Google Practice Questions, Discussions & Exam Topics by our Authors
You are deploying an application to Cloud Run. The application requires a password to start. Your organization requires that all passwords are rotated every 24 hours, and your application must have the l...
To ensure your application has the latest password without downtime and adheres to the policy of rotating the password every 24 hours, using Secret Manager to securely manage the password is the most appropriate approach. The solution should allow for the automatic rotation of the password without requiring rebuilding or redeploying the container. Here's the analysis of each option:
Selected option: B) Store the password in Secret Manager and mount the secret as a volume within the application.
Reason for selection:
- No downtime: Mounting the secret as a volume allows the application to access the latest version of the password without needing to rebuild or redeploy the application. Cloud Run automatically fetches the latest version of the secret, meaning that when the password is rotated in Secret Manager, it will be available to the application immediately.
- Security and rotation: Secret Manager is designed for secure secret management, including automatic rotation, which makes it compliant with your organization’s policy of rotating passwords every 24 hours. By mounting the secret, you avoid hard-coding the password into the application or needing to rebuild containers.
- Cloud Run native integration: Cloud Run can directly access secrets from Secret Manager, making this method seamless and efficient for both security and operations.
Why other options are rejected:
- A) Store the password in Secret Manager and send the secret to the application by using environment variables.
Reason for rejection: While this optio...
Author: Daniel · Last updated May 31, 2026
Your company runs applications in Google Kubernetes Engine (GKE) that are deployed following a GitOps methodology. Application developers frequently create cloud resources to support their applications. You want to give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recom...
To address the need to manage infrastructure as code (IaC) while ensuring periodic reconciliation to avoid configuration drift in Google Kubernetes Engine (GKE) with a GitOps methodology, let’s evaluate each option:
A) Install and configure Config Connector in Google Kubernetes Engine (GKE)
- Explanation: Config Connector is a Google Cloud tool that enables you to manage Google Cloud resources using Kubernetes resources. It integrates with Kubernetes and allows for IaC through declarative YAML manifests, enabling infrastructure resources to be treated as part of the Kubernetes environment.
- Pros: Config Connector automatically reconciles the state of the resources and ensures that the desired state defined in the Kubernetes manifests is maintained. This provides periodic reconciliation, which helps avoid configuration drift. It’s a Google-recommended solution for managing cloud resources within GKE and aligns well with GitOps principles.
- Cons: It is more complex to set up compared to some other options and can introduce additional overhead in terms of managing the Config Connector itself.
B) Configure Cloud Build with a Terraform builder to execute terraform plan and terraform apply commands
- Explanation: Cloud Build is a CI/CD service that can automate tasks like running Terraform to manage infrastructure. Using a Terraform builder to execute `terraform plan` and `terraform apply` would allow infrastructure changes to be applied from a Git repository.
- Pros: This approach can be useful for CI/CD pipelines but does not provide native periodic reconciliation. You would need to trigger Cloud Build manually or on a schedule. It's not designed for continuous reconciliation like other options.
- Cons: Cloud Build is not typically used for continuous infrastructure state reconciliation. It’s better suited for infrastructure changes triggered by commits rather than for periodic reconciliation on a continuous b...
Author: Ava · Last updated May 31, 2026
You are designing a system with three different environments: development, quality assurance (QA), and production. Each environment will be deployed with Terraform and has a Google Kubernetes Engine (GKE) cluster created so that application teams can deploy their applications. Anthos Config Management will be used and templated to deploy infrastructure level resources in each GKE cluster. All users (for example, inf...
When designing the structure for managing Infrastructure as Code (IaC) and application code using GitOps in an environment with multiple stages (development, QA, production) and Google Kubernetes Engine (GKE), there are several key factors to consider:
Key Factors for Structuring Repositories:
1. Separation of Environments: Each environment (development, QA, production) should be managed separately to ensure the correct configurations are applied to the right environment and avoid accidental misconfigurations.
2. Infrastructure and Application Code: The IaC (Terraform) and GKE configuration (via Anthos Config Management using Kustomize) should be structured so that both infrastructure and application code are modular and easy to manage.
3. GitOps: GitOps dictates that all changes to infrastructure and application code should happen through Git repositories, and the deployment process should automatically synchronize with the state in the Git repositories.
4. Flexibility and Security: Different users (e.g., infrastructure operators and application developers) should have clear roles, with sufficient segregation between environments for security and operational efficiency.
Let's evaluate the options:
Option A:
- Cloud Infrastructure (Terraform) repository: Shared, with different directories for different environments (development, QA, production).
- GKE Infrastructure (Anthos Config Management Kustomize manifests) repository: Shared, with different overlay directories for different environments.
- Application repositories: Separate repositories, with different branches for different features.
Pros:
- Single repository for Terraform and Anthos configurations: This can simplify management and reduce the complexity of maintaining multiple repositories.
- Clear separation of application features via branches: Allows for managing different application features independently.
Cons:
- Large repositories: As the infrastructure and application code grow, having everything in a single repository (with directories or branches for each environment) could make the repository difficult to manage.
- Overhead in managing branches for features and environments within the same repository, especially for complex applications.
Conclusion: This approach works well for smaller teams or simpler systems but might lead to challenges with scaling in larger or more complex setups due to repository size and complexity.
Option B:
- Cloud Infrastructure (Terraform) repository: Shared, with different directories for different environments (development, QA, production).
- GKE Infrastructure (Anthos Config Management Kustomize manifests) repositories: Separate repositories for each environment.
- Application repositories: Separate repositories, with different branches for different features.
Pros:
- Clear separation of GKE infrastructure for each environment: This allows for fine-grained control over different configurations for each environment.
- Separate application repositories for better isolation between different feature branches and environments.
Cons:
- Multiple repositories for GKE infrastructure: This increases the complexity of managing multiple repositories for GKE configurations, which can lead to higher operational overhead.
- Potentially redunda...
Author: Jack · Last updated May 31, 2026
You are configuring Cloud Logging for a new application that runs on a Compute Engine instance with a public IP address. A user-managed service account is attached to the instance. You confirmed that the necessary agents are running on the instance but you cannot see any log entries from...
To resolve the issue of missing log entries from a Compute Engine instance in Cloud Logging, let's evaluate each option based on the Google-recommended practices for logging in Google Cloud.
A) Export the service account key and configure the agents to use the key
- Explanation: Exporting the service account key and manually configuring the agents to use the key would involve creating and downloading a service account key file. This key would be configured within the agent so it can authenticate with Google Cloud services like Cloud Logging.
- Pros: This method could work by manually assigning credentials to the agent, but it is not Google-recommended. Using service account keys is less secure and harder to manage. It can lead to potential security risks because the keys can be compromised or improperly handled.
- Cons: This approach does not follow best practices and introduces unnecessary complexity and security concerns, especially since Google recommends using the default Compute Engine service account or a properly scoped custom service account without using exported keys.
B) Update the instance to use the default Compute Engine service account
- Explanation: The default Compute Engine service account has broad permissions, including those necessary for logging, monitoring, and interacting with other Google Cloud services. If the instance is configured with a custom user-managed service account, it might not have sufficient permissions for Cloud Logging.
- Pros: The default service account is pre-configured with the necessary permissions to write logs to Cloud Logging. Switching to the default service account could immediately resolve the issue by giving the instance the necessary permissions.
- Cons: Changing to the default service account might not always be ideal in cases where custom service accounts are required for specific security or operational requirements. However...
Author: Oscar · Last updated May 31, 2026
As a Site Reliability Engineer, you support an application written in Go that runs on Google Kubernetes Engine (GKE) in production. After releasing a new version of the application, you notice the application runs for about 15 minutes and then restarts. You decide to add Cloud Profiler ...
The issue you're describing indicates that the Go application is likely experiencing a memory leak, where the heap usage grows continuously until the application reaches its memory limit and restarts. Let's evaluate each option to determine the best approach for resolving the problem.
A) Increase the CPU limit in the application deployment
- Explanation: Increasing the CPU limit in Kubernetes might improve the application's performance if it’s CPU-bound, but it doesn’t directly address the issue of growing heap memory.
- Pros: Increasing CPU limits may help the application run faster if it’s struggling due to a lack of CPU resources.
- Cons: The problem described — growing heap usage — is more related to memory management, not CPU performance. Increasing CPU limits won’t fix the memory leak, as it doesn’t directly address memory usage or leaks.
B) Add high memory compute nodes to the cluster
- Explanation: Adding nodes with more memory can provide more resources for your application and might delay or temporarily alleviate the memory issue, but it doesn't address the root cause of the problem — the memory leak.
- Pros: This could temporarily allow the application to run longer without restarting due to memory constraints.
- Cons: This is only a temporary workaround. The root cause (memory leak) is not resolved, and the application will eventually still run out of memory, leading to restarts. This solution is more of a "band-aid" than a permanent fix.
C) Increase the memory limit in the application deployment
- Explanation: Increasing the memory limit in the Kubernetes deployment could delay the memory-related restarts by providing more memory to the application.
- Pros...
Author: FrozenWolf2022 · Last updated May 31, 2026
You are deploying a Cloud Build job that deploys Terraform code when a Git branch is updated. While testing, you noticed that the job fails. You see the following error in the build logs:
Initializing the backend...
Error: Failed to get existing workspaces: querying Cloud Storage ...
The error you're seeing — Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403 — indicates a permission issue when trying to access the backend state file in Cloud Storage. Specifically, Terraform is unable to access the state file stored in the Cloud Storage bucket, leading to a failure in the Cloud Build job.
Let's evaluate each option:
A) Change the Terraform code to use local state
- Explanation: Switching to a local state file means Terraform would store its state locally on the Cloud Build environment, rather than in Cloud Storage.
- Pros: This could avoid the permission issue temporarily by using a local state file.
- Cons: This is not recommended for production environments, especially when using Cloud Build and GitOps. Storing Terraform state locally undermines the benefits of using a centralized, remote state file in a shared cloud environment, making it difficult to track changes and collaborate. Additionally, it doesn’t solve the permissions issue with Cloud Storage, which is a better long-term approach for state management.
B) Create a storage bucket with the name specified in the Terraform configuration
- Explanation: This option suggests ensuring that the storage bucket specified in the Terraform configuration exists before running the Cloud Build job.
