Professional-Cloud-Architect Google Certified Professional - Cloud Architect (GCP) Questions and Answers

https://cloud.google.com/storage/docs/locations

Coldline Storage is the best choice for data that you plan to access at most once a year, due to its slightly lower availability, 90-day minimum storage duration, costs for data access, and higher per-operation costs. For example:

Cold Data Storage - Infrequently accessed data, such as data stored for legal or regulatory reasons, can be stored at low cost as Coldline Storage, and be available when you need it.

Disaster recovery - In the event of a disaster recovery event, recovery time is key. Cloud Storage provides low latency access to data stored as Coldline Storage.

https://cloud.google.com/solutions/iot/

https://cloud.google.com/solutions/designing-conne cted-vehicle-platform

https://cloud.google.com/solutions/designing-connected-vehicle- platform#data_ingestion

http://www.eweek.com/big-data-and-analytics/google-touts-value-of-cloud-iot-core-for-analyzing-conne cted-car-data

https://cloud.goog le.com/solutions/iot/

The push endpoint can be a load balancer.

A container cluster can be used.

Cloud Pub/Sub for Stream Analytics

The Avro binary format is the preferred format for loading compressed data. Avro data is faster to load because the data can be read in parallel, even when the data blocks are compressed.

Cloud Storage supports streaming transfers with the gsutil tool or boto library, based on HTTP chunked transfer encoding. Streaming data lets you stream data to and from your Cloud Storage account as soon as it becomes available without requiring that the data be first saved to a separate file. Streaming transfers are useful if you have a process that generates data and you do not want to buffer it locally before uploading it, or if you want to send the result from a computational pipeline directly into Cloud Storage.

Capacity planning, TCO calculations, opex/capex allocation From the case study, it can conclude that Management (CXO) all concern rapid provision of resources (infrastructure) for growing as well as cost management, such as Cost optimization in Infrastructure, trade up front capital expenditures (Capex) for ongoing operating expenditures (Opex), and Total cost of ownership (TCO)

https://cloud.google.com/solutions/data-lifecycle-cloud-platform

https://cloud.google.com/solutions/designing-connected-vehicle-platform

https://cloud.google.com/community/tutorials/pci-tokenizer Deterministic output means that a given set of inputs (card number, expiration, and userID) will always generate the same token. This is useful if you want to rely on the token value to deduplicate your token stores. You can simply match a newly generated token to your existing catalog of tokens to determine whether the card has been previously stored. Depending on your application architecture, this can be a very useful feature. However, this could also be accomplished using a salted hash of the input values.

According to the Google Cloud Architecture Framework for modernizing applications, Google Kubernetes Engine (GKE) is the most suitable compute platform for services requiring high scalability and availability. Cymbal’s AI-powered virtual agents must handle "anticipated growth" and fluctuating customer demands from their web and mobile apps. GKE’s Horizontal Pod Autoscaler (HPA) and Cluster Autoscaler ensure that the compute resources expand automatically during peak shopping hours and shrink during low-traffic periods to "minimize costs."

GKE is explicitly mentioned in Cymbal’s "Existing Technical Environment" as their preferred platform for containerized applications. Leveraging GKE for the virtual agents allows the development team to use a microservices approach, isolating the agent's logic from other catalog enrichment tasks. Option D (Single large VM) is a "legacy" approach that creates a single point of failure and does not scale efficiently. Option A (Cloud SQL) is a database service, not a compute resource for running agent logic. While Vertex AI Agent Builder (Option B) is the tool used to create the agents, the underlying compute that hosts the integrated application and handles the traffic orchestration is best served by a managed Kubernetes environment like GKE, which aligns with their requirement for "Scalability and Performance."

According to the Google Cloud Migration Framework, a phased approach (also known as a Phased Migration) is the highly recommended best practice for complex enterprise workloads like Cymbal's product catalog. This strategy minimizes business risk and operational disruption by avoiding the "Big Bang" approach (Option D), which is often cited in the Google Cloud Architecture Framework as being high-risk for large-scale migrations.

By starting with a pilot project focused on a specific product category, Cymbal can validate the technical architecture of their new generative AI tools—such as Vertex AI Search and Retail API—in a controlled environment. This allows the team to refine the Human-in-the-Loop (HITL) review processes and ensure that the AI-generated attributes and descriptions meet their accuracy standards before a global rollout. This "crawl-walk-run" methodology aligns with the Google Cloud Adoption Framework, specifically the "Scale" and "Learn" themes, by allowing the organization to build expertise and adjust governance policies based on real-world results from the pilot.

