
Associate Cloud Engineer Sample Questions<br>
The Cloud Engineer sample questions will familiarize you with the format of exam questions and example content that may be covered on the exam.<br>

**Question 1**<br>
 
Your organization plans to migrate its financial transaction monitoring application to Google Cloud. Auditors need to view the data and run reports in BigQuery, but they are not allowed to perform transactions in the application. You are leading the migration and want the simplest solution that will require the least amount of maintenance. What should you do?<br>
A. Assign roles/bigquery.dataViewer to the individual auditors.<br>
B. Create a group for auditors and assign roles/viewer to them.<br>
**C. Create a group for auditors, and assign roles/bigquery.dataViewer to them.<br>**
D. Assign a custom role to each auditor that allows view-only access to BigQuery.<br>

Feedback<br>
A is not correct because Google recommended practice is to assign IAM roles to groups, not individuals. Groups are easier to manage than individual users and they provide high-level visibility into roles and permissions.<br>
B is not correct because it uses a basic role to give auditors view access to all resources on the project.<br>
C is correct because it uses a predefined role to provide view access to BigQuery for the group of auditors. Auditors can be added or deleted from the group if job responsibilities change.<br>
D is not correct because using a predefined role can accomplish the goal and requires less maintenance.<br>

https://cloud.google.com/iam/docs/understanding-roles<br>
<br>

**Question 2**<br>
 
You are managing your company’s first Google Cloud project. Project leads, developers, and internal testers will participate in the project, which includes sensitive information. You need to ensure that only specific members of the development team have access to sensitive information. You want to assign the appropriate Identity and Access Management (IAM) roles that also require the least amount of maintenance. What should you do?<br>
A. Assign a basic role to each user.<br>
B. Create groups. Assign a basic role to each group, and then assign users to groups.<br>
C. Create groups. Assign a Custom role to each group, including those who should have access to sensitive data. Assign users to groups.<br>
**D. Create groups. Assign an IAM Predefined role to each group as required, including those who should have access to sensitive data. Assign users to groups.<br>**

Feedback<br>
A is not correct for two reasons: The recommended practice is to use groups and not to assign roles to each user. Beyond that, Basic Roles do not have enough granularity to account for access to sensitive data.<br>
B is not correct because Basic roles do not have enough granularity to account for access to sensitive data.<br>
C is not correct because creating and maintaining Custom roles will require more maintenance than using Predefined roles.<br>
D is correct because Predefined roles are fine-grained enough to set permissions for specific roles requiring sensitive data access. This solution also uses groups, which is the recommended practice for managing permissions for individual roles.<br>
 
https://cloud.google.com/iam/docs/understanding-roles<br>
 
https://cloud.google.com/iam/docs/understanding-custom-roles<br>
<br>

**Question 3**<br>
 
You are responsible for monitoring all changes in your Cloud Storage and Firestore instances. For each change, you need to invoke an action that will verify the compliance of the change in near real time. You want to accomplish this with minimal setup. What should you do?<br>
A. Use the trigger mechanism in each datastore to invoke the security script.<br>
**B. Use Cloud Function events, and call the security script from the Cloud Function triggers.<br>**
C. Redirect your data-changing queries to an App Engine application, and call the security script from the application.<br>
D. Use a Python script to get logs of the datastores, analyze them, and invoke the security script.<br>

Feedback<br>
A is not correct because setting triggers in each individual database requires additional setup.<br>
B is correct because it provides fast response and requires the minimal amount of setup.<br>
C is not correct because it requires custom programming.<br>
D is not correct because it requires significant custom programming.<br>
 
https://cloud.google.com/functions/docs/concepts/events-triggers<br>
<br>

**Question 4**<br>
 
Your application needs to process a significant rate of transactions. The rate of transactions exceeds the processing capabilities of a single virtual machine (VM). You want to spread transactions across multiple servers in real time and in the most cost-effective manner. What should you do?<br>
A. Send transactions to BigQuery. On the VMs, poll for transactions that do not have the ‘processed’ key, and mark them ‘processed’ when done.<br>
B. Set up Cloud SQL with a memory cache for speed. On your multiple servers, poll for transactions that do not have the ‘processed’ key, and mark them ‘processed’ when done.<br>
**C. Send transactions to Pub/Sub. Process them in VMs in a managed instance group.<br>**
D. Record transactions in Cloud Bigtable, and poll for new transactions from the VMs.<br>

