview: "A signed URL is a URL that provides limited permission and time to make a request... Anyone who is in possession of the signed URL can use it to perform the specified actions... within the specified time." This directly supports providing access to users without Google accounts for a limited time.
Source: Google Cloud Documentation, "Cloud Storage > Documentation > Security > Signed URLs Overview".
2. Google Cloud Documentation - Using signed URLs: "You can use signed URLs to give time-limited resource access to anyone, regardless of whether they have a Google account." This explicitly confirms that signed URLs are the correct mechanism for users without Google accounts. The documentation also details setting an expiration time.
Source: Google Cloud Documentation, "Cloud Storage > Documentation > How-to Guides > Using signed URLs".
3. Google Cloud Documentation - What is Cloud Identity?: "Cloud Identity is an Identity as a Service (IDaaS) solution that lets you centrally manage users and groups." This service is for managing known, provisioned identities, making it unsuitable for the ad-hoc, external users described in the scenario.
Source: Google Cloud Documentation, "Cloud Identity > Documentation > Overview > What is Cloud Identity?".
4. Google Cloud Documentation - Overview of access control: This document outlines the methods for controlling access to Cloud Storage buckets and objects. The listed methods are IAM, ACLs, signed URLs, and signed policy documents. It makes no mention of a password-protection feature for buckets.
Source: Google Cloud Documentation, "Cloud Storage > Documentation > Security > Overview of access control".
Question 27
A. This is incorrect because compliance is a shared responsibility. Google's certifications for its infrastructure do not automatically confer compliance upon the applications you build on it.
B. There is no single, universal "GDPR compliance setting" in the Google Cloud Console. Achieving compliance requires a comprehensive approach involving architecture, configuration, and operational processes.
C. Cloud Security Scanner is a tool for identifying web application vulnerabilities (e.g., XSS). While security is part of GDPR, this tool's scope is too narrow to address all GDPR requirements.
1. Official GDPR Text: Regulation (EU) 2016/679 (General Data Protection Regulation), Article 25, "Data protection by design and by default," paragraph 1 states, "...the controller shall...implement appropriate technical and organisational measures...which are designed to implement data-protection principles...in an effective manner and to integrate the necessary safeguards into the processing..." This legally mandates the action described in option D. (Source: Official Journal of the European Union, EUR-Lex)
2. Google Cloud Vendor Documentation: In the "Google Cloud & the General Data Protection Regulation (GDPR)" documentation, under the "Our shared responsibility" section, it clarifies: "While Google Cloud is responsible for the security of the cloud, you are responsible for security in the cloud... you, as a Google Cloud customer, are responsible for the applications that you build on our platform." This directly refutes the idea of "pass-on" compliance and emphasizes the customer's design responsibility. (Source: Google Cloud Security Documentation)
3. Google Cloud Vendor Documentation: The "Security foundations guide" outlines the shared responsibility model, stating that the customer is responsible for areas such as "Data classification and protection" and "Application-level controls." These are core components of designing a system for compliance. (Source: Google Cloud Security Foundations Guide)
Question 28
A. Cloud SQL HA provides zonal resilience, but its automatic failover process typically takes several minutes to complete, which does not meet the strict "no downtime" requirement.
B. Cloud Spanner is a globally distributed, NewSQL database service. It is not Microsoft SQL Server and therefore does not fulfill the primary requirement of the question.
C. Placing nodes in different subnets is insufficient. Multiple subnets can exist within the same zone, so this configuration does not guarantee protection against a zonal outage.
1. Google Cloud Documentation - Architecting disaster recovery for Microsoft SQL Server on Google Cloud: This document explicitly details the recommended high-availability pattern. It states, "For a high availability (HA) scenario, you can deploy a SQL Server Always On availability group across multiple zones within a single Google Cloud region. An availability group provides a single point of connectivity... and automates failover in the event of a failure." This directly supports placing AG nodes in different zones (Option D).
2. Google Cloud Documentation - High availability for Cloud SQL: The official documentation describes the failover process for Cloud SQL HA. Under the "Failover process" section, it notes: "The failover operation takes, on average, several minutes to complete." This confirms that while Cloud SQL HA provides zonal redundancy, its recovery time is not instantaneous, making it less suitable than an Always On AG for a "no downtime" scenario (making Option A less correct than D).
3. Google Cloud Documentation - Options for deploying SQL Server on Google Cloud: This guide compares Cloud SQL and SQL Server on Compute Engine. For Compute Engine, it highlights "Full control over the database and the operating system" and "Support for SQL Server Always On availability groups," which are necessary for the architecture described in Option D. It positions this IaaS approach as the solution for maximum control and specific HA configurations not met by the managed service.
Question 29
A. Using Deployment Manager is an indirect method for applying a Kubernetes manifest. The standard tool is kubectl, which directly interacts with the Kubernetes API.
C. kubectl is used to manage resources within an existing Kubernetes cluster; it cannot be used to create the cluster infrastructure itself.
D. kubectl cannot create the GKE cluster. While it is the correct tool for the deployment, the first step of the proposed action is incorrect.
1. Google Cloud Documentation - Creating a zonal cluster: This official guide explicitly demonstrates using the gcloud container clusters create command to provision a new GKE cluster.
Source: Google Cloud, Google Kubernetes Engine Documentation, "Creating a zonal cluster", Section: "Create a zonal cluster".
2. Google Cloud Documentation - Deploying an application: This document outlines the standard procedure for deploying a stateless application to a GKE cluster, specifying the use of kubectl apply -f [MANIFESTFILE] after the cluster has been created.
Source: Google Cloud, Google Kubernetes Engine Documentation, "Deploying a stateless Linux application", Section: "Deploy the application".
3. Kubernetes Documentation - Declarative Management of Kubernetes Objects Using Configuration Files: This official Kubernetes documentation explains that kubectl apply is the recommended command for managing applications from manifest files.
Source: Kubernetes.io, Documentation, "Tasks > Manage Kubernetes Objects > Declarative Management", Section: "How to apply a configuration".
4. University of California, Berkeley, Data 102: Data, Inference, and Decisions Courseware: Lab materials for cloud computing often demonstrate this standard workflow. For example, instructions for setting up a GKE cluster consistently use gcloud for cluster creation and kubectl for deploying applications.
Source: UC Berkeley, Data 102, Fall 2020, Lab 08, Section: "Setting up your Kubernetes Cluster". The lab instructs students to first run gcloud container clusters create and then kubectl apply.
Question 30
A. Setting a deadline is a project management task, not a skills gap plan. It fails to provide a structured approach to ensure the team has the necessary competencies to meet that deadline successfully.
C. Hiring external consultants is a short-term solution that is generally more expensive than training an internal team. It does not build sustainable, in-house capability, thus conflicting with the long-term goal of cost optimization.
D. While a certification roadmap is good, pairing it with hiring consultants makes it a less cost-optimal solution. The primary focus should be on developing the existing team to foster self-sufficiency and reduce long-term costs.
1. Google Cloud Adoption Framework: The framework's "People" theme emphasizes the importance of training and developing internal teams. It states, "As your organization adopts the cloud, you need to help your people learn new skills... A training plan helps you to methodically upskill your teams." This supports investing in team training over external hires for long-term success. (Source: Google Cloud Adoption Framework whitepaper, "Phase 2: Plan and foundation," Section: "The People theme").
2. Google Cloud Architecture Framework - Cost Optimization Pillar: This document outlines principles for building cost-effective solutions on Google Cloud. The skills validated by certifications, particularly the Professional Cloud Architect, are directly aligned with these principles, such as "Control resource costs" and "Optimize resource costs." A certified team is better equipped to apply these principles. (Source: Google Cloud Architecture Framework documentation, "Cost optimization pillar," Section: "Overview of the pillar").
3. Google Cloud Certifications: Official documentation states that "Google Cloud certification validates your expertise and shows you can design, develop, manage, and administer application infrastructure and data solutions on Google Cloud technology." The role-based nature of these certifications ensures that team members acquire the specific skills needed for their function, which is the essence of a skills gap plan. (Source: Google Cloud, "Cloud Certifications" official page, "Grow your career" section).
Question 31
B. Compute Engine: Virtual machines in Compute Engine incur costs as long as they are in a running state, even if idle. While they can be stopped, this is not an automatic, traffic-based scaling action and does not meet the "scales to zero" requirement.
C. Kubernetes Engine: A Google Kubernetes Engine (GKE) cluster requires at least one running node in its node pools to function, which incurs costs 24/7. It does not automatically scale the entire cluster infrastructure to zero when there is no traffic.
D. App Engine flexible environment: The App Engine flexible environment is designed for applications that require continuous availability and is configured to have at least one instance running at all times. It cannot automatically scale down to zero instances.
1. Cloud Functions Pricing: "With Cloud Functions, you pay only for the time your code runs, metered to the nearest 100 milliseconds. When your code is not running, you don't pay anything."
Source: Google Cloud Documentation, "Cloud Functions pricing", Section: "Pricing details".
2. App Engine Flexible Environment Scaling: "Scaling down to zero instances: To save costs for an app that receives no traffic, you can scale down to zero instances. This feature is only available in the standard environment."
Source: Google Cloud Documentation, "Comparing the standard and flexible environments", Feature comparison table.
3. Compute Engine Pricing: "For vCPUs and for memory, Compute Engine charges for a minimum of 1 minute. ... After 1 minute, instances are charged in 1-second increments." This confirms that a running instance is always being charged for.
Source: Google Cloud Documentation, "VM instances pricing", Section: "Billing model for virtual machine instances".
4. Kubernetes Engine Pricing: "In Autopilot mode, you pay for the vCPU, memory, and ephemeral storage resources that your Pods request while they are running. In Standard mode, you pay for each node at the standard Compute Engine price, regardless of whether Pods are running on the nodes." This shows a persistent cost for the underlying nodes or a cluster fee.
Source: Google Cloud Documentation, "Google Kubernetes Engine (GKE) pricing", Section: "Pricing overview".
Question 32
B: Running multiple get operations is inefficient. It incurs the overhead of a separate network round trip for each entity, increasing latency and cost.
C: Using a query is less efficient than a direct get by key. A query must scan an index to find the entities, whereas a get is a direct lookup.
D: This is the least efficient option. It combines the higher overhead of using queries instead of gets with the high latency of multiple individual database calls.
1. Google Cloud Documentation, "Best practices for Cloud Datastore mode", Section: "Use batch operations": "Use batch operations for reads, writes, and deletes instead of single-entity operations. Batch operations are more efficient because they perform multiple operations with the same overhead as a single operation." This supports using a "batch...operation" over multiple individual operations.
2. Google Cloud Documentation, "Retrieving an entity": This page details the lookup (get) operation. It states, "To retrieve an entity from Datastore mode when you know the key, use the lookup method." It also describes how to perform a batch lookup by providing multiple keys in a single request, which is the most efficient retrieval method by key.
3. Google Cloud Documentation, "Datastore mode queries": This documentation clarifies that queries are used to retrieve entities that meet a specified set of conditions on their properties and keys. This is inherently less efficient than a direct lookup (get) when the full key is already known.
Question 33
B. gcloud config is used to manage properties for the gcloud command-line interface, not for configuring specific gsutil settings like CSEK, which are handled by the .boto file.
C. The gsutil command does not have an --encryption-key flag. Passing keys directly on the command line is also a security risk as it can be exposed in shell history.
D. CSEK is applied on a per-object basis during upload or rewrite, not as a default property when a bucket is created. The --encryption-key flag is also invalid for bucket creation.
1. Google Cloud Documentation, "Customer-supplied encryption keys": Under the section "Using keys with gsutil," the documentation explicitly states: "You can use customer-supplied encryption keys with the gsutil command-line tool. Place your secret key in the ~/.boto configuration file." It provides the exact format:
[GSUtil]
encryption_key = [YOURKEY]
This directly supports option A as the correct procedure.
2. Google Cloud Documentation, "gsutil: Edit the .boto configuration file": This document details the various configuration options available in the .boto file. It lists encryption_key as a valid parameter within the [GSUtil] section, used for "The customer-supplied encryption key to be used for all requests." This confirms that the .boto file is the correct location for this configuration.
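To make the option A workflow concrete, here is an added shell example (not the page's own material, nor gsutil's documentation) that generates a CSEK, derives the key hash Cloud Storage reports for it, and writes the [GSUtil] fragment quoted above. It assumes openssl and base64 are on PATH; the .boto path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the page or from gsutil's documentation: generate a
# customer-supplied encryption key (CSEK), derive the hash Cloud Storage shows
# for it, and write the [GSUtil] fragment that gsutil reads from ~/.boto.
# Assumes openssl and base64 on PATH; the .boto path is passed in by the caller.

# A CSEK is a 256-bit AES key, supplied to gsutil base64-encoded.
generate_csek() {
    openssl rand -base64 32
}

# Cloud Storage never stores the key, only the base64-encoded SHA-256 of the
# raw key bytes (object metadata reports it as the key hash). Deriving it
# locally lets you confirm the key on hand is the one an object was written with.
csek_sha256() {
    printf '%s' "$1" | base64 -d | openssl dgst -sha256 -binary | base64
}

# Accept only keys that decode to exactly 32 bytes; anything else is a paste
# error that would fail every request, or a truncated key.
csek_is_valid() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Write the fragment the page quotes. The key is a secret: create the file with
# owner-only permissions and never pass the key on a command line (option C).
write_boto_fragment() {
    key="$1"; file="$2"
    csek_is_valid "$key" || { echo "refusing to write an invalid CSEK" >&2; return 1; }
    ( umask 077; printf '[GSUtil]\nencryption_key = %s\n' "$key" > "$file" )
}
```

Once the fragment is merged into ~/.boto, every gsutil upload and rewrite in that session uses the key; losing the key means losing access to the objects, so store it outside the shell history and the .boto file's backups.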
Question 34
A. While Bigtable is excellent for storing large volumes of time-series data, Google Data Studio is a business intelligence tool with data freshness delays, making it less suitable for the "low-latency monitoring" requirement compared to native Cloud Monitoring dashboards.
C. This option describes a batch processing pipeline. Loading files from Cloud Storage every ten minutes introduces significant delay, which violates the "real-time" and "low latency" requirements of the scenario.
D. Cloud Datastore is a transactional NoSQL database not optimized for the high-throughput, analytical query patterns of time-series monitoring. Cloud Datalab is an interactive analysis environment, not a real-time monitoring dashboard.
1. Cloud Monitoring for Custom Metrics: Official Google Cloud documentation states, "You can instrument your application to send custom metrics to Cloud Monitoring... You can then use the data from custom metrics in charts and alerting policies." This directly supports using Cloud Monitoring to capture and view KPIs.
Source: Google Cloud Documentation, "Custom metrics overview", Section: "What are custom metrics?".
2. Cloud Monitoring Dashboards: "You can display the metric data that you've collected as charts on a custom dashboard. The console provides both predefined dashboards and a Dashboards page where you can create and modify custom dashboards." This supports the low-latency monitoring requirement.
Source: Google Cloud Documentation, "Dashboards and charts", Section: "Custom dashboards".
3. Bigtable for Time-Series Data: Google Cloud documentation positions Bigtable for time-series workloads, particularly for "large-scale time-series data, financial analysis, [and] IoT data," often as a backend for applications or heavy analytics, not typically for direct, low-latency dashboarding via a BI tool.
Source: Google Cloud Documentation, "Schema design for time series data" in Cloud Bigtable.
4. BigQuery Batch Loading: Loading data from Cloud Storage into BigQuery is a batch operation. "Loading data from Cloud Storage is a free operation, but you are charged for storing the data in Cloud Storage." This method is not designed for real-time ingestion.
Source: Google Cloud Documentation, "Introduction to loading data from Cloud Storage" for BigQuery.
Question 35
A: Running a single small application per f1-micro VM is highly inefficient due to OS overhead and does not maximize utilization. Deploying via startup scripts is also unreliable and not easily repeatable.
B: While using custom VM images is a reliable pattern, a Managed Instance Group is less efficient at maximizing resource utilization for many small workloads compared to the bin-packing capabilities of GKE.
D: This option uses GKE but implements anti-patterns that undermine reliability. Using the :latest tag for production images is strongly discouraged as it is mutable, making rollouts and rollbacks unpredictable. Restarting pods is a crude, imperative action, not the proper declarative method of updating a Deployment manifest to trigger a controlled rollout.
1. GKE for Resource Utilization: Google Cloud documentation highlights GKE's ability to optimize resource usage. "GKE's cluster autoscaler automatically resizes the number of nodes in a given node pool, based on the demands of your workloads... When resources are underutilized, cluster autoscaler scales down, moving workloads to other nodes and removing unneeded nodes." This bin-packing and scaling maximizes utilization.
Source: Google Cloud Documentation, "Cluster autoscaler".
2. Best Practices for Container Images: The official Google Cloud documentation on building containers explicitly advises against using the :latest tag for production deployments. "We recommend that you tag your images with a version number... Because the :latest tag is a moving pointer, it's difficult to track which version of an image is running and it's difficult to roll back." This directly invalidates the approach in option D.
Source: Google Cloud Documentation, "Best practices for building containers", section "Tagging images".
3. Reliable Deployments with GKE: A Kubernetes Deployment is a declarative object. To reliably deploy a new version, you update the image tag in the Deployment's Pod template. Kubernetes then manages a controlled rolling update. "When you update the Pod template for a Deployment, the Deployment triggers a rollout to update its Pods to the new version." This is the correct, reliable method, contrasting with the manual pod restart suggested in option D.
Source: Google Cloud Documentation, "Updating a Deployment".
4. Using Namespaces for Environments: The official Kubernetes documentation (which GKE is built upon) describes using namespaces to isolate environments like staging and production. "Namespaces are intended for use in environments with many users spread across multiple teams, or projects." This supports the robust promotion workflow described in option C.
Source: Kubernetes.io Documentation, "Namespaces".
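A pre-deploy gate in shell, added here as an example (not the page's, GKE's or Kubernetes' code), that rejects the mutable image references option D relies on before a manifest is applied; the Deployment fragment, project name and image name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page, GKE or Kubernetes: a pre-deploy gate that
# refuses to roll out a Deployment whose image reference is mutable (":latest"
# or untagged), the anti-pattern option D relies on. Manifest is constructed.

# 0 if the reference is pinned by digest or by a tag other than "latest".
image_ref_is_immutable() {
    case "$1" in *@sha256:*) return 0 ;; esac   # digest: strongest pin
    path="$1"
    case "$1" in */*) path="${1#*/}" ;; esac    # drop host[:port] prefix
    case "$path" in
        *:latest) return 1 ;;                   # explicit moving pointer
        *:*)      return 0 ;;                   # some version tag
        *)        return 1 ;;                   # no tag at all means :latest
    esac
}

# Check every "image:" line in a manifest; return 1 if any is mutable.
check_manifest_images() {
    rc=0
    for ref in $(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$1" \
                 | tr -d "'\"" | sed 's/[[:space:]]*#.*$//'); do
        if image_ref_is_immutable "$ref"; then
            echo "ok      $ref"
        else
            echo "REJECT  $ref: pin a version tag or digest" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed Deployment fragment for a staging namespace; the image tag is a
# version, so changing it in the Pod template is what triggers the rollout.
write_sample_manifest() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata: {name: web, namespace: staging}
spec:
  template:
    spec:
      containers:
      - name: web
        image: gcr.io/example-project/web:v1.4.2   # constructed
        resources: {requests: {cpu: 100m, memory: 128Mi}}
EOF
}
```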