- Pros: Creating the storage bucket would prevent errors related to a missing backend state storage bucket.
- Cons: While this ensures the bucket exists, it doesn’t address the core issue, which is likely related to permissions on the existing bucket. The error you're seeing is related to the lack of proper permissions (403 error), not the existence of the bucket itself. Simply creating the bucket won’t resolve the IAM permissions problem.
C) Grant the roles/owner Identity and Access Management (IAM) role to the Cloud Build service account on the project
...
Author: Zara · Last updated May 31, 2026
Your company runs applications in Google Kubernetes Engine (GKE). Several applications rely on ephemeral volumes. You noticed some applications were unstable due to the DiskPressure node condition on the worker nodes. You need to identify which ...
To identify which Pods are causing the issue due to DiskPressure on the worker nodes in Google Kubernetes Engine (GKE), we need to approach the problem by analyzing the storage usage at the right levels.
Option Breakdown:
A) Check the node/ephemeral_storage/used_bytes metric by using Metrics Explorer:
- This option shows the total ephemeral storage usage at the node level. However, it does not identify which specific Pods are using the storage. It only tells you that the node itself is under pressure, which isn't sufficient to pinpoint the Pods causing the problem.
- Rejected because: This metric doesn’t provide information at the granularity of individual Pods.
B) Check the container/ephemeral_storage/used_bytes metric by using Metrics Explorer:
- This metric provides detailed ephemeral storage usage at the container level. It is useful because it helps identify which specific containers (and thereby which Pods) are consuming excessive storage.
- Selected because: This option helps you find out the storage usage for each container, which allows pinpointing the specific Pods that are contributing to the DiskPressure c...
Author: Jack · Last updated May 31, 2026
You are designing a new Google Cloud organization for a client. Your client is concerned with the risks associated with long-lived credentials created in Google Cloud. You need to design a solution to completely eliminate the risks associat...
To design a solution that eliminates the risks associated with long-lived credentials (specifically JSON service account keys) in Google Cloud while minimizing operational overhead, we need to focus on limiting or disabling the ability to create and use these keys. Here's a detailed breakdown of the options:
Option Breakdown:
A) Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization:
- This constraint prevents the creation of new service account keys for service accounts within the organization. It directly addresses the problem of long-lived credentials by ensuring no new keys can be created, thereby eliminating the risk associated with key usage.
- Selected because: This option is the most straightforward and effective solution to eliminate the risk of long-lived keys. It prevents the creation of service account keys entirely, addressing the core concern without adding unnecessary complexity or operational overhead. It also scales well across the organization without requiring manual intervention.
B) Use custom versions of predefined roles to exclude all iam.serviceAccountKeys. service account role permissions:
- While this option can help control who has access to manage service account keys, it does not prevent the creation of keys. Users could still manually generate keys or use existing keys, which could still pose a risk.
- Rejected because: This option adds some complexity without directly add...
Author: Ming88 · Last updated May 31, 2026
You are designing a deployment technique for your applications on Google Cloud. As part of your deployment planning, you want to use live traffic to gather performance metrics for new versions of your applications. You need to...
When designing a deployment technique to test new versions of your applications using live traffic and gather performance metrics before launching, you need to choose an approach that allows you to test under full production load, while minimizing risk and ensuring smooth monitoring of performance. Here's a breakdown of each option:
Option Breakdown:
A) Use A/B testing with blue/green deployment:
- Blue/green deployments involve deploying the new version of the application (the "green" environment) while keeping the old version (the "blue" environment) running. Traffic is then switched between the two environments.
- While A/B testing allows you to direct a portion of traffic to test different versions, blue/green deployments are more suited for gradual rollouts and may not necessarily test the new version under full production load all at once.
- Rejected because: Although A/B testing is valuable, it is not designed specifically for testing full production load. It tests performance under controlled traffic division, which does not meet the requirement to test against the entire production load before launch.
B) Use canary testing with continuous deployment:
- Canary testing involves deploying the new version of the application to a small subset of users first (the "canaries"), while the rest of the users continue using the current version. You can monitor how the new version performs with real traffic.
- With continuous deployment, new versions of your application are automatically deployed, but the canary testing ensures that only a small percentage of traffic hits the new version initially. This provides real-world performance metrics while minimizing risk.
- Selected because: This approach allows you to test new versions of the application under real traffic but limits exposure to a small subset of users initially. It gives the advantage of full production traffic in a controlled and incremental fashion, making it ideal for gathering perform...
Author: Scarlett · Last updated May 31, 2026
Your Cloud Run application writes unstructured logs as text strings to Cloud Logging. You want to convert the unstructured l...
When working with Cloud Run and wanting to convert unstructured logs (plain text) into structured JSON logs for better analysis and indexing in Cloud Logging, you need to focus on a solution that allows you to format logs as JSON entries before they are sent to Cloud Logging. Let's break down each option:
Option Breakdown:
A) Modify the application to use Cloud Logging software development kit (SDK), and send log entries with a jsonPayload field:
- This option involves updating your application code to use the Cloud Logging SDK to structure the logs as JSON when they are created. By using the SDK, you can format your logs to include a `jsonPayload` field directly, allowing you to send structured logs in JSON format.
- Selected because: This is the most direct and efficient way to convert unstructured logs to structured JSON logs. It gives you control over the log format at the source, ensuring logs are generated and forwarded as structured JSON from the beginning. This approach minimizes complexity and leverages Cloud Logging's native capabilities.
B) Install a Fluent Bit sidecar container, and use a JSON parser:
- Fluent Bit is a log forwarder and processor that can be used to gather, transform, and forward logs. You can configure it to parse and convert unstructured logs to JSON.
- Rejected because: Although Fluent Bit is a powerful tool for log transformation and forwarding, installing a sidecar container adds additional complexity to your Cloud Run setup. Cloud Run typically encourages stateless applications, and adding a sidecar might be more complex than simply modifying the application's logging approach directly.
C) Install the log agent in the Cloud Run container image, and use the log a...
Author: Ryan · Last updated May 31, 2026
Your company is planning a large marketing event for an online retailer during the holiday shopping season. You are expecting your web application to receive a large volume of traffic in a short period. You need to prep...
For preparing your application for a large volume of traffic during the marketing event, you want to ensure that your system is resilient, can handle increased load, and is able to detect and respond to issues quickly. Let's break down each option to determine the best course of action:
Option Breakdown:
A) Configure Anthos Service Mesh on the application to identify issues on the topology map:
- Anthos Service Mesh can provide visibility into your application’s architecture and identify issues at the service level (like latency or failures) across microservices. It offers advanced monitoring and tracing capabilities.
- However, configuring Anthos Service Mesh introduces additional complexity and may not be necessary for basic fault tolerance or scaling purposes during the event. It's primarily useful for more complex microservices environments.
- Rejected because: While Anthos Service Mesh is useful for monitoring complex applications, it might not be the most practical or required tool in this case, especially if your application isn't based on microservices or doesn't already use Anthos.
B) Ensure that relevant system metrics are being captured with Cloud Monitoring, and create alerts at levels of interest:
- Cloud Monitoring helps capture key system metrics such as CPU usage, memory usage, request latency, etc. You can set up custom alerts based on thresholds that are critical for your application’s performance. This allows you to proactively monitor and be alerted on any performance issues or anomalies that arise during the event.
- Selected because: Monitoring system metrics and setting up alerts allows you to catch potential performance issues (e.g., increased latency, high memory usage) before they become critical, ensuring that you're prepared for the expected traffic and can react quickly if something goes wrong.
C) Review your increased capacity requirements and plan for the required quota management:
- During a large-scale event, it's essential to ensure that you have adequate capacity to handle the increased traffic. This may involve increasing resource...
Author: Noah Williams · Last updated May 31, 2026
Your company recently migrated to Google Cloud. You need to design a fast, reliable, and repeatable solution for your company to provision new pr...
To design a fast, reliable, and repeatable solution for provisioning new projects and resources in Google Cloud, the selected approach must meet the following criteria:
1. Speed: The solution should be efficient in provisioning resources with minimal manual intervention.
2. Reliability: The solution should ensure that provisioning is consistent and error-free every time it's executed.
3. Repeatability: The process should allow the provisioning of resources to be repeated consistently with the same configuration in the future.
Let’s examine each option:
A) Use the Google Cloud console to create projects.
- Reasoning: The Google Cloud Console provides a user-friendly interface for creating and managing resources. However, this is a manual approach and does not fulfill the need for repeatability and automation, which is essential for scaling operations and ensuring consistent setups.
- Drawback: Human error is more likely, and it would be time-consuming to repeat the process for multiple projects. This method also lacks automation, which means it would not scale effectively.
B) Write a script by using the gcloud CLI that passes the appropriate parameters from the request. Save the script in a Git repository.
- Reasoning: A script using `gcloud CLI` can automate the provisioning process and offer more flexibility and repeatability compared to the Google Cloud Console.
- Drawback: This approach still requires manual intervention for running the script, and while it provides automation, it lacks a robust, structured framework for managing more complex resource configurations and dependencies. This might not scale well for larger or more complex environments.
C) Write a Terraform module and save it in your source control repository. Copy and run the terraform apply command to create the new project.
- Reasoning: Writing a Terraform module offers great flexibility and repeatability. Terraform allows the m...
Author: Julian · Last updated May 31, 2026
You are configuring a CI pipeline. The build step for your CI pipeline integration testing requires access to APIs inside your private VPC network. Your security team requires that you do not expose API traffic publi...
To meet the requirement of having your CI pipeline integration testing access APIs inside a private VPC network without exposing API traffic publicly, while minimizing management overhead, the solution needs to fulfill these criteria:
- Private Access: The APIs should remain inaccessible from the public internet.
- Automation and Low Overhead: The solution should be automated and not require ongoing manual configuration.
- Minimal Security Risks: No unnecessary exposure of the APIs or their traffic.
Let’s review each option:
A) Use Cloud Build private pools to connect to the private VPC.
- Reasoning: Cloud Build private pools are a feature that allows you to run builds inside a private VPC network. This approach is ideal for accessing resources within a private VPC because it ensures that build steps do not require public access to the internet.
- Benefits:
- Private Access: Cloud Build can securely connect to your VPC using private pools without exposing traffic to the public internet.
