Practice Free Associate Cloud Engineer Exam Online Questions
You are using Google Kubernetes Engine with autoscaling enabled to host a new application. You want to expose this new application to the public, using HTTPS on a public IP address.
What should you do?
- A . Create a Kubernetes Service of type NodePort for your application, and a Kubernetes Ingress to expose this Service via a Cloud Load Balancer.
- B . Create a Kubernetes Service of type ClusterIP for your application. Configure the public DNS name of your application using the IP of this Service.
- C . Create a Kubernetes Service of type NodePort to expose the application on port 443 of each node of the Kubernetes cluster. Configure the public DNS name of your application with the IP of every node of the cluster to achieve load-balancing.
- D . Create a HAProxy pod in the cluster to load-balance the traffic to all the pods of the application. Forward the public traffic to HAProxy with an iptables rule. Configure the DNS name of your application using the public IP of the node HAProxy is running on.
A
Explanation:
Reference: https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer
Option B ("Create a Kubernetes Service of type ClusterIP for your application. Configure the public DNS name of your application using the IP of this Service.") is not right.
A Kubernetes Service of type ClusterIP exposes the Service on a cluster-internal IP. Choosing this value makes the Service reachable only from within the cluster, so you cannot route external traffic to this IP.
Ref: https://kubernetes.io/docs/concepts/services-networking/service/
Your team is using Linux instances on Google Cloud. You need to ensure that your team logs in to these instances in the most secure and cost efficient way.
What should you do?
- A . Attach a public IP to the instances and allow incoming connections from the internet on port 22 for SSH.
- B . Use a third party tool to provide remote access to the instances.
- C . Use the gcloud compute ssh command with the --tunnel-through-iap flag. Allow ingress traffic from the IP range 35.235.240.0/20 on port 22.
- D . Create a bastion host with public internet access. Create the SSH tunnel to the instance through the bastion host.
Your company’s developers use an automation that you recently built to provision Linux VMs in Compute Engine within a Google Cloud project to perform various tasks. You need to manage the Linux account lifecycle and access for these users. You want to follow Google-recommended practices to simplify access management while minimizing operational costs.
What should you do?
- A . Enable OS Login for all VMs. Use IAM roles to grant user permissions.
- B . Enable OS Login for all VMs. Write custom startup scripts to update user permissions.
- C . Require your developers to create public SSH keys. Make the owner of the public key the root user.
- D . Require your developers to create public SSH keys. Write custom startup scripts to update user permissions.
A
Explanation:
OS Login is a Google-recommended practice for managing access to Linux VMs in Compute Engine. It centralizes user account management by linking the Linux user accounts on the VMs to Google Cloud identities. You then use IAM roles to grant users the necessary permissions to access the VMs (e.g., roles/compute.osLogin or roles/compute.osAdminLogin). This simplifies management as you control access through IAM policies rather than managing individual SSH keys on each VM, thus minimizing operational costs.
Option B: While enabling OS Login is a good first step, writing custom startup scripts to manage user permissions adds complexity and operational overhead, contradicting the goal of simplification and minimizing costs.
Option C: Requiring developers to manage their own SSH keys and making the owner root is a significant security risk and not a recommended practice. It also doesn’t centralize management.
Option D: This approach also involves managing individual SSH keys and custom scripts, which increases operational overhead and doesn’t leverage the centralized management benefits of OS Login.
Reference to Google Cloud Certified – Associate Cloud Engineer Documents:
OS Login and its benefits for simplified and secure Linux VM access management are detailed in the Compute Engine documentation, which is a key area for the Associate Cloud Engineer certification. The integration with IAM for permission control is a central aspect of this service.
You are setting up a Windows VM on Compute Engine and want to make sure you can log in to the VM via RDP.
What should you do?
- A . After the VM has been created, use your Google Account credentials to log in to the VM.
- B . After the VM has been created, use gcloud compute reset-windows-password to retrieve the login credentials for the VM.
- C . When creating the VM, add metadata to the instance using ‘windows-password’ as the key and a password as the value.
