Google (PCA) Exam Questions And Answers page 20
Your company has a project in Google Cloud with three Virtual Private Clouds (VPCs). There is a Compute Engine instance on each VPC. Network subnets do not overlap and must remain separated. The network configuration is shown below.
Instance #1 is an exception and must communicate directly with both Instance #2 and Instance #3 via internal IPs. How should you accomplish this?
Create two VPN tunnels via Cloud VPN:
• 1 between VPC #1 and VPC #2.
• 1 between VPC #2 and VPC #3.
Update firewall rules to enable traffic between the instances.
" 1 between VPC #1 and VPC #2.
" 1 between VPC #2 and VPC #3.
Update firewall rules to enable traffic between the instances.
Peer all three VPCs:
" Peer VPC #1 with VPC #2.
" Peer VPC #2 with VPC #3.
Update firewall rules to enable traffic between the instances.
" Peer VPC #1 with VPC #2.
" Peer VPC #2 with VPC #3.
Update firewall rules to enable traffic between the instances.
Add two additional NICs to Instance #1 with the following configuration:
" NIC1
% VPC: VPC #2
% SUBNETWORK: subnet #2
" NIC2
% VPC: VPC #3
% SUBNETWORK: subnet #3
Update firewall rules to enable traffic between instances.
" NIC1
% VPC: VPC #2
% SUBNETWORK: subnet #2
" NIC2
% VPC: VPC #3
% SUBNETWORK: subnet #3
Update firewall rules to enable traffic between instances.
Managing and provisioning a cloud solution infrastructure
Designing for security and compliance
Your company has a stateless web API that performs scientific calculations. The web API runs on a single Google Kubernetes Engine (GKE) cluster. The cluster is currently deployed in us-central1. Your company has expanded to offer your API to customers in Asia. You want to reduce the latency for users in Asia. What should you do?
Create a second GKE cluster in asia-southeast1, and expose both APIs using a Service of type LoadBalancer. Add the public IPs to the Cloud DNS zone.
Use a global HTTP(S) load balancer with Cloud CDN enabled.
Create a second GKE cluster in asia-southeast1, and use kubemci to create a global HTTP(S) load balancer.
Increase the memory and CPU allocated to the application in the cluster.
Managing and provisioning a cloud solution infrastructure
Designing for security and compliance
Your company has a support ticketing solution that uses App Engine Standard. The project that contains the App Engine application already has a Virtual Private Cloud (VPC) network fully connected to the company's on-premises environment through a Cloud VPN tunnel. You want to enable the App Engine application to communicate with a database that is running in the company's on-premises environment. What should you do?
Configure private Google access for on-premises hosts only.
Configure private Google access.
Configure private services access.
Configure serverless VPC access.
Managing and provisioning a cloud solution infrastructure
Designing for security and compliance
Your company has decided to build a backup replica of their on-premises user authentication PostgreSQL database on Google Cloud Platform. The database is 4 TB, and large updates are frequent. Replication requires private address space communication.
Which networking approach should you use?
Google Cloud Dedicated Interconnect
Google Cloud VPN connected to the data center network
A NAT and TLS translation gateway installed on-premises
A Google Compute Engine instance with a VPN server installed connected to the data center network
Managing and provisioning a cloud solution infrastructure
Designing for security and compliance
Your company has decided to make a major revision of their API in order to create better experiences for their developers. They need to keep the old version of the API available and deployable, while allowing new customers and testers to try out the new API. They want to keep the same SSL and DNS records in place to serve both APIs.
What should they do?
Configure a new load balancer for the new version of the API
Reconfigure old clients to use a new endpoint for the new API
Have the old API forward traffic to the new API based on the path
Use separate backend pools for each API path behind the load balancer
Managing and provisioning a cloud solution infrastructure
Designing for security and compliance
Your company has developed a monolithic, 3-tier application to allow external users to upload and share files. The solution cannot be easily enhanced and lacks reliability. The development team would like to re-architect the application to adopt microservices and a fully managed service approach, but they need to convince their leadership that the effort is worthwhile. Which advantage(s) should they highlight to leadership?