- Low Overhead: Once set up, it’s a hands-off solution for running builds within the VPC.
- Best Fit for CI/CD: Cloud Build is tailored for CI/CD workflows, which makes it an excellent choice for integration testing.
- Drawback: There might be a slight setup complexity, but the benefits of private access outweigh the initial configuration time.
B) Use Spinnaker for Google Cloud to connect to the private VPC.
- Reasoning: Spinnaker is a powerful CI/CD tool that can integrate with Google Cloud, but it is typically used for more complex deployment pipelines and may not be the best fit for this scenario.
- Drawback: Spinnaker is more suited for sophisticated deployment pipelines rather than straightforward integra...
Author: Emily · Last updated May 31, 2026
You are leading a DevOps project for your organization. The DevOps team is responsible for managing the service infrastructure and being on-call for incidents. The Software Development team is responsible for writing, submitting, and reviewing code. Neither team has any published SLOs. You want to design a new joint-ownership model for a servic...
Author: Benjamin · Last updated May 31, 2026
You recently migrated an ecommerce application to Google Cloud. You now need to prepare the application for the upcoming peak traffic season. You want to follow Google-reco...
When preparing an ecommerce application for peak traffic, the goal is to ensure that the system can handle increased load effectively, without introducing inefficiencies or outages. Google recommends a strategy that focuses on scalability, reliability, and proactive performance monitoring. Let's evaluate each option:
A) Migrate the application to Cloud Run, and use autoscaling.
- Reasoning: Cloud Run is a fully managed compute platform that automatically scales based on traffic. It is an excellent option for handling fluctuating loads, especially for stateless applications. Autoscaling ensures that resources are allocated based on demand, reducing over-provisioning and managing cost efficiently.
- Benefits:
- Scalability: Cloud Run can automatically scale your application up or down based on traffic.
- Reduced management overhead: Since it is a managed service, you don’t need to worry about manually scaling instances or configuring infrastructure.
- Ideal for unpredictable load: For ecommerce applications, which experience sudden spikes in traffic, Cloud Run offers a great solution for dynamic scaling.
- Drawback: Migrating an application to Cloud Run might require refactoring parts of your application to be stateless or to fit Cloud Run’s execution model. If your application is already in a well-functioning infrastructure and doesn't need such a drastic change, this might not be the best first step for immediate peak season preparation.
B) Create a Terraform configuration for the application's underlying infrastructure to quickly deploy to additional regions.
- Reasoning: Terraform is a great tool for managing infrastructure as code, and setting up configurations to deploy to additional regions can ensure that your application is more resilient and can handle traffic from different geographic locations.
- Benefits:
- Scalability and fault tolerance: Deploying to additional regions can help mitigate issues like regional outages or ensure better response times for users in different locations.
- Automation: Using Terraform allows you to automate the provisioning of infrastructure, which is helpful for quickly deploying additional resources when needed.
- Drawback: While this approach helps with scaling, it doesn’t focus directly on the immediate need...
Author: Deepak · Last updated May 31, 2026
You are monitoring a service that uses n2-standard-2 Compute Engine instances that serve large files. Users have reported that downloads are slow. Your Cloud Monitoring dashboard shows that your VMs are running at peak ...
To improve network throughput performance for your Compute Engine instances that are serving large files, we need to consider options that directly address the network bandwidth limitations indicated by the fact that the VMs are already running at peak network throughput.
Let’s evaluate each option:
A) Add additional network interface controllers (NICs) to your VMs.
- Reasoning: Google Cloud allows adding multiple NICs to VMs, which can be useful for improving network throughput by separating different types of traffic (e.g., management, application, and storage traffic). However, this may not directly increase the throughput for serving large files unless the traffic is specifically optimized for multiple interfaces, and managing multiple NICs can introduce additional complexity.
- Drawback: For a straightforward improvement in throughput, adding more NICs is generally not the most effective solution unless there is a specific need to separate traffic types. Also, adding NICs will not increase the network throughput of a single NIC.
B) Deploy a Cloud NAT gateway and attach the gateway to the subnet of the VMs.
- Reasoning: Cloud NAT allows VMs without external IP addresses to access the internet. While it is useful for enabling outbound connections from private VMs, it does not directly address the network throughput for large file serving between the VMs and clients. It mainly improves outbound internet access for private instances, not the network bandwidth performance of the VMs serving large files.
- Drawback: Since the problem is related to serving files and network throughput, Cloud NAT does not provide a solution for improving the throughput between the VMs and users. This would only be relevant if the VMs needed outbound internet access for other reasons.
C) Change the machine type for your VMs to n2-standard-8.
- Reasoning: Chan...
Author: Ryan · Last updated May 31, 2026
Your organization is starting to containerize with Google Cloud. You need a fully managed storage solution for container images and Helm charts. You need to identify a storage solution that has native integration into existing Google Cloud services, including Google Kub...
In your scenario, you're looking for a fully managed storage solution for container images and Helm charts with native integration into Google Cloud services like Google Kubernetes Engine (GKE), Cloud Run, VPC Service Controls, and Identity and Access Management (IAM). Let's break down the options:
Option A: Use Docker to configure a Cloud Storage driver pointed at the bucket owned by your organization
- Rejected: While Cloud Storage is a general-purpose storage solution, it is not designed specifically for container images or Helm charts. Google Cloud's storage buckets are typically used for object storage, but using it as a container registry would require additional management and configuration. It lacks native integration with GKE and other Google Cloud services designed for container workloads. Moreover, it doesn’t offer the specific features, such as image versioning, vulnerability scanning, and integration with IAM policies, that are needed for containerized applications.
Option B: Configure an open-source container registry server to run in GKE with a restrictive role-based access control (RBAC) configuration
- Rejected: Although this option allows you to host your own container registry, it introduces complexity because you'd need to manage the registry server yourself, including updates, scalability, security patches, and high availability. Additionally, it may lack native integration with Google Cloud services such as IAM, Cloud Run, or VPC Service Controls. A self-hosted registry would require more overhead and wouldn't provide a fully managed experience compared to other solutions offered by Google Cloud.
Option C: Configure Artifact Registry as an OCI-based container registry for both Helm charts and container images...
Author: Kai · Last updated May 31, 2026
You need to define SLOs for a high-traffic web application. Customers are currently happy with the application performance and availability. Based on current measurement, the 90th percentile of latency is 160 ms and the ...
To define the Service Level Objectives (SLOs) for latency in a high-traffic web application, it's essential to take into account the observed current performance metrics and ensure that the SLOs reflect acceptable performance for your users. In this case, the application already has the following percentiles based on a 28-day window:
- 90th percentile of latency = 160 ms
- 95th percentile of latency = 300 ms
Option A: 90th percentile - 150 ms, 95th percentile - 290 ms
- Rejected: While these values are slightly lower than the current measured latency, they would set a more stringent target that might not be realistic given the current performance. Given that the 90th percentile is already 160 ms, aiming for 150 ms at this percentile might be too aggressive without any significant performance improvements. Similarly, setting the 95th percentile to 290 ms, while closer to the current performance, is still an unrealistic target compared to the current 300 ms value.
Option B: 90th percentile - 160 ms, 95th percentile - 300 ms
- Selected: This option is the most aligned with the current observed performance. The 90th percentile of 160 ms and the 95th percentile of 300 ms exactly match the current measurements, reflecting the current state of application performance and ensuring that the SLOs are both realistic and achievable. This is the most accurate representation of the application's actual performance and provides a reasonable benchmark for the team to monitor and maintain moving f...
Author: Vikram · Last updated May 31, 2026
Your company runs applications in Google Kubernetes Engine (GKE). Application developers frequently create cloud resources to support their applications. You need to give developers the ability to manage infrastructure as code while adhering to Google-recommended practices. You want to manage infrastructure as code through Kubernet...
When your company needs to enable application developers to manage infrastructure as code while adhering to Google-recommended practices and using Kubernetes Custom Resource Definitions (CRDs), it's essential to select the most appropriate solution. Let's break down each option:
Option A: Configure Cloud Build with a Terraform builder to execute the terraform plan and terraform apply commands.
- Terraform is a powerful tool for managing infrastructure as code, but it is not designed specifically to integrate directly with Kubernetes CRDs for managing cloud resources in a native way.
- Cloud Build with Terraform can automate the execution of Terraform commands, but it doesn't support Kubernetes-specific custom resources out of the box.
- While Cloud Build and Terraform can work in CI/CD pipelines, they don’t align with Kubernetes CRDs for managing infrastructure directly within Kubernetes clusters.
- Conclusion: This option does not leverage Kubernetes CRDs for infrastructure management and is not as aligned with the Google-recommended practices for managing infrastructure through Kubernetes.
Option B: Install and configure Crossplane in GKE.
- Crossplane is a powerful tool for managing infrastructure through Kubernetes CRDs. It enables you to manage cloud resources (such as GCP services) declaratively via Kubernetes, providing a seamless experience for Kubernetes users to manage infrastructure as code using Kubernetes-native CRDs.
- Crossplane allows you to provision and manage resources like databases, storage, and compute instances directly from Kubernetes and is Google Cloud supported.
- This solution fits perfectly for teams that want to manage infrastructure as code within the Kubernetes ecosystem, while also adhering to Google-recommended practices.
- Conclusion: This is a highly appropriate option, as it integrates well with Kubernetes CRDs and aligns with Google's best practices.
Option C: Configure a GitHub...
Author: Olivia · Last updated May 31, 2026
Your company runs services on Google Cloud. Each team runs their applications in a dedicated project. New teams and projects are created regularly. Your security team requires that all logs are processed by a security information and event management (SIEM) system. The SIEM inges...
To ensure that all existing and future logs from multiple teams and projects are processed by the security information and event management (SIEM) system via Pub/Sub, we need to configure a logging sink that collects and routes logs to the SIEM. The key goal is to make sure that both existing and future logs from all teams are captured without manual intervention for every new project or team.
Let’s review each option:
Option A: Create an organization-level aggregated sink with a SIEM log bucket as the destination. Set an inclusion filter to include all logs.
- Pros:
- Organization-level sinks will capture logs from all projects within the organization, including future projects, without needing to configure anything for each new project.
