NotJustExam Interactive Question Bank | [Google] GCP-ACE

Question 1

Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance. What should you do?

A. Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance.
B. Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance.
C. Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the ג€compute.osAdminLoginג€ role to the Google group corresponding to this team.
D. Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance.

Correct Answer: C

Explanation:

The best approach is C. Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the `compute.osAdminLogin` role to the Google group corresponding to this team.

Reasoning: This option provides the most secure and operationally efficient solution for managing access to Compute Engine instances. By having each team member generate their own SSH key pair and associating the public key with their Google account, you leverage Google Cloud's Identity and Access Management (IAM) for authentication and authorization. Granting the `compute.osAdminLogin` role to the Google group allows the team members to log in to the instances with administrative privileges. This method also ensures that you can audit who accessed which instance, as the SSH key is linked to their individual Google account.

Why other options are not correct:

A: Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance. Sharing a single private key among multiple users is a major security risk. If the key is compromised, it's difficult to determine who was responsible for a particular action. Also, this method does not leverage Google Cloud IAM for access control and auditing.
B: Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance. While this is more secure than option A, it's still less efficient and less integrated with Google Cloud IAM than option C. Manually managing SSH keys across multiple instances is cumbersome and doesn't provide the same level of auditability.
D: Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance. Similar to option A, sharing a single private key is a security risk. Project-wide SSH keys can be useful in some scenarios, but are not ideal for managing access for a team, as it offers less granular control and auditability.

The recommended solution aligns with Google Cloud's best practices for identity and access management, providing both security and operational efficiency.

IAM Roles for Compute Engine, https://cloud.google.com/compute/docs/access/iam
Adding and Removing SSH Keys, https://cloud.google.com/compute/docs/connect/add-ssh-keys

Question 2

You need to create a custom VPC with a single subnet. The subnet's range must be as large as possible. Which range should you use?

A. 0.0.0.0/0
B. 10.0.0.0/8
C. 172.16.0.0/12
D. 192.168.0.0/16

Correct Answer: B

Explanation:

The recommended answer is B. 10.0.0.0/8. The reason for choosing this answer is that it provides the largest possible private IP address range for a VPC subnet, allowing for approximately 16 million addresses. This is suitable when you need to maximize the available IP address space within your custom VPC. Option A (0.0.0.0/0) is not a valid subnet range as it represents all possible IP addresses and is not practical for a private VPC. Options C (172.16.0.0/12) and D (192.168.0.0/16) provide smaller ranges and fewer usable IP addresses compared to /8. A /8 CIDR block offers significantly more address space than a /12 or /16, making it ideal when the requirement is to have the "largest possible" subnet.

VPC Subnet Sizing, https://cloud.google.com/vpc/docs/vpc
CIDR Notation, https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

Question 3

You want to select and configure a cost-effective solution for relational data on Google Cloud Platform. You are working with a small set of operational data in one geographic location. You need to support point-in-time recovery. What should you do?

A. Select Cloud SQL (MySQL). Verify that the enable binary logging option is selected.
B. Select Cloud SQL (MySQL). Select the create failover replicas option.
C. Select Cloud Spanner. Set up your instance with 2 nodes.
D. Select Cloud Spanner. Set up your instance as multi-regional.

Correct Answer: A

Explanation:

The recommended answer is A: Select Cloud SQL (MySQL). Verify that the enable binary logging option is selected.

Reasoning: The question specifies a need for a cost-effective solution for relational data in a single geographic location with point-in-time recovery. Cloud SQL (MySQL) with binary logging enabled is the most suitable option because:

Cost-Effectiveness: Cloud SQL is generally more cost-effective than Cloud Spanner for smaller datasets and single-region deployments.
Point-in-Time Recovery: Enabling binary logging in Cloud SQL provides the necessary functionality for point-in-time recovery. Binary logs record all modifications to the database, allowing you to restore the database to a specific point in time.
Suitability for the requirements: Cloud SQL is well-suited for operational data and supports point-in-time recovery when binary logging is enabled.