Feedback<br>
A is not correct because its latency is significantly higher than the real-time response required.<br>
B is not correct because it will not deliver the desired performance.<br>
C is correct because Pub/Sub is a scalable solution that can effectively distribute a large number of tasks among multiple servers at a low cost.<br>
D is not correct because, although fast, it will introduce an additional expense for storing the data.<br>
 
https://cloud.google.com/pubsub/docs/overview<br>
<br>

**Question 5**<br>
 
Your team needs to directly connect your on-premises resources to several virtual machines inside a virtual private cloud (VPC). You want to provide your team with fast and secure access to the VMs with minimal maintenance and cost. What should you do?<br>
A. Set up Cloud Interconnect.<br>
**B. Use Cloud VPN to create a bridge between the VPC and your network.<br>**
C. Assign a public IP address to each VM, and assign a strong password to each one.<br>
D. Start a Compute Engine VM, install a software router, and create a direct tunnel to each VM.<br>

Feedback<br>
A is not correct because it is significantly more expensive than other existing solutions.<br>
B is correct because it agrees with the Google recommended practices.<br>
C is not correct because it will require a sizable maintenance effort.<br>
D is not correct because setting up connections for each individual VM requires a significant amount of maintenance.<br>
 
https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview<br>
<br>

**Question 6**<br>
 
You are implementing Cloud Storage for your organization. You need to follow your organization’s regulations. They include: 1) Archive data older than one year. 2) Delete data older than 5 years. 3) Use standard storage for all other data. You want to implement these guidelines automatically and in the simplest manner available. What should you do?<br>
**A. Set up Object Lifecycle management policies.<br>**
B. Run a script daily. Copy data that is older than one year to an archival bucket, and delete five-year-old data.<br>
C. Run a script daily. Set storage class to ARCHIVE for data that is older than one year, and delete five-year-old data.<br>
D. Set up default storage class for three buckets named: STANDARD, ARCHIVE, DELETED. Use a script to move the data in the appropriate bucket when its condition matches your company guidelines.<br>

Feedback<br>
A is correct because Object Lifecycle allows you to automate the implementation of your organization’s data policy.<br>
B is not correct because changing an object's storage class does not require copying the object to another bucket.<br>
C is not correct because it requires custom programming.<br>
D is not correct because moving an object to a DELETED bucket does not really delete it.<br>
 
https://cloud.google.com/storage/docs/lifecycle<br>
 
https://cloud.google.com/storage/docs/storage-classes<br>
<br>

**Question 7**<br>
 
You are creating a Cloud IoT application requiring data storage of up to 10 petabytes (PB). The application must support high-speed reads and writes of small pieces of data, but your data schema is simple. You want to use the most economical solution for data storage. What should you do?<br>
A. Store the data in Cloud Spanner, and add an in-memory cache for speed.<br>
B. Store the data in Cloud Storage, and distribute the data through Cloud CDN for speed.<br>
**C. Store the data in Cloud Bigtable, and implement the business logic in the programming language of your choice.<br>**
D. Use BigQuery, and implement the business logic in SQL.<br>

Feedback<br>
A is not correct because Cloud Spanner would not be the most economical solution.<br>
B is not correct because blob-oriented Cloud Storage is not a good fit for reading and writing small pieces of data.<br>
C is correct because Bigtable provides high-speed reads and writes, accommodates a simple schema, and is cost-effective.<br>
D is not correct because BigQuery does not provide the high-speed reads and writes required by IoT.<br>
 
https://cloud.google.com/bigtable/docs/overview<br>
<br>

**Question 8**<br>
 
You have created a Kubernetes deployment on Google Kubernetes Engine (GKE) that has a backend service. You also have pods that run the frontend service. You want to ensure that there is no interruption in communication between your frontend and backend service pods if they are moved or restarted. What should you do?<br>
**A. Create a service that groups your pods in the backend service, and tell your frontend pods to communicate through that service.<br>**
B. Create a DNS entry with a fixed IP address that the frontend service can use to reach the backend service.<br>
C. Assign static internal IP addresses that the frontend service can use to reach the backend pods.<br>
D. Assign static external IP addresses that the frontend service can use to reach the backend pods.<br>