- Logs can be routed to a log bucket, which may be a simpler solution for storing logs before they're ingested by the SIEM.
- Cons:
- The question specifies that the SIEM ingests logs via Pub/Sub, not a log bucket.
- Log buckets are not the correct destination for Pub/Sub ingestion and may not integrate directly with the SIEM system as effectively as a Pub/Sub topic.
- Conclusion: While this could work for storing logs, it doesn't meet the requirement of Pub/Sub ingestion, making it an incorrect option.
Option B: Create a folder-level aggregated sink with a SIEM Pub/Sub topic as the destination. Set an inclusion filter to include all logs. Repeat for each folder.
- Pros:
- Folder-level sinks can be effective if the organization is organized into folders for different teams or departments, and it would work for managing different teams in separate folders.
- Logs are directed to a Pub/Sub topic, which is the correct method for SIEM ingestion.
- Cons:
- This requires setting up a sink for each folder, which is manual and may not scale well as the number of folders grows, especially with frequent addition of new teams and projects.
- Future projects created outside the folders would require addition...
Author: Rahul · Last updated May 31, 2026
Your company stores a large volume of infrequently used data in Cloud Storage. The projects in your company's CustomerService folder access Cloud Storage frequently, but store very little data. You want to enable Data Access audit logging across the company to identify data usa...
To meet the requirement of enabling Data Access audit logging while excluding the CustomerService folder projects, we need to carefully consider the options based on Google Cloud’s audit logging configuration.
Let’s break down each option:
Option A: Enable Data Access audit logging for Cloud Storage at the organization level, and configure exempted principals to include users of the CustomerService folder.
- Pros:
- This would allow organization-level auditing, which is good for capturing logs across the entire organization.
- You could exclude specific users in the CustomerService folder by specifying exempted principals.
- Cons:
- This option focuses on exempting specific users rather than projects or folders. It’s not ideal for excluding an entire folder of projects from audit logging.
- You’d need to specifically define exempted users (which might be cumbersome and complex to manage if many users are involved) instead of excluding the CustomerService folder itself.
- Conclusion: This is not ideal because the configuration focuses on individual users instead of projects or folders.
Option B: Enable Data Access audit logging for Cloud Storage at the organization level, with no additional configuration.
- Pros:
- Enables organization-wide auditing with no specific exclusions.
- Cons:
- This would include the CustomerService folder projects, which contradicts the requirement of excluding those projects from audit logging.
- Does not provide the flexibility to filter or exclude specific projects or folders, which would be necessary to meet the requirements.
- Conclusion: This option does not meet the requirement to exclude the Cust...
Author: Oliver · Last updated May 31, 2026
You have an application running in production on Cloud Run. Your team recently finished developing a new version (revision B) of the application. You want to test the new revision o...
Let's evaluate the options based on the requirement of testing a new revision on 10% of your clients with the least amount of effort.
Option A: Deploy the new revision to the existing service without traffic allocated. Tag the revision and share the URL with 10% of your clients.
- Pros:
- The least amount of effort, as the new revision is deployed to the same service.
- You can directly share the URL with a small set of clients (10%).
- Cons:
- This approach doesn't automatically route traffic to the new revision in a controlled way. The 10% of clients would need to be manually directed to the new revision, which is not scalable or efficient for managing traffic distribution.
- Lacks automation for proper traffic splitting and monitoring.
- Conclusion: This method is not ideal because it's a manual process and doesn't provide the automated traffic routing needed.
Option B: Create a new service, and deploy the new revision on the new service. Deploy a new revision of the old application where the application routes a percentage of the traffic to the new service.
- Pros:
- Separates the old and new versions into different services, providing clear separation between the two revisions.
- Allows for routing a percentage of traffic to the new service using a revision in the old service.
- Cons:
- Extra overhead: Creating a new service adds complexity and is not necessary if you're only testing a small subset of users.
- Adds unnecessary complexity since Cloud Run supports routing traffic between revisions of the same service, which would be simpler and more efficient.
- Conclusion: This adds unnecessary complexity by creating a new service...
Author: Nia · Last updated May 31, 2026
You are designing a new multi-tenant Google Kubernetes Engine (GKE) cluster for a customer. Your customer is concerned with the risks associated with long-lived credentials use. The customer requires that each GKE workload has the minimum Identity and Access Management (IAM) permissions set following the principle of ...
Evaluating the Options:
To meet the requirement of minimizing long-lived credentials and adhering to the principle of least privilege (PoLP) while using IAM impersonation for GKE workloads, let’s analyze each option:
Option A:
1. Create a Google service account.
2. Create a node pool, and set the Google service account as the default identity.
3. Ensure that workloads can only run on the designated node pool by using node selectors, taints, and tolerations.
4. Repeat for each workload.
- Pros:
- By creating a dedicated node pool with specific service account credentials, you are enforcing isolation between workloads with different identities.
- Can provide targeted IAM policies to the service account linked to the node pool.
- Cons:
- Using node selectors, taints, and tolerations to ensure workloads only run on designated node pools is a management overhead and less flexible.
- This approach does not provide fine-grained access control for each workload individually.
- Does not focus on IAM impersonation for workloads, which would allow workloads to assume the least privileged roles dynamically.
- Conclusion: This option does not align with the requirement to use IAM impersonation and is more about controlling where workloads run rather than controlling what permissions they have.
Option B:
1. Create a Google service account.
2. Create a node pool without taints, and set the Google service account as the default identity.
3. Grant IAM permissions to the Google service account.
- Pros:
- Allows workloads in the node pool to use a Google service account to authenticate.
- Grants permissions via IAM roles to the Google service account.
- Cons:
- Long-lived credentials are used because the service account key is used for authentication.
- This approach doesn't minimize the use of long-lived credentials; it still relies on service account identities, which can pose a security risk.
- Does not use IAM impersonation for workloads to assume specific roles dynamically, which would be the ideal approach for fine-grained, least-privilege access.
- Conclusion: This option does not meet the customer’s requirement for minimizing long-lived credentials or IAM impersonation.
Option C:
1. Create a Google service account.
2. Create a Kubernetes service account in a Workload Identity-enabled cluster.
3. Link the Google service account with the Kubernetes servi...
Author: SilverBear · Last updated May 31, 2026
Your company allows teams to self-manage Google Cloud projects, including project-level Identity and Access Management (IAM). You are concerned that the team responsible for the Shared VPC project might accidentally delete the project, so a lien has been placed on the project. You need to design a solution to restrict Sh...
To solve this problem, let’s evaluate each option based on key technical and organizational requirements, especially the need to prevent Shared VPC project deletion unless users have organization-level permission `resourcemanager.projects.updateLiens`.
---
Key facts from the question:
Teams self-manage IAM at the project level.
There is a Shared VPC project, which is critical and should not be accidentally deleted.
A lien has been placed to prevent deletion.
You want only users with `resourcemanager.projects.updateLiens` at the organization level to be able to remove the lien and thereby allow deletion.
The goal is to enforce this at the policy level, not rely on best practices or manual intervention.
---
Option Analysis:
---
A) Instruct teams to only perform IAM permission management as code with Terraform.
Why it sounds plausible: Encouraging teams to manage infrastructure as code improves consistency and governance.
Why it doesn’t solve the problem: This is a soft governance approach, not a technical enforcement. It doesn’t prevent project deletion, nor does it enforce lien permission restrictions.
When to use: For auditing, automation, and ...
Author: Stella · Last updated May 31, 2026
Your company runs an ecommerce business. The application responsible for payment processing has structured JSON logging with the following schema:
Capture and access of logs from the payment processing application is mandatory for operations, but the jsonPayload.user_email field contains personally identifiable information (PII). Your security team does not want the entire...
To determine the correct answer, let's analyze each option using key factors: data protection, access control, auditability, operational impact, and Google Cloud Logging best practices. The main objective is to restrict access to PII (user\_email) while ensuring log access for operational needs.
---
✅ Option B) Apply a jsonPayload.user\_email restricted field to the \_Default bucket. Grant the Log Field Accessor role to the security team members.
✔ Why this is correct:
Google Cloud Logging supports field-level access control using log field redaction and the Log Field Accessor role (`roles/logging.fieldAccessor`).
By marking `jsonPayload.user_email` as a restricted field, it can be hidden from users who don't have explicit access.
This approach preserves full logging for operational use while restricting sensitive fields (PII) to only those with a need-to-know, i.e., the security team.
No application code change is required, which reduces risk and maintenance complexity.
This is the recommended and scalable approach for access control in structured logs in production environments.
Use case:
Environments where structured logs contain a mix of sensitive and non-sensitive information, and access needs to be granularly controlled.
---
❌ Option A) Apply the conditional role binding resource.name.extract("locations/global/buckets/{bucket}/") == "\_Default" to the \_Default bucket.
✘ Why it's incorrect:
This condition controls access to the bucket, not the fields within the logs.
It doesn't solve the problem of PII exposure — engineers still get full access to logs, including PII.
Conditional role binding might help wit...
Author: Aarav2020 · Last updated May 31, 2026
Your organization is running multiple Google Kubernetes Engine (GKE) clusters in a project. You need to design a highly-available solution to collect and query both domain-specific workload metrics and GKE defa...
To design a highly-available, low operational overhead solution for collecting and querying both domain-specific workload metrics and GKE default metrics across multiple clusters, we need to evaluate each option based on several key factors:
---
🔑 Key Evaluation Criteria:
1. Availability: Highly-available collection and querying across clusters.
2. Operational Overhead: Minimize management and maintenance burden.
3. Scalability: Easily add new clusters and workloads.
4. Support for Custom Metrics: Support both GKE default and application-level metrics.
5. Centralized Querying: Ability to query all metrics from a central place.
---
✅ Option D: Enable managed collection on every GKE cluster. Query the metrics in Cloud Monitoring.
Explanation:
Highly available: Google Cloud’s Cloud Monitoring is fully managed and highly available.
Low operational overhead: No need to manage Prometheus or storage — it’s all handled by Google.
GKE default + Custom metrics: GKE native metrics are automatically available; domain-specific metrics can be collected via OpenTelemetry or Prometheus exporters, which integrate easily with Cloud Monitoring.