Reasons for not choosing the other answers:

B: Select Cloud SQL (MySQL). Select the create failover replicas option. While failover replicas provide high availability, they do not directly address the requirement for point-in-time recovery. Failover replicas help in case of instance failure, but point-in-time recovery allows restoring data to a specific moment in the past.
C: Select Cloud Spanner. Set up your instance with 2 nodes. Cloud Spanner is designed for globally distributed, scalable databases. It is more expensive than Cloud SQL and is an overkill for a small dataset in a single geographic location. While Spanner offers point-in-time recovery, it is not the most cost-effective solution for the specified requirements.
D: Select Cloud Spanner. Set up your instance as multi-regional. Similar to option C, Cloud Spanner in a multi-regional configuration is designed for global availability and scalability, making it unnecessarily expensive and complex for the described scenario.

The configuration mentioned in Option A directly addresses the need for point-in-time recovery in a cost-effective manner, fitting the described scenario perfectly.

Cloud SQL Point-in-Time Recovery, https://cloud.google.com/sql/docs/mysql/point-in-time-recovery

Question 4

You want to configure autohealing for network load balancing for a group of Compute Engine instances that run in multiple zones, using the fewest possible steps.
You need to configure re-creation of VMs if they are unresponsive after 3 attempts of 10 seconds each. What should you do?

A. Create an HTTP load balancer with a backend configuration that references an existing instance group. Set the health check to healthy (HTTP)
B. Create an HTTP load balancer with a backend configuration that references an existing instance group. Define a balancing mode and set the maximum RPS to 10.
C. Create a managed instance group. Set the Autohealing health check to healthy (HTTP)
D. Create a managed instance group. Verify that the autoscaling setting is on.

Correct Answer: C

Explanation:

The best approach to configure autohealing for Compute Engine instances in multiple zones with the fewest steps, meeting the specified requirements, is to use a managed instance group (MIG) with an autohealing health check. Therefore, the recommended answer is C. Create a managed instance group. Set the Autohealing health check to healthy (HTTP).

Reasoning: Managed instance groups (MIGs) are designed to maintain high availability and automatically recreate instances that become unhealthy. By setting an Autohealing health check, the MIG monitors the instances' health and automatically recreates any that fail the health check. This directly addresses the requirement to recreate VMs if they are unresponsive. The question specifies the need to configure re-creation of VMs if they are unresponsive. Configuring a health check on a managed instance group is the most direct and efficient way to achieve this.

Why other options are not suitable:

A. Create an HTTP load balancer with a backend configuration that references an existing instance group. Set the health check to healthy (HTTP): While a load balancer can perform health checks, it primarily focuses on distributing traffic and ensuring high availability from a traffic management perspective. It doesn't directly address the auto-recreation of instances within the group. This involves more configurations than necessary.
B. Create an HTTP load balancer with a backend configuration that references an existing instance group. Define a balancing mode and set the maximum RPS to 10: Setting the maximum RPS (requests per second) is related to load balancing and traffic management, not autohealing. While load balancing is important, this option does not configure the necessary autohealing functionality.
D. Create a managed instance group. Verify that the autoscaling setting is on: Autoscaling adjusts the number of instances based on load, but it doesn't automatically recreate unhealthy instances. Autohealing specifically monitors instance health and triggers re-creation when necessary. Only verifying autoscaling does not guarantee instance re-creation upon unresponsiveness.

Therefore, option C provides the most direct and efficient solution to configure autohealing as requested in the question.

Managed Instance Groups, https://cloud.google.com/compute/docs/instance-groups/
Adding Autohealing to MIGs, https://cloud.google.com/compute/docs/instance-groups/autohealing-of-instances

Question 5

You are using multiple configurations for gcloud. You want to review the configured Kubernetes Engine cluster of an inactive configuration using the fewest possible steps. What should you do?