The new approach will be significantly less costly, make it easier to manage the underlying infrastructure, and automatically manage the CI/CD pipelines.
The monolithic solution can be converted to a container with Docker. The generated container can then be deployed into a Kubernetes cluster.
The new approach will make it easier to decouple infrastructure from application, develop and release new features, manage the underlying infrastructure, manage CI/CD pipelines and perform A/B testing, and scale the solution if necessary.
The process can be automated with Migrate for Compute Engine.
Designing and planning a cloud solution architecture
Designing for security and compliance
Your company has just acquired another company, and you have been asked to integrate their existing Google Cloud environment into your company's data center. Upon investigation, you discover that some of the RFC 1918 IP ranges being used in the new company's Virtual Private Cloud (VPC) overlap with your data center IP space. What should you do to enable connectivity and make sure that there are no routing conflicts when connectivity is established?
Create a Cloud VPN connection from the new VPC to the data center, create a Cloud Router, and apply new IP addresses so there is no overlapping IP space.
Create a Cloud VPN connection from the new VPC to the data center, and create a Cloud NAT instance to perform NAT on the overlapping IP space.
Create a Cloud VPN connection from the new VPC to the data center, create a Cloud Router, and apply a custom route advertisement to block the overlapping IP space.
Create a Cloud VPN connection from the new VPC to the data center, and apply a firewall rule that blocks the overlapping IP space.
Managing and provisioning a cloud solution infrastructure
Designing for security and compliance
Your company has just recently activated Cloud Identity to manage users. The Google Cloud Organization has been configured as well. The security team needs to secure projects that will be part of the Organization. They want to prohibit IAM users outside the domain from gaining permissions from now on. What should they do?
Configure an organization policy to restrict identities by domain.
Configure an organization policy to block creation of service accounts.
Configure Cloud Scheduler to trigger a Cloud Function every hour that removes all users that don't belong to the Cloud Identity domain from all projects.
Create a technical user (e.g., [email protected]), and give it the project owner role at root organization level. Write a bash script that:
" Lists all the IAM rules of all projects within the organization.
" Deletes all users that do not belong to the company domain.
Create a Compute Engine instance in a project within the Organization and configure gcloud to be executed with technical user credentials. Configure a cron job that executes the bash script every hour.
" Lists all the IAM rules of all projects within the organization.
" Deletes all users that do not belong to the company domain.
Create a Compute Engine instance in a project within the Organization and configure gcloud to be executed with technical user credentials. Configure a cron job that executes the bash script every hour.
Designing for security and compliance
Managing security and compliance
Your company has multiple on-premises systems that serve as sources for reporting. The data has not been maintained well and has become degraded over time. You want to use Google-recommended practices to detect anomalies in your company data. What should you do?
Upload your files into Cloud Storage. Use Cloud Datalab to explore and clean your data.
Upload your files into Cloud Storage. Use Cloud Dataprep to explore and clean your data.
Connect Cloud Datalab to your on-premises systems. Use Cloud Datalab to explore and clean your data.
Connect Cloud Dataprep to your on-premises systems. Use Cloud Dataprep to explore and clean your data.
Designing for security and compliance
Analyzing and optimizing technical and business processes
Your company has sensitive data in Cloud Storage buckets. Data analysts have Identity and Access Management (IAM) permissions to read the buckets. You want to prevent data analysts from retrieving the data in the buckets from outside the office network. What should you do?
1. Create a VPC Service Controls perimeter that includes the projects with the buckets.
2. Create an access level with the CIDR of the office network.
1. Create a firewall rule for all instances in the Virtual Private Cloud (VPC) network for source range.
2. Use the Classless Inter-domain Routing (CIDR) of the office network.
1. Create a Cloud Function to remove IAM permissions from the buckets, and another Cloud Function to add IAM permissions to the buckets.
2. Schedule the Cloud Functions with Cloud Scheduler to add permissions at the start of business and remove permissions at the end of business.
1. Create a Cloud VPN to the office network.
2. Configure Private Google Access for on-premises hosts.
Designing for security and compliance
Managing security and compliance