Feedback<br>
A is correct because a Kubernetes service provides a destination that can be used when the pods are moved or restarted.<br>
B is not correct because a DNS entry is created by service creation.<br>
C is not correct because static internal IP addresses do not automatically change when pods are restarted.<br>
D is not correct because static external IP addresses do not automatically change when pods are restarted, and they take traffic outside of Google networks.<br>
 
https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps<br>
<br>

**Question 9**<br>
 
You are responsible for the user-management service for your global company. The service will add, update, delete, and list addresses. Each of these operations is implemented by a Docker container microservice. The processing load can vary from low to very high. You want to deploy the service on Google Cloud for scalability and minimal administration. What should you do?<br>
**A. Deploy your Docker containers into Cloud Run.<br>**
B. Start each Docker container as a managed instance group.<br>
C. Deploy your Docker containers into Google Kubernetes Engine.<br>
D. Combine the four microservices into one Docker image, and deploy it to the App Engine instance.<br>

Feedback<br>
A is correct because Cloud Run is a managed service that requires minimal administration.<br>
B is not correct because managed instance groups lack management capabilities to expose their services.<br>
C is not correct because, although GKE provides scalability, it requires ongoing administration of the cluster.<br>
D is not correct because it requires effort to reimplement the four microservices in one Docker container. You will also lose your microservice architecture.<br>
 
https://cloud.google.com/run/docs/quickstarts<br>
<br>

**Question 10**<br>
 
You provide a service that you need to open to everyone in your partner network. You have a server and an IP address where the application is located. You do not want to have to change the IP address on your DNS server if your server crashes or is replaced. You also want to avoid downtime and deliver a solution for minimal cost and setup. What should you do?<br>
A. Create a script that updates the IP address for the domain when the server crashes or is replaced.<br>
B. Reserve a static internal IP address, and assign it using Cloud DNS.<br>
**C. Reserve a static external IP address, and assign it using Cloud DNS.<br>**
D. Use the Bring Your Own IP (BYOIP) method to use your own IP address.<br>

Feedback<br>
A is not correct because updating DNS records could take up to 24 hours and it will cause downtime.<br>
B is not correct because internal IPs are not routable and cannot be seen on the internet.<br>
C is correct because external IPs are routable and can be advertised and seen on the internet, and this is also the most cost-effective solution.<br>
D is not correct because, while it is possible, bringing your own IP address is not as cost effective as Google Cloud DNS.<br>
 
https://cloud.google.com/vpc/docs/using-vpc<br>
 
https://cloud.google.com/vpc/docs/alias-ip<br>
 
https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address<br>
 
https://cloud.google.com/vpc/docs/bring-your-own-ip<br>
<br>

**Question 11**<br>
 
Your team is building the development, test, and production environments for your project deployment in Google Cloud. You need to efficiently deploy and manage these environments and ensure that they are consistent. You want to follow Google-recommended practices. What should you do?<br>
A. Create a Cloud Shell script that uses gcloud commands to deploy the environments.<br>
B. Create one Terraform configuration for all environments. Parameterize the differences between environments.<br>
C. For each environment, create a Terraform configuration. Use them for repeated deployment. Reconcile the templates periodically.<br>
**D. Use the Cloud Foundation Toolkit to create one deployment template that will work for all environments, and deploy with Terraform.<br>**

Feedback<br>
A is not correct because creating a custom script of gcloud commands that adheres to Google Cloud recommended practices would require substantial development and maintenance effort.<br>
B is not correct because parameterizing the environment differences is time consuming and error prone.<br>
C is not correct because it is prone to error and involves significant reconciliation work.<br>
D is correct because the Cloud Foundation Toolkit (CFT) provides ready-made templates that reflect Google Cloud recommended practices and can be used to automate creation of the environments.<br>
 
https://cloud.google.com/foundation-toolkit<br>
<br>

**Question 12**<br>
 
You receive an error message when you try to start a new VM: “You have exhausted the IP range in your subnet.” You want to resolve the error with the least amount of effort. What should you do?<br>
A. Create a new subnet and start your VM there.<br>
**B. Expand the CIDR range in your subnet, and restart the VM that issued the error.<br>**
C. Create another subnet, and move several existing VMs into the new subnet.<br>
D. Restart the VM using exponential backoff until the VM starts successfully.<br>

Feedback<br>
A is not correct because you do not need a new subnet. Once you expand the CIDR range, the initial VM will work by redeploying it.<br>
B is correct because once you expand the CIDR range, you can redeploy it, and it will work.<br>
C is not correct because moving your VMs to another subnet is an additional time-consuming effort that is not required.<br>
D is not correct because once the CIDR range is exhausted, redeploying the failed VM will not resolve the issue.<br>
 
https://cloud.google.com/vpc/docs/using-vpc#expand-subnet<br>
<br>

**Question 13**<br>
 
You are running several related applications on Compute Engine virtual machine (VM) instances. You want to follow Google-recommended practices and expose each application through a DNS name. What should you do?<br>
A. Use the Compute Engine internal DNS service to assign DNS names to your VM instances, and make the names known to your users.<br>
B. Assign each VM instance an alias IP address range, and then make the internal DNS names public.<br>
C. Assign Google Cloud routes to your VM instances, assign DNS names to the routes, and make the DNS names public.<br>
**D. Use Cloud DNS to translate your domain names into your IP addresses.<br>**