A. Use gcloud config configurations describe to review the output.
B. Use gcloud config configurations activate and gcloud config list to review the output.
C. Use kubectl config get-contexts to review the output.
D. Use kubectl config use-context and kubectl config view to review the output.

Correct Answer: D

Explanation:

The best approach to review the configured Kubernetes Engine cluster of an inactive gcloud configuration with the fewest steps is to use kubectl commands. Here's the breakdown:

The suggested answer is D: Use kubectl config use-context and kubectl config view to review the output.

Reasoning:

The question specifies reviewing the Kubernetes Engine cluster configuration of an inactive gcloud configuration. The kubectl command-line tool is the correct utility for interacting with and viewing Kubernetes cluster configurations. Using kubectl config use-context allows switching the current context to the desired configuration, even if it's associated with an inactive gcloud configuration. Then, kubectl config view displays the Kubernetes configuration, including cluster details, associated with the chosen context.

Why other options are not the best:

A. Use gcloud config configurations describe to review the output. This command is used to describe gcloud configurations, not Kubernetes configurations. It won't provide the necessary Kubernetes Engine cluster details.
B. Use gcloud config configurations activate and gcloud config list to review the output. Activating the configuration isn't necessary to view its Kubernetes context. gcloud config list also shows gcloud configurations, not Kubernetes configurations. Activating a configuration is an unnecessary step for simply *viewing* the Kubernetes cluster details.
C. Use kubectl config get-contexts to review the output. While this command *does* show the available contexts, it doesn't display the full configuration details for the cluster associated with that context. The question asks to review the *configured Kubernetes Engine cluster*, implying a more detailed view than just the context name. kubectl config view provides that detailed view.

Therefore, option D provides the most direct and complete solution to review the configured Kubernetes Engine cluster of an inactive gcloud configuration.

gcloud config configurations describe, https://cloud.google.com/sdk/gcloud/reference/config/configurations/describe
gcloud config configurations activate, https://cloud.google.com/sdk/gcloud/reference/config/configurations/activate
gcloud config list, https://cloud.google.com/sdk/gcloud/reference/config/list
kubectl config get-contexts, https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
kubectl config use-context, https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config
kubectl config view, https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#config

Question 6

Your company uses Cloud Storage to store application backup files for disaster recovery purposes. You want to follow Google's recommended practices. Which storage option should you use?

A. Multi-Regional Storage
B. Regional Storage
C. Nearline Storage
D. Coldline Storage

Correct Answer: D

Explanation:

The recommended answer is D. Coldline Storage.

Reasoning:

The question focuses on disaster recovery backups and following Google's recommended practices while considering cost-effectiveness. While Multi-Regional Storage is indeed a good option for disaster recovery due to its high availability and redundancy, Coldline Storage is designed for infrequently accessed data with lower storage costs, making it a suitable choice for backups that are rarely accessed but need to be readily available when needed for recovery. Therefore, for disaster recovery purposes where the backup data is infrequently accessed, Coldline provides a good balance of cost and availability.

Why other options are not the best:

A. Multi-Regional Storage: Although suitable for disaster recovery due to its redundancy and availability, it is more expensive than Coldline. The prompt implies a cost consideration by asking to follow recommended practices, suggesting to pick the most cost-effective option that meets the requirement.
B. Regional Storage: Regional Storage offers lower latency and higher performance than Multi-Regional, Nearline, or Coldline Storage, but it lacks the geographic redundancy of Multi-Regional Storage, making it less ideal for disaster recovery and is more expensive than Coldline.
C. Nearline Storage: Nearline Storage is more appropriate for data accessed slightly more frequently than Coldline. While it is less expensive than Regional and Multi-Regional, it is more expensive than Coldline and less suitable for infrequently accessed disaster recovery backups.

