GCP Associate Engineer Exam training (Compute Engine, GKE, App Engine, Cloud Functions, Cloud Run)

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Section 1: Compute Engine (25 Questions)
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

  1. Question: Your ML training needs maximum CPU performance with minimal memory. Which machine type is best?
    Options:
    A. n1-standard-8
    B. n2-highmem-8
    C. c2-standard-8
    D. e2-highcpu-8
    Answer: C
    Explanation: c2-standard machine types are compute-optimized. n1-standard has balanced RAM/CPU; n2-highmem favors RAM; e2-highcpu is cost-optimized with lower single-thread performance.

  2. Question: You must run a fault-tolerant batch job at 75% lower cost, interruptions acceptable. Which VM type?
    Options:
    A. On-demand VM
    B. Preemptible VM
    C. Committed-use VM
    D. Reservation
    Answer: B
    Explanation: Preemptible VMs offer deep discounts but can be stopped anytime. On-demand is full price; committed/reservation require long-term commitment.

  3. Question: (Select two) To ensure VMs survive underlying host maintenance and outages, you enable:
    Options:
    A. Automatic Restart
    B. Live Migration
    C. Preemptible flag
    D. Deletion Protection
    Answer: A, B
    Explanation: Automatic Restart restarts VMs after crashes; Live Migration keeps VMs running during host maintenance. Preemptible VMs are terminated; Deletion Protection prevents user-initiated deletes but not host events.

  4. Question: A fintech startup needs dedicated servers for regulatory compliance. Which option isolates your VMs?
    Options:
    A. Shared-core E2
    B. Sole-tenant nodes
    C. Custom machine types
    D. Regional PD
    Answer: B
    Explanation: Sole-tenant nodes reserve entire hosts for your VMs. E2 shared-core and custom machine types share hardware; PD is storage.

  5. Question: You want to tailor vCPU/RAM ratio for a database workload. Which feature do you use?
    Options:
    A. Custom Machine Types
    B. Predefined Machine Types
    C. Autoscaling
    D. Pod Spec
    Answer: A
    Explanation: Custom machine types allow you to pick exactly the CPU/RAM combination. Predefined give fixed ratios; autoscaling scales count, not shape; Pod Spec is Kubernetes.

  6. Question: Scenario: You need nightly immutable VM templates including disks and metadata for dev/test. Which to use?
    Options:
    A. Disk Snapshots
    B. Machine Images
    C. Instance Templates
    D. Custom Images
    Answer: B
    Explanation: Machine images capture VM config, metadata, and attached disks, and allow you to recreate the VM anywhere. Snapshots are disk-only; instance templates exclude disks; custom images are single-disk only.

  7. Question: (Select two) To enforce per-instance OS patching and login via IAM, enable:
    Options:
    A. OS Login
    B. Guest Attributes
    C. Shielded VM
    D. Instance OS Patch Management
    Answer: A, D
    Explanation: OS Login centralizes SSH access via IAM; OS Patch Management schedules patches. Guest Attributes is metadata; Shielded VMs defend against rootkits.

  8. Question: You must snapshot a running VM’s persistent disk without downtime. Which approach?
    Options:
    A. Stop VM, then snapshot
    B. gcloud compute disks snapshot (online)
    C. dd copy inside VM
    D. Disk image export
    Answer: B
    Explanation: GCP supports live disk snapshots via the snapshot API. Stopping is unnecessary; dd is manual and VM-bound; export is offline.

  9. Question: You need regional redundancy for a boot disk. Which disk type?
    Options:
    A. Zonal SSD PD
    B. Regional SSD PD
    C. Local SSD
    D. Balanced PD
    Answer: B
    Explanation: Regional Persistent Disks replicate synchronously in two zones. Zonal SSD PD and Balanced PD are zonal; Local SSD is ephemeral.

  10. Question: Scenario: Your VMs run web servers. You want a single public IP routing to healthy VMs across zones. Which do you deploy?
    Options:
    A. Network Load Balancer + Instance Group
    B. Internal Load Balancer
    C. Cloud NAT
    D. VPC Peering
    Answer: A
    Explanation: A Network (external) Load Balancer plus a multi-zonal managed instance group distributes traffic and health-checks. Internal LB is private; NAT is egress; peering is network connectivity.

  11. Question: You require per-minute billing when a VM is idle. Which pricing model?
    Options:
    A. On-demand VM
    B. Preemptible VM
    C. Committed Use Discount
    D. Sustained Use Discount
    Answer: A
    Explanation: On-demand VMs are billed for each minute/hour regardless of load. Preemptible VMs may be reclaimed; CUD and SUD are discount mechanisms, not billing granularity.

  12. Question: (Select three) Which can you use as boot disk sources?
    Options:
    A. Public Image
    B. Custom Image
    C. Machine Image
    D. Snapshot
    E. Instance Template
    Answer: A, B, D
    Explanation: You can boot from a public image, your own custom image, or a disk snapshot. Machine images wrap disks+config; instance templates reference disks but aren’t bootable sources.

  13. Question: You want to tag web-server VMs to apply a firewall rule. Which do you set on the instance?
    Options:
    A. Label
    B. Tag
    C. Metadata key
    D. Service Account
    Answer: B
    Explanation: Network tags identify VMs for firewall and routes. Labels are for organization; metadata is free-form; service account handles IAM.

