# GCP

# Kubernetes

## Basic concepts

- Runs containers on a cluster of virtual or physical machines (VMs in GCP)
- Known as container orchestration

## Features

- Load balancing of workloads
- Node pools to segment nodes within a cluster
- Automatic scaling and updating
- Autohealing
- Stackdriver (now Cloud Monitoring) monitoring

## Kubernetes process objects

- Pod: the smallest deployable unit; one or more containers that share a network namespace and storage
- Deployment: manages a set of identical pods (replica count, rolling updates, rollback)
- Service: a stable virtual IP and DNS name that routes traffic to the pods matched by a label selector, typically the pods of a Deployment

## Kubernetes storage objects

- Persistent Volume (PV): storage provisioned independently of any pod
- Persistent Volume Claim (PVC): a pod can use the data in a persistent volume only through a claim bound to that volume

## Basic components

- Image: the basis of a container; the content at rest
- Container: an image when it is running; the standard unit for the app service
- Engine: the software that executes commands for containers; networking and volumes are part of the engine; engines can be clustered together
- Registry: stores, distributes and manages Docker images
- Control plane: management plane for containers and cluster orchestration

## Deploy an application on GKE

### Steps

**1. Create a project and enable APIs**

Create the project and enable these services:

- Kubernetes Engine API
- Google Container Registry API

If you get a "service not enabled" error, enable them from the command line:

```
gcloud services enable container.googleapis.com containerregistry.googleapis.com
```

**2. Build the container image**

- Clone the sample and change into the app directory:

```
git clone https://github.com/GoogleCloudPlatform/kubernetes-engine-samples
cd kubernetes-engine-samples/hello-app
```

- Export the project ID:

```
export PROJECT_ID={PROJECT ID}
```

- Build the image (check the variable is really set first: with `PROJECT_ID` unset the tag silently becomes `gcr.io//hello-app:v1`):

```
docker build -t gcr.io/${PROJECT_ID}/hello-app:v1 .
```

- Check the image:

```
docker images
```

- Configure Docker to authenticate to the registry (one-time step):

```
gcloud auth configure-docker
```

**3. Upload the container image to Google Container Registry**

- Push the image to the registry:

```
docker push gcr.io/${PROJECT_ID}/hello-app:v1
```

**4. Test local execution**

- Run it locally:

```
docker run --rm -p 8080:8080 gcr.io/${PROJECT_ID}/hello-app:v1
```

- Open the web preview in the Cloud Shell console to check the response. `-p 8080:8080` publishes the port on every interface of the host; on a workstation use `-p 127.0.0.1:8080:8080` so the test server is reachable only locally.
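Before continuing with steps 5 and 6, here are all six steps gathered into one script, as an added example; this is not the notes' own code nor Google's sample. It assumes the names `hello-app` and `demo-cluster`, a project ID and zone passed on the command line, and `203.0.113.0/24` as the only network allowed to reach the API server and the service. The hardening flags on `clusters create` (Shielded nodes with Secure Boot, Workload Identity, VPC-native networking, a release channel, master authorized networks) and the `loadBalancerSourceRanges` patch go beyond the six steps; every flag used exists in `gcloud` and `kubectl`. With `DRY_RUN=1` the script prints the commands instead of running them, which is how the validation functions can be exercised without a GCP project.

```shell
#!/bin/sh
# Added example: the six GKE deploy steps as one script with input checks and a
# dry-run mode. Names (hello-app, demo-cluster, the allowed CIDR) are assumptions.
set -eu

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# A project ID is 6-30 chars: lowercase letters, digits and hyphens, starting
# with a letter. An unset or malformed ID would otherwise end up in an image
# tag such as gcr.io//hello-app:v1, so reject it before any command is built.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{5,29}$'
}

# Deploy only immutable references: gcr.io/PROJECT/NAME:vN or a sha256 digest.
# A mutable tag such as :latest can be re-pointed after the image was reviewed.
valid_image_ref() {
  printf '%s' "$1" | grep -Eq '^gcr\.io/[a-z][a-z0-9-]{5,29}/[a-z0-9._/-]+(:v[0-9]+(\.[0-9]+)*|@sha256:[0-9a-f]{64})$'
}

# Step 1: enable the APIs the procedure needs.
enable_apis() { # project
  run gcloud services enable container.googleapis.com containerregistry.googleapis.com --project "$1"
}

# Steps 2-4: build, push and smoke-test the image. The local test container is
# detached, bound to 127.0.0.1 only, and runs with no Linux capabilities.
build_push_test() { # image
  valid_image_ref "$1" || { echo "refusing to build mutable/malformed image ref: $1" >&2; return 1; }
  run docker build -t "$1" .
  run gcloud auth configure-docker --quiet
  run docker push "$1"
  run docker run --rm -d -p 127.0.0.1:8080:8080 --cap-drop ALL "$1"
}

# Step 5: create the cluster. Beyond --num-nodes=2 from the notes, this turns on
# Shielded GKE nodes with Secure Boot, Workload Identity (pods get their own IAM
# identities instead of the node service account), VPC-native networking, a
# release channel, and limits API server access to one CIDR (assumed).
create_cluster() { # project zone cluster
  run gcloud container clusters create "$3" --project "$1" --zone "$2" --num-nodes=2 \
    --enable-shielded-nodes --shielded-secure-boot \
    --workload-pool="$1.svc.id.goog" --enable-ip-alias --release-channel=regular \
    --enable-master-authorized-networks --master-authorized-networks=203.0.113.0/24
}

# Steps 5-6: deploy and expose. A LoadBalancer Service is public by default;
# loadBalancerSourceRanges limits which source addresses can reach the external IP.
deploy_and_expose() { # app image allowed_cidr
  run kubectl create deployment "$1" --image="$2"
  run kubectl expose deployment "$1" --type=LoadBalancer --port 80 --target-port 8080
  run kubectl patch service "$1" -p "{\"spec\":{\"loadBalancerSourceRanges\":[\"$3\"]}}"
}

main() { # project zone
  valid_project_id "$1" || { echo "bad project id: $1" >&2; return 1; }
  image="gcr.io/$1/hello-app:v1"
  enable_apis "$1"
  build_push_test "$image"
  create_cluster "$1" "$2" demo-cluster
  deploy_and_expose hello-app "$image" 203.0.113.0/24
}

# Only run the pipeline when invoked with a project and a zone, e.g.
#   DRY_RUN=1 sh deploy.sh my-sandbox-project us-central1-a
if [ "$#" -eq 2 ]; then
  main "$1" "$2"
fi
```

Run it once with `DRY_RUN=1` and read the printed commands before running it for real; the two validators fail closed, so a typo in the project ID or a `:latest` tag stops the script before anything is built or pushed.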
**5. Deploy the app on the cluster**

- Set the project:

```
gcloud config set project $PROJECT_ID
```

- Set the default zone:

```
gcloud config set compute/zone {zone}
```

- Create the cluster:

```
gcloud container clusters create {cluster-name} --num-nodes=2
```

- Check the instances (each node is a Compute Engine VM):

```
gcloud compute instances list
```

- Create the app deployment:

```
kubectl create deployment {app-name} --image=gcr.io/${PROJECT_ID}/hello-app:v1
```

- Check the pods:

```
kubectl get pods
```

**6. Expose the app to the internet**

- Expose the deployment through a load balancer:

```
kubectl expose deployment {app-name} --type=LoadBalancer --port 80 --target-port 8080
```

A `LoadBalancer` Service gets a public IP and is reachable from anywhere by default; restrict it with `loadBalancerSourceRanges`, or use `--type=ClusterIP` for services that only other pods need.

## Managing Kubernetes clusters

### kubectl operations

- autoscale
- cluster-info
- config
- create
- delete
- describe
- expose (a service)
- run (an image)

### Monitoring Kubernetes

# GCP Storage

### Structured data

- Adheres to a schema, so every record has the same fields or properties
- Stored in database tables with rows and columns (e.g. SQL)
- Relies on keys to indicate how one row in a table relates to a row in another table
- Referred to as "relational data"

### Semi-structured data

- Doesn't fit neatly into tables, rows and columns
- Uses tags or keys to organize the data and give it a hierarchy
- Often referred to as NoSQL or non-relational data

### Unstructured data

- No designated structure
- No restrictions on the kinds of data it can hold
- Example: an object store can hold PDFs, JPEGs, JSON, videos, etc.
- Enterprises struggle to manage and extract insights from their unstructured data

## Storage and DB services

![](https://i.imgur.com/yXDAu8Q.png)

## Storage decisions

![](https://i.imgur.com/vyFbEHG.png)

## Storage classes

- **Standard Storage**: best for data that is frequently accessed ("hot" data) and/or stored for only brief periods.
- **Nearline Storage**: low-cost, highly durable storage for infrequently accessed data.
  Nearline is a better choice than Standard when slightly lower availability, a 30-day minimum storage duration and per-operation data access charges are acceptable trade-offs for lower at-rest storage cost.
- **Coldline Storage**: very-low-cost, highly durable storage for infrequently accessed data. Coldline is a better choice than Standard or Nearline when slightly lower availability, a 90-day minimum storage duration and higher data access charges are acceptable trade-offs for lower at-rest storage cost. An object deleted or moved to another class before its class's minimum duration is still billed for the full minimum.

## Choosing storage

### Cloud Storage

- Unstructured data: images, videos, text
- Archived data
- Temporary storage between services
- Global access, web accessible

### Managed SQL database

- Relational databases: structured data, requires SQL, ACID transactions, complex queries, joins
- Cloud SQL: up to 10 TB (the limit when these notes were written), regional
- Cloud Spanner: horizontally scalable, global, expensive

### Managed NoSQL database

- NoSQL databases: semi-structured, flexible schema, no joins
- Datastore/Firestore: document (JSON) structure, hierarchical
- Bigtable: petabyte scale, wide column, low-latency writes, analytics

### Analytic database

- BigQuery: data warehousing, petabyte scale, SQL query language, some support for joins, not transactional

# Storage exam prep

## Know about storage 1

- Object storage vs persistent disk vs managed database
- Cloud Storage
  - 4 types: regional, multi-regional, Nearline, Coldline (Regional and Multi-Regional have since been folded into Standard)
  - Lifecycle policies
  - gsutil
- Persistent Disk
  - Used with VMs
  - Persists data even when the VM shuts down

## Know about storage 2

- NoSQL for flexible-schema data: Datastore/Firestore, Bigtable
- Relational for structured data: Cloud SQL up to 10 TB, Cloud Spanner for global databases
- BigQuery: data warehousing, `bq` command-line tool

# App Engine

## Python app sample

```
gcloud components install app-engine-python
git clone https://github.com/GoogleCloudPlatform/python-docs-samples
gcloud app deploy app.yaml
gcloud app browse
```

## App Engine traffic splitting

- If more than one version of an app is running, you can split traffic between the versions.
- 3 ways to do so: IP address, HTTP cookie, random selection.
- Traffic split by IP address
  - Provides stickiness, so all traffic from one IP address is handled by the same version
  - Can create problems if state is maintained and the user changes IP address
- Traffic split by cookie (**recommended**)
  - Preferred method of traffic splitting
  - The HTTP request carries a cookie named `GOOGAPPUID` containing a hash value
  - The hash value determines which version the request is routed to
  - Tolerates the user changing IP address
- Traffic split by random selection
  - Good for stateless apps

# Cloud Functions

## Basic concept

- Serverless compute service
- Executes code in response to events, based on triggers
- Available for events in: Cloud Storage, Cloud Pub/Sub, HTTP, Firebase, Stackdriver Logging

## Events

- Specific to GCP services
- Storage: upload, delete, archive
- Cloud Pub/Sub: publish a message
- HTTP: GET, POST, PUT, DELETE, OPTIONS

## Triggers

- Declaration of interest in an event
- Bind a function to a trigger to execute it
- May be associated with a resource: a Cloud Storage bucket or a Cloud Pub/Sub topic

# App Engine vs Cloud Functions

First of all, Google App Engine is a fully managed Platform as a Service (PaaS), whereas Cloud Functions is Function as a Service (FaaS).

Scenarios:

- Web application: App Engine can host a fully-fledged web application, whereas you cannot deploy a whole web application to Cloud Functions, because a Cloud Function expects code written as a single function that handles one event or request.
- Event-driven: Cloud Functions natively supports invocation through events (e.g. Pub/Sub) and through REST calls, whereas App Engine does not natively support event-based invocations.
  Although it is possible to configure Pub/Sub to invoke a REST endpoint deployed in App Engine, it is not natively supported.
- Time of execution: once invoked, a Cloud Function can run for a maximum of 540 seconds, whereas App Engine has no such limitation. See https://cloud.google.com/functions/quotas.

Typically you use Cloud Functions for small, dedicated tasks that run when an event occurs, invoked either by that event or through an HTTP REST API. Examples:

1. Once an order has been placed, notify other systems about it.
2. When an error occurs in your application and Stackdriver should act on the error event (notify, take action, etc.).
3. Process some data upon receiving a request.

# Cloud Run

## Basic concept

- Compute service for stateless containers
- Managed service, or on Anthos
- Pay per use
- Limits (when these notes were written): up to 1000 services per region, 2 GB memory / 2 vCPU per container instance
- Control which identities may invoke a service (IAM `roles/run.invoker`), or allow unauthenticated access, which makes the service public
- Containers are isolated in a gVisor sandbox

## Cloud Run resources

- Service: the main abstraction of computing in Cloud Run
- Revision: a deployment of a service; consists of a specific image and a configuration
- Container instances run revisions and autoscale based on load

## Concurrency

- A container instance can receive up to 80 requests at the same time (the default), while a Cloud Functions instance receives only one
- Concurrency can be reduced to 1

## Cloud Run vs Cloud Run on Anthos

- Cloud Run on Anthos supports WebSockets

# Anthos

## Basic concept

- Application management platform based on Kubernetes
- Spans cloud and on-premises: Anthos GKE, Anthos on-prem, Anthos on AWS

## Anthos Config Management

- Declarative model for specifying configuration (e.g. how many nodes)
- When the running configuration drifts from the specification, Anthos automatically reconciles the difference (e.g. adds or removes nodes)
- Configuration stored in Git
- Policy Controller enforces business rules on API requests

# Choosing compute resources

## Options

- Compute Engine: maximum control and configurability; Shielded VMs and sole tenancy
- Kubernetes Engine: managed clusters; containerized applications
- App Engine: platform as a service; minimal configuration requirements
- Cloud Functions: responding to events in GCP

# Instance groups

## Basic concept

- Collection of instances managed as a single entity
- 2 types: managed instance group, unmanaged instance group

### Managed instance group (MIG)

- Multiple identical VMs
- Configuration defined in an instance template
- Features include autoscaling, autohealing, multi-zone deployments and auto-updating

### Unmanaged instance group

- Multiple, possibly heterogeneous VMs
- Used to apply load balancing across a heterogeneous group of instances
- In general, recommended for legacy clusters only
- No autoscaling, autohealing or auto-updating

### Autoscaling configuration

- Automatically add or remove instances based on workload
- Set min and max number of instances
- Based on target utilization: CPU utilization, HTTP load balancing serving capacity, Stackdriver metrics
- Cool-down and stabilization periods
  - Cool-down period: the time allowed for a new instance to finish initializing; its metrics are ignored during this period
  - Stabilization period: the window the autoscaler uses to calculate the MIG's recommended target size
  - Both avoid thrashing, i.e. rapidly adding and removing instances

# Quiz

## Cloud Functions

1. What file format should be used when storing function code in a Cloud Storage bucket? ANS: ZIP
2. When using `gcloud functions deploy`, what parameter do you use to specify the resource that will trigger events, such as a Pub/Sub topic or a Cloud Storage bucket? ANS: `--trigger-resource`
3. What is the default amount of memory available for a Cloud Function? ANS: 256 MB
4. What is the default name of the file retrieved from a Cloud Storage bucket if no name is specified? ANS: main.zip

# Cloud Dataproc

For Hadoop clusters and Spark.

# Study points

5, 10, 12, 15, 19, 24, 27, 28, 30, 31, 33, 35, 37, 39, 40, 42, 43, 44

Topics to re-study:

- Kubernetes (StatefulSet, DaemonSet)
- Cloud Dataproc
- Predefined and custom roles
- Migrating to instance groups; instance group types; CPU utilization as a metric
- Kubernetes persistent volume claims
- Difference between App Engine standard and flexible
- Cloud Pub/Sub
- Storage, DB
- Network: VPC peering
- App Engine flexible
- Billing accounts

## Exam review

**2.** A team of data scientists wants to run Python scripts in a managed Spark cluster. What GCP service would you recommend?

ANS: Cloud Dataproc

**Explanation:** Cloud Dataproc is a managed Hadoop and Spark service.

**3.** What is the order of the resource hierarchy components from the root of the hierarchy to the lowest level?

ANS: Organization, Folder, Project, Resource

**Explanation:** The root of the hierarchy is an organization, which can contain folders and projects. Folders can contain other folders and projects. Projects contain resources.

**6.** Software engineers are using Google Cloud for development and testing. They have noticed that the instances they use to run tests shut down without anyone explicitly shutting them down. None of the instances seem to run longer than 24 hours. What would be the first thing to check about the test instance configuration?

ANS: The instances are running as preemptible instances

**Explanation:** Preemptible machines run for up to 24 hours before they are shut down. Running Shielded VM instances would not make the instances shut down after at most 24 hours of runtime. An instance group's minimum and maximum number of instances would not account for the behavior described.

**9.** You enter the command `gcloud compute disks list` in Cloud Shell. What do you expect to see?
ANS: A list of disks defined in the project

**Explanation:** The command shows the disks in the project. It does not show disks attached to the Cloud Shell VM. `gsutil` is for working with Cloud Storage. There is no such thing as a default VM in GCP.

**10.** The term "identity" has a specific meaning in Google Cloud. What is it?

ANS: An identity represents an entity that can be granted privileges to perform actions in GCP

**Explanation:** An identity represents an entity, such as a person or a service account, that can be granted privileges by assigning roles to it. Identity types include Google accounts, Cloud Identity or G Suite accounts, Google groups, and service accounts.

**11.** During an audit review, your team of developers is informed that you cannot use a developer's credentials for automatically running systems management jobs during the night. The job needs to run using its own identity. What kind of identity would you create for running the systems management job?

ANS: Service account

**Explanation:** A service account is designed to grant VMs and applications roles that let them execute actions within GCP. Google accounts and Google groups are valid identity types, but they are designed for people, not VMs or applications. There is no such thing as a batch account.

**12.** As a consultant to a startup using Google Cloud, you have been asked to review the company's security policies in GCP. You discover that all users have been granted one of the three primitive roles. Predefined and custom roles are not used. What would you recommend?

ANS: Recommend using predefined roles instead, and grant only the roles users need for their jobs

**Explanation:** It is a best practice to use predefined roles. Predefined roles are designed to provide the permissions needed to perform common tasks, such as administering databases. Custom roles should only be used when predefined roles do not meet your requirements.
Primitive roles may be used in small teams where each member has broad responsibilities for administering GCP, but otherwise using primitive roles is not recommended.

**22.** A colleague asks for your help diagnosing a problem with some of their instance groups. It appears that when the overall workload decreases, the instance groups remove more instances than needed to meet the lower workload. What would you suggest your colleague do to correct this problem?

ANS: Increase the cool-down period to allow more time for an instance to finish initializing, so the autoscaler ignores those instances when making a scale-down decision

**Explanation:** During the cool-down period, the autoscaler does not take a VM's metrics into account when making scale-down decisions, so increasing this period gives instances more time to complete initialization and start taking on load. Increasing the minimum or decreasing the maximum number of instances will not stop thrashing. Changing the metric might avoid thrashing, but a metric that avoids thrashing may not be one that is useful for scaling decisions.

**27.** You need to assign a stable IP address as an endpoint for your application. Your application is running in Kubernetes Engine. What Kubernetes component would you use to ensure traffic is correctly routed to the pods running your application?

ANS: Service

**Explanation:** A Service provides a stable endpoint for clients to reach an application. The Service is responsible for maintaining information about the healthy pods that can accept traffic and process requests.

**28.** An unhealthy pod is shut down and replaced by Kubernetes Engine. The replacement pod has access to the data that was persisted by the unhealthy pod. What Kubernetes storage mechanism must have been used?
ANS: Persistent volume

**Explanation:** A persistent volume stores data independently of any specific pod, so if a pod fails, another pod can replace it and access the data on the persistent volume through a persistent volume claim. The other options are not actually Kubernetes components.

**35.** An application developer is debugging a problem with an app running in App Engine. The developer would like the instance running the application to be available at all times, even when there is no load on the application. What would you recommend?

ANS: Configure the application to use resident instances

**Explanation:** Resident instances run at all times regardless of the load on the application. Unmanaged instance groups are not used by App Engine, and changing the health check to always return a healthy status cannot be relied on, since the instance running the health check may itself be unhealthy and unable to return a value.

**40.** The finance director of your company is determined to reduce the cost of maintaining a data warehouse that is currently implemented in a commercial relational database. They want to use a managed service in Google Cloud and want the analysts to continue using their SQL tools. What would you recommend?

ANS: BigQuery

**Explanation:** BigQuery is an analytics database designed for data warehouse and analytics operations. It scales to petabyte-sized databases and uses SQL as its query language. Bigtable is a NoSQL wide-column database and is not suitable for relational data models queried with SQL. Cloud Datastore is a NoSQL document data store. Cloud Spanner does use SQL as a query language, but it is designed to horizontally scale relational transaction processing systems.

**42.** The legal department in your company has stored a large number of scanned documents. They continue to add scanned documents daily.
The lead attorney in the department has pointed out that after a scanned document is uploaded, it will likely be accessed in the first 30 days. It is not likely to be accessed after 60 days. You'd like to move scanned images that are older than 60 days to Coldline storage. How would you implement the process?

ANS: Implement an object lifecycle rule to move files to Coldline once their age reaches 60 days

**Explanation:** This use case is well suited to lifecycle management policies, because the object's storage class changes based on age. You could write a script for this task, but that would take longer to implement and would have to be maintained. Data retention rules are used to ensure files are not deleted before some period of time has passed.

**44.** A startup is migrating its archival storage from AWS to GCP. They have approximately 2 TB of data to transfer. What method would you recommend they use to transfer data from an AWS S3 bucket to a Google Cloud Storage bucket?

ANS: Cloud Storage Transfer Service

**Explanation:** Storage Transfer Service is the way to transfer data from AWS S3 to Cloud Storage. `gsutil` can be used for smaller transfers. Transfer Appliance is used to transfer data from on-premises to GCP. The `gcloud transfer` command group did not exist when this question was written; it now exists and drives the same Storage Transfer Service.

**45.** You have created a VPC choosing default configuration parameters. Subnets are created in which regions?

ANS: All regions

**Explanation:** The default (auto mode) VPC configuration creates a subnet in every region. Routes are defined between subnets, so subnets must be created first.

**48.** You would like to share resources across two projects. The projects are in different organizations. What networking mechanism would you use?

ANS: VPC Peering

**Explanation:** Both VPC Peering and Shared VPC make resources in one VPC available to resources in another VPC, but Shared VPC only works with projects in the same organization. Cloud Interconnect and VPN are used to link on-premises networks to GCP.
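Back to question 42 and the storage-class notes above: the cheap mistake with lifecycle rules is scheduling a transition or deletion before the current class's minimum storage duration (30 days for Nearline, 90 for Coldline) has elapsed, which is still billed in full. Here is the policy for that scenario generated and checked from the shell, as an added example that is not from the notes or any exam; the bucket name `legal-scans`, the file name and the optional Nearline and delete steps are assumptions, and the JSON layout is the one `gsutil lifecycle set` accepts.

```shell
#!/bin/sh
# Added example: generate and sanity-check a Cloud Storage lifecycle policy for
# the question 42 scenario (Standard -> Coldline at 60 days), optionally with a
# Nearline step and a final delete. 30 and 90 are the Nearline and Coldline
# minimum storage durations; bucket and file names are assumptions.
set -eu

NEARLINE_MIN_DAYS=30
COLDLINE_MIN_DAYS=90

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Reject schedules that would move or delete an object before its current
# class's minimum storage duration has elapsed: GCS bills the full minimum
# anyway ("early deletion"), so such a policy silently costs more, not less.
# Args: nearline_age (0 = no Nearline step) coldline_age delete_age (0 = keep forever)
check_schedule() {
  is_uint "$1" && is_uint "$2" && is_uint "$3" || { echo "ages must be non-negative integers" >&2; return 1; }
  if [ "$2" -le 0 ]; then
    echo "Coldline age must be positive" >&2; return 1
  fi
  if [ "$1" -gt 0 ] && [ $(( $2 - $1 )) -lt "$NEARLINE_MIN_DAYS" ]; then
    echo "Coldline step at $2 days is less than $NEARLINE_MIN_DAYS days after Nearline at $1" >&2
    return 1
  fi
  if [ "$3" -gt 0 ] && [ $(( $3 - $2 )) -lt "$COLDLINE_MIN_DAYS" ]; then
    echo "Delete at $3 days is less than $COLDLINE_MIN_DAYS days after Coldline at $2" >&2
    return 1
  fi
}

# Write the gsutil lifecycle JSON. matchesStorageClass keeps each rule from
# matching objects that are already in (or colder than) its target class.
write_policy() { # out_file nearline_age coldline_age delete_age
  check_schedule "$2" "$3" "$4" || return 1
  {
    printf '{\n  "rule": [\n'
    if [ "$2" -gt 0 ]; then
      printf '    {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},\n'
      printf '     "condition": {"age": %s, "matchesStorageClass": ["STANDARD"]}},\n' "$2"
    fi
    printf '    {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},\n'
    printf '     "condition": {"age": %s, "matchesStorageClass": ["STANDARD", "NEARLINE"]}}' "$3"
    if [ "$4" -gt 0 ]; then
      printf ',\n    {"action": {"type": "Delete"}, "condition": {"age": %s}}' "$4"
    fi
    printf '\n  ]\n}\n'
  } > "$1"
}

# Apply the policy with gsutil (printed instead of run when DRY_RUN=1).
apply_policy() { # bucket policy_file
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'gsutil lifecycle set %s gs://%s\n' "$2" "$1"
  else
    gsutil lifecycle set "$2" "gs://$1"
  fi
}

# Question 42 as written: Coldline at 60 days, no Nearline step, no deletion.
#   write_policy scans-lifecycle.json 0 60 0 && apply_policy legal-scans scans-lifecycle.json
# Cheaper variant that still fits the access pattern (accessed in the first
# 30 days, not after 60): Nearline at 30, Coldline at 60, delete after 7 years.
#   write_policy scans-lifecycle.json 30 60 2555 && apply_policy legal-scans scans-lifecycle.json
```

`check_schedule` is what a reviewer would otherwise have to do by hand: the Nearline-at-30/Coldline-at-60 variant passes only because the gap is exactly the 30-day Nearline minimum, while Nearline-at-30/Coldline-at-45 is rejected.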
**49.** A team of developers has created an e-commerce application that will run in multiple regions in North America, Asia and Europe. Customers will use HTTPS to securely connect to the application. What kind of load balancer would you recommend to distribute traffic?

ANS: HTTP(S)

**Explanation:** The HTTP(S) load balancer is a global load balancer for distributing HTTP and HTTPS traffic. Internal TCP/UDP and Network TCP/UDP load balancers are regional and can't route global traffic. SSL Proxy is a global load balancer, but it is used for non-HTTPS SSL/TLS traffic.

## GCP sample exam review

**1.** You are a project owner and need your co-worker to deploy a new version of your application to App Engine. You want to follow Google's recommended practices. Which IAM role should you grant your co-worker?

- A. Project Editor
- B. App Engine Service Admin
- C. App Engine Deployer
- D. App Engine Code Viewer

ANS: C

- A is not correct because this access is too wide, and Google recommends least privilege. Google also recommends predefined roles over primitive roles like Project Editor.
- B is not correct because although it gives write access to module-level and version-level settings, users cannot deploy a new version.
- C is correct because this gives write access only to create a new version.
- D is not correct because this is read-only access.

**2.** You have a project using BigQuery. You want to list all BigQuery jobs for that project. You want to set this project as the default for the `bq` command-line tool. What should you do?

- A. Use `gcloud config set project` to set the default project.
- B. Use `bq config set project` to set the default project.
- C. Use `gcloud generate config-url` to generate a URL to the Google Cloud Platform Console to set the default project.
- D. Use `bq generate config-url` to generate a URL to the Google Cloud Platform Console to set the default project.

ANS: A

- A is correct because you use gcloud to manage the configuration defaults.
- B is not correct because the `bq` command-line tool uses the gcloud configuration settings; the default cannot be set through `bq`.
- C is not correct because this command does not exist and will produce an error.
- D is not correct because this command does not exist and will produce an error.

**3.** You developed a new application for App Engine and are ready to deploy it to production. You need to estimate the costs of running your application on Google Cloud Platform as accurately as possible. What should you do?

- A. Create a YAML file with the expected usage. Pass this file to the `gcloud app estimate` command to get an accurate estimation.
- B. Multiply the costs of your application when it was in development by the number of expected users to get an accurate estimation.
- C. Use the pricing calculator for App Engine to get an accurate estimation of the expected charges.
- D. Create a ticket with Google Cloud Billing Support to get an accurate estimation.

ANS: C

- A is not correct because that command does not exist; it produces an error, not an estimate.
- B is not correct because this does not result in an accurate estimation.
- C is correct because this is the proper way to estimate charges.
- D is not correct because billing support helps you set up billing and understand invoices, not make estimations.

**4.** You have a Kubernetes cluster with 1 node pool. The cluster receives a lot of traffic and needs to grow. You decide to add a node. What should you do?

- A. Use `gcloud container clusters resize` with the desired number of nodes.
- B. Use `kubectl container clusters resize` with the desired number of nodes.
- C. Edit the managed instance group of the cluster and increase the number of VMs by 1.
- D. Edit the managed instance group of the cluster and enable autoscaling.

ANS: A

- A is correct because this resizes the cluster to the desired number of nodes.
- B is not correct because you need to use gcloud, not kubectl.
- C is not correct because you should not manually manage the MIG behind a cluster.
- D is not correct because you should not manually manage the MIG behind a cluster.

**5.** You have created a Kubernetes deployment, called Deployment-A, with 3 replicas on your cluster. Another deployment, called Deployment-B, needs access to Deployment-A. You cannot expose Deployment-A outside of the cluster. What should you do?

- A. Create a Service of type NodePort for Deployment A and an Ingress resource for that Service. Have Deployment B use the Ingress IP address.
- B. Create a Service of type LoadBalancer for Deployment A. Have Deployment B use the Service IP address.
- C. Create a Service of type LoadBalancer for Deployment A and an Ingress resource for that Service. Have Deployment B use the Ingress IP address.
- D. Create a Service of type ClusterIP for Deployment A. Have Deployment B use the Service IP address.

ANS: D

- A is not correct because this exposes Deployment A over the public internet.
- B is not correct because a LoadBalancer Service is exposed publicly.
- C is not correct because this exposes the service externally using the cloud provider's load balancer, and a GKE Ingress is backed by NodePort Services by default, not ClusterIP.
- D is correct because this exposes the service on a cluster-internal IP address, which makes it reachable only from within the cluster.

**6.** You want to find out who in your organization has Owner access to a project called "my-project". What should you do?

- A. In the Google Cloud Platform Console, go to the IAM page for your organization and apply the filter "Role:Owner".
- B. In the Google Cloud Platform Console, go to the IAM page for your project and apply the filter "Role:Owner".
- C. Use `gcloud iam list-grantable-roles --project my-project` from your terminal.
- D. Use `gcloud iam list-grantable-roles` from Cloud Shell on the project page.
ANS: B

- A is not correct because it gives the org-wide owners, but you are interested in the project owners, which could be different.
- B is correct because this shows you the owners of the project.
- C is not correct because this command lists the roles that can be granted on a resource; it does not return who holds a specific role.
- D is not correct for the same reason.

# GCP practice exam

## Exam 1

**Question 1:** Your company uses Google Cloud for all its compute workloads. One of the applications that you developed has passed unit testing, and you want to use Jenkins to deploy the application in the User Acceptance Testing (UAT) environment. Your manager has asked you to automate the Jenkins installation as quickly and efficiently as possible. What should you do?

ANS: Use GCP Marketplace to provision Jenkins

**Explanation**

- Deploy Jenkins on a Google Compute Engine VM: not right. While this can be done, it involves a lot more work than installing the Jenkins server through GCP Marketplace.
- Deploy Jenkins on a GKE cluster: not right, for the same reason.
- Deploy Jenkins on a fleet of Compute Engine VMs in a managed instance group (MIG) with autoscaling: not right. Like the options above, this can be done, but it involves a lot more work than installing Jenkins through GCP Marketplace.
- Use GCP Marketplace to provision Jenkins: the right answer. The simplest way to launch a Jenkins server is from GCP Marketplace, which has several builds available for Jenkins: https://console.cloud.google.com/marketplace/browse?q=jenkins. Spin up an instance from a suitable Marketplace build and you have a Jenkins server in a few minutes with just a few clicks.
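Exam-review question 12 (replace primitive roles) and sample-exam question 6 (who holds Owner) above both come down to reading a project's IAM policy. As an added example, not from the notes or any exam, here is a small audit over that policy from the shell. It assumes the policy has been exported with the `gcloud projects get-iam-policy` pipeline in the comments (one `ROLE<TAB>MEMBER` line per binding), and the sample bindings in `SAMPLE_POLICY` are constructed, not from a real project.

```shell
#!/bin/sh
# Added example: audit a project's IAM policy for primitive (basic) roles and
# for public members. Input is "ROLE<TAB>MEMBER" lines, which is what this
# gcloud pipeline prints for a real project:
#   gcloud projects get-iam-policy PROJECT \
#     --flatten="bindings[].members" --format="value(bindings.role,bindings.members)"
set -eu

# Constructed sample policy (assumed names), one binding per line.
SAMPLE_POLICY=$(printf '%s\t%s\n' \
  roles/owner user:alice@example.com \
  roles/owner serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com \
  roles/editor user:intern@example.com \
  roles/viewer group:analysts@example.com \
  roles/appengine.deployer user:bob@example.com \
  roles/compute.instanceAdmin.v1 user:intern@example.com \
  roles/storage.objectViewer allUsers \
  roles/run.invoker allAuthenticatedUsers)

# Print "ROLE MEMBER" for every binding of a primitive role: the grants that
# exam-review question 12 says to replace with predefined roles.
primitive_role_grants() {
  awk -F'\t' '$1 == "roles/owner" || $1 == "roles/editor" || $1 == "roles/viewer" { print $1, $2 }'
}

# Print every binding whose member is a public principal. Whatever the role,
# allUsers means anyone on the internet and allAuthenticatedUsers means any
# Google account holder, so these need a deliberate justification.
public_grants() {
  awk -F'\t' '$2 == "allUsers" || $2 == "allAuthenticatedUsers" { print $1, $2 }'
}

# Who holds Owner (sample-exam question 6), one member per line.
owners() {
  awk -F'\t' '$1 == "roles/owner" { print $2 }'
}

# Read the policy on stdin, report findings, and exit 1 when anything was
# flagged so the audit can gate a pipeline.
audit_policy() {
  policy=$(cat)
  flagged=0
  prim=$(printf '%s\n' "$policy" | primitive_role_grants)
  pub=$(printf '%s\n' "$policy" | public_grants)
  if [ -n "$prim" ]; then printf 'primitive role grants:\n%s\n' "$prim"; flagged=1; fi
  if [ -n "$pub" ]; then printf 'public grants:\n%s\n' "$pub"; flagged=1; fi
  return "$flagged"
}

# Usage against the constructed sample (swap in the gcloud pipeline above for a
# real project):
#   printf '%s\n' "$SAMPLE_POLICY" | audit_policy
```

On the sample the audit flags four primitive-role bindings and two public grants; the two Owners are a person and a CI service account, and the intern from practice-exam question 2 below shows up twice because an Editor grant was left in place next to the narrower Instance Admin role.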
**Question 2:** An intern joined your team recently and needs access to Google Compute Engine in your sandbox project to explore various settings and spin up compute instances to test features. You have been asked to facilitate this. How should you give your intern access to Compute Engine without giving more permissions than necessary?

ANS: Grant the Compute Engine Instance Admin role on the sandbox project.

**Explanation**

- Create a Shared VPC to give the intern access to Compute resources: not right. A Shared VPC does not grant the intern any access to compute resources. Shared VPCs are used by organizations to connect resources from multiple projects to a common VPC network so that they can communicate securely and efficiently using internal IPs from that network. Ref: https://cloud.google.com/vpc/docs/shared-vpc
- Grant the Project Editor IAM role on the sandbox project: not right. The Project Editor role grants all viewer permissions plus permissions for actions that modify state, such as changing existing resources. While this lets the intern explore Compute Engine settings and spin up instances, it grants far more than needed: the intern can modify any resource in the project. Ref: https://cloud.google.com/iam/docs/understanding-roles#primitive_roles
- Grant the Compute Engine Admin role on the sandbox project: not right. The Compute Engine Admin role grants full control of all Compute Engine resources, including networks, load balancing, service accounts, etc. While this lets the intern explore Compute Engine settings and spin up instances, it grants more permissions than needed. Ref: https://cloud.google.com/compute/docs/access/iam#compute.storageAdmin
- Grant the Compute Engine Instance Admin role on the sandbox project: the right answer. The Compute Engine Instance Admin role grants full control of Compute Engine instances, instance groups, disks, snapshots and images.
  It also provides read access to all Compute Engine networking resources. This gives the intern just the required permissions.

**Question 3:** An engineer from your team accidentally deployed several new versions of a Node.js application on Google App Engine Standard. You are concerned the new versions are serving traffic. You have been asked to produce a list of all the versions of the application that are receiving traffic, as well as the percentage traffic split between them. What should you do?

ANS: `gcloud app versions list --hide-no-traffic`

**Explanation**

- `gcloud app versions list`: not right. This command lists all versions of all services currently deployed to App Engine. While the list includes every version that is receiving traffic, it also includes versions that are not. Ref: https://cloud.google.com/sdk/gcloud/reference/app/versions/list
- `gcloud app versions list --traffic`: not right. `gcloud app versions list` does not support a `--traffic` flag. Ref: https://cloud.google.com/sdk/gcloud/reference/app/versions/list
- `gcloud app versions list --show-traffic`: not right. `gcloud app versions list` does not support a `--show-traffic` flag. Ref: https://cloud.google.com/sdk/gcloud/reference/app/versions/list
- `gcloud app versions list --hide-no-traffic`: the right answer. This lists just the versions that are receiving traffic by hiding versions that receive none, and the output includes each version's traffic split. It is the only option that fits the requirements. Ref: https://cloud.google.com/sdk/gcloud/reference/app/versions/list

**Question 8:** You are migrating your on-premises workloads to a GCP VPC, and you want to use Compute Engine virtual machines. You want to separate the Finance team VMs and the Procurement team VMs into separate subnets. You need all VMs to communicate with each other over their internal IP addresses without adding routes. What should you do?
ANS: Use Deployment Manager to create a new VPC with 2 subnets in 2 different regions. Ensure the subnets use non-overlapping IP range. **Explanation** Use Deployment Manager to create two VPCs, each with a subnet in a different region. Ensure the subnets use non-overlapping IP range. is not right. We need to get our requirements working with 1 VPC, not 2 !! Use Deployment Manager to create two VPCs, each with a subnet in the same region. Ensure the subnets use overlapping IP range. is not right. We need to get our requirements working with 1 VPC, not 2 !! Use Deployment Manager to create a new VPC with 2 subnets in the same region. Ensure the subnets use the same IP range. is not right. We can not create two subnets in one VPC with the same CIDR range. "Primary and secondary ranges for subnets cannot overlap with any allocated range, any primary or secondary range of another subnet in the same network, or any IP ranges of subnets in peered networks." Ref: https://cloud.google.com/vpc/docs/using-vpc#subnet-rules Use Deployment Manager to create a new VPC with 2 subnets in 2 different regions. Ensure the subnets use non-overlapping IP range. is the right answer. When we create subnets in the same VPC with different CIDR ranges, they can communicate automatically within VPC. "Resources within a VPC network can communicate with one another by using internal (private) IPv4 addresses, subject to applicable network firewall rules." Ref: https://cloud.google.com/vpc/docs/vpc **Question 10:** Your company recently acquired a startup that lets its developers pay for their projects using their company credit cards. You want to consolidate the billing of all GCP projects into a new billing account. You want to follow Google recommended practices. How should you do this? ANS: In the GCP Console, move all projects to the root organization in the Resource Manager. 
**Explanation** Send an email to billing.support@cloud.google.com and request them to create a new billing account and link all the projects to the billing account. is not right. That is not how we set up billing for the organization. Ref: https://cloud.google.com/billing/docs/concepts Raise a support request with Google Billing Support and request them to create a new billing account and link all the projects to the billing account. is not right. That is not how we set up billing for the organization. Ref: https://cloud.google.com/billing/docs/concepts Ensure you have the Billing Account Creator Role. Create a new Billing account yourself and set up a payment method with company credit card details. is not right. Unless all projects are modified to use the new billing account, this doesn't work. Ref: https://cloud.google.com/billing/docs/concepts In the GCP Console, move all projects to the root organization in the Resource Manager. is the right answer. If we move all projects under the root organization hierarchy, they still need to modify to use a billing account within the organization (same as the previous option). Ref: https://cloud.google.com/resource-manager/docs/migrating-projects-billing#top_of_page Note: The link between projects and billing accounts is preserved, irrespective of the hierarchy. When you move your existing projects into the organization, they will continue to work and be billed as they used to before the migration, even if the corresponding billing account has not been migrated yet. But in this option, all projects are in the organization resource hierarchy so the organization can uniformly apply organization policies to all its projects which is a Google recommended practice. So this is the better of the two options. Ref: https://cloud.google.com/billing/docs/concepts ![](https://i.imgur.com/VFfNGUb.png) **Question 17:** Your team is responsible for the migration of all legacy on-premises applications to Google Cloud. 
Your team is a big admirer of serverless and has chosen App Engine Standard as the preferred choice for compute workloads. Your manager asked you to migrate a legacy accounting application built in C++, but you realized App Engine Standard doesn’t support C++. What GCP compute services should you use instead to maintain the serverless aspect? (Choose two answers) ANS: 1. Deploy the containerized version of the application in Cloud Run. 2. Deploy the containerized version of the application in Cloud Run on GKE. **Explanation** App engine standard currently supports Python, Java, Node.js, PHP, Ruby and Go. Ref: https://cloud.google.com/appengine/docs/standard/ The question already states App Engine doesn’t support C#. We are required to ensure we maintain the serverless aspect of our application. Convert the application into a set of functions and deploy them in Google Cloud Functions. is not right. Cloud Functions is a serverless platform where you can run the code in the cloud without having to provision servers. You split your application functionality into multiple functions, and each of these is defined as a cloud function. Cloud Functions don’t support C#. Supported runtimes are Python, Node.js and Go. Ref: https://cloud.google.com/functions Deploy the containerized version of the application in App Engine Flex. is not right. While App Engine flexible lets us customize runtimes or provide our runtime by supplying a custom Docker image or Dockerfile from the open-source community, it uses compute engine virtual machines, so it is not serverless. Ref: https://cloud.google.com/appengine/docs/flexible/ Deploy the containerized version of the application in Google Kubernetes Engine (GKE). is not right. GKE, i.e. Google Kubernetes Clusters uses compute engine virtual machines, so it is not serverless. Ref: https://cloud.google.com/kubernetes-engine Deploy the containerized version of the application in Cloud Run. is the right answer. 
Cloud Run is a fully managed compute platform that automatically scales your stateless containers. Cloud Run is serverless: it abstracts away all infrastructure management, so you can focus on what matters most—building great applications. Run your containers in fully managed Cloud Run or on Anthos, which supports both Google Cloud and on‐premises environments. Cloud Run is built upon an open standard, Knative, enabling the portability of your applications. Ref: https://cloud.google.com/run Deploy the containerized version of the application in Cloud Run on GKE. is the right answer. Cloud Run implements the Knative serving API, an open-source project to run serverless workloads on top of Kubernetes. That means you can deploy Cloud Run services anywhere Kubernetes runs. And suppose you need more control over your services (like access to GPU or more memory). In that case, you can also deploy these serverless containers in your GKE cluster instead of using the fully managed environment. When using the fully managed environment, Cloud Run on GKE is serverless. Ref: https://github.com/knative/serving/blob/master/docs/spec/spec.md Ref: https://cloud.google.com/blog/products/serverless/cloud-run-bringing-serverless-to-containers **Question 24:** You are exploring the possibility of migrating a mission-critical application from your on-premises data centre to Google Cloud Platform. You want to host this on a GKE cluster with autoscaling enabled, and you need to ensure each node can run a pod to push the application logs to a third-party logging platform. How should you deploy the pod ANS: Deploy the logging pod in a DaemonSet Kubernetes object. **Explanation** In GKE, DaemonSets manage groups of replicated Pods and adhere to a one-Pod-per-node model, either across the entire cluster or a subset of nodes. As you add nodes to a node pool, DaemonSets automatically add Pods to the new nodes as needed. So, this is a perfect fit for our monitoring pod. 
https://cloud.google.com/kubernetes-engine/docs/concepts/daemonset DaemonSets are useful for deploying ongoing background tasks that you need to run on all or certain nodes, and which do not require user intervention. Examples of such tasks include storage daemons like ceph, log collection daemons like fluentd, and node monitoring daemons like collectd. For example, you could have DaemonSets for each type of daemon run on all of your nodes. Alternatively, you could run multiple DaemonSets for a single type of daemon, but have them use different configurations for different hardware types and resource needs. **Question 25:** You want to migrate an application from Google App Engine Standard to Google App Engine Flex. Your application is currently serving live traffic and you want to ensure everything is working in Google App Engine Flex before migrating all traffic. You want to minimize effort and ensure the availability of service. What should you do? ANS: ``` 1. Set env: flex in app.yaml 2. gcloud app deploy --no-promote --version=[NEW_VERSION] 3. Validate [NEW_VERSION] in App Engine Flex 4. gcloud app versions migrate [NEW_VERSION] ``` **Question 30:** Your production Compute workloads are running in a subnet with a range 192.168.20.128/25. A recent surge in traffic has seen the production VMs struggle, and you want to add more VMs, but all IP addresses in the subnet are in use. All new and old VMs need to communicate with each other. How can you do this with the fewest steps? ANS: Update the subnet range to 192.168.20.0/24. **Explanation** Since there are no private IP addresses available in the subnet, the most appropriate action is to expand the subnet. Expanding the range to 192.168.21.0/24 gives you 128 additional IP addresses. You could you gcloud compute networks subnets expand-ip-range to expand a subnet. 
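The two subnet rules above can be checked before any `gcloud` command is run: Question 8 requires that primary ranges in one VPC never overlap, and Question 30 requires that an expansion is a strict superset of the old range (a subnet can only grow). The following Python script is an added example written for these notes, not code from Google or from the original page. The subnet names and ranges in it are constructed sample data; the four-addresses-per-range reservation is Google's documented rule for primary subnet ranges.

```python
"""Pre-flight checks for VPC subnet planning (added example, not from the page).

Rules exercised:
  * primary ranges of subnets in one VPC must not overlap (Question 8);
  * `expand-ip-range` may only grow a subnet, and the new range must
    contain the old one (Question 30).
Google reserves four addresses in every primary range: the network
address, the default gateway (second address), the second-to-last and the
broadcast address. Usable capacity is therefore size - 4.
"""
import ipaddress

RESERVED_PER_PRIMARY_RANGE = 4


def usable_addresses(cidr: str) -> int:
    """VM-assignable addresses in a primary subnet range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - RESERVED_PER_PRIMARY_RANGE


def find_overlaps(subnets: dict) -> list:
    """Return sorted (name_a, name_b) pairs whose primary ranges overlap.

    `subnets` maps subnet name -> CIDR. The API rejects overlapping ranges
    inside one network, so catching this locally avoids a failed
    Deployment Manager deployment.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=True)
              for name, cidr in subnets.items()}
    names = sorted(parsed)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                overlaps.append((a, b))
    return overlaps


def validate_expansion(old_cidr: str, new_cidr: str) -> tuple:
    """Check a proposed expansion; return (ok, reason_or_addresses_gained).

    The new range must have a shorter prefix and must contain the old
    range. A shrink, a sideways move to a neighbouring block, or a range
    that merely touches the old one is not an expansion.
    """
    old = ipaddress.ip_network(old_cidr, strict=True)
    new = ipaddress.ip_network(new_cidr, strict=True)
    if new.prefixlen >= old.prefixlen:
        return False, "new range must have a shorter prefix (subnets can only grow)"
    if not old.subnet_of(new):
        return False, "new range does not contain the existing range"
    return True, new.num_addresses - old.num_addresses


# Constructed sample: the Finance / Procurement layout from Question 8.
PLANNED_SUBNETS = {
    "finance-us-central1": "10.10.0.0/24",
    "procurement-europe-west1": "10.10.1.0/24",
}

if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLANNED_SUBNETS))
    for candidate in ("192.168.20.0/24", "192.168.21.0/24"):
        print(candidate, validate_expansion("192.168.20.128/25", candidate))
    print("usable after expansion:", usable_addresses("192.168.20.0/24"))
```

Running it shows that 192.168.20.0/24 is accepted with 128 addresses gained while 192.168.21.0/24 is rejected because it does not contain the existing range. Note that usable capacity also rises by exactly 128 (from 124 to 252), because the four reserved addresses are counted per range, not per expansion.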
**Question 37:** Your compliance team requested that all audit logs are stored for 10 years and that external auditors can view them. You want to follow Google recommended practices. What should you do? (Choose two)

ANS:
1. Export audit logs to Cloud Storage via an export sink.
2. Generate a signed URL to the Stackdriver export destination for auditors to access.

**Explanation**

*Export audit logs to Cloud Storage via an export sink.* The right answer. Among the storage solutions offered by Google Cloud Platform, Cloud Storage offers the best pricing for long-term retention of logs. It has storage classes such as Nearline ($0.01 per GB per month), Coldline ($0.007 per GB per month) and Archive ($0.004 per GB per month) at the time of writing, all significantly cheaper than the storage options in the other choices.
Ref: https://cloud.google.com/storage/pricing

*Generate a signed URL to the Stackdriver export destination for auditors to access.* The right answer. In Cloud Storage you can generate a signed URL that grants limited permission for a limited time: anyone who possesses it can perform the specified action, such as reading an object, within the specified period. So we do not need to create accounts for the auditors; we generate time-bound signed URLs that let them access or download the log files.
Ref: https://cloud.google.com/storage/docs/access-control/signed-urls

Caveats: a signed URL is a bearer credential, so anyone who obtains it can read the object until it expires; send it over a protected channel and keep the expiry short. V4 signed URLs can be valid for at most 7 days, so they are generated per audit engagement rather than once. For a 10-year retention requirement, also put a retention policy on the log bucket and lock it (Bucket Lock) so that a compromised or careless administrator cannot delete the logs or shorten the retention period.

**Question 38:** You run a batch job every month in your on-premises data centre that downloads clickstream logs from a Google Cloud Storage bucket, enriches the data and stores it in Cloud Bigtable. The job runs for 32 hours on average, is fault-tolerant and can be restarted if interrupted, and must complete. You want to migrate this batch job onto a cost-efficient GCP compute service. How should you deploy it?

ANS: Deploy the batch job in a GKE cluster with a preemptible VM node pool.

**Explanation**

*Deploy the batch job on a Google Cloud Compute Engine preemptible VM.* Not right. A preemptible VM is an instance that you can create and run at a much lower price than regular instances, but Compute Engine might terminate (preempt) it if it needs the resources for other tasks, and it lasts at most 24 hours. Preemptible instances are excess Compute Engine capacity, so their availability varies with usage. Since our 32-hour job must be restarted when interrupted and must complete, a single preemptible VM with nothing to restart the job is not sufficient.
Ref: https://cloud.google.com/compute/docs/instances/preemptible#what_is_a_preemptible_instance

*Deploy the batch job on a Google Cloud Compute Engine non-preemptible VM. Restart instances as required.* Not right. Stopping and starting instances as needed is a manual activity and incurs operational expenditure, and a standard VM costs more. Since we want to minimize cost, we should not do this.

*Deploy the batch job on a fleet of Google Cloud Compute Engine preemptible VMs in a Managed Instance Group (MIG) with autoscaling.* Not right. The requirement is a single batch job that runs to completion, not a load that needs scaling on target CPU utilization, so an autoscaled MIG does not fit.

*Deploy the batch job in a GKE cluster with a preemptible VM node pool.* The right answer. Preemptible VMs are Compute Engine VM instances that last a maximum of 24 hours and provide no availability guarantees. They are priced lower than standard Compute Engine VMs and offer the same machine types and options. You can use preemptible VMs in your GKE clusters or node pools to run batch or fault-tolerant jobs that are less sensitive to the ephemeral, non-guaranteed nature of preemptible VMs, and Kubernetes reschedules the job's pod onto another node when a node is reclaimed.
Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/preemptible-vms

The linked blog post notes that when a cluster has both a preemptible and a standard node pool, the cluster autoscaler prefers to scale up the cheaper preemptible pool and only scales up the standard pool when no preemptible VMs are available. GKE now also offers Spot VMs, which carry no 24-hour maximum runtime but can still be preempted at any time.
Ref: https://cloud.google.com/blog/products/containers-kubernetes/cutting-costs-with-google-kubernetes-engine-using-the-cluster-autoscaler-and-preemptible-vms

**Question 41:** You created a Kubernetes deployment by running `kubectl run nginx --image=nginx --replicas=1`. After a few days, you decided you no longer want this deployment. You identified the pod and deleted it by running `kubectl delete pod`. You noticed the pod got recreated.

```
$ kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
nginx-84748895c4-nqqmt   1/1     Running   0          9m41s

$ kubectl delete pod nginx-84748895c4-nqqmt
pod "nginx-84748895c4-nqqmt" deleted

$ kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
nginx-84748895c4-k6bzl   1/1     Running   0          25s
```

ANS: `kubectl delete deployment nginx`

**Explanation**

This command correctly deletes the Deployment. Pods are managed by Kubernetes workloads: the Deployment owns a ReplicaSet (the `84748895c4` hash in the pod name), and the ReplicaSet detects that a pod has gone and brings up another to maintain the replica count. The way to remove the workload is to delete the Deployment itself, which cascades to its ReplicaSet and pods.

```
$ kubectl delete deployment nginx
deployment.apps "nginx" deleted
```
Ref: https://kubernetes.io/docs/reference/kubectl/cheatsheet/#deleting-resources

Caveat: since kubectl 1.18, `kubectl run` creates a bare Pod and no longer accepts `--replicas`; a bare Pod stays deleted. To reproduce the behaviour above on a current cluster, create the workload with `kubectl create deployment nginx --image=nginx`.

**Question 50:** Your company wants to migrate all compute workloads from the on-premises data centre to Google Cloud Compute Engine. A third-party team provides operational support for your production applications outside business hours. Everyone at your company has a G Suite account, but the support team does not. How should you grant them access to the VMs?

ANS: Use Cloud Identity-Aware Proxy (IAP) to enable SSH tunnels to the VMs and add the third-party team as tunnel users.

**Explanation**

This is the preferred approach given that the operations partner is outside your G Suite domain. IAP lets you:

- Control access to your cloud-based and on-premises applications and VMs running on Google Cloud
- Verify user identity and use context to determine whether a user should be granted access
- Work from untrusted networks without the use of a VPN
- Implement a zero-trust access model

To set up SSH tunnels using IAP, see: https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_ssh_connections

Checks: IAP still authorizes through IAM, so the partner's engineers need Google identities (their own Google accounts or free Cloud Identity accounts) that you grant `roles/iap.tunnelResourceAccessor` on the VMs. What IAP removes is the need for public IP addresses, a VPN or shared SSH keys. The VMs' firewall must allow ingress on TCP port 22 from IAP's range `35.235.240.0/20`, and the partner connects with `gcloud compute ssh [VM] --tunnel-through-iap`.

## Exam 2

**Question 1:** Your company has multiple GCP projects in several regions, and your operations team has created numerous gcloud configurations for the most common operational needs. They have asked for your help to retrieve an inactive gcloud configuration and the GKE clusters that use it, using the least number of steps. What command should you execute to retrieve this information?

ANS: Execute `kubectl config get-contexts`.

**Explanation**

`kubectl config get-contexts` displays the contexts in your kubeconfig along with the cluster each one uses; the `*` marks the active context, so every other row is an inactive one. Contexts of the form `gke_PROJECT_LOCATION_CLUSTER` are the ones `gcloud container clusters get-credentials` writes. Here is a sample (the real output also has AUTHINFO and NAMESPACE columns):

```
$ kubectl config get-contexts
CURRENT   NAME                                                       CLUSTER
          gke_kubernetes-260922_us-central1-a_standard-cluster-1     gke_kubernetes-260922_us-central1-a_standard-cluster-1
          gke_kubernetes-260922_us-central1-a_your-first-cluster-1   gke_kubernetes-260922_us-central1-a_your-first-cluster-1
*         gke_kubernetes-260922_us-central1_standard-cluster-1       gke_kubernetes-260922_us-central1_standard-cluster-1
```

**Question 2:** Your company is planning to migrate all Java web applications to Google App Engine. However, you still want to continue using your on-premises database. How can you set up App Engine to communicate with your on-premises database while minimizing effort?

ANS: Set up the application in the App Engine Flexible environment with Cloud VPN to connect to the on-premises database.

**Explanation**

*Set up the application in the App Engine Standard environment with Cloud Router to connect to the on-premises database.* Not right. Cloud Router by itself does not connect a VPC to an on-premises network. It dynamically exchanges routes between your VPC and on-premises networks using Border Gateway Protocol (BGP) over an existing Cloud VPN or Interconnect connection.
Ref: https://cloud.google.com/router

*Set up the application in the App Engine Flexible environment with Cloud Router to connect to the on-premises database.* Not right, for the same reason: Cloud Router alone provides no connectivity.
Ref: https://cloud.google.com/router

*Set up the application in the App Engine Standard environment with Cloud VPN to connect to the on-premises database.* Not right. App Engine Standard instances do not live in your VPC, so they cannot use Cloud VPN tunnels directly. To get App Engine Standard to work with Cloud VPN, you first have to connect it to the VPC with a Serverless VPC Access connector and then update the app to use that connector, which is extra effort.
Ref: https://cloud.google.com/vpc/docs/configure-serverless-vpc-access
Ref: https://cloud.google.com/appengine/docs/standard/python/connecting-vpc

*Set up the application in the App Engine Flexible environment with Cloud VPN to connect to the on-premises database.* The right answer. Cloud VPN is what connects a VPC to an on-premises network, and App Engine Flexible instances are Compute Engine VMs inside a VPC subnet, so they can reach the on-premises database over the VPN with no additional connector.
Ref: https://cloud.google.com/vpn/docs/concepts/overview
**Question 7:** You deployed an application on a general-purpose Google Cloud Compute Engine instance that uses a zonal persistent SSD of 300 GB. The application downloads large Apache Avro files from Cloud Storage, retrieves customer details from them and saves a text file on local disk for each customer before pushing all the text files to a Cloud Storage bucket. These operations require high disk I/O, but you find that the read and write operations on the disk are always throttled. What should you do to improve the throughput while keeping costs to a minimum?

ANS: Replace the zonal persistent SSD with a Local SSD.

**Explanation**

*Replace the zonal persistent SSD with a regional persistent SSD.* Not right. A regional disk replicates every write synchronously to a second zone and has lower per-disk limits than its zonal equivalent, so migrating to one would make things worse. For comparison, at the time of writing the read IOPS limit for a zonal standard persistent disk was 7,500 against 3,000 for a regional standard persistent disk.
Ref: https://cloud.google.com/compute/docs/disks/performance

*Bump up the size of the SSD persistent disk to 1 TB.* Not right. The performance of SSD persistent disks does scale with disk size, but there is no guarantee that a 1 TB disk raises throughput here, because disk performance is also capped by the number of vCPUs on the VM. For example, consider a 1,000 GB SSD persistent disk attached to an N2 instance with 4 vCPUs: the read limit based solely on disk size is 30,000 IOPS, but because the instance has only 4 vCPUs the read limit is restricted to 15,000 IOPS.
Ref: https://cloud.google.com/compute/docs/disks/performance#cpu_count_size
Ref: https://cloud.google.com/compute/docs/disks/performance#ssd_persistent_disk_performance_by_disk_size
Ref: https://cloud.google.com/compute/docs/disks/performance#machine-type-disk-limits

*Bump up the CPU allocated to the general-purpose Compute Engine instance.* Not right. Machine types are grouped and curated for different workloads, and each is subject to specific persistent disk limits per vCPU, so adding vCPUs raises the read IOPS ceiling. But there is no guarantee that more CPU raises throughput here either, because performance may instead be limited by disk size. For example, a 1,000 GB SSD persistent disk on an N2 instance with 48 vCPUs has a read limit of 60,000 IOPS based on vCPU count alone, but because the disk is 1,000 GB the read limit is restricted to 30,000 IOPS.
Ref: https://cloud.google.com/compute/docs/disks/performance#machine-type-disk-limits
Ref: https://cloud.google.com/compute/docs/disks/performance#ssd_persistent_disk_performance_by_disk_size

*Replace the zonal persistent SSD with a Local SSD.* The right answer. Local SSDs are physically attached to the server that hosts your VM instance and have higher throughput and lower latency than standard or SSD persistent disks. The performance gain comes with trade-offs in availability, durability and flexibility: Local SSD storage is not replicated, and all data on it may be lost if the instance terminates for any reason. That is acceptable for this workload, which uses the disk as scratch space and keeps its durable copies in Cloud Storage.
Ref: https://cloud.google.com/compute/docs/disks#localssds
Ref: https://cloud.google.com/compute/docs/disks/performance#type_comparison

**Question 15:** Your company's compute workloads are split between the on-premises data centre and Google Cloud Platform. The on-premises data centre is connected to the Google Cloud network by Cloud VPN. You have a requirement to provision a new non-publicly-reachable Compute Engine instance on a c2-standard-8 machine type in the australia-southeast1-b zone. What should you do?

ANS: Provision the instance without a public IP address.
**Explanation**

*Provision the instance in a subnet that has Private Google Access enabled.* Not right. Private Google Access lets VM instances that have only internal IP addresses reach the external IP addresses of Google APIs and services. It has no effect on whether an instance with a public IP is reachable from the internet.
Ref: https://cloud.google.com/vpc/docs/private-access-options#pga

*Provision the instance in a subnetwork that has all egress traffic disabled.* Not right. An egress firewall rule stops traffic leaving the VPC network; it does not stop traffic coming in. If the instance has a public IP address it remains publicly reachable despite a deny-all egress rule.

*Configure a route to route all traffic to the public IP of the Compute Engine instance through the VPN tunnel.* Not right. VPC routes govern where traffic leaving your instances goes; they cannot make an instance's external IP unreachable from the internet, because inbound traffic to an external IP arrives through Google's edge regardless of your routing table.
Ref: https://cloud.google.com/vpc/docs/routes

*Provision the instance without a public IP address.* The right answer. Public IP addresses are internet-routable; internal addresses such as RFC 1918 addresses are not. Creating the instance with no external IP (`gcloud compute instances create ... --no-address`) ensures that no internet traffic can reach it, while the on-premises data centre can still reach its internal IP over the Cloud VPN. To make this the default rather than a per-instance decision, enforce the organization policy constraint `constraints/compute.vmExternalIpAccess` on the project.
Ref: https://cloud.google.com/vpc/docs/ip-addresses

**Question 20:** Your team is working towards using desired-state configuration for your application deployed on the GKE cluster. You have YAML files for the Kubernetes Deployment and Service objects. Your application is designed to have 2 pods, which is defined by the `replicas` parameter in app-deployment.yaml. Your service uses a GKE load balancer which is defined in app-service.yaml. You need to scale the application to 5 pods. What should you do?

ANS: Edit the number of replicas in the YAML file and rerun `kubectl apply -f app-deployment.yaml`.

**Explanation**

*Disregard the YAML file. Use the kubectl scale command to scale the replicas to 5: `kubectl scale --replicas=5 -f app-deployment.yaml`.* Not right. The outcome is the same, but this does not record the change in the desired-state configuration (the YAML file). The next time you change something in app-deployment.yaml and apply it, the update scales the replicas back to 2, which is undesirable.
Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment

*Disregard the YAML file. Enable autoscaling on the deployment to trigger on CPU usage and set minimum pods as well as maximum pods to 5: `kubectl autoscale myapp --min=5 --max=5 --cpu-percent=80`.* Not right. Again the outcome is the same, but the change is not captured in the YAML file, so a later apply scales the deployment back to 2.
Ref: https://kubernetes.io/blog/2016/07/autoscaling-in-kubernetes/

*Modify the current configuration of the deployment by using kubectl edit to open the YAML of the current configuration, modify and save it: `kubectl edit deployment/app-deployment -o yaml --save-config`.* Not right. This is equivalent to getting the resource, editing it in a text editor and applying the edited version. It updates the live object but not your local app-deployment.yaml, so a later apply of that file scales the replicas back to 2.
Ref: https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources

*Edit the number of replicas in the YAML file and rerun `kubectl apply -f app-deployment.yaml`.* The right answer. This is the only approach that keeps the YAML file as the desired state: by setting `replicas: 5` in the file and applying it, the intended state of the cluster and the file stay in sync.
Ref: https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#in-place-updates-of-resources

**Question 23:** You migrated an internal HR system from an on-premises database to a Google Cloud Compute Engine Managed Instance Group (MIG). The networks team at your company has asked you to associate the internal DNS records of the VMs with a custom DNS zone. You want to follow Google recommended practices. What should you do?

ANS:
1. Create a new Cloud DNS zone and set its visibility to private.
2. When provisioning the VMs, associate the DNS records with the new DNS zone.

**Explanation**

Our requirements here are: 1. internal, and 2. a custom zone.

*Provision the VMs with custom hostnames.* Not right. This does not create the DNS records in a custom DNS zone.

*1. Install a new BIND DNS server on Google Compute Engine using the BIND name server software (BIND9). 2. Configure a Cloud DNS forwarding zone to direct all requests to the internal BIND DNS server. 3. When provisioning the VMs, associate the DNS records with the internal BIND DNS server.* Not right. This might work, but it is not something Google recommends: Cloud DNS already offers private zones, so running and patching your own DNS server to do the same thing is pointless.

*1. Create a new Cloud DNS zone and a new VPC and associate the DNS zone with the VPC. 2. When provisioning the VMs, associate the DNS records with the new DNS zone. 3. Configure firewall rules to block all external (public) traffic. 4. Finally, configure the DNS zone associated with the default VPC to direct all requests to the new DNS zone.* Not right. This does not make sense: the extra VPC adds nothing, and the two VPCs cannot communicate without VPC peering.
Ref: https://cloud.google.com/dns/docs/overview#concepts

*1. Create a new Cloud DNS zone and set its visibility to private. 2. When provisioning the VMs, associate the DNS records with the new DNS zone.* The right answer. This is what you do when you want internal DNS records in a custom zone: Cloud DNS private zones are only resolvable from the VPC networks you authorize, and they hold the internal names you define.
Ref: https://cloud.google.com/dns/docs/overview#concepts

**Question 40:** You want to monitor resource utilization (RAM, disk, network, CPU, etc.) for all applications in the development, test and production GCP projects in a single dashboard. What should you do?

ANS: Create a Cloud Monitoring workspace in the production project and add the development and test projects to it.

**Explanation**

*In Cloud Monitoring, share charts from the development, test and production GCP projects.* Not right. This involves a lot of work: you would be sharing individual charts from each project, or enabling Cloud Monitoring as a data source for Grafana and building dashboards there.
Ref: https://cloud.google.com/monitoring/charts/sharing-charts
Ref: https://grafana.com/docs/grafana/latest/features/datasources/cloudmonitoring/

*Grant roles/monitoring.admin to the development, test and production GCP projects.* Not right. You grant roles to principals, not to projects, and this does nothing to give you a unified view in a single dashboard.
Ref: https://cloud.google.com/monitoring/access-control

*Make use of the default Cloud Monitoring dashboards in all the projects.* Not right. Possible, but it does not satisfy the "single pane of glass" requirement.

*Create a Cloud Monitoring workspace in the production project and add the development and test projects to it.* The right answer. A Workspace (now called a metrics scope) is a tool for monitoring resources contained in one or more Google Cloud projects or AWS accounts.
A Workspace accesses metric data from its monitored projects, but the metric data remains in those projects. You can configure Production project to be the host project and the development and test projects as the monitored projects. You can now build dashboards in the Cloud Monitoring workspace and view monitoring information for all projects in a "single pane of glass". Ref: https://cloud.google.com/monitoring/workspaces # Exam 3 **Question 2: ** You work for a multinational consumer credit reporting company that collects and aggregates financial information and provides a credit report for over 100 million individuals and businesses. The company wants to trial a new application for a small geography and requires a relational database for storing important user information. Your company places a high value on reliability and requires point-in-time recovery while minimizing operational cost. What should you do? ANS: Store the data in Cloud SQL for MySQL instance. Ensure Binary Logging on the Cloud SQL instance. Explanation Requirements 1. Cost-effective 2. Relational Data 3. One geography 4. Point-in-time recovery Store the data in a 2-node Cloud Spanner instance. is not right. Cloud spanner is a massively scalable, fully managed, relational database service for regional and global application data. Cloud spanner is expensive compared to Cloud SQL. We have a small set of data, and we want to be cost-effective, so Cloud Spanner doesn't fit these requirements. Furthermore, Cloud Spanner does not offer a "Point in time" recovery feature. Ref: https://cloud.google.com/spanner Store the data in a multi-regional Cloud Spanner instance. is not right. Cloud spanner is a massively scalable, fully managed, relational database service for regional and global application data. Cloud spanner is expensive compared to Cloud SQL. We don't require more than "one geographic location", and we want to be cost-effective, so Cloud Spanner doesn't fit these requirements. 
Furthermore, Cloud Spanner did not offer point-in-time recovery when these notes were written. Ref: https://cloud.google.com/spanner

Store the data in a highly available Cloud SQL for MySQL instance. is not right. Cloud SQL can easily handle small sets of relational data and is cost-effective compared to Cloud Spanner. But high availability (a standby replica in another zone) is not the same as point-in-time recovery: this option does not enable binary logging, so the point-in-time recovery requirement is not met. Ref: https://cloud.google.com/sql/docs/mysql

Store the data in a Cloud SQL for MySQL instance. Enable binary logging on the Cloud SQL instance. is the right answer. Cloud SQL can easily handle small sets of relational data and is cost-effective compared to Cloud Spanner, and enabling binary logging is what makes point-in-time recovery possible. You must enable both automated backups and binary logging to use point-in-time recovery on MySQL. Point-in-time recovery helps you recover an instance to a specific point in time. For example, if an error causes a loss of data, you can recover a database to its state before the error occurred. Ref: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups#tips-pitr

**Question 8:** You are developing a mobile game that uses Cloud Datastore for gaming leaderboards and player profiles. You want to test an aspect of this solution locally on your Ubuntu workstation, which already has Cloud SDK installed. What should you do?

ANS: Install the Datastore emulator to provide local emulation of the production Datastore environment on your workstation by running gcloud components install.

**Explanation**

Requirements: test your application locally.

Initiate an export of the Cloud Datastore instance from the development GCP project by executing gcloud datastore export. Modify your applications to point to the export. is not right. By all means, you can export a copy of all or a subset of entities from Cloud Datastore to another storage system such as Cloud Storage.
But the application is configured to connect to a Cloud Datastore instance, not to another system holding a raw dump of exported data. So this option is not right.

Add a new index to the Cloud Datastore instance in the development project by running gcloud datastore indexes create and modify your application on your workstation to retrieve the data from Cloud Datastore using the index. is not right. You could create an index, but this doesn't help your application emulate connections to Cloud Datastore on your workstation. So this option is not right.

Install the Datastore emulator to provide local emulation of the production Datastore environment on your workstation by running apt-get install. is not right. The Datastore emulator is a gcloud component, and the documented way to install components is gcloud components install, not apt-get. (Caveat for practitioners: if the SDK itself was installed from Google's apt repository, the component manager is disabled and the emulator ships as the package google-cloud-sdk-datastore-emulator instead; the exam's intended answer is still gcloud components install.) So this option is not right.

Install the Datastore emulator to provide local emulation of the production Datastore environment on your workstation by running gcloud components install. is the right answer. The Datastore emulator provides local emulation of the production Datastore environment. You can use the emulator to develop and test your application locally. Ref: https://cloud.google.com/datastore/docs/tools/datastore-emulator

**Question 9:** You developed a Python application that exposes an HTTP(S) endpoint for retrieving a 2-week weather forecast for a given location. You deployed the application on a single Compute Engine virtual machine, but the application is not as popular as you anticipated and has been receiving very few requests. To minimize costs, your colleague suggested containerizing the application and deploying it on a suitable GCP compute service. Where should you deploy your containers?

ANS: Cloud Run

**Explanation**

Cloud Run on GKE. is not right. Cloud Run on GKE (later called Cloud Run for Anthos) can scale the number of pods to zero, but the nodes of the cluster cannot scale to zero, and those nodes are billed even when no requests arrive.
Ref: https://cloud.google.com/serverless-options

GKE with horizontal pod autoscaling and cluster autoscaler enabled. is not right. As above, while you can set up the pod autoscaler to scale the pods back to zero, the cluster as a whole cannot scale to zero, and the remaining nodes are billed in the absence of requests. If you specify a minimum node pool size of zero nodes, an idle node pool can scale down completely; however, at least one node must always be available in the cluster to run system Pods. Ref: https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-autoscaler

App Engine Flexible. is not right. App Engine flexible environment instances are Compute Engine virtual machines; you can't truly scale down to zero, and the instances are billed in the absence of requests. Ref: https://cloud.google.com/appengine/docs/flexible

Cloud Run. is the right answer. Cloud Run is a fully managed, serverless compute platform that automatically scales your stateless containers and abstracts away all infrastructure management. It scales up and down from zero depending on traffic almost instantaneously, and it only charges you for the resources you actually use. Ref: https://cloud.google.com/run

**Question 12:** You have asked your supplier to send you a purchase order, and you want to enable them to upload the file to a Cloud Storage bucket within the next 4 hours. Your supplier does not have a Google account. You want to follow Google recommended practices. What should you do?

ANS: Create a service account with just the permissions to upload files to the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -m PUT -d 4h <JSON Key File> gs://<bucket>/**.

**Explanation**

Create a service account with just the permissions to upload files to the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -d 4h <JSON Key File> gs://<bucket>/. is not right.
This command creates a signed URL for retrieving an existing object: no HTTP method is specified, and in the absence of one the default method is GET, so the supplier could not upload with it. Ref: https://cloud.google.com/storage/docs/gsutil/commands/signurl

Create a service account with just the permissions to upload files to the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -httpMethod PUT -d 4h <JSON Key File> gs://<bucket>/**. is not right. gsutil signurl does not accept a -httpMethod parameter:

```
$ gsutil signurl -d 4h -httpMethod PUT keys.json gs://gcp-ace-lab-255520/*
CommandException: Incorrect option(s) specified. Usage:
```

The HTTP method is provided through the -m flag. Ref: https://cloud.google.com/storage/docs/gsutil/commands/signurl

Create a JSON key for the default Compute Engine service account. Execute the command gsutil signurl -m PUT -d 4h <JSON Key File> gs://<bucket>/**. is not right. The default Compute Engine service account is broadly privileged (Editor on the project by default), so signing with its key violates the principle of least privilege: anyone holding that key, or a URL it signed, gets far more than upload rights. The recommended approach is to create a service account with just the permissions needed and create a JSON key for that service account to use with gsutil signurl.

Create a service account with just the permissions to upload files to the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -m PUT -d 4h <JSON Key File> gs://<bucket>/**. is the right answer. This command creates a signed URL that is valid for 4 hours and allows PUT (through the -m flag) operations; the signature covers the HTTP method, the object path and the expiry, so the URL cannot be reused for a GET or after the 4 hours have passed (-d accepts at most 7 days). The supplier can then use the signed URL to upload a file to this bucket within 4 hours. Practitioner caveat: the JSON key is a long-lived credential, so keep it off shared machines and delete it once the URL has been issued; gsutil signurl -u signs with the active service-account credentials through the IAM signBlob API instead, avoiding a downloaded key altogether. Ref: https://cloud.google.com/storage/docs/gsutil/commands/signurl

**Question 22:** Your data warehousing team executed an Apache Sqoop job to export data from Hive/HBase and uploaded this data in AVRO file format to Cloud Storage. The business analysts at your company have years of experience using SQL.
They have asked you to identify whether there is a cost-effective way to query the information in the AVRO files through SQL. What should you do?

ANS: Point a BigQuery external table at the Cloud Storage bucket and advise the business analysts to run their SQL queries in BigQuery.

**Explanation**

Transfer the data from Cloud Storage to Cloud Datastore and advise the business analysts to run their SQL queries in Cloud Datastore. is not right. Datastore is a highly scalable NoSQL database; it supports a SQL-like query language (GQL) but not SQL. Moreover, there is no out-of-the-box way to transform AVRO files from Cloud Storage into Datastore entities, so we would have to build it ourselves, which adds cost and time. Ref: https://cloud.google.com/datastore

Transfer the data from Cloud Storage to HDFS. Configure an external table in Hive to point to HDFS and advise the business analysts to run their SQL queries in Hive. is not right. Like Cloud Datastore, Hive doesn't directly support SQL; it provides HiveQL (HQL), which is SQL-like, and the transfer to HDFS is extra infrastructure and cost.

Transfer the data from Cloud Storage to BigQuery and advise the business analysts to run their SQL queries in BigQuery. is not right. As with the two options above, it is possible to build a solution that transforms and loads the data into BigQuery, but that is not a trivial process and involves cost and time. GCP provides an out-of-the-box way to query AVRO files in Cloud Storage, and that should be preferred.

Point a BigQuery external table at the Cloud Storage bucket and advise the business analysts to run their SQL queries in BigQuery. is the right answer. BigQuery supports querying Cloud Storage data in several formats such as CSV, JSON and AVRO. You do this by creating a BigQuery external table that points to a Cloud Storage data source (bucket). This solution works out of the box, involves minimal effort and minimal cost, and is quick.
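A worked example for the signed-URL mechanism behind Question 12 above. This is added code, not from the original notes or from gsutil: it reimplements the Cloud Storage V4 signing scheme with an HMAC key so that it runs offline (a service-account JSON key signs the identical string-to-sign with RSA-SHA256 under the name GOOG4-RSA-SHA256 instead of GOOG4-HMAC-SHA256). The access id, secret, bucket and object name are made up. verify_url re-derives the signature the way the server would, which shows why a URL minted for PUT cannot be replayed as GET and stops working once the 4-hour window closes.

```python
"""Cloud Storage V4 signed URL for a time-boxed upload (added example, HMAC-key variant)."""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

HOST = "storage.googleapis.com"
ALGORITHM = "GOOG4-HMAC-SHA256"
MAX_EXPIRY = 7 * 24 * 3600  # GCS refuses V4 URLs valid for longer than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str) -> bytes:
    """Derive the per-day key: an HMAC chain over date, region, service and terminator."""
    key = _hmac(("GOOG4" + secret).encode(), datestamp)
    for part in ("auto", "storage", "goog4_request"):
        key = _hmac(key, part)
    return key


def _signature(access_id, secret, bucket, obj, method, expires, issued):
    """Return (resource path, canonical query string, hex signature) for one request."""
    datestamp = issued.strftime("%Y%m%d")
    timestamp = issued.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{datestamp}/auto/storage/goog4_request"
    path = f"/{bucket}/{urllib.parse.quote(obj, safe='/')}"
    params = {
        "X-Goog-Algorithm": ALGORITHM,
        "X-Goog-Credential": f"{access_id}/{scope}",
        "X-Goog-Date": timestamp,
        "X-Goog-Expires": str(expires),
        "X-Goog-SignedHeaders": "host",
    }
    query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
    )
    # The HTTP verb is the first line of the canonical request, so a URL
    # signed for PUT is not valid for GET (and vice versa).
    canonical_request = "\n".join(
        [method, path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        [ALGORITHM, timestamp, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    sig = hmac.new(_signing_key(secret, datestamp),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return path, query, sig


def sign_url(access_id, secret, bucket, obj, method="GET", expires=3600, now=None):
    """Mint a signed URL; `expires` is in seconds, like gsutil signurl -d."""
    if not 1 <= expires <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 second and 7 days")
    issued = now or datetime.now(timezone.utc)
    path, query, sig = _signature(access_id, secret, bucket, obj, method, expires, issued)
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={sig}"


def verify_url(url, method, secret, at=None):
    """Server-side check: verb matches what was signed, not expired at `at`, signature intact."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query))
    access_id, datestamp, *_ = q["X-Goog-Credential"].split("/")
    issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    expires = int(q["X-Goog-Expires"])
    at = at or datetime.now(timezone.utc)
    if at > issued + timedelta(seconds=expires):
        return False
    bucket, obj = urllib.parse.unquote(parts.path.lstrip("/")).split("/", 1)
    _, _, expected = _signature(access_id, secret, bucket, obj, method, expires, issued)
    return hmac.compare_digest(expected, q.get("X-Goog-Signature", ""))


def demo():
    """Mint a 4-hour PUT URL (constructed inputs) and exercise the checks a server applies."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    secret = "example-hmac-secret"            # made up; never hard-code a real one
    url = sign_url("GOOGEXAMPLEACCESSID", secret, "po-uploads",
                   "supplier/po-1234.pdf", method="PUT", expires=4 * 3600, now=t0)
    return {
        "url": url,
        "put_accepted": verify_url(url, "PUT", secret, at=t0 + timedelta(hours=3)),
        "get_rejected": not verify_url(url, "GET", secret, at=t0 + timedelta(hours=3)),
        "expired_rejected": not verify_url(url, "PUT", secret, at=t0 + timedelta(hours=5)),
        "wrong_key_rejected": not verify_url(url, "PUT", "other-secret", at=t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The supplier receives only the URL; the secret (or, with gsutil, the private key) never leaves the signer, and every constraint the signer chose is bound into the signature rather than checked by convention.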
Ref: https://cloud.google.com/bigquery/external-data-cloud-storage

**Question 35:** You developed a Python application that gets triggered by messages from a Cloud Pub/Sub topic. Your manager is a big fan of both serverless and containers and has asked you to containerize the application and deploy it on Google Cloud Run. How should you do it?

ANS: Assign the roles/run.invoker role (Cloud Run Invoker role) on your Cloud Run application to a service account. Set up a Cloud Pub/Sub subscription on the topic and configure it to use the service account to push messages to your Cloud Run application.

**Explanation**

Trigger a Cloud Function whenever the topic receives a new message. From the Cloud Function, invoke Cloud Run. is not right. Both Cloud Functions and Cloud Run are serverless offerings from GCP, and both integrate directly with Cloud Pub/Sub. Putting a Cloud Function in front of Cloud Run only to forward the message is pointless when Pub/Sub can push to Cloud Run itself.

Assign the roles/pubsub.subscriber (Pub/Sub Subscriber role) to the Cloud Run service account. Set up a Cloud Pub/Sub subscription on the topic and configure the application to pull messages. is not right. A Cloud Run service is request-driven and scales to zero between requests, so there is no long-running process to pull from a subscription. The service should instead be invoked by Pub/Sub, which means granting the Cloud Run Invoker role to the service account the subscription pushes with. Ref: https://cloud.google.com/run/docs/tutorials/pubsub

Deploy your application to Google Cloud Run on GKE. Set up a Cloud Pub/Sub subscription on the topic and deploy a sidecar container in the same GKE cluster to consume messages from the topic and push them to your application. is not right. As above, the service account needs the Cloud Run Invoker role. Ref: https://cloud.google.com/run/docs/tutorials/pubsub Also, the question states that the application on Cloud Run processes messages from a Cloud Pub/Sub topic, whereas in this option a separate container processes messages from the topic. So this doesn't satisfy our requirements.
Assign the roles/run.invoker role (Cloud Run Invoker role) on your Cloud Run application to a service account. Set up a Cloud Pub/Sub subscription on the topic and configure it to use the service account to push messages to your Cloud Run application. is the right answer. This exact process is described in https://cloud.google.com/run/docs/tutorials/pubsub

You create a service account:

```
# Dedicated identity used only by the push subscription
gcloud iam service-accounts create cloud-run-pubsub-invoker \
    --display-name "Cloud Run Pub/Sub Invoker"
```

You then give the invoker service account permission to invoke your service:

```
# Bind the invoker role on the service, not on the whole project
gcloud run services add-iam-policy-binding pubsub-tutorial \
    --member=serviceAccount:cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/run.invoker
```

And finally, you create a Pub/Sub subscription that pushes as that service account:

```
# Pub/Sub attaches an OIDC identity token for this service account to every push
gcloud pubsub subscriptions create myRunSubscription --topic myRunTopic \
    --push-endpoint=SERVICE-URL/ \
    --push-auth-service-account=cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com
```

Cloud Run checks the identity token on each push against the roles/run.invoker binding, so keep the service private (do not grant allUsers the invoker role); the push subscription is then the only caller that can reach the endpoint.

**Question 45:** You are migrating a mission-critical HTTPS web application from your on-premises data centre to Google Cloud, and you need to ensure that unhealthy compute instances within the autoscaled Managed Instance Group (MIG) are recreated automatically. What should you do?

ANS: Configure a health check on port 443 when creating the Managed Instance Group (MIG).

**Explanation**

We need to ensure unhealthy VMs are recreated.

Deploy Managed Instance Group (MIG) instances in multiple zones. is not right. You can create two types of MIGs: a zonal MIG, which deploys instances to a single zone, and a regional MIG, which deploys instances to multiple zones across the same region. However, this doesn't help with recreating unhealthy VMs. Ref: https://cloud.google.com/compute/docs/instance-groups

Add a metadata tag to the instance template with key: healthcheck value: enabled. is not right.
Custom metadata entries are arbitrary key-value pairs; a key named healthcheck has no special meaning to Compute Engine and does not turn on autohealing. Ref: https://cloud.google.com/compute/docs/storing-retrieving-metadata

When creating the instance template, add a startup script that sends server status to Cloud Monitoring as a custom metric. is not right. The startup script is executed only when the instance boots up. In contrast, we need something like a liveness check that probes the server periodically to identify when the VM is unhealthy, and a custom metric by itself never triggers a recreate. So this is not going to work. Ref: https://cloud.google.com/compute/docs/startupscript

Configure a health check on port 443 when creating the Managed Instance Group (MIG). is the right answer. To improve the availability of your application and to verify that your application is responding, you can configure an autohealing policy for your managed instance group (MIG). An autohealing policy relies on an application-based health check to verify that the application is responding as expected. If the autohealer determines that the application isn't responding, the managed instance group automatically recreates that instance. Since our application is an HTTPS web application, we set up the health check on port 443, the standard port for HTTPS. Two practical details: the probes originate from Google's health-check ranges 35.191.0.0/16 and 130.211.0.0/22, so a VPC firewall rule must allow them to reach port 443, and the autohealing policy's initial delay should cover the application's start-up time so that slow-booting instances are not recreated in a loop. Ref: https://cloud.google.com/compute/docs/instance-groups/autohealing-instances-in-migs

**Question 48:** Your company has several business-critical applications running in its on-premises data centre, which is already at full capacity, and you need to expand to Google Cloud Platform to handle traffic bursts. You want virtual machine instances in both the on-premises data centre and Google Cloud Compute Engine to communicate via their internal IP addresses. What should you do?

ANS: Create a new VPC in GCP with a non-overlapping IP range and configure Cloud VPN between the on-premises network and GCP. Allow applications in the data centre to scale to Google Cloud through the VPN tunnel.
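The "non-overlapping IP range" part of this answer is the one that bites in practice: once a VPN tunnel is up, any VPC subnet that collides with an on-premises range is unreachable from the other side, and the mistake is expensive to undo because subnet ranges cannot be shrunk. The following pre-flight check is added here as an example and is not part of the original notes or of any Google tool; the on-premises ranges and proposed VPC subnets are constructed, and the 10.0.0.0/8 pool for replacements is an assumption.

```python
"""Pre-flight check that proposed VPC subnets do not collide with on-premises ranges (added example)."""
import ipaddress

# Constructed sample inputs for the example
ONPREM_RANGES = ["10.0.0.0/16", "10.20.0.0/20", "192.168.10.0/24"]
PROPOSED_GCP_SUBNETS = ["10.0.8.0/22", "10.1.0.0/20"]


def find_overlaps(onprem_cidrs, gcp_cidrs):
    """Return every (on-prem, GCP) pair whose address ranges intersect."""
    onprem = [ipaddress.ip_network(c, strict=True) for c in onprem_cidrs]
    gcp = [ipaddress.ip_network(c, strict=True) for c in gcp_cidrs]
    return [(str(a), str(b)) for a in onprem for b in gcp if a.overlaps(b)]


def first_free_subnet(pool, new_prefix, taken_cidrs):
    """First /new_prefix block inside `pool` that collides with nothing in `taken_cidrs`."""
    taken = [ipaddress.ip_network(c) for c in taken_cidrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None  # pool exhausted at this prefix length


def plan_vpc_subnets(onprem_cidrs, proposed, pool="10.0.0.0/8"):
    """Keep clean proposals; replace each colliding one with a free block of the same size.

    Returns [(proposed, chosen)] in the original order; chosen is None when the
    pool has no free block left.  Clean proposals are reserved first so that a
    replacement never collides with another subnet of the same VPC.
    """
    clashing = {gcp for _, gcp in find_overlaps(onprem_cidrs, proposed)}
    taken = list(onprem_cidrs) + [c for c in proposed if c not in clashing]
    plan = []
    for cidr in proposed:
        if cidr not in clashing:
            plan.append((cidr, cidr))
            continue
        size = ipaddress.ip_network(cidr).prefixlen
        replacement = first_free_subnet(pool, size, taken)
        if replacement is not None:
            taken.append(replacement)
        plan.append((cidr, replacement))
    return plan


if __name__ == "__main__":
    for proposed, chosen in plan_vpc_subnets(ONPREM_RANGES, PROPOSED_GCP_SUBNETS):
        print(f"{proposed} -> {chosen}")
```

Run it before `gcloud compute networks subnets create`; the same overlap test also applies to the ranges the VPN's BGP session will learn from the peer, which is where surprises usually come from in larger estates.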
**Explanation**

Create a new GCP project and a new VPC and make this a shared VPC with the on-premises network. Allow applications in the data centre to scale to Google Cloud on the shared VPC. is not right. Shared VPC allows an organization to connect resources from multiple projects to a common Virtual Private Cloud (VPC) network so that they can communicate with each other securely and efficiently using internal IPs from that network. When you use Shared VPC, you designate a project as a host project and attach one or more other service projects to it. It only connects GCP projects, so it in no way helps us connect to our on-premises network. Ref: https://cloud.google.com/vpc/docs/shared-vpc

Create a new GCP project and a new VPC and enable VPC peering between the new VPC and networks in the data centre. is not right. VPC Network Peering allows internal IP address connectivity across two VPC networks regardless of whether they belong to the same project or the same organization; traffic stays within Google's network and doesn't traverse the public internet. Both ends of a peering must be VPC networks, so this doesn't help us connect to our on-premises network. Ref: https://cloud.google.com/vpc/docs/vpc-peering

Add bastion hosts in GCP as well as in the on-premises network and set up a proxy tunnel between the bastion hosts in GCP and the bastion hosts in the on-premises network. Allow applications in the data centre to scale to Google Cloud through the proxy tunnel. is not right. Bastion hosts provide an external-facing point of entry into a network containing private instances. They are primarily for end users, so that they can connect to an instance that does not have an external IP address through the bastion host; they do not give application instances internal-IP connectivity to each other.
Ref: https://cloud.google.com/compute/docs/instances/connecting-advanced

Create a new VPC in GCP with a non-overlapping IP range and configure Cloud VPN between the on-premises network and GCP. Allow applications in the data centre to scale to Google Cloud through the VPN tunnel. is the right answer. Cloud VPN securely connects your on-premises network to your Google Cloud VPC network through an IPsec VPN connection, and with non-overlapping ranges the instances on both sides can address each other by internal IP. Ref: https://cloud.google.com/vpn/docs/concepts/overview

# Exam 4