Furthermore, a gradual expansion helps in managing costs effectively, as Cymbal can optimize resource allocation (like moving from on-premises databases to Cloud Spanner or Cloud SQL) based on the performance metrics observed during the initial phase. Options A and B are too prescriptive regarding specific compute choices without first establishing a successful migration pattern and do not address the primary requirement of "proper change management" and risk mitigation.

According to Google Cloud Hybrid Connectivity documentation, Cloud VPN is the standard and recommended solution for establishing a secure, encrypted connection over the public internet between an on-premises network and a Google Cloud VPC. This aligns with Cymbal’s requirement for "secure communication" while maintaining manageability. Unlike SSH tunnels (Option B), which are fragile and difficult to scale at an enterprise level, Cloud VPN utilizes IPsec protocols to create a stable and encrypted site-to-site tunnel.

+1

To satisfy the "secure and manageable" criteria, the implementation must include strictly defined VPC Firewall Rules. This ensures the principle of least privilege is applied, restricting on-premises systems to only the necessary cloud resources and ports required for their specific business functions. VPC Peering (Option D) is technically incorrect here as it is designed for connecting two VPCs within the cloud, not for on-premises to cloud connectivity. A Bastion Host (Option A) provides a secure gateway for administrative login (SSH/RDP) but does not provide the transparent, network-level connectivity required for the automated "legacy file-based integrations" and "data transfers" mentioned in Cymbal’s environment. By using Cloud VPN with granular firewalling, Cymbal achieves a secure extension of their data center into Google Cloud.

According to the Google Cloud Architecture Framework: Performance Excellence, Local SSDs are the optimal choice for "scratch" space, temporary files, and workloads requiring the lowest possible latency and highest IOPS. Unlike Persistent Disks (Option C) or Filestore (Option B), which are network-attached, Local SSDs are physically attached to the server that hosts the virtual machine instance.

This physical proximity eliminates network latency, providing sub-millisecond access times which are critical for "frequently accessed and modified" temporary files during AI training and inference. For generative AI, where data shuffling and checkpointing are intensive, the high throughput of Local SSDs prevents the storage layer from becoming a bottleneck for the expensive GPU/TPU accelerators.

While the data on Local SSDs is ephemeral (lost if the VM is deleted or undergoes certain maintenance events), this perfectly matches Cymbal's requirement for "temporary files." Furthermore, Local SSDs can be more cost-effective than provisioning high-performance Persistent Disks of equivalent speed, as their performance is not tied to the disk size. Cloud Storage (Option A) is unsuitable for this specific use case due to the significantly higher latency of object-based storage compared to block-based local storage.

The Google Cloud database migration path follows a "like-for-like" managed service strategy. Cloud SQL is the recommended destination for MySQL and SQL Server workloads that do not require the massive horizontal scale of Spanner, fitting Cymbal’s "Technical Stack Modernization" goals. Memorystore is the managed service for Redis, and Firestore is the native NoSQL replacement for MongoDB.

For the image storage requirement, Cloud Storage Coldline is the mathematically correct choice for data accessed "less and less frequently" with a retention period exceeding 90 days. According to Cloud Storage documentation, Coldline is specifically designed for data accessed at most once a quarter (90 days). Using Object Lifecycle Management to move images from Standard to Coldline allows Cymbal to "reduce costs" while keeping images "immediately accessible" (unlike Archive storage, which may have different trade-offs). Option C is less optimal because Nearline is intended for 30-day access patterns; given the images stay for 90+ days and usage drops significantly, the deeper savings of Coldline are preferred. Option A is over-engineered (Spanner for all) and expensive, while Option B contradicts the requirement to "reduce costs" by increasing operational overhead

According to Google Cloud Storage documentation, the soft-delete policy is a feature enabled by default on new buckets (starting in 2024) to protect against accidental or malicious deletion. It retains deleted objects for a specified retention period (default is seven days). For workloads involving large files—such as the video files Cymbal uses for Vertex AI training—this policy can lead to unexpected cost spikes.

When soft-delete is active, objects that are deleted are not immediately removed from the billing cycle; instead, they continue to incur charges at the same rate as "live" objects until the retention period expires. In an AI training environment where datasets are frequently updated, replaced, or temporary "scratch" files are created and deleted, the volume of soft-deleted bytes can quickly double or triple the effective storage footprint.

Options B and D are incorrect because moving from dual-region or multi-region to a single region would actually reduce storage costs, as regional storage is priced lower. Option A is incorrect because disabling the policy would stop the retention of deleted bytes, thereby lowering the bill. Therefore, checking for an active or recently enabled soft-delete policy is the standard troubleshooting step for sudden increases in storage costs associated with high-churn, large-file datasets.