  14. Question: Scenario: You need to automate daily shutdown of non-prod VMs to save cost. Which GCP service can schedule that?
    Options:
    A. Cloud Scheduler + Cloud Functions
    B. OS Patch Management
    C. Instance Scheduler (Marketplace)
    D. Deployment Manager
    Answer: A, C (Select two)
    Explanation: Both Cloud Scheduler invoking Cloud Functions and the prebuilt Instance Scheduler solution automate start/stop. OS Patch Management handles OS patches; Deployment Manager is infra as code.

  15. Question: Which feature protects against VM rootkit installation and boot-time attacks?
    Options:
    A. Shielded VM
    B. Live Migration
    C. Host Maintenance Policies
    D. Automatic Restart
    Answer: A
    Explanation: Shielded VMs use Secure Boot, vTPM, and integrity monitoring. Live migration and automatic restart address availability.

  16. Question: You need to isolate sensitive network traffic between two VPCs without public routing. Which do you use?
    Options:
    A. VPC Peering
    B. VPN
    C. Cloud Interconnect
    D. NAT
    Answer: A
    Explanation: VPC Peering allows private IP connectivity directly. VPN and Interconnect traverse external or dedicated links; NAT is egress.

  17. Question: (Select two) For a production database VM, which storage/backup options give fast restore and point-in-time recovery?
    Options:
    A. Regional SSD PD
    B. Snapshots
    C. Persistent Disk backups in Filestore
    D. Filestore NFS
    Answer: A, B
    Explanation: Regional SSD PD is highly available; snapshots can be scheduled and used for point-in-time restores. Filestore is for file shares.

  18. Question: Your application must maintain a consistent hostname on restart. Which instance setting?
    Options:
    A. Assign a static internal IP via reservation
    B. Use ephemeral IP
    C. Enable live migration
    D. Use managed instance group
    Answer: A
    Explanation: Reserving an internal static IP ensures the VM always gets the same IP/hostname mapping. Ephemeral changes on stop/start.

  19. Question: Scenario: A global image holds sensitive data; you must restrict its use to only your security team. How?
    Options:
    A. Set Image IAM policy granting only their group’s role
    B. Use Organization Policy to deny all
    C. Put image in public projects
    D. Use a firewall rule
    Answer: A
    Explanation: IAM on the image resource controls who can use it. Org Policy could enforce broader controls; public would expose it.

  20. Question: You need to monitor VM CPU, disk, and network with alerts. Which service do you use?
    Options:
    A. Cloud Monitoring
    B. Cloud Logging
    C. Cloud Trace
    D. Cloud Build
    Answer: A
    Explanation: Cloud Monitoring gathers metrics and sends alerts. Logging collects logs; Trace is for distributed traces.

  21. Question: Which metadata server endpoint would a VM use to retrieve its service account credentials?
    Options:
    A. http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
    B. http://169.254.169.254/latest/meta-data/iam/security-credentials/
    C. http://metadata.google.internal/computeMetadata/v1/project/attributes/
    D. None—Use gcloud CLI
    Answer: A
    Explanation: GCE metadata uses metadata.google.internal. The AWS-style endpoint is wrong.

  22. Question: (Select two) To migrate VMs from on-prem VMware to Compute Engine with minimal downtime, you can use:
    Options:
    A. Migrate for Compute Engine (Velostrata)
    B. gcloud compute scp
    C. Transfer Appliance
    D. VM Import
    Answer: A, D
    Explanation: Migrate for Compute Engine streams VMs live; VM Import can import images. SCP is manual file copy; Transfer Appliance is offline bulk storage.

  23. Question: Your web app requires low-latency local disk I/O. Which storage do you attach?
    Options:
    A. Zonal SSD Persistent Disk
    B. Local SSD
    C. Balanced PD
    D. Regional HDD PD
    Answer: B
    Explanation: Local SSD gives sub-millisecond latency but is ephemeral and non-shareable.

  24. Question: Which IAM role is needed to create, start, and stop Compute Engine VMs?
    Options:
    A. roles/compute.admin
    B. roles/owner
    C. roles/viewer
    D. roles/editor
    Answer: A
    Explanation: compute.admin covers full Compute Engine management. Editor includes it but is broader; Viewer is read-only; Owner is too broad.

  25. Question: Scenario: You need advanced networking (alias IPs, VPC-native) for GKE later. When creating VM subnets, enable:
    Options:
    A. Private Google Access
    B. VPC-native (alias IP)
    C. Cloud Router
    D. Flow Logs
    Answer: B
    Explanation: VPC-native with alias IP is required for advanced container networking. Private Google Access is for private GCP APIs; Cloud Router is BGP; Flow Logs are logging.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Section 2: Google Kubernetes Engine (25 Questions)
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

  1. Question: You need full control of node scaling and upgrades. Which GKE mode do you choose?
    Options:
    A. Autopilot
    B. Standard
    C. Cloud Run
    D. Compute Engine
    Answer: B
    Explanation: Standard GKE exposes node pools and cluster upgrades. Autopilot abstracts nodes entirely.

  2. Question: Scenario: Your team wants to enforce that Pods cannot talk to each other unless explicitly allowed. Which do you deploy?
    Options:
    A. NetworkPolicy with default deny
    B. PodSecurityPolicy
    C. RBAC RoleBinding
    D. ResourceQuota
    Answer: A
    Explanation: NetworkPolicy controls Pod-to-Pod traffic. PSP covers host security; RBAC covers API auth; ResourceQuota limits resource usage.