Therefore, considering the infrequent access nature of disaster recovery backups and the desire to follow cost-effective recommended practices, Coldline Storage is the most appropriate choice.

Cloud Storage Classes, https://cloud.google.com/storage/docs/storage-classes

Question 7

Several employees at your company have been creating projects with Cloud Platform and paying for it with their personal credit cards, which the company reimburses. The company wants to centralize all these projects under a single, new billing account. What should you do?

A. Contact [email protected] with your bank account details and request a corporate billing account for your company.
B. Create a ticket with Google Support and wait for their call to share your credit card details over the phone.
C. In the Google Platform Console, go to the Resource Manage and move all projects to the root Organizarion.
D. In the Google Cloud Platform Console, create a new billing account and set up a payment method.

Correct Answer: D

Explanation:

The recommended answer is D: In the Google Cloud Platform Console, create a new billing account and set up a payment method.. This is the most direct and appropriate way to centralize billing. The process involves creating a new billing account within the Google Cloud Platform Console, configuring a payment method (e.g., credit card, bank account), and then associating the existing projects with this newly created billing account. This ensures that all costs are charged to the company's designated payment method. This is the standard procedure for establishing a centralized billing system in GCP.

Here's a breakdown of why other options are not ideal:

Option A: Contacting [email protected] might be a step for larger or more complex setups but isn't the standard initial approach. Creating the billing account yourself through the console is the first and most common step. This option is not wrong but not the most efficient way.
Option B: Creating a ticket with Google Support to share credit card details over the phone is highly unusual and insecure. Google Cloud Platform provides secure mechanisms within the console for managing billing information. Sharing credit card details over the phone is highly discouraged for security reasons.
Option C: Moving projects to the root Organization is important for organizational structure and policy enforcement, but it does not automatically change the billing account associated with those projects. Projects still need to be explicitly linked to the new billing account after being moved to the organization. This option addresses organization but misses the billing requirement.

Therefore, creating a new billing account and linking the projects to it is the complete and correct approach.

Creating a billing account, https://cloud.google.com/billing/docs/how-to/manage-billing-account
Changing a project's billing account, https://cloud.google.com/billing/docs/how-to/change-project-billing

Question 8

You have an application that looks for its licensing server on the IP 10.0.3.21. You need to deploy the licensing server on Compute Engine. You do not want to change the configuration of the application and want the application to be able to reach the licensing server. What should you do?

A. Reserve the IP 10.0.3.21 as a static internal IP address using gcloud and assign it to the licensing server.
B. Reserve the IP 10.0.3.21 as a static public IP address using gcloud and assign it to the licensing server.
C. Use the IP 10.0.3.21 as a custom ephemeral IP address and assign it to the licensing server.
D. Start the licensing server with an automatic ephemeral IP address, and then promote it to a static internal IP address.

Correct Answer: A

Explanation:

The best approach is to reserve the IP address 10.0.3.21 as a static internal IP address and assign it to the Compute Engine instance acting as the licensing server. Here's a breakdown of why this is the correct solution and why the others aren't:

The suggested answer is A: Reserve the IP 10.0.3.21 as a static internal IP address using gcloud and assign it to the licensing server.

Reasoning for choosing A: The application is configured to look for the licensing server at the internal IP address 10.0.3.21. To ensure the application can reach the server without any configuration changes, the licensing server must be assigned this specific IP address. Since ephemeral IP addresses can change upon instance restart, a static IP address is required. Furthermore, since the application expects an internal IP, reserving a static *internal* IP address is the correct approach.