Centralized querying: All metrics are available in Cloud Monitoring Metrics Explorer and Cloud Monitoring API centrally, across all clusters.
Billing and Access Control: Integrates with Google Cloud’s IAM and billing model.
➡️ This is the most cloud-native, least operationally intensive, and scalable solution.
---
❌ Option A: Prometheus operator in every cluster with remote-write to a central Prometheus
High operational overhead: Requires managing Prometheus in every cluster and maintaining a central Prometheus instance (scaling, storage, etc.).
Availability concerns: Prometheus is not HA by default; you’d need to add components like Cortex/Thanos for HA and long-term storage.
Remote-write latency/failure: Can lead to data loss ...
Author: Noah · Last updated May 31, 2026
You are configuring a Cl pipeline in Cloud Build When you test the pipeline, the following cloudbuild.yaml definition results in 5 minutes each on the foo step and bar step
The foo step and bar step are independent of each other. The baz step needs both the foo ...
To solve this problem, let’s analyze your goal and each option in the context of Cloud Build:
---
✅ Goal:
Parallelize the `foo` and `bar` steps to reduce build time.
Ensure the `baz` step only starts after both `foo` and `bar` complete.
The current pipeline runs `foo` and `bar` sequentially, each taking 5 minutes → total 10 mins before `baz`.
We want to change it so `foo` and `bar` run in parallel, reducing the wait to \~5 mins before `baz` starts.
---
Option Analysis:
---
A) Add `-options:machineType: 'E2_HIGHCPU_8'`
Pros:
More powerful machine = faster execution per step.
Cons:
Does not address the sequential execution.
Steps are still run in order, unless otherwise specified with `waitFor`.
Machine type affects performance, not parallelism logic.
When to use:
When step execution is CPU-bound and you want to reduce step run time.
Not useful if the problem is due to sequential step execution.
❌ Rejected: Doesn't enable parallelism.
---
B) Add `-options:machineType: 'E2_HIGHCPU_32'`
Pros & Cons:
Same reasoning as Option A, but with even more CPU resources.
Steps still run sequentially without explicit parallelism.
❌ Rejected: Same reason as A. More compute, but no change in step scheduling.
---
C) Change the script to:
```yaml
steps:
- name: foo
id: foo
waitFor: [""]
- name: bar
id: ba...
Author: Siddharth · Last updated May 31, 2026
You receive a Cloud Monitoring alert indicating potential malicious activity on a node in your Google Kubernetes Engine (GKE) cluster. The alert suggests a possible compromised container running on that node. You need to isolate this node to prevent further compromise while in...
To choose the best option for isolating a potentially compromised node in a GKE cluster while minimizing disruption to running applications, we need to evaluate each option based on security effectiveness, operational impact, workload availability, and GKE best practices.
---
🔍 Option A: Taint the suspicious node to prevent Pods that have interacted with it from being scheduled on other nodes in the cluster
Analysis:
Taints prevent new Pods from being scheduled onto a node, not the reverse (Pods interacting with this node from being scheduled elsewhere).
This option doesn’t isolate the node. Existing Pods, including the potentially malicious container, would continue to run.
It does not remove the compromised container or reduce risk of lateral movement.
Use case:
Useful for avoiding scheduling new workloads on a known bad node during maintenance—but not for isolating a compromised node.
Conclusion: ❌ Not appropriate for containment. Misunderstands how taints work.
---
🔍 Option B: Scale down the deployment associated with the compromised container to zero on other nodes
Analysis:
This scales down a specific deployment, not the node. If the container is compromised but already running, scaling it down does not stop other processes on the node.
Also assumes the compromised container is part of a managed deployment. If it’s a rogue process or container, this won’t help.
Doesn’t isolate the node—malicious actors may still have access or processes running.
Use case:
Valid if the issue is limited to a known deployment, and you want to stop it across the cluster. Not effective for node-level isolation.
Conclusion: ❌ Doesn’t address...
Author: Leah Davis · Last updated May 31, 2026
Your company has an application deployed on Google Kubernetes Engine (GKE) consisting of 12 microservices. Multiple teams are working concurrently on various features across three envi-ronments: Dev, Staging, and Prod. Developers report dependency test failures and delayed re-leases due to deployments from multiple feature branches in the shared Dev GKE cluster.
You need to implement a cost...
To solve the issue of dependency test failures and delayed releases due to multiple feature branch deployments in a shared Dev GKE cluster, we need to evaluate the options based on key factors:
---
🔑 Key Factors for Evaluation:
1. Isolation of Development Features: Developers must test their code without interference from other teams’ code.
2. Cost-effectiveness: Must not be overly expensive, especially with Dev environments.
3. Automation: CI/CD integration should reduce manual work and improve speed.
4. Environment Parity: Dev should reflect higher environments where applicable.
5. Resource Efficiency: Optimize usage of Kubernetes resources like clusters/namespaces.
6. Clean-up Mechanism: Temporary environments should be cleaned up post-test.
---
🅰️ Option A:
> Automate CI pipelines by using Cloud Build for container image creation and Kubernetes manifest updates from main branch merge requests. Integrate with Config Sync to test new images in dynamically created namespaces on the Dev GKE cluster with autoscaling enabled. Implement a post-test namespace cleanup routine.
Pros:
Dynamically creates isolated namespaces per feature on the shared Dev cluster → low cost.
Post-test cleanup → avoids resource sprawl.
Autoscaling ensures efficiency under variable loads.
Cons:
Only triggers from main branch merge requests, so doesn’t help developers test features before merging.
Use case fit: Works well for post-merge validation, not for pre-merge feature testing.
✅ Rejected due to lack of pre-merge feature testing support.
---
🅱️ Option B:
> Automate CI pipelines by using Cloud Build to create container images and update Kubernetes manifests for each commit. Use Cloud Deploy for progressive delivery to Dev, Staging, and Prod GKE clusters. Enable Config Sync for consistent Kubernetes configurations across environments.
Pros:
Full CI/CD pipeline from commit to production.
Consistent configuration management with Config Sync.
Cons:
Shared Dev e...
Author: Sara · Last updated May 31, 2026
You are troubleshooting a failed deployment in your CI/CD pipeline. The deployment logs indicate that the application container failed to start due to a missing environment variable. You need to identify the root cause and implem...
To resolve and prevent the issue of a missing environment variable causing application container startup failure in your CI/CD pipeline, we need to identify what directly addresses the root cause (missing env var) and provides proactive prevention.
Let’s evaluate the options carefully:
---
🔍 Option A: Use a canary deployment strategy
Canary deployment involves gradually rolling out a new version of an application to a small subset of users before full deployment.
✅ When it helps: Detects runtime issues, performance problems, or regressions in production with real traffic.
❌ Why it's rejected: It doesn't prevent issues like missing environment variables — the container would still fail to start, even in the canary environment. The deployment wouldn't succeed in either case.
❌ Key factor missed: Canary deployment mitigates impact, not the root cause.
---
🔍 Option B: Implement static code analysis in the CI pipeline
Static code analysis checks code for syntax errors, vulnerabilities, and stylistic issues without running it.
✅ When it helps: Identifies code quality issues early in the development cycle.
❌ Why it's rejected: Static analysis tools typically don’t validate environment variable presence, especially if they’re injected at runtime or through CI/CD secrets.
❌ Key factor missed: This doesn't validate runtime configuration or deployment settings.
...
Author: Carlos Garcia · Last updated May 31, 2026
You work for a company that offers a free photo processing application. You are designing the infrastructure for the backend service that processes the photos. The service:
* Uses Cloud Storage to store both unprocessed and processed photos.
* Can resume processing photos in the event of a failure.
* Is not suitable for containerization.
T...
To determine the most cost-effective solution for running the photo processing backend service, let's analyze the requirements and each deployment option.
---
✅ Key Factors from the Scenario:
Uses Cloud Storage: The system stores photos in Cloud Storage (object storage), which supports decoupled processing.
Can resume processing after failure: The service is fault-tolerant and stateless (or maintains progress in a recoverable manner).
Not suitable for containerization: This is critical—it rules out container-based services like Cloud Run and GKE.
No strict SLO for processing time: The system doesn’t need real-time processing, allowing flexibility in how and when it runs (ideal for cost savings).
Cost-effectiveness is the priority: We need to optimize cost, not performance or uptime.
---
🔍 Option Analysis:
A) Cloud Run
Rejected.
Cloud Run is a fully managed serverless platform for containerized applications.
Since the service cannot be containerized, Cloud Run is incompatible.
> ✅ Use when: The app is stateless, supports containerization, and benefits from scale-to-zero and rapid scaling.
---
B) Standard VMs with a 3-year committed use discount
Viable but not most cost-effective.
Provides predictable costs, suitable for long-running workloads.
Limitation: Even with a discount, it implies always-on infrastructure, which may not be needed here due to no time-based SL...
Author: Suresh · Last updated May 31, 2026
You manage a critical API running on Cloud Run that serves an average of 10,000 requests per minute. You need to define service level objectives (SLOs) for availability and latency to ensure that the API meets user expectations, which include 99.9% availability and a maximum latency of 200 ...
To choose the best option for defining and monitoring service level objectives (SLOs) for a critical Cloud Run API, we must carefully analyze the requirements and each option against those requirements. Let's break it down.
---
Requirements:
Traffic volume: 10,000 requests per minute → high traffic → needs robust monitoring.
Availability SLO: 99.9% availability.
Latency SLO: 200 ms maximum latency for 95% of requests.
Actionable monitoring: Must include alerts and measurable indicators.
---
Option A:
> Configure Cloud Monitoring to send alerts when average API latency exceeds 150 ms or the error rate surpasses 0.1%.
Pros: Includes monitoring and alerting. Takes latency and errors into account.
Cons: Uses average latency instead of percentile-based latency (95th percentile). Averaging can mask spikes, making it inadequate for a production-grade SLO.
When to use: Suitable for early-stage or less critical systems where detailed SLO tracking is not required.
❌ Rejected: Doesn't match the defined SLOs; average latency is not aligned with 95th percentile.
---
Option B:
> Prioritize latency as the only SLO, targeting 100 ms for 99% of requests.
Pros: Focuses on latency, and uses percentile-based measurement (99%).
Cons: Completely ignores availability, which is a required SLO. Also, latency target is more aggressive (100 ms vs. 200 ms) than needed.