  3. Question: (Select two) To autoscale your GKE cluster when Pods are pending, enable:
    Options:
    A. Horizontal Pod Autoscaler
    B. Vertical Pod Autoscaler
    C. Cluster Autoscaler
    D. PodDisruptionBudget
    Answer: A, C
    Explanation: HPA scales Pod replicas; CA adds/removes nodes to satisfy scheduling. VPA adjusts Pod resources; PDB protects availability during evictions.

  4. Question: Which workload type provides stable network IDs and persistent storage?
    Options:
    A. Deployment
    B. DaemonSet
    C. StatefulSet
    D. ReplicaSet
    Answer: C
    Explanation: StatefulSets assign stable DNS names and attach PersistentVolumes. Deployments/ReplicaSets are stateless; DaemonSets run one Pod per node.

  5. Question: Scenario: You need to run a Pod on every node (e.g. logging agent). Which controller?
    Options:
    A. Deployment
    B. DaemonSet
    C. StatefulSet
    D. Job
    Answer: B
    Explanation: DaemonSets ensure one Pod per node. Jobs run to completion; Deployments manage a ReplicaSet.

  6. Question: To give a service an external TCP load-balanced IP, you create a Service of type:
    Options:
    A. ClusterIP
    B. NodePort
    C. LoadBalancer
    D. ExternalName
    Answer: C
    Explanation: LoadBalancer provisions a cloud LB and external IP. NodePort exposes a port on each node; ClusterIP is internal only.

  7. Question: (Select two) You want to limit each container to max 500 mCPU and 1 Gi RAM. Configure in Pod spec:
    Options:
    A. resources.requests.cpu = 500m
    B. resources.limits.cpu = 500m
    C. resources.requests.memory = 1Gi
    D. resources.limits.memory = 1Gi
    Answer: B, D
    Explanation: limits enforce maximum. requests reserve minimum. You could set both, but the question asks to cap.

  8. Question: To upgrade the control plane without downtime, you issue:
    Options:
    A. gcloud container clusters upgrade --master
    B. kubectl apply -f upgrade.yaml
    C. terraform apply
    D. helm upgrade
    Answer: A
    Explanation: gcloud container clusters upgrade --master upgrades the control plane. kubectl/helm apply workload resources, not control plane.

  9. Question: You need to restrict API-server access to only your office IP. Which feature do you enable?
    Options:
    A. Authorized Networks
    B. Private Cluster
    C. VPC Peering
    D. Cloud NAT
    Answer: A
    Explanation: Authorized Networks on the control plane allow whitelisted CIDRs. Private clusters restrict master endpoint to VPC only.

  10. Question: Scenario: A Pod fails the readinessProbe. What happens?
    Options:
    A. It is restarted immediately
    B. It is removed from Service endpoints
    C. It is evicted from the node
    D. It is deleted permanently
    Answer: B
    Explanation: readinessProbe failure only prevents new traffic; livenessProbe failure restarts the container.

  11. Question: (Select two) For CI/CD you want to apply Kubernetes manifests in version control. Which tools fit?
    Options:
    A. Cloud Build with kubectl
    B. GitOps with Config Sync (Anthos)
    C. Deployment Manager
    D. gcloud compute ssh
    Answer: A, B
    Explanation: Cloud Build can run kubectl apply; Config Sync pulls manifests automatically. Deployment Manager is GCP-native infra as code, not k8s-native; ssh is manual.

  12. Question: Which command opens a shell inside a running Pod?
    Options:
    A. kubectl exec -it <pod> -- /bin/sh
    B. kubectl run
    C. kubectl logs
    D. kubectl port-forward
    Answer: A
    Explanation: exec runs commands inside containers. run creates new Pods; logs prints container logs; port-forward forwards ports.

  13. Question: Scenario: You want to prevent eviction of at least 2 replicas during maintenance. Which do you configure?
    Options:
    A. PodDisruptionBudget minAvailable=2
    B. ReplicaSet replicas=2
    C. ResourceQuota
    D. LimitRange
    Answer: A
    Explanation: PDB minAvailable ensures at least 2 Pods remain during voluntary disruptions.

  14. Question: To store sensitive keys and mount them into Pods, use:
    Options:
    A. ConfigMap
    B. Secret
    C. PersistentVolume
    D. EmptyDir
    Answer: B
    Explanation: Secrets are designed for sensitive data. ConfigMaps are for non-sensitive; PV/EmptyDir are storage.

  15. Question: You need per-namespace CPU/memory quotas. Which object?
    Options:
    A. ResourceQuota
    B. LimitRange
    C. Namespace
    D. ClusterRole
    Answer: A
    Explanation: ResourceQuota sets total resource caps per namespace; LimitRange sets defaults/limits per Pod/container.

  16. Question: Scenario: You cannot pull certain public images due to compliance. Which Admission Controller do you enable?
    Options:
    A. Binary Authorization
    B. PodSecurityPolicy
    C. NetworkPolicy
    D. RBAC
    Answer: A
    Explanation: Binary Authorization enforces signed images from allowed registries.