- D . After the VM has been created, download the JSON private key for the default Compute Engine service account. Use the credentials in the JSON file to log in to the VM.
B
Explanation:
You can generate Windows passwords using either the Google Cloud Console or the gcloud command-line tool. This option uses the right syntax to reset the Windows password:
gcloud compute reset-windows-password windows-instance
Ref: https://cloud.google.com/compute/docs/instances/windows/creating-passwords-for-windows-instances#gcloud
You are writing a shell script that includes a few gcloud CLI commands to access some Google Cloud resources. You want to test the script in your local development environment with a service account in the most secure way.
What should you do?
- A . Download the service account key file and save it in a secure location. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the key file.
- B . Enable service account impersonation, and use the gcloud config set auth/impersonate_service_account command to use it by default.
- C . Generate an ID token for the service account. Use the token with the gcloud CLI commands.
- D . Download the service account key file, and use it to generate an access token. Use the token with the gcloud CLI commands.
B
Explanation:
To adhere to the most secure way and Google-recommended practices, you must avoid the creation and handling of service account key files.
Option B (Impersonation): This method allows the currently logged-in user to temporarily assume the identity and permissions of the service account. It is keyless, meaning no long-lived secret is downloaded or stored on the local machine, drastically improving security. The gcloud config command sets this behavior for all subsequent gcloud commands in the session.
Reference: Google Cloud Documentation – Best practices for using service accounts:
"Avoid creating service account keys… Instead, use service account impersonation or workload identity federation."
Reference: Google Cloud Documentation – Service Account Impersonation (Overview):
"With service account impersonation, a user or service can temporarily gain the permissions of a service account… [This] helps you to avoid creating and downloading a service account key."
You need to manage a Cloud Spanner Instance for best query performance. Your instance in production runs in a single Google Cloud region. You need to improve performance in the shortest amount of time. You want to follow Google best practices for service configuration.
What should you do?
- A . Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 45%. If you exceed this threshold, add nodes to your instance.
- B . Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 45%. Use database query statistics to identify queries that result in high CPU usage, and then rewrite those queries to optimize their resource usage.
- C . Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 65%. If you exceed this threshold, add nodes to your instance.
- D . Create an alert in Cloud Monitoring to alert when the percentage of high priority CPU utilization reaches 65%. Use database query statistics to identify queries that result in high CPU usage, and then rewrite those queries to optimize their resource usage.
B
Explanation:
https://cloud.google.com/spanner/docs/cpu-utilization#recommended-max
You recently received a new Google Cloud project with an attached billing account where you will work. You need to create instances, set firewalls, and store data in Cloud Storage. You want to follow Google-recommended practices.
What should you do?
- A . Use the gcloud CLI services enable cloudresourcemanager.googleapis.com command to enable all resources.
- B . Use the gcloud services enable compute.googleapis.com command to enable Compute Engine and the gcloud services enable storage-api.googleapis.com command to enable the Cloud Storage APIs.
- C . Open the Google Cloud console and enable all Google Cloud APIs from the API dashboard.
- D . Open the Google Cloud console and run gcloud init --project <project-id> in a Cloud Shell.
Your company wants to standardize the creation and management of multiple Google Cloud resources using Infrastructure as Code. You want to minimize the amount of repetitive code needed to manage the environment.
What should you do?
- A . Create a bash script that contains all required steps as gcloud commands.
- B . Develop templates for the environment using Cloud Deployment Manager.
- C . Use curl in a terminal to send a REST request to the relevant Google API for each individual resource.
- D . Use the Cloud Console interface to provision and manage all related resources.
B
Explanation:
You can use Google Cloud Deployment Manager to create a set of Google Cloud resources and manage them as a unit, called a deployment. For example, if your team’s development environment needs two virtual machines (VMs) and a BigQuery database, you can define these resources in a configuration file, and use Deployment Manager to create, change, or delete these resources. You can make the configuration file part of your team’s code repository, so that anyone can create the same environment with consistent results.
Ref: https://cloud.google.com/deployment-manager/docs/quickstart