When to use: When performance is the only concern, and availability can be assumed or is not a major risk.
...
Author: Liam · Last updated May 31, 2026
You are running a web application that connects to an AlloyDB cluster by using a private IP address in your default VPC. You need to run a database schema migration in your CI/CD pipeline by using Cloud Build before deploying a new vers...
To determine the correct approach, let’s analyze your requirements and each option:
---
✅ Requirements (from the prompt):
You're using AlloyDB with a private IP in the default VPC.
You need to run schema migrations from Cloud Build.
You want to follow Google-recommended security practices.
Key factors to consider:
Private IP usage → Cloud Build must have VPC access.
Secure credentials handling → avoid hardcoding, use IAM roles and Secret Manager.
Google-recommended practice → use private pools, least privilege, and IAM-based auth where possible.
---
🔍 Option Analysis:
---
A) Set up a Cloud Build private pool to access the database through a static external IP address. Configure the database to only allow connections from this IP address.
Pros:
Allows controlling access via IP whitelisting.
Cons:
❌ Breaks the security model: AlloyDB is accessed via private IP, not intended to be exposed to external IPs.
❌ Requires external IP exposure, violating best practices for private VPC access.
❌ IP-based access control is less secure than IAM and service accounts.
When to use:
Rarely. For public IP databases or legacy systems that need to control access via static IPs.
❌ Rejected: Violates private networking model and security best practices.
---
B) Create a service account that has permission to access the database. Configure Cloud Build to use this service account and execute the schema migration script in a private pool.
Pros:
✅ Uses a Cloud Build private pool — required to access the private IP of AlloyDB.
✅ Uses a service account with least privilege — aligned with Google IAM best practices.
✅ Avoids hardcoding credentials; relies on IAM roles and service accounts.
✅ Secure, scalable, and automatable.
When ...
Author: Olivia Johnson · Last updated May 31, 2026
You use Artifact Registry to store container images built with Cloud Build. You need to ensure that all existing and new images are continuously scanned for vulnerabilities. You ...
Let's analyze the options based on the key requirements:
Requirements:
Continuously scan all existing and new images for vulnerabilities.
Track who pushed each image to the registry.
---
Option A
Configure Artifact Registry to automatically scan new images and periodically re-scan all images.
Use Cloud Audit Logs to track image uploads and identify the user who pushed each image.
Analysis:
Artifact Registry supports automatic scanning of new images.
Periodic re-scanning of all images ensures existing images are not left unchecked.
Cloud Audit Logs provide reliable, built-in logging for tracking who pushed images.
This satisfies both continuous scanning (new + existing) and user tracking.
Use case: Ideal when you want an integrated solution with continuous vulnerability scanning and detailed user audit tracking.
---
Option B
Configure Artifact Registry to send vulnerability scan results to a Cloud Storage bucket.
Use a separate script to parse results and notify a security team.
Analysis:
While sending scan results to Cloud Storage is possible, it doesn’t inherently guarantee continuous or periodic scans.
Requires custom scripting for parsing and notifications, adding complexity.
No mention of tracking who pushed images.
Use case: More suited if you want custom processing or alerting workflows but not optimal for integrated continuous scanning and user audit tracking.
---
Option C
Configure Artifact Registry to automatically re-scan ima...
Author: Ming · Last updated May 31, 2026
You manage a retail website for your company. The website consists of several microservices running in a GKE Standard node pool with node autoscaling enabled. Each microservice has resource limits and a Horizontal Pod Autoscaler configured. During a busy period, you receive alerts for one of the microservices. When you check the Pods, hal...
Let's analyze the situation and the options carefully:
Scenario Summary:
Microservices run in a GKE Standard node pool with node autoscaling enabled.
Each microservice has resource limits and an Horizontal Pod Autoscaler (HPA).
During busy periods:
Half of the Pods show OOMKilled status (out-of-memory kills).
The number of Pods is at the minimum autoscaling limit.
This means:
Pods are running out of memory (OOMKilled).
The number of Pods is not scaling out, stuck at the minimum number.
Node autoscaling is enabled but does not appear to be triggered yet (or cannot help if pods cannot be scheduled).
---
Evaluating the options:
---
A) Update the node pool to use a machine type with more memory.
This increases the memory available per node.
Useful if the current nodes are under-provisioned and the Pods cannot fit due to memory constraints.
However, since the pods are OOMKilled, this points more to pod-level memory limits being too low, not necessarily node memory shortage.
Node autoscaling is enabled, so if the cluster needed more capacity, it should scale nodes automatically, unless the maximum node count limit is already reached (which is not mentioned).
This option is a possible solution if node memory is the bottleneck for pod scheduling, but OOMKilled specifically indicates pod-level memory exhaustion, not node memory shortage.
Use this when pods are scheduled but nodes run out of memory.
---
B) Increase the maximum number of nodes in the node pool.
Increasing max node count lets the cluster autoscaler add more nodes under load.
But here, pods are OOMKilled, and the number of pods is at the minimum autoscaling limit (not scaling out).
The problem is pods being killed, not lack of nodes or node autoscaling limits.
Increasing node count max is useful when the cluster is at node limit and cannot schedule mo...
Author: Matthew · Last updated May 31, 2026
You are configuring a Cl pipeline. The build step for your Cl pipeline integration testing requires access to APIs inside your private VPC network. Your security team requires that you do not expose API traffic publi...
Let's analyze each option carefully based on your requirements:
Requirements:
Build step requires access to APIs inside a private VPC network.
Must not expose API traffic publicly (security team restriction).
Solution should minimize management overhead.
---
Option A: Use Cloud Build private pools to connect to the private VPC.
What it is: Cloud Build private pools allow you to run builds on workers inside your private VPC network. This gives direct, private access to resources within the VPC without exposing traffic publicly.
Why it fits: It provides secure, private network access to internal APIs. Since the build workers are in the private network, API calls don’t leave the private VPC, meeting the security requirement.
Management overhead: Minimal, because Cloud Build manages the worker lifecycle; you don’t have to maintain VMs or load balancers.
Scenario: Ideal when you want your build or integration testing environment to run securely inside a private network without exposing endpoints publicly.
---
Option B: Use Cloud Build to create a Compute Engine instance in the private VPC. Run the integration tests on the VM by using a startup script.
What it is: This means spinning up a VM inside the private VPC dynamically, running tests on it, then cleaning it up.
Why it’s less ideal: While it keeps traffic private, this adds operational complexity:
You have to manage VM lifecycle yourself.
More manual scripting and orchestration.
Longer build times because VM provisioning is slower.
Scenario: Could be used if you require custom environments that can’t run on Cloud Build workers, but at the cost of management overhead.
---
Option C: Use Cloud Build as a pipeline runner. Configure a cross-region internal Application Load Balancer for API access.
What it is: An internal Application Load Balance...
Author: Zara1234 · Last updated May 31, 2026
You are deploying a new version of your application to a multi-zone Google Kubernetes Engine (GKE) cluster. The deployment is progressing smoothly, but you notice that some Pods in a specific zone are experiencing higher error rates. You need to select...
Let's analyze each option in the context of selectively rolling back updates only for Pods in a specific zone, with minimal user impact.
---
Option A: Scale down the Pods in the affected zone. Redeploy the new version of the application.
Pros: Scaling down affected Pods will remove the faulty Pods from serving traffic.
Cons: Redeploying the new version to the affected zone will reintroduce the problematic version. This does not roll back the version in the affected zone; it simply removes Pods temporarily but then redeploys the problematic version again.
Conclusion: This option doesn’t achieve a rollback of the problematic Pods; it only causes potential downtime or unavailability in the affected zone temporarily. So, not suitable for selective rollback.
---
Option B: Drain the affected nodes. Redeploy the new version of the application to the remaining nodes.
Pros: Draining nodes in the affected zone will move workloads away from those nodes.
Cons: This approach removes Pods entirely from the affected zone, which reduces capacity in that zone. Also, redeploying to remaining nodes means you’re not fixing the problematic Pods but avoiding the zone altogether. It doesn’t roll back the version in the affected zone specifically.
Conclusion: It reduces availability in the affected zone and doesn’t selectively rollback Pods. It's more a workaround than a rollback. Not ideal if you want minimal user impact and selective rollback.
---
Option C: Modify the Deployment to use the Pod template from the previous version of your application. Perform a rolling update to replace the Pods in the affected zone.
Pros: This option suggests updating the Deployment to revert only Pods in the problematic zone back to the previous working version. This matches the requirem...
Author: Liam123 · Last updated May 31, 2026
You work for a healthcare company and regulations require you to create all resources in a United States-based region. You attempted to create a secret in Secret Manager but received the following error message:
Constraint constraints/gcp.resourceLocations violated for [orgpolicy:projects/000000] attemp...
Let's break down the problem and analyze each option based on the constraints and compliance requirements:
---
Problem Summary:
You need to create a Secret Manager secret.
Your organization policy restricts resource locations (constraints/gcp.resourceLocations).
You tried to create the secret in the global location, which is disallowed.
Regulations require all resources to be created in a US-based region (i.e., within specific US regions, not global or other regions).
The error indicates you violated the location constraint by trying to create a secret in global.
---
Option A: Remove the organization policy referenced in the error message.
What it means: Removing the organization policy that enforces location restrictions would allow you to create resources anywhere, including globally.
Why it's not suitable: Regulations require resources to stay within US regions for compliance reasons. Removing the policy would break compliance and is therefore not acceptable.
When to use: Only if compliance is not a factor or if the policy is incorrectly applied and needs revision, but here compliance is critical.
---
Option B: Create the secret with an automatic replication policy.
What it means: Automatic replication stores the secret data redundantly in multiple Google-managed locations globally.
Why it's not suitable: Since automatic replication uses global locations behind the scenes, it violates the organization's location constraint and regulations that require US-only data residency.
When to use: For ease of management without compliance restrictions on data residency.
---
Option C: Create the secret with a user-managed replication policy.
What it means: User-managed replication lets you explicitly select which regions the secret is stored in.
Why it's suitable: You can specify only US-based regions...
Author: Ryan · Last updated May 31, 2026
You are responsible for creating development environments for your company's development team. You want to create environments with identical IDEs for all developers while ensuring that these environments are not exposed to public networks. You ne...