  17. Question: Which add-on lets you view traces and service mesh metrics on GKE?
    Options:
    A. Anthos Service Mesh
    B. Cloud Logging
    C. Cloud Monitoring
    D. Cloud Profiler
    Answer: A
    Explanation: Anthos Service Mesh (managed Istio) provides telemetry. Logging/Monitoring collect logs/metrics; Profiler profiles code.

  18. Question: To ensure all Pods are scheduled with a specific GPU, define:
    Options:
    A. nodeSelector: gpu=true
    B. affinity podAffinity
    C. taints/tolerations
    D. hostPath volume
    Answer: A
    Explanation: nodeSelector assigns Pods to nodes with matching labels (e.g. gpu=true). Taints/tolerations also work but need node taint first.

  19. Question: Scenario: A sensitive workload must never communicate with other namespaces. Which do you enforce?
    Options:
    A. Namespace NetworkPolicy default deny
    B. PodSecurityPolicy
    C. RoleBinding
    D. ResourceQuota
    Answer: A
    Explanation: Namespace-scoped NetworkPolicy default-deny isolates traffic. PSP and RBAC are for security, not network.

  20. Question: Which command scales a Deployment named “web” to 5 replicas?
    Options:
    A. kubectl scale deployment web --replicas=5
    B. kubectl set replicas web 5
    C. kubectl edit deployment web
    D. kubectl apply --scale
    Answer: A
    Explanation: scale is the proper subcommand; set, edit, and apply --scale don’t exist.

  21. Question: To run background cleanup at cluster level, use:
    Options:
    A. CronJob
    B. Job
    C. DaemonSet
    D. Deployment
    Answer: A
    Explanation: CronJob runs Jobs on schedule. Job runs once immediately; DaemonSet/Deployment manage long-lived Pods.

  22. Question: You need to upgrade node pools automatically to latest node image. Which setting?
    Options:
    A. Enable Node Auto-Upgrade
    B. Enable Node Auto-Repair
    C. Cluster Autoscaler
    D. Maintenance Window
    Answer: A
    Explanation: Auto-Upgrade config updates node pool version automatically. Auto-Repair fixes unhealthy nodes.

  23. Question: Which GKE log stream shows Kubernetes API requests?
    Options:
    A. Audit Logs
    B. System Logs
    C. Workload Logs
    D. Firewall Logs
    Answer: A
    Explanation: Audit Logs record API calls. System logs cover node components; Workload logs cover container output.

  24. Question: (Select two) To enforce image pull secrets in all namespaces, use:
    Options:
    A. ImagePullSecrets in ServiceAccount
    B. Namespace default imagePullPolicy
    C. Admission Controller requiring pull secrets
    D. RBAC restrict pull
    Answer: A, C
    Explanation: Embedding pull secrets in default ServiceAccount and using an admission controller enforces it. imagePullPolicy is for caching; RBAC doesn’t restrict image registry access.

  25. Question: Scenario: You want separate node pools for Linux and Windows workloads. How?
    Options:
    A. Create two node pools with different OS images
    B. Use taints only
    C. Single node pool accepts both
    D. Use StatefulSet OS selector
    Answer: A
    Explanation: GKE node pools can specify Windows or Linux node images; taints complement but pool OS must match.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Section 3: App Engine (25 Questions)
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

  1. Question: Which App Engine environment automatically scales to zero when idle?
    Options:
    A. Standard
    B. Flexible
    C. Managed VMs
    D. Dedicated
    Answer: A
    Explanation: Standard scales to zero; Flexible always keeps min 1 instance.

  2. Question: You need a custom runtime via Dockerfile. Which environment?
    Options:
    A. Standard
    B. Flexible
    C. Auto
    D. Basic
    Answer: B
    Explanation: Flexible uses Docker; Standard uses predefined runtimes.

  3. Question: (Select two) To schedule a task every 30 minutes, you configure:
    Options:
    A. cron.yaml
    B. dispatch.yaml
    C. app.yaml handlers
    D. Task Queues push queues
    Answer: A, D
    Explanation: cron.yaml defines schedules; push queues use Task Queues for asynchronous work. dispatch.yaml is URL routing.

  4. Question: You want to route /chat/* URLs to a “chat” service. Which file?
    Options:
    A. dispatch.yaml
    B. app.yaml
    C. index.yaml
    D. cron.yaml
    Answer: A
    Explanation: dispatch.yaml maps URL patterns across services. app.yaml configures a single service.

  5. Question: To split traffic 20/80 between v2 and v1 of “api” service, use:
    Options:
    A. gcloud app services set-traffic api --splits v2=0.2,v1=0.8
    B. Update app.yaml
    C. Modify dispatch.yaml
    D. Adjust firewall
    Answer: A
    Explanation: gcloud app services set-traffic adjusts percentage per version.

  6. Question: Scenario: You need unlimited background processing longer than 60 sec. Which environment?
    Options:
    A. Standard with Task Queue
    B. Flexible
    C. Standard manual scaling
    D. Cron job only
    Answer: B
    Explanation: Flexible has 60 min request timeout; Standard max request time is shorter (~60 sec).

  7. Question: Which App Engine feature caches static assets at Google’s edge by default?
    Options:
    A. CDN (built-in)
    B. Memcache
    C. Cloud CDN
    D. Dispatch
    Answer: A
    Explanation: App Engine automatically serves static files via its edge cache. Cloud CDN is for Compute Engine.