Reasons for not choosing the other answers:

B: Reserve the IP 10.0.3.21 as a static public IP address using gcloud and assign it to the licensing server. - This is incorrect because the application is looking for an *internal* IP address. Using a public IP address would require routing and firewall configurations, and the application might not be able to resolve or connect to a public IP where it expects an internal one. It also exposes the licensing server unnecessarily to the public internet.
C: Use the IP 10.0.3.21 as a custom ephemeral IP address and assign it to the licensing server. - This is incorrect because ephemeral IPs are not static and can change. This violates the requirement that the application always be able to reach the licensing server at 10.0.3.21. An ephemeral IP address is temporary and will be released when the instance is stopped or terminated.
D: Start the licensing server with an automatic ephemeral IP address, and then promote it to a static internal IP address. - Although promoting an ephemeral IP to static is possible, this is not the most direct approach, and there's a risk that a different ephemeral IP is assigned initially. Reserving the desired IP as static from the start ensures that the licensing server gets the correct IP address from the beginning. Also, while technically feasible, it introduces an unnecessary step compared to simply reserving the desired IP statically beforehand.

Therefore, the most direct and reliable solution is to reserve 10.0.3.21 as a static internal IP address and assign it to the Compute Engine instance.

Google Cloud Documentation on Static Internal IP Addresses, https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address

Question 9

You are deploying an application to App Engine. You want the number of instances to scale based on request rate. You need at least 3 unoccupied instances at all times. Which scaling type should you use?

A. Manual Scaling with 3 instances.
B. Basic Scaling with min_instances set to 3.
C. Basic Scaling with max_instances set to 3.
D. Automatic Scaling with min_idle_instances set to 3.

Correct Answer: D

Explanation:

The suggested answer is D. Automatic Scaling with min_idle_instances set to 3.
The reasoning behind this choice is that Automatic Scaling is designed to automatically adjust the number of instances based on request rate and other configured metrics, which directly addresses the requirement of scaling based on request rate. Setting `min_idle_instances` to 3 ensures that at least 3 instances are always running and available to handle incoming requests, thus meeting the condition of having at least 3 unoccupied instances at all times.
Here's why the other options are not ideal:

A. Manual Scaling with 3 instances: This option does not allow scaling based on request rate. The number of instances remains fixed at 3, regardless of the application load. This approach does not take advantage of the dynamic scaling capabilities offered by App Engine.
B. Basic Scaling with min_instances set to 3: Basic Scaling is suitable for work that is interruptible or driven by user activity. However, Basic Scaling doesn't support the concept of `min_idle_instances`. It starts instances as needed, but doesn't guarantee a minimum number of idle instances are always available, as required by the question.
C. Basic Scaling with max_instances set to 3: This limits the application to a maximum of 3 instances, which might not be sufficient during peak traffic and does not ensure a minimum of 3 *idle* instances. It also doesn't scale based on request rate; it just caps the total instances.

Therefore, Automatic Scaling with `min_idle_instances` is the most appropriate choice for this scenario.

App Engine Scaling Types, https://cloud.google.com/appengine/docs/standard/python3/how-instances-are-managed#scaling_types

Question 10

You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

A. Use gcloud iam roles copy and specify the production project as the destination project.
B. Use gcloud iam roles copy and specify your organization as the destination organization.
C. In the Google Cloud Platform Console, use the 'create role from role' functionality.
D. In the Google Cloud Platform Console, use the 'create role' functionality and select all applicable permissions.

Correct Answer: A

Explanation:

The best approach is to use the `gcloud iam roles copy` command, specifying the production project as the destination. The suggested answer is A. This method directly addresses the requirement of copying IAM roles from a development project to a production project with the fewest steps. The `gcloud iam roles copy` command is designed for this exact purpose, allowing you to efficiently replicate roles without manual configuration. Option B is incorrect because copying the roles to the entire organization is not the desired outcome, and the question specifically asks for copying roles to a single production project. Options C and D are less efficient as they involve manual steps in the Google Cloud Platform Console, contradicting the requirement for the fewest possible steps.

gcloud iam roles copy, https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

[Google] GCP-ACE - Associate Cloud Engineer Exam Dumps & Study Guide

Free [Google] GCP-ACE - Associate Cloud Engineer Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10