Google Cloud Architecture Best Practices
48 Questions
Questions and Answers

What is the recommended approach to provide a bare-metal server application with access to Cloud Storage while adhering to security policies?

  • Assign a public IP address to the server
  • Set up a Cloud VPN connection (correct)
  • Use a Cloud Storage transfer service
  • Enable Cloud Storage API directly on the server

In a project with a single VPC and multiple regions, which method ensures the new instance in europe-west1 can access the application hosted in us-central1?

  • Ensure the Compute Engine instance has a public IP
  • Use a global load balancer to route traffic (correct)
  • Establish a VPN connection between the two regions
  • Deploy the new instance in the us-central1 region

What is the most efficient way to verify that all dependencies in a Deployment Manager template are satisfied before deployment?

  • Check dependencies manually before committing.
  • Use the 'gcloud deployment-manager deployments validate' command. (correct)
  • Run the template in a staging environment.
  • Deploy the template in the production environment directly.

Which service should be used to minimize costs when sending logs from Compute Engine instances to a BigQuery dataset?

  • Use the Cloud Logging agent to filter logs

How can you enable TCP communication on port 8080 from tier #1 to tier #2 in a 3-tier Compute Engine solution?

  • Modify firewall rules to allow traffic on port 8080.

What should you do to ensure an application on Cloud Run processes messages from a Cloud Pub/Sub topic following recommended practices?

  • Set up authentication with IAM roles

How can you quickly disable excessive logging from a development GKE container while minimizing steps?

  • Use kubectl to change log verbosity

To create service cost estimates from multiple Google Cloud projects, which action should you take?

  • Run a standard SQL query against the billing data.

What steps should you take to enable Cloud Pub/Sub for your App Engine application while ensuring service account authentication?

  • Enable the Cloud Pub/Sub API in the Google Cloud Console.

What can be done to avoid storing a database password in plain text within a GKE deployment YAML file?

  • Access the password using a secret management service

What method can you use to deliver 1% of your website traffic to a test version hosted on App Engine?

  • Use traffic splitting in App Engine's version settings.

If multiple changes frequently need to be made by a small data science team using BigQuery, what is the best approach to provide them with necessary access?

  • Create a service account for the team

Which service configuration is most appropriate for point-in-time recovery?

  • Enable daily backups on Cloud SQL

Which approach should be implemented for storing audit log files in compliance with a 3-year retention policy for hundreds of Google Cloud projects?

  • Use Cloud Storage with lifecycle management.

For a Cloud Spanner application needing monitoring access without exposing table data to the support team, what is the recommended action?

  • Grant monitoring permissions without table access.

To implement a caching HTTP reverse proxy on GCP for a latency-sensitive website, which option should be prioritized?

  • Use a regional load balancer with caching capabilities.

What action should you take to assign permissions for an external auditor to review GCP Audit Logs and Data Access logs?

  • Assign a Cloud IAM role with specific log viewing permissions.

To access combined logs for all GCP projects for the past 60 days, what is the recommended approach?

  • Use Cloud Logging to aggregate logs across projects.

What is the most effective way to turn off all configured services in an existing GCP project to reduce service costs?

  • Use the Google Cloud Console to disable each service individually.

How should you enable a service account in a web-applications project to access BigQuery datasets in another project?

  • Use a Cloud IAM role that includes permissions for BigQuery access.

What steps should you take to investigate any access by a terminated employee to sensitive customer information?

  • Analyze GCP audit logs for actions taken by the employee.

When creating a custom IAM role for GCP, what is a key consideration to ensure its suitability for production use?

  • Ensure all included permissions are reviewed and approved.

What is the recommended method for making unstructured data accessible for ETL transformations on Google Cloud?

  • Store the data in Cloud Storage for access by Dataflow.

To efficiently manage multiple Google Cloud projects using the Google Cloud SDK CLI, what should you do?

  • Use the 'gcloud' command to set the desired project context.

What is the necessary configuration to allow communication on TCP port 8080 between instances in tier #1 and tier #2?

  • Create an ingress firewall rule targeting all instances with tier #2 service account.

Which of the following configurations correctly establishes communication for TCP port 8080 between tier #2 and tier #3?

  • An ingress firewall rule targeting all instances with tier #3 service account from tier #2.

What is the primary purpose of executing the Deployment Manager template with the --preview option?

  • To observe the state of interdependent resources.

Which of the following ingress firewall rule settings would NOT allow tier #1 to communicate with tier #2?

  • Targets: all instances; Source filter: IP ranges set to 10.0.2.0/24; Protocols: allow TCP: 8080.

What additional task should you perform besides creating necessary firewall rules to facilitate tier communication?

  • Ensure all service accounts have the necessary permissions.

Which of these ingress firewall rules allows both tiers to communicate effectively through TCP port 8080?

  • Ingress rule for tier #2 service account from tier #1 service account, allowing TCP: 8080.

When establishing communication on TCP port 8080, which approach can lead to potential security risks?

  • Allowing all protocols in ingress rules.

Which option defines the source filter of an ingress firewall rule that effectively allows communication between tier #2 and tier #3?

  • Service account associated with tier #2.

What is the best way to grant monitoring permissions to the support team without allowing access to table data in Cloud Spanner?

  • Add the support team group to the roles/monitoring.viewer role.

Which option minimizes costs while providing a 30-GB in-memory cache and an additional 2 GB for other processes for a caching HTTP reverse proxy?

  • Create a Cloud Memorystore for Redis instance with 32-GB capacity.

To run a single binary application that automatically scales based on CPU usage in a policy-compliant way on Google Cloud, what should you do?

  • Create an instance template, and use the template in a Managed Instance Group with autoscaling configured.