  8. Question: To connect Standard app to a VPC-only Cloud SQL instance, you must configure:
    Options:
    A. Serverless VPC Access Connector
    B. Public IP + SSL
    C. Cloud NAT
    D. VPN
    Answer: A
    Explanation: VPC Access Connector bridges Standard environment to VPC networks.

  9. Question: Which runtime is supported only in Flexible and not Standard?
    Options:
    A. Java 8
    B. Python 2.7
    C. PHP 7.4
    D. .NET Core
    Answer: D
    Explanation: .NET Core is Flexible-only. PHP, Java, Python have Standard support (depending on versions).

  10. Question: For sticky sessions in Standard, you enable:
    Options:
    A. session_affinity in dispatch
    B. session_affinity in app.yaml
    C. version traffic splitting
    D. firewall rules
    Answer: B
    Explanation: session_affinity setting in app.yaml enables IP-based sticky sessions.

  11. Question: To restrict incoming traffic to your GCP project’s VPC, you set:
    Options:
    A. App Engine Firewall rules
    B. dispatch.yaml
    C. cron.yaml
    D. IAM roles
    Answer: A
    Explanation: App Engine Firewall allows or denies traffic by IP.

  12. Question: You need to view request latency distribution for your service. Which do you use?
    Options:
    A. Cloud Trace
    B. Cloud Logging
    C. Cloud Monitoring uptime checks
    D. BigQuery
    Answer: A
    Explanation: Cloud Trace shows latency histograms and distributed traces. Logging shows raw logs; Monitoring shows metrics.

  13. Question: Scenario: You must pre-warm 5 instances before traffic. Which Standard setting?
    Options:
    A. basic_scaling with idle_timeout
    B. manual_scaling instances=5
    C. automatic_scaling max_idle_instances=5
    D. dispatch warmup
    Answer: C
    Explanation: automatic_scaling max_idle_instances reserves idle instances. basic/manual scaling behave differently.

  14. Question: For long-running WebSocket connections, which environment supports it?
    Options:
    A. Flexible
    B. Standard
    C. Both
    D. Neither
    Answer: A
    Explanation: Flexible allows WebSocket and long-lived TCP; Standard does not.

  15. Question: (Select two) Which files belong to App Engine Standard service config?
    Options:
    A. app.yaml
    B. cron.yaml
    C. index.html
    D. Dockerfile
    Answer: A, B
    Explanation: app.yaml and cron.yaml are GAE config. index.html is app code; Dockerfile is Flexible.

  16. Question: You need to rollback to a previous version immediately. Which action?
    Options:
    A. gcloud app versions migrate
    B. Edit app.yaml
    C. Scale down traffic in dispatch
    D. Delete current version
    Answer: A
    Explanation: versions migrate switches traffic to a specified version. Deleting may cause outages.

  17. Question: To view Datastore composite-index builds, you consult:
    Options:
    A. index.yaml
    B. dispatch.yaml
    C. app.yaml
    D. cron.yaml
    Answer: A
    Explanation: index.yaml defines composite indexes for Cloud Datastore/Firestore in Datastore mode.

  18. Question: Scenario: You must run a resource-intensive batch job daily. Which is best?
    Options:
    A. Standard cron with Task Queue
    B. Flexible cron service
    C. App Engine doesn’t support Batch
    D. Cloud Composer
    Answer: B
    Explanation: Flexible environment handles heavy workloads; Standard has strict request limits. Cloud Composer is for workflows, not GAE.

  19. Question: Which App Engine setting defines instance class (F1, F2, etc.)?
    Options:
    A. instance_class in app.yaml
    B. service: in dispatch
    C. runtime in app.yaml
    D. instance_type in cron.yaml
    Answer: A
    Explanation: instance_class under automatic_scaling in app.yaml sets F1, F2 sizes.

  20. Question: To secure environment variables from code, use:
    Options:
    A. Secret Manager + runtime config
    B. inline in app.yaml
    C. dispatch.yaml
    D. cron.yaml
    Answer: A
    Explanation: Secret Manager combined with runtime config or direct Secret Manager access stores secrets securely. Inline is insecure.

  21. Question: For near-zero downtime deploys with migration of websocket connections, use:
    Options:
    A. flexible version with traffic gradual rollout
    B. standard version split traffic
    C. dispatch warmup
    D. cannot support websocket in standard
    Answer: A
    Explanation: Flexible supports WebSockets; you can split traffic gradually. Standard doesn’t support WebSockets.

  22. Question: Which App Engine feature automatically scales the number of instances based on request rate?
    Options:
    A. automatic_scaling
    B. basic_scaling
    C. manual_scaling
    D. resident_scaling
    Answer: A
    Explanation: automatic_scaling adjusts instance count to match load. basic and manual have fixed behaviors.

  23. Question: Scenario: You need to debug one-off traffic for a suspect version. How do you isolate that traffic?
    Options:
    A. Traffic splitting 100% to debug version
    B. Edit dispatch.yaml
    C. Use firewall rule
    D. Delete other versions
    Answer: A
    Explanation: Splitting traffic directs some or all traffic to a specified version without downtime.

  24. Question: Which metric indicates instance startup latency?
    Options:
    A. Response Latency p95
    B. Instance Startup Time
    C. CPU utilization
    D. Memory usage
    Answer: B
    Explanation: Instance Startup Time measures how long it takes to start an instance. The others measure performance.