Feedback<br>
A is not correct because email is not the way for submitting DNS publication requests.<br>
B is not correct because you cannot make the internal DNS name public.<br>
C is not correct because you cannot make DNS names public.<br>
D is correct because Cloud DNS is the proper tool for translating domain names into IP addresses.<br>
 
https://cloud.google.com/dns/docs/tutorials/create-domain-tutorial<br>
<br>

**Question 14**<br>
 
You are charged with optimizing Google Cloud resource consumption. Specifically, you need to investigate the resource consumption charges and present a summary of your findings. You want to do it in the most efficient way possible. What should you do?<br>
A. Rename resources to reflect the owner and purpose. Write a Python script to analyze resource consumption.<br>
**B. Attach labels to resources to reflect the owner and purpose. Export Cloud Billing data into BigQuery, and analyze it with Data Studio.<br>**
C. Assign tags to resources to reflect the owner and purpose. Export Cloud Billing data into BigQuery, and analyze it with Data Studio.<br>
D. Create a script to analyze resource usage based on the project to which the resources belong. In this script, use the IAM accounts and services accounts that control given resources.<br>

Feedback<br>
A is not correct because it requires custom programming, does not follow Google recommended practices, and is not the most efficient solution.<br>
B is correct because it describes Google Recommended practice: labels are attached to resources and these labels are then propagated into billing items.<br>
C is not correct because tags are no longer created when a label is created for a resource and cannot be used for tracking resources.<br>
D is not correct because it requires custom programming.<br>
 
https://cloud.google.com/billing/docs/how-to/export-data-bigquery<br>
 
https://cloud.google.com/compute/docs/labeling-resources#common-uses<br>
 
https://cloud.google.com/compute/docs/labeling-resources#labels_tags<br>
<br>

**Question 15**<br>
 
You are creating an environment for researchers to run ad hoc SQL queries. The researchers work with large quantities of data. Although they will use the environment for an hour a day on average, the researchers need access to the functional environment at any time during the day. You need to deliver a cost-effective solution. What should you do?<br>
A. Store the data in Cloud Bigtable, and run SQL queries provided by Bigtable schema.<br>
**B. Store the data in BigQuery, and run SQL queries in BigQuery.<br>**
C. Create a Dataproc cluster, store the data in HDFS storage, and run SQL queries in Spark.<br>
D. Create a Dataproc cluster, store the data in Cloud Storage, and run SQL queries in Spark.<br>

Feedback<br>
A is not correct because HBase does not allow ad-hoc queries.<br>
B is correct because BigQuery allows for ad hoc queries and is cost effective.<br>
C is not correct because HDFS is not the recommended storage to use with Dataproc on Google Cloud.<br>
D is not correct because it is not the most cost-effective solution, because the cluster is always running.<br>
 
https://cloud.google.com/bigquery/docs<br>
<br>

**Question 16**<br>
 
You are migrating your workload from on-premises deployment to Google Kubernetes Engine (GKE). You want to minimize costs and stay within budget. What should you do?<br>
**A. Configure Autopilot in GKE to monitor node utilization and eliminate idle nodes.<br>**
B. Configure the needed capacity; the sustained use discount will make you stay within budget.<br>
C. Scale individual nodes up and down with the Horizontal Pod Autoscaler.<br>
D. Create several nodes using Compute Engine, add them to a managed instance group, and set the group to scale up and down depending on load.<br>