A "cloud-first" modernization strategy for a retail product catalog typically involves moving from legacy relational databases to high-performance, managed services. AlloyDB for PostgreSQL is Google Cloud's premier choice for demanding transactional workloads. It offers superior performance (up to 4x faster than standard PostgreSQL) and built-in high availability, making it ideal for the low-latency requirements of web applications and AI virtual agents.

Option A follows the architecturally sound pattern of separating structured data from unstructured assets. Cloud Storage is the industry standard for storing "product images," providing massive scalability, high availability, and low cost through lifecycle management.

Option B is less ideal because Bigtable is not designed for storing binary image blobs efficiently, and Spanner can be significantly more expensive and complex to manage if global multi-region consistency is not a strict requirement for the "minimizing operational costs" goal. Option C is incorrect because Filestore (NFS) is not a suitable primary database for a modern web application catalog. Option D is technically flawed as Cloud Storage is not an efficient primary database for structured application queries, and BigQuery is an analytical warehouse, not an image store. By combining AlloyDB and Cloud Storage, Cymbal achieves a performant, scalable, and cost-optimized foundation for their digital transformation.

https://cloud .google.com/iam/docs/understanding-service-accounts

According to Google Cloud documentation on Application Performance Management (APM), Cloud Profiler is the most effective tool for identifying resource-intensive parts of an application's source code. For Altostrat's Java-based media processing pipeline, which likely involves CPU-intensive tasks such as metadata extraction or transcoding, understanding exactly which methods or lines of code consume the most CPU or memory is critical.

Cloud Profiler is a statistical, low-overhead profiler that continuously gathers performance data (CPU usage, heap allocation, etc.) from production applications with less than 0.5% impact on performance. It presents this data in an interactive flame graph, allowing developers to pinpoint bottlenecks in the media processing logic.

While Cloud Trace (Option C) is excellent for monitoring latency across distributed services, it primarily tracks the "outer shell" of the request—showing how long a function took to execute or how long an external API call lasted—but does not provide the deep, code-level insight into internal Java method execution that Profiler does. Cloud Logging (Option A) is useful for troubleshooting specific events but is not a performance analysis tool, and Snapshot Debugger (Option D) is designed for inspecting variables at specific execution points rather than aggregate performance profiling. Given Altostrat's goal to "Optimize cloud storage costs" and "Accelerate... operational workflows," using Cloud Profiler to create more efficient, less resource-hungry processing code is the architecturally sound choice.

According to the Google Cloud Architecture Framework and Google Cloud Armor documentation, Google Cloud Armor is the enterprise-grade solution for protecting applications and services against Distributed Denial of Service (DDoS) attacks and web-based exploits. Altostrat requires a solution that addresses "multi-vector" attacks at "various layers," specifically the Network/Transport layers (L3/L4) and the Application layer (L7).

Google Cloud Armor provides built-in, always-on protection against L3 and L4 volumetric attacks at the edge of Google’s network, preventing malicious traffic from reaching the backend GKE clusters or Cloud Run functions. For L7 (Application Layer) protection, Cloud Armor offers Web Application Firewall (WAF) capabilities, including pre-configured rule sets (based on OWASP Top 10), rate limiting, and Adaptive Protection. The latter uses machine learning to detect anomalies in traffic patterns specific to Altostrat’s applications, automatically suggesting rules to block sophisticated botnets or application-layer floods.

While Cloud NGFW (Option B) provides essential network filtering, it lacks the native L7 inspection and global DDoS scrubbing capabilities inherent to Cloud Armor. VPC Service Controls (Option A) focus on data exfiltration and API security perimeters, and Security Command Center (Option D) is a posture management and threat detection tool rather than an active traffic mitigation service. Deploying Cloud Armor at the global load balancing tier ensures Altostrat maintains the high availability and reliability required for its global media streaming audience.

According to Google Cloud Compute Engine documentation, Spot VMs (formerly Preemptible VMs) are the most cost-effective choice for fault-tolerant, batch processing workloads. Since Altostrat’s jobs are "not time-critical" and can "tolerate occasional interruptions," Spot VMs offer a significant discount—typically 60-91%—compared to standard on-demand prices.

The "Reliability and cost management" priority mentioned in the executive statement is directly addressed by utilizing the spare capacity that Spot VMs provide. While these instances can be reclaimed by Google Cloud at any time (preempted) with a 30-second notice, Altostrat’s batch processing architecture (likely running on GKE or managed instance groups) can automatically reschedule these tasks when capacity becomes available again.