  25. Question: To test a new library in isolation without affecting prod, you deploy to:
    Options:
    A. New version with 0% traffic
    B. New service
    C. New project
    D. Delete prod version then deploy
    Answer: A
    Explanation: Deploying a new version and setting its traffic to 0% leaves it idle for testing. New service duplicates routing.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Section 4: Cloud Functions (25 Questions)
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

  1. Question: Scenario: You need to process images uploaded to a bucket. Which trigger type?
    Options:
    A. HTTP
    B. Pub/Sub
    C. Cloud Storage
    D. Scheduler
    Answer: C
    Explanation: A Cloud Storage trigger fires on object create/update.

  2. Question: To allow public invocation of an HTTP Function, you grant which?
    Options:
    A. roles/cloudfunctions.invoker to allUsers
    B. roles/owner to allUsers
    C. IAM disable
    D. VPC Connector
    Answer: A
    Explanation: roles/cloudfunctions.invoker on allUsers allows unauthenticated HTTP access. Owner is too broad.

  3. Question: Which Gen supports Docker container images?
    Options:
    A. Gen1 only
    B. Gen2 only
    C. Both
    D. Neither
    Answer: B
    Explanation: 2nd-gen Cloud Functions allow custom container images; Gen1 accepts only source code.

  4. Question: (Select two) To reduce cold starts, you configure:
    Options:
    A. --min-instances
    B. --timeout
    C. --memory
    D. --vpc-connector
    Answer: A, C
    Explanation: min-instances keeps instances warm; higher memory allocates more CPU, reducing cold-start latency.

  5. Question: You need to call a private Cloud SQL instance. You configure:
    Options:
    A. Serverless VPC Connector
    B. Public IP + SSL
    C. Cloud NAT
    D. Shared VPC
    Answer: A
    Explanation: VPC Connector attaches functions to your VPC for private Cloud SQL connectivity.

  6. Question: What’s the maximum timeout for a Gen2 Function?
    Options:
    A. 9 min
    B. 60 min
    C. 10 min
    D. 1 min
    Answer: B
    Explanation: Gen2 supports up to 60 min; Gen1 max is 9 min.

  7. Question: Scenario: A function fails and you want no retries. Which flag on deploy?
    Options:
    A. --no-retry
    B. --retry=0
    C. cannot disable
    D. --disable-retry
    Answer: A
    Explanation: --no-retry disables retries on background functions. retry=0 is not valid.

  8. Question: To view your function’s execution logs, use:
    Options:
    A. Cloud Logging
    B. Cloud Monitoring
    C. Cloud Trace
    D. Error Reporting
    Answer: A
    Explanation: Cloud Logging captures console.log outputs and system logs. Monitoring charts metrics.

  9. Question: You need environment variables defined per function. Pass via:
    Options:
    A. --set-env-vars
    B. app.yaml
    C. cron.yaml
    D. dispatch.yaml
    Answer: A
    Explanation: gcloud functions deploy --set-env-vars sets env vars. YAML files are for App Engine.

  10. Question: Which default concurrency value does Gen2 use?
    Options:
    A. 1
    B. 10
    C. 80
    D. 100
    Answer: B
    Explanation: Gen2 concurrency defaults to 10; Gen1 is always 1.

  11. Question: (Select two) Which runtimes are available in Gen1?
    Options:
    A. Node.js 10
    B. Go 1.13
    C. Java 11
    D. Ruby 2.7
    Answer: A, B
    Explanation: Gen1 supports Node.js, Python, Go, Java 8. Java 11 and Ruby are available only in Gen2.

  12. Question: Scenario: You want to trigger a function every hour. Which service do you integrate?
    Options:
    A. Cloud Scheduler + Pub/Sub
    B. HTTP + cron.yaml
    C. Cloud Tasks
    D. Cloud Composer
    Answer: A
    Explanation: Scheduler publishes to Pub/Sub, which triggers the function. HTTP + cron.yaml is App Engine.

  13. Question: To restrict function deployment to certain regions, you set:
    Options:
    A. --region flag
    B. IAM location policy
    C. Org policy constraint
    D. --vpc-connector
    Answer: A
    Explanation: Specify --region when deploying. Org policies can constrain regions, but the simplest way is the flag.

  14. Question: Which permission permits updating function code/config?
    Options:
    A. roles/cloudfunctions.developer
    B. roles/cloudfunctions.invoker
    C. roles/owner
    D. roles/viewer
    Answer: A
    Explanation: developer role allows create/update; invoker only calls the function.

  15. Question: You need to test a function’s HTTP endpoint locally. Which do you use?
    Options:
    A. Functions Framework
    B. gcloud emulator
    C. Cloud Shell only
    D. cannot test locally
    Answer: A
    Explanation: Functions Framework simulates the Functions runtime locally.

  16. Question: To control egress to the internet, you deploy:
    Options:
    A. Serverless VPC Connector + Cloud NAT
    B. Public IP
    C. Cloud DNS
    D. Firewall Rule
    Answer: A
    Explanation: VPC Connector plus NAT routes egress through VPC, enabling firewall/NAT control.