What is the purpose of exporting logs from Cloud Audit to BigQuery?

  • To analyze and store logs in a structured format.

When exporting logs to Cloud Pub/Sub, what is the typical use case?

  • For distributing logs to multiple subscribers.

If you want to grant the support team appropriate permissions for monitoring without exposing them to sensitive data in Cloud Spanner, which role is appropriate?

  • roles/spanner.databaseReader

Which method provides a streamlined logging solution that does not require manual log management?

  • Utilizing Stackdriver logging API to automate transfers.

Which design is most appropriate for a caching HTTP reverse proxy with very low CPU consumption needs?

  • Utilize Cloud Memorystore to manage the caching efficiently.

What should you do to effectively manage a rolling-action update with the specified configuration to maxSurge and maxUnavailable?

  • Perform a rolling-action start-update with maxSurge set to 1 and maxUnavailable set to 0.

To grant access for three users to view and edit table data on a Cloud Spanner instance, which action is correct?

  • Add the users to the roles/spanner.databaseUser role directly.

What is the first step required to create a new billing account and link it to an existing GCP project?

  • Verify you are Project Billing Manager for the GCP project.

When trying to verify user access activities in Cloud Storage buckets, what is the most efficient approach?

  • Use the GCP Console to filter the Activity log.

How do you ensure that a newly created Managed Instance Group functions correctly after linking with the backend service for the load balancer?

  • Monitor new instances until all are healthy before deleting the old group.

In a Managed Instance Group, what is the purpose of deleting instances to recreate them using a new instance template?

  • To efficiently apply the new application version without downtime.

What is a consequence of setting maxSurge to 0 during a rolling-action update?

  • Existing instances will be updated without additional instances being created.

What must you confirm before linking a new billing account to any GCP project?

  • You have Billing Administrator permissions for the billing account.

Study Notes

Google Cloud Platform (GCP) Associate Cloud Engineer (ACE) Exam

  • GCP offers a range of services for building, deploying, and managing applications and infrastructure in the cloud.
  • The ACE exam covers fundamental GCP concepts and practical application-level skills.

Exam Questions and Answers

  • Question 1: Confirming dependencies in a Deployment Manager template: Use Deployment Manager's built-in dependency checking.
  • Question 2: Enabling communication between tiers in a 3-tier solution: Configure firewall rules to allow communication between instances of different tiers (1-2 and 2-3) on TCP port 8080.
  • Question 3: Estimating GCP service costs: Utilize standard query syntax within BigQuery to summarize service costs by type across multiple projects.
  • Question 4: Enabling Cloud Pub/Sub for an App Engine application: Enable the Cloud Pub/Sub API and configure the service account to authenticate the App Engine application.
  • Question 5: Deploying a new version of a website using App Engine: Use the --migrate option to deploy the new version without disrupting service to 1% of users.
  • Question 6: Implementing a cost-effective log file retention strategy: Utilize Cloud Storage's lifecycle management to retain audit logs for 3 years.
  • Question 7: Streamlining support team access to Cloud Spanner: Grant the correct permissions to the support team by using a Google-recommended approach without granting permissions to access the data.
  • Question 8: Optimizing GCP Costs for Caching HTTP Reverse Proxy: Use Cloud Memorystore for Redis with a 32 GB in-memory cache to minimize cost.
  • Question 9: Configuring automatic scaling for a binary application: Automatically scale the binary application based on CPU usage to be operationally efficient.
  • Question 10: Granting permissions for Compute Engine instances to write to Cloud Storage: Use service account permissions to enable writing to the Cloud Storage bucket for the Compute Engine instances.
  • Question 11: Sharing a Cloud Storage object with an external company: Securely share the object with the external company by using a Cloud Storage signed URL with an expiration time.
  • Question 12: Configuring an autoscaling Managed Instance Group for HTTPS Web Application: Use a health check on port 443 to automatically recreate unhealthy VMs.
  • Question 13: Setting up a Managed Instance Group to ensure only one instance runs per project: Configure the Managed Instance Group to ensure only one VM instance runs per project.
  • Question 14: Configuring VPC network and two subnets for production and test workloads: Configure a VPC network with two subnets in different regions to isolate production and test workloads.
  • Question 15: Configuring HTTPS load balancing services: Configure HTTPS load balancing services to terminate the client SSL session to minimize complexity.
  • Question 16: Deploying a new version of an application using a Managed Instance Group: Gradually roll out the new version while maintaining the available capacity of your web application.
  • Question 17: Granting access to Cloud Spanner instance table data: Grant three users access to view and modify table data for a Cloud Spanner instance.
  • Question 18: Linking a billing account and GCP project: Create a new billing account and link it to an existing project.
  • Question 19: Verifying Cloud Storage activity: Appropriately filter logs to verify Cloud Storage activity for a particular user.
  • Question 20: Estimating BigQuery query costs: Use on-demand pricing to query BigQuery and estimate the costs of a query that expects to return a lot of records.
  • Question 21: Monitoring resources across multiple projects: Collect and consolidate logs across projects into a single Stackdriver Monitoring view.
  • Question 22: Dynamically provisioning VMs: Configure dynamic VM provisioning using a dedicated configuration file.
  • Question 23: Sharing sensitive Cloud Storage objects with external companies: Leverage Cloud Storage's signed URLs to share sensitive data with specific expiration times.

…and so on for questions 24-61. This is a sample, and the full list is extensive.

Description

This quiz assesses your understanding of best practices for implementing Google Cloud solutions, focusing on security, resource access, and efficient deployment. Questions cover cloud storage access, instance management across regions, logging optimization, and service estimates. Test your knowledge and enhance your skills in cloud architecture design.