Let's analyze each option based on key factors: identical IDE environments, network exposure (security), cost-effectiveness, and developer productivity.
---
Option A:
Create multiple Compute Engine VM instances with a public IP address and use a Public NAT gateway. Configure an instance schedule to shut down the VMs.
Pros: Easy to access VMs via public IP; straightforward setup.
Cons: VMs are exposed to public networks due to public IPs, even if behind NAT. This can pose security risks. Also, running multiple VMs with public IPs may incur higher costs. Developer productivity can be impacted if security concerns slow down access or require complex firewall rules.
Scenario where useful: When easy remote access is needed and security requirements are minimal.
---
Option B:
Create multiple Compute Engine VM instances without a public IP address. Configure an instance schedule to shut down the VMs.
Pros: VMs are not exposed to the public internet (more secure). Cost-effective as no public IP charges. Scheduling shutdowns saves costs when VMs are idle. Developers connect via VPN or Cloud VPN/Interconnect.
Cons: Requires private connectivity setup (VPN or Cloud IAP), which adds complexity but is manageable.
Scenario where useful: When security is critical and public exposure must be avoided, but you want to use familiar Compute Engine VMs.
---
Option C:
Create a Cloud Workstations private cluster. Create a workstation configuration with an idleTimeout parameter.
Pros: Cloud Workstations provides managed, consistent development environments with private networking, ideal for identical IDEs. idleTimeout helps to save cost by shutting down inactive workstations. Enhanced s...
Author: ThunderBear · Last updated May 31, 2026
Your company uses Cloud Deploy with multiple delivery pipelines for deploying applications to different environments. Your development team currently lacks access to any of these pipelines. You need to grant the team access to only ...
Let's analyze each option carefully based on Google-recommended IAM best practices, least privilege principle, and how Cloud Deploy permissions work.
---
A) Grant the development team the `roles/clouddeploy.operator` role, then add deny conditions to all pipelines other than the development pipeline.
Pros: `roles/clouddeploy.operator` is a predefined role designed for operating delivery pipelines, which is appropriate for managing pipelines.
Cons: Google IAM does not natively support deny policies or deny conditions; it supports only allow-based permissions. You cannot "deny" access selectively via IAM conditions — conditions can only restrict access positively.
Conclusion: This is not feasible because deny policies are not supported, so restricting other pipelines this way cannot be implemented.
---
B) Create a custom IAM role with all `clouddeploy.automations.` permissions and allow policy only on the development pipeline. Grant this custom role to the team.
Pros: Custom roles allow precise permission tailoring, following the principle of least privilege. `clouddeploy.automations.` might cover necessary deployment automation actions.
Cons: The custom role is built only on automations permissions, which might not be sufficient for full pipeline operation (e.g., viewing pipeline details or managing stages might need other permissions). Also, custom roles require ongoing maintenance and may lead to complexity.
Conclusion: While technically possible, this is more complex and error-prone. Also, the permissions chosen might be incomplete or too narrow depending on actual required tasks. Not the recommended practice for simple access to a pipeline.
---
C) Grant the development team the `roles/clouddeploy.operator` role in a policy file and apply it to the development target....
Author: ThunderBear · Last updated May 31, 2026
Your company has recently experienced several production service issues. You need to create a Cloud Monitoring dashboard to troubleshoot the issues, and you want to use the dashboard to distinguish between failures in...
To solve this problem, we need to focus on the core goal:
---
✅ Goal:
Create a Cloud Monitoring dashboard to troubleshoot service issues and distinguish failures:
In your own service
From those caused by Google Cloud services
---
🔍 Key Requirements:
You want visual insight into failures.
You need to differentiate root causes (your service vs Google services).
You’re not just alerting — you want contextual awareness while troubleshooting.
You want to leverage Google's known issue visibility.
---
Option Analysis:
---
A) Create a log-based metric to track cloud service errors, and display the metric on the dashboard.
Pros:
Can give insight into specific log patterns.
Customizable.
Cons:
❌ Only works for logs your systems emit.
❌ Does not include Google Cloud service health, unless you're logging their client failures.
❌ Requires effort to define error patterns for each possible service failure.
Not the best for root cause differentiation between Google vs your app.
❌ Rejected: Limited visibility into Google service issues.
---
B) Create a logs widget to display system errors from Cloud Logging on the dashboard.
Pros:
Shows raw logs — may help during troubleshooting.
Cons:
❌ Doesn't provide summary or correlation with Google Cloud issues.
❌ Logs from your services only — doesn’t show Google Cloud service status.
❌ No high-level differentiation — hard to spot root causes.
When to use:
Useful during deep dive debugging, not for high-level dashboards.
❌ Rejected: Not useful for high-level root cause comparison.
---
C) Create an alerting policy for ...
Author: Deepak · Last updated May 31, 2026
Your company wants to implement a CD pipeline in Cloud Deploy for a web service deployed to GKE. The web service currently does not have any automated testing. The Quality Assurance team must manually verify any new releases of the web serv...
Let's analyze the situation and the options carefully:
---
Scenario Recap:
A web service deployed to GKE (Google Kubernetes Engine).
No automated testing exists currently.
Quality Assurance (QA) must manually verify every new release before production traffic is served.
Goal: Design a CD pipeline using Cloud Deploy that respects this manual QA gate.
---
Key Factors to Consider:
1. Manual QA validation is required before production traffic
This implies some form of approval gate between deploying the new version and shifting traffic to production.
2. No automated testing means we cannot rely on automatic promotion based on test success.
3. Traffic control during deployment to avoid serving unverified code.
4. Use of Canary vs Standard deployment strategy:
Standard deployment: Typically means a direct, full replacement deployment without gradual traffic shifting.
Canary deployment: Gradually shifts traffic to the new version, allowing partial exposure to users before full rollout.
---
Option-by-Option Analysis
---
A) Create a single pipeline stage, and use a standard deployment strategy.
Single stage means the entire deployment happens at once.
Standard deployment switches the live version directly.
Because there is no automated testing and manual QA is needed before production traffic, a single stage with immediate cutover would not allow manual validation.
QA would not have a chance to verify the release before it hits production users.
Rejected because it does not support manual approval before traffic shifts.
---
B) Create a single pipeline stage, and use a canary deployment strategy.
Single stage means deployment is done in one stage.
Canary allows gradual traffic shifting.
However, with a single stage, even if it's canary, the pipeline itself is a single unit.
Without splitting into multiple stages, it is difficult to pause the pipeline for manual approval after the canary deployment but before full traffic shift.
The manual QA step needs to happen between canary traff...
Author: Michael · Last updated May 31, 2026
You manage your company's primary revenue-generating application. You have an error budget policy in place that freezes production deployments when the application is close to breaching its SLO. A number of issues have recently occurred, and the application has exhausted its error budget. You need to deploy a new release to the application th...
To determine the correct course of action, let's break down the scenario and assess each option based on SRE best practices, error budget policy, and the critical business need.
---
✅ Context Recap:
You have a critical revenue-generating application.
An error budget policy is enforced — production deployments are frozen when the budget is exhausted.
The app has exhausted its error budget due to recent issues.
A new release contains a feature urgently needed by your largest customer.
The release has passed unit tests.
---
🧠 Key Factors to Consider:
1. SLO/Error Budget Policy Discipline:
The error budget is meant to balance innovation with reliability.
Exhausting the error budget implies risk to system reliability is high — deployments are usually halted to avoid further instability.
2. Urgent Business Need:
The new feature is urgent for your largest customer — business pressure is high.
3. Mitigating Risk:
Proceeding with a full rollout after an error budget is exhausted is risky.
Controlled, safe rollout mechanisms are needed to balance reliability and urgency.
---
🔍 Option Analysis:
---
A) Delay the deployment of the feature until the error budget is replenished.
Pros:
✅ Strict adherence to error budget policy.
✅ Avoids further risk to production stability.
Cons:
❌ Ignores urgent customer need.
❌ Can harm customer trust or revenue if the feature is time-sensitive.
Too rigid — not always practical in real-world high-pressure scenarios.
When to use:
For less critical updates or when customer need is not urgent.
❌ Rejected: Prioritizes reliability, but doesn't account for business urgency.
---
B) Re-run the unit tests, and start the deployment of the feature if the tests pass.
Pros:
Ensures test quality.
Cons:
❌ Unit tests already passed — this adds no new value.
❌ Ignores the error budget policy.
❌...
Author: Noah · Last updated May 31, 2026
You work for a company that manages highly sensitive user data. You are designing the Google Kubernetes Engine (GKE) infrastructure for your company, including several applications that will be deployed in development and production environments. Your design must protect data from un...
Let's analyze each option carefully, considering the key factors:
Key factors to consider:
Protection of highly sensitive user data from unauthorized access, especially between applications.
Separation of development and production environments to avoid accidental data leakage or interference.
Minimizing management overhead, meaning fewer clusters are preferred unless security or isolation demands more.
Kubernetes namespaces provide logical isolation but not strong security boundaries by themselves.
Clusters provide stronger isolation but add operational overhead.
---
Option A: One cluster for the organization with separate namespaces for each application and environment combination.
Pros:
Minimizes number of clusters → less management overhead.
Using namespaces per application and environment helps isolate resources logically.
Cons:
Kubernetes namespaces are a weak isolation boundary for sensitive data.
If someone gains cluster-level access, they may access data across namespaces.
Doesn't provide strong security separation between development and production environments.
Use case: Good for less sensitive environments or when strict isolation isn't required.
---
Option B: One cluster for each application with separate namespaces for production and development environments.
Pros:
Strong isolation between applications because each app gets its own cluster.
Production and development separated logically via namespaces.
Limits blast radius: if one app cluster is compromised, others remain safe.
Cons:
Increased management overhead due to multiple clusters (one per app).
Development and production environments share the same cluster, relying on namespaces which are weaker boundaries.
Use case: When application-level isolation is critical, but dev/prod isolation is less critical or manageable via namespaces.
---
Option C: One cluster for each environment (devel...
Author: Sofia2021 · Last updated May 31, 2026
You are developing a Node.js utility on a workstation in Cloud Workstations by using Code OSS. The utility is a simple web page, and you have already confirmed that all necessary firewall rules are in place. You tested the application by starting it on port 3000 on your workstation in Cloud Workstations, but you need...