  17. Question: Scenario: You must version your functions for canary releases. How?
    Options:
    A. Deploy new function with version suffix and adjust callers
    B. gcloud functions split-traffic
    C. Use Cloud Run instead
    D. Use App Engine
    Answer: A
    Explanation: Cloud Functions has no built-in traffic splitting; deploy parallel functions.

  18. Question: Which metric indicates function invocation latency?
    Options:
    A. execution_count
    B. execution_times
    C. latency
    D. error_count
    Answer: C
    Explanation: “user_latency” metric shows invocation latency. execution_count is count; times is histogram.

  19. Question: (Select two) Which environments support Docker containers?
    Options:
    A. Cloud Functions Gen2
    B. Cloud Functions Gen1
    C. Cloud Run
    D. App Engine Standard
    Answer: A, C
    Explanation: Gen2 Functions and Cloud Run support custom containers. Gen1 is source only; App Engine Standard uses runtimes.

  20. Question: You need a function to run inside a specific VPC subnet. Which setting?
    Options:
    A. --vpc-connector-subnet
    B. --region
    C. --timeout
    D. --memory
    Answer: A
    Explanation: vpc-connector-subnet specifies the subnet for the connector. The others are irrelevant.

  21. Question: To reduce cold starts but control cost, set:
    Options:
    A. --min-instances and --max-instances
    B. --concurrency
    C. --timeout
    D. --region
    Answer: A
    Explanation: min-instances keeps instances warm; max-instances caps cost. concurrency and timeout don’t warm instances.

  22. Question: How do you disable a function temporarily?
    Options:
    A. Remove its trigger
    B. gcloud functions disable
    C. Set IAM deny on invoker
    D. Cannot disable
    Answer: A or C (Select two)
    Explanation: Removing the trigger (e.g. unbinding Pub/Sub) or revoking invoker IAM both stop invocations. No direct disable command.

  23. Question: Which command deletes a function named “processImage”?
    Options:
    A. gcloud functions delete processImage
    B. gcloud functions rm processImage
    C. gcloud delete function processImage
    D. gcloud function remove processImage
    Answer: A
    Explanation: Correct syntax is gcloud functions delete <NAME>.

  24. Question: Which environment variable provides the project ID?
    Options:
    A. GCP_PROJECT
    B. GOOGLE_CLOUD_PROJECT
    C. PROJECT_ID
    D. CLOUDSDK_CORE_PROJECT
    Answer: B
    Explanation: GOOGLE_CLOUD_PROJECT is automatically set. CLOUDSDK_CORE_PROJECT is local gcloud config.

  25. Question: Scenario: Your function must process up to 1,000 concurrent Pub/Sub messages. Which setting?
    Options:
    A. Increase concurrency in Cloud Run instead
    B. Cloud Functions will scale automatically up to quota
    C. Set --max-instances to 1000
    D. Set --concurrency to 10
    Answer: B
    Explanation: Cloud Functions (Gen2) auto-scales instances based on load up to project quota. max-instances caps; concurrency controls requests per instance.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Section 5: Cloud Run (25 Questions)
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

  1. Question: Which gcloud command deploys a Docker image to Cloud Run?
    Options:
    A. gcloud run deploy
    B. docker run
    C. gcloud compute instances create
    D. gcloud functions deploy
    Answer: A
    Explanation: gcloud run deploy deploys containers to Cloud Run.

  2. Question: To expose your service publicly, you add which flag?
    Options:
    A. --allow-unauthenticated
    B. --public
    C. --ingress all
    D. --region global
    Answer: A
    Explanation: allow-unauthenticated makes the service reachable to all.

  3. Question: Default concurrency per Cloud Run container is:
    Options:
    A. 80
    B. 1
    C. 10
    D. 100
    Answer: A
    Explanation: Cloud Run default is 80 concurrent requests per container.

  4. Question: (Select two) To mount a secret from Secret Manager, you use:
    Options:
    A. --set-secrets
    B. --set-env-vars
    C. SecretVolume in YAML
    D. --vpc-connector
    Answer: A, C
    Explanation: set-secrets CLI flag or SecretVolume mount in YAML pulls secrets in. env-vars can reference but mount is set-secrets.

  5. Question: What’s the maximum request timeout?
    Options:
    A. 10 min
    B. 60 min
    C. 5 min
    D. 1 min
    Answer: A
    Explanation: Cloud Run supports up to 10 minutes per request.

  6. Question: To keep 3 containers always warm, set:
    Options:
    A. --min-instances=3
    B. --max-instances=3
    C. --concurrency=3
    D. --timeout=3
    Answer: A
    Explanation: min-instances reserves that many warm containers. max limits scaling; concurrency and timeout are different.

  7. Question: You need your service to only accept traffic from internal VPC. Which flag?
    Options:
    A. --ingress internal
    B. --allow-unauthenticated
    C. --vpc-connector
    D. --no-traffic
    Answer: A
    Explanation: ingress set to internal restricts to VPC and in-cluster traffic.

  8. Question: (Select two) To autoscale based on Pub/Sub queue depth, integrate:
    Options:
    A. Pub/Sub push subscription
    B. HTTP polling
    C. Cloud Tasks
    D. Direct DB connection
    Answer: A, C
    Explanation: Cloud Run can be invoked by a push subscription or by pulling via Cloud Tasks. Polling and direct DB are not native triggers.