Feedback<br>
A is correct because Autopilot is designed to reduce the operational cost of managing clusters and optimize your clusters for production.<br>
B is not correct because it violates the principle of provisioning on-demand rather than overprovisioning. Although sustained use discount lowers the budget, not using unnecessary resources will keep costs down more.<br>
C is not correct because Horizontal Pod Autoscaler is for adjusting the Kubernetes parameters for performance, not for taking out unnecessary resources.<br>
D is not correct because, although Google Kubernetes Engine uses Compute Engine internally, managed instance groups lack the Autopilot capabilities for scaling Kubernetes.<br>
 
https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview<br>
<br>

**Question 17**<br>
 
Your application allows users to upload pictures. You need to convert each picture to your internal optimized binary format and store it. You want to use the most efficient, cost-effective solution. What should you do?<br>
A. Store uploaded files in Cloud Bigtable, monitor Bigtable entries, and then run a Cloud Function to convert the files and store them in Bigtable.<br>
B. Store uploaded files in Firestore, monitor Firestore entries, and then run a Cloud Function to convert the files and store them in Firestore.<br>
C. Store uploaded files in Filestore, monitor Filestore entries, and then run a Cloud Function to convert the files and store them in Filestore.<br>
**D. Save uploaded files in a Cloud Storage bucket, and monitor the bucket for uploads. Run a Cloud Function to convert the files and to store them in a Cloud Storage bucket.<br>**
 
Feedback<br>
A is not correct because Bigtable has limitations on storing binary files.<br>
B is not correct because Firestore is not efficient for large binary files.<br>
C is not correct because it is not the most cost-effective solution.<br>
D is correct because it follows Google-recommended practices and is the most efficient, cost-effective solution.<br>
 
https://cloud.google.com/storage<br>
<br>

**Question 18**<br>
 
You are migrating your on-premises solution to Google Cloud. As a first step, the new cloud solution will need to ingest 100 TB of data. Your daily uploads will be within your current bandwidth limit of 100 Mbps. You want to follow Google-recommended practices for the most cost-effective way to implement the migration. What should you do?<br>
A. Set up Partner Interconnect for the duration of the first upload.<br>
**B. Obtain a Transfer Appliance, copy the data to it, and ship it to Google.<br>**
C. Set up Dedicated Interconnect for the duration of your first upload, and then drop back to regular bandwidth.<br>
D. Divide your data between 100 computers, and upload each data portion to a bucket. Then run a script to merge the uploads together.<br>

Feedback<br>
A is not correct because Partner Interconnect, although less expensive than Dedicated Interconnect, is still not the most cost effective solution for this migration.<br>
B is correct because it follows Google recommended practices for these data sizes and is the most cost-effective solution to implement the migration.<br>
C is not correct because Dedicated Interconnect is not the most cost-effective for this use case.<br>
D is not correct because it is not the most cost effective solution.<br>
 
https://cloud.google.com/transfer-appliance/docs/4.0<br>
<br>

**Question 19**<br>
 
You are setting up billing for your project. You want to prevent excessive consumption of resources due to an error or malicious attack and prevent billing spikes or surprises. What should you do?<br>
A. Set up budgets and alerts in your project.<br>
**B. Set up quotas for the resources that your project will be using.<br>**
C. Set up a spending limit on the credit card used in your billing account.<br>
D. Label all resources according to best practices, regularly export the billing reports, and analyze them with BigQuery.<br>

Feedback<br>
A is not correct because budgets and alerts will result in notifications, but will not prevent excessive resource consumption.<br>
B is correct because setting up quotas will prevent resource consumption from exceeding specified limits.<br>
C is not correct because it will not prevent excessive resource consumption. Instead, your credit card will incur an unpaid balance; you will receive an email about it from Google and will still be liable to pay.<br>
D is not correct because analyzing the root cause for going over the budget will not prevent overspend.<br>
 
https://cloud.google.com/compute/quotas<br>
<br>

**Question 20**<br>
 
Your project team needs to estimate the spending for your Google Cloud project for the next quarter. You know the project requirements. You want to produce your estimate as quickly as possible. What should you do?<br>
A. Build a simple machine learning model that will predict your next month’s spend.<br>
B. Estimate the number of hours of compute time required, and then multiply by the VM per-hour pricing.<br>
**C. Use the Google Cloud Pricing Calculator to enter your predicted consumption for all groups of resources.<br>**
D. Use the Google Cloud Pricing Calculator to enter your consumption for all groups of resources, and then adjust for volume discounts.<br>

Feedback<br>
A is not correct because, although ML produces excellent results in many areas, there are more straightforward approaches that require less time to produce an estimate.<br>
B is not correct because you need to add other charges, such as storage and data egress charges.<br>
C is correct because the Google Cloud Pricing Calculator quickly gives the result, and you know the resources required for the project.<br>
D is not correct because volume discounts, also called sustained use discounts, are applied automatically and are included in the calculator estimates.<br>
 
https://cloud.google.com/products/calculator<br>
 
https://cloud.google.com/compute/docs/sustained-use-discounts<br>
<br>