To solve this problem, let’s walk through the situation, goals, and evaluate the options with Google-recommended security practices in mind.
---
✅ Scenario Summary:
You're using Cloud Workstations and developing a Node.js web utility.
The app runs on port 3000.
You’ve confirmed firewall rules are not the problem.
You need to access the web page from your local machine.
You must follow Google-recommended security practices.
---
🎯 Key Requirements:
Secure access to a web app running inside Cloud Workstations.
Avoid exposing services publicly (no open IPs).
Utilize built-in, secure preview mechanisms where available.
---
🔍 Option Analysis:
---
A) Use a browser running on a bastion host VM.
Pros:
Could theoretically access internal services.
Cons:
❌ Overkill and unnecessary for Cloud Workstations.
❌ Requires manual setup and adds operational complexity.
❌ Not a Google-recommended pattern for development previews.
❌ Doesn’t help if you want to access the preview in your local browser.
When to use:
For accessing internal resources from a secure jump host — not ideal for dev previews.
❌ Rejected: Too complex, unnecessary for workstation previews.
---
B) Run the `gcloud compute start-iap-tunnel` command to the Cloud Workstations VM.
Pros:
Uses Identity-Aware Proxy (IAP) — secure and controlled.
Cons:
❌ Cloud Workstations are managed environments, not traditional Compute Engine VMs.
❌ This command is for Compute Engine instances, not applicable to Cloud Workstations.
❌ Unsupported method for this us...
Author: RadiantJaguar56 · Last updated May 31, 2026
Your team is preparing to launch a new API in Cloud Run. The API uses an OpenTelemetry agent to send distributed tracing data to Cloud Trace to monitor the time each request takes. The team has noti...
Let's analyze each option carefully in the context of Cloud Run, OpenTelemetry, and distributed tracing with Cloud Trace, focusing on why traces might be inconsistent.
---
Problem Context:
The API runs in Cloud Run.
It uses OpenTelemetry agent to send tracing data.
Traces are inconsistent, meaning some traces may be missing or partial.
Need to fix trace collection.
---
Key Technical Points:
Cloud Run CPU allocation matters: by default, Cloud Run only allocates CPU while the request is being processed (during HTTP request lifecycle).
Background processes, such as the OpenTelemetry agent sending data asynchronously after the response, might not run if CPU is deallocated.
Health checks are primarily used to verify service availability, not related to tracing.
Increasing CPU limits affects max CPU available but not when CPU is allocated.
CPU allocation mode (always-on vs. only during request) affects if background tasks can run outside the request lifecycle.
---
Option Analysis:
---
A) Use an HTTP health check.
Health checks ensure that Cloud Run service instances are healthy and restart unhealthy instances.
Does not affect CPU allocation or timing of background tasks.
Won’t solve inconsistent tracing because trace export happens asynchronously and might be cut off due to CPU being unavailable after request.
Use case: Useful for ensuring service uptime, not for background processing timing.
---
B) Configure CPU to be always-allocated.
This means CPU remains allocated even after HTTP response is sent.
OpenTelemetry agent running background threads or async trace e...
Author: Amelia · Last updated May 31, 2026
You recently created a Cloud Build pipeline for deploying Terraform code stored in a GitHub repository. You make Terraform code changes in short-lived branches and sometimes use tags during development. You tag releases with a semantic version when they are ready for deployment. You require your pipeli...
✅ Goal Summary:
You want to automate Terraform deployments using Cloud Build when a new semantic version tag (like `1.0.0`, `2.1.3`, etc.) is pushed to a GitHub repository. You:
Use short-lived branches and sometimes non-semantic tags during development.
Only want to deploy when a release is ready (i.e., tagged with a semantic version).
Want to minimize operational overhead — automation is key.
---
🎯 Key Requirements:
Trigger only on semantic version tags, like `1.2.3`, not on branches or other tags.
Avoid triggering on dev/test branches or random tags (e.g., `test`, `v1-beta`).
Use a tag-based trigger, not branch-based.
---
🔍 Option Analysis:
---
A) Create a build trigger with the `\d+\.\d+\.\d+` tag pattern.
Pros:
✅ Matches only semantic version tags, e.g., `1.0.0`, `2.5.1`, etc.
✅ Avoids triggering on non-release branches or test tags.
✅ Minimal operational overhead: fully automates deployments on valid releases.
✅ Aligns perfectly with the GitOps model for tagging releases.
When to use:
When your deployment strategy relies on semantic versioning for releases.
✅ Selected: Best matches the use case with precision and automation.
---
B) Create a build trigger with the `\d+\.\d+\.\d+` branch pattern.
Cons:
❌ Semantic versions are used for tags, not branches.
❌ This won't match your intended release flow, which uses tags.
❌ Rejected: Wrong trigger type — branches, not tags.
---
C) Create a bu...
Author: Henry · Last updated May 31, 2026
You manage a microservice that provides a public-facing API (Service A). Service A is time-critical and has a response SLO of 500 ms. Service A makes synchronous calls to internal API (Service B) that is known to become unreliable under heavy load, resulting in connection timeout errors or 500 errors. Service B is used to collect request infor...
To select the best approach for this scenario, let’s break down the key constraints and evaluate each option accordingly.
---
✅ Scenario Summary:
Service A is public-facing, time-critical, and has an SLO of 500ms.
Service B is internal, not highly reliable under load — it can timeout or return 500 errors.
Service B is not essential for the immediate response but collects data (e.g., logs or telemetry).
Goal: Avoid impacting Service A users when Service B becomes unreliable, while maintaining the 500ms response SLO.
---
🎯 Key Design Goals:
Protect Service A's latency and availability — it must stay fast and responsive even if Service B fails.
Fail fast or degrade gracefully when calling Service B.
Prefer resilience patterns like circuit breakers, fallbacks, or asynchronous processing.
Avoid approaches that introduce latency, coupling, or additional load on Service B during failure.
---
🔍 Option Analysis:
---
A) Increase the size of the queue in front of the thread pool used by Service A instances.
Pros:
Might absorb short bursts of load.
Cons:
❌ Does not address unreliable downstream (Service B).
❌ Larger queues can cause longer delays or even resource exhaustion.
❌ This approach risks latency SLO violations in Service A under load or when Service B is unresponsive.
When to use:
Rarely — typically when you’re smoothing burst traffic within a stable system, not when protecting from a flaky downstream.
❌ Rejected: Adds latency, does not help with SLO or availability.
---
B) Implement retry logic with exponential back-offs when calling Service B.
Pros:
Handles transient failures gracefully.
Cons:
❌ Increases latency — multiple retries can push response time well over 500ms.
❌ Worsens load on Service B during its degraded state — causing a retry storm.
❌ Violates Service A’s SLO and doesn’t isolate Service A from Service B’s failures.
When to use:
For non-critical background tasks or in asynchronous flows, ...
Author: NightmareDragon2025 · Last updated May 31, 2026
Your company is migrating its production systems to Google Cloud. You need to implement site reliability engineering (SRE) practices during the migration to minimize customer impact from pote...
Great question! When migrating production systems to Google Cloud and implementing Site Reliability Engineering (SRE) practices, the goal is to minimize customer impact during incidents by improving reliability, observability, and response processes.
Let's evaluate each option carefully:
---
A) Create up-to-date playbooks with instructions for debugging and mitigating issues.
Reasoning:
Playbooks are a core SRE practice because they document standardized, repeatable steps for diagnosing and resolving incidents quickly.
Having up-to-date, well-maintained runbooks ensures faster recovery and reduces the risk of human error during stressful incidents.
This improves incident response and reduces customer impact.
Conclusion: Good practice, should be selected.
---
B) Ensure that all teams can modify the production environment to resolve issues.
Reasoning:
Granting all teams the ability to modify production increases the risk of accidental changes or misconfigurations, which can cause more incidents.
SRE best practices emphasize controlled access and strict change management to maintain system stability.
Generally rejected unless the team is highly trusted and follows strict governance, but even then, least privilege access is preferred.
Conclusion: Not a good practice; should be rejected.
---
C) Create an alerting mechanism for your SRE team based on your system's internal behavior.
Reasoning:
Alerting based on internal system behavior (metrics, logs, errors) enables early detection of issues before customers notice.
Helps the SRE team proactively...
Author: Kai · Last updated May 31, 2026
You are deploying a new web application on Cloud Run in your Google Cloud project. You expect traffic to range from 10 requests per second during off-peak hours to 1000 requests per second during peak hours. You want to use autoscaling to efficiently handle the change...
Let's analyze each option carefully considering key factors like traffic variability, autoscaling behavior, resource quotas, and operational efficiency:
---
A) Manually adjust the number of instances based on observed traffic patterns throughout the day.
Reasoning:
Manually adjusting instances is labor-intensive and error-prone, especially with traffic ranging widely (10 to 1000 rps). It is not responsive to sudden traffic spikes or drops, which can lead to under-provisioning (poor user experience) or over-provisioning (waste of resources).
When to use:
This might be acceptable for very predictable, low-variation workloads or during initial testing phases.
Rejected because:
It doesn't efficiently handle dynamic scaling nor ensure autoscaler respects quotas automatically.
---
B) Define appropriate resource limits for the Cloud Run service, and ensure your project has sufficient resource quotas to accommodate the desired scaling range.
Reasoning:
Setting resource limits (CPU, memory per instance) helps control resource consumption per instance. Ensuring the project’s resource quotas (e.g., maximum CPUs, max instances) can support scaling up to handle 1000 rps is crucial to avoid hitting quota limits that cause autoscaling to fail.
This option does not define the scaling policy itself but is essential to enable autoscaling within safe bounds.
When to use:
Always use this as a foundational step before or alongside autoscaling configuration to avoid quota exhaustion.
Accepted because:
It supports autoscaling by ensuring resource availability and control.
---
C) Configure the autoscaler to scale based on CPU utilization with a target of 80%.
Reasoning:
CPU utilization is a common autoscaling metric in Cloud Run. Targeting 80% CPU utilization means new instances will spin up when existing ones are heavily loaded, and scale down when load is low.
However, CPU utilization might not perfectly correlate w...