  9. Question: Which setting caps the maximum number of containers?
    Options:
    A. --max-instances
    B. --min-instances
    C. --concurrency
    D. --cpu
    Answer: A
    Explanation: max-instances restricts scaling ceiling.

  10. Question: To route 10% of traffic to a new revision, use:
    Options:
    A. gcloud run services update-traffic --to-revisions new=10,old=90
    B. kubectl split
    C. dispatch.yaml
    D. IAM policy
    Answer: A
    Explanation: update-traffic CLI sets traffic splits between revisions.

  11. Question: You need static outbound IPs from Cloud Run. You configure:
    Options:
    A. VPC Connector + Cloud NAT
    B. --source IP
    C. --allow-unauthenticated
    D. --ingress internal
    Answer: A
    Explanation: A Serverless VPC Connector plus NAT Gateway gives stable egress IPs.

  12. Question: Which IAM role allows calling (invoking) a Cloud Run service?
    Options:
    A. roles/run.invoker
    B. roles/run.admin
    C. roles/run.viewer
    D. roles/observer
    Answer: A
    Explanation: run.invoker permits invoking a service. run.admin manages the service.

  13. Question: To limit request parallelism per container, adjust:
    Options:
    A. --concurrency
    B. --cpu
    C. --memory
    D. --timeout
    Answer: A
    Explanation: concurrency flag sets how many simultaneous requests a container handles.

  14. Question: Scenario: You have a public service but want to restrict it to only your organization. You remove allow-unauthenticated and grant invoker to:
    Options:
    A. your-org’s allUsers group
    B. your-org’s authenticatedUsers
    C. allAuthenticatedUsers
    D. no one
    Answer: B
    Explanation: authenticatedUsers restricts to signed-in users in your org. allUsers is public; allAuthenticatedUsers is any Google user.

  15. Question: To view logs for a revision, you go to:
    Options:
    A. Cloud Logging
    B. Cloud Monitoring
    C. Cloud Trace
    D. Cloud Build
    Answer: A
    Explanation: Cloud Run logs appear in Cloud Logging under the service name.

  16. Question: Which metric indicates container instance CPU utilization?
    Options:
    A. CPU/utilization
    B. requests_per_second
    C. memory_usage
    D. concurrency
    Answer: A
    Explanation: CPU utilization metric shows vCPU use. Others are different.

  17. Question: (Select two) Which options allow you to deploy from GitHub on push?
    Options:
    A. Cloud Build trigger → Cloud Run deploy
    B. gcloud run deploy --source
    C. Cloud Deploy
    D. App Engine
    Answer: A, B
    Explanation: Cloud Build triggers can build/deploy; gcloud run deploy --source builds from source. Cloud Deploy is a CD pipeline; App Engine is different.

  18. Question: Scenario: You need to debug only 1% traffic to a new revision. Which do you do?
    Options:
    A. Split traffic 1% to new
    B. Deploy as separate service
    C. Delete old revision
    D. Update firewall
    Answer: A
    Explanation: Traffic splitting to the new revision by 1% is the canary pattern.

  19. Question: Which Cloud Run variant runs on your GKE cluster?
    Options:
    A. Cloud Run for Anthos
    B. Cloud Run (managed)
    C. Cloud Functions
    D. App Engine Flex
    Answer: A
    Explanation: Anthos edition deploys to GKE; managed runs on Google-managed infrastructure.

  20. Question: To encrypt container root filesystem with CMEK, you must:
    Options:
    A. Use a customer-managed KMS key on the service
    B. Cannot encrypt at Cloud Run layer
    C. Use Shielded VMs
    D. Enable Confidential Containers
    Answer: B
    Explanation: Cloud Run does not support CMEK on container FS. You must wrap image storage encryption outside of Cloud Run.

  21. Question: Which header carries the original client IP to your container?
    Options:
    A. X-Forwarded-For
    B. Host
    C. User-Agent
    D. Content-Type
    Answer: A
    Explanation: X-Forwarded-For lists client IPs behind proxies.

  22. Question: You must enforce request size limit at 10 MiB. Which flag?
    Options:
    A. --max-request-bytes
    B. --concurrency
    C. --timeout
    D. --cpu
    Answer: A (YAML override)
    Explanation: In YAML you can set maxRequestBytes. CLI flag doesn’t exist; must edit service config.

  23. Question: To restrict outbound calls to only your on-prem database over VPN, you configure:
    Options:
    A. VPC Connector + Private Service Connect
    B. Public egress
    C. Ingress internal
    D. Concurrency=1
    Answer: A
    Explanation: VPC Connector + Private Service Connect or NAT routes egress through your VPN network. The others are irrelevant.

  24. Question: For canary DB schema migration requiring dual-write, you deploy two revisions and:
    Options:
    A. Split traffic 50/50 during migration
    B. Use two separate services
    C. Use direct GKE rollout
    D. Run job on Compute Engine
    Answer: A
    Explanation: Splitting traffic between revisions lets you test new logic under load.

  25. Question: Which setting avoids too many containers on node pools in Anthos?
    Options:
    A. Kubernetes ResourceQuota
    B. --max-instances
    C. --concurrency
    D. --min-instances
    Answer: A
    Explanation: In Anthos, ResourceQuota caps Pods and thus indirectly nodes. Cloud Run flags don’t apply on GKE.

Written by

Anusree Anilkumar