Option A (Reserved instances) requires a long-term commitment (1 or 3 years) and is better suited for predictable, constant workloads, not fluctuating batch jobs. Option C (Standard VMs) is unnecessarily expensive for workloads that do not require 100% uptime. Option D (Cloud Run functions) is excellent for event-driven, short-lived tasks but can become more expensive than Spot VMs for heavy, long-running batch computational demands. By leveraging Spot VMs, Altostrat achieves its goal of optimizing cloud storage and compute costs while maintaining the scalability required for its vast media library.

According to the Apigee API Platform documentation, the Quota policy is the primary mechanism used to enforce business-level constraints by limiting the number of request messages an API proxy allows over a specific period of time (such as a minute, hour, day, week, or month). For a media company like Altostrat, which aims to "unlock new revenue streams through targeted marketing" and "drive revenue growth," managing API consumption is critical for cost predictability and monetization strategies.

Google Cloud distinguishes between Spike Arrest and Quota policies. While Spike Arrest is designed for operational safety—protecting backend systems from sudden traffic bursts—the Quota policy is specifically used to enforce business contracts, Service Level Agreements (SLAs), and cost management. By configuring a Quota policy, Altostrat can ensure that no single consumer or application exceeds the total volume of calls that would result in unexpected infrastructure costs or exceed the limits of their current subscription tier.

Options A and B (API Key and OAuth) are essential for authentication and authorization—identifying who is making the call—but they do not inherently limit the volume of calls. Option D (XML threat protection) is a security measure to prevent malformed payload attacks. Therefore, to meet the specific business requirement of "Reliability and cost management," implementing Quota policies within Apigee is the architecturally correct choice to prevent API abuse and manage operational expenditure.

According to the Google Cloud Architecture Framework: Software Development and Delivery section, unit testing is the foundational practice for verifying the smallest parts of an application—such as functions, classes, or individual microservices—in complete isolation. The requirement specifically asks for a method to ensure services function correctly "in isolation," which is the primary definition of a unit test.

In Altostrat’s modernized CI/CD environment, unit tests are executed early in the pipeline (the "left" side of DevSecOps). They typically use "mocks" or "stubs" to simulate external dependencies like BigQuery, Cloud Storage, or other microservices. This ensures that the internal logic of a specific service—for instance, the metadata extraction logic or the pricing algorithm—is mathematically and logically sound before it interacts with the rest of the system.

While Integration testing (Option D) is vital for ensuring services talk to each other correctly, it does not test them "in isolation." End-to-end testing (Option C) validates the entire user journey but is slow and complex to debug. Load testing (Option B) focuses on performance under stress rather than functional correctness. To meet the technical requirement of "Modernize CI/CD for containerized deployments," Altostrat must prioritize a robust suite of unit tests to provide developers with rapid feedback and ensure the high reliability of their operational workflows.

https://cloud.google.com/run/docs/multiple-regions

According to Google Cloud Architecture Framework and Cloud KMS documentation, when a customer requires direct control and auditability over the encryption keys used for data at rest, Customer-Managed Encryption Keys (CMEK) is the recommended path.

While Google Cloud encrypts all data at rest by default using Google-managed keys (Option B), Altostrat specifically requires control and auditability. By using CMEK through Cloud Key Management Service (Cloud KMS), Altostrat can manage the key rotation schedules, revoke access to keys immediately to "kill" access to the data, and view detailed logs in Cloud Audit Logs every time the key is used to encrypt or decrypt a media asset.

Option D is superior to Option C because client-side encryption with a self-managed HashiCorp Vault adds significant operational overhead and complexity, contradicting the business requirement to "Simplify infrastructure management." CMEK integrates natively with Cloud Storage, allowing for a seamless experience while meeting the strict security requirements for sensitive documentaries and interviews. Furthermore, the use of IAM roles and groups for fine-grained access control aligns with the principle of least privilege, ensuring that only authorized service accounts and users can access the sensitive buckets and the keys required to decrypt them.

https://cloud.google.com/blog/products/management-tools/how-to-use-pubsub-as-a-cloud-monitoring-notification-channel

https://cloud.google.com/solutions/iot -overview

https://cloud.google.com/iot/quotas

https://cloud.google.com/support/bulletins

Stackdriver Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud Platform and Amazon Web Services (AWS). Our API also allows ingestion of any custom log data from any source. Stackdriver Logging is a fully managed service that performs at scale and can ingest application and system log data from thousands of VMs. Even better, you can analyze all that log data in real time.

B: With Container Engine, Google will automatically deploy your cluster for you, update, patch, secure the nodes.

Kubernetes Engine's cluster autoscaler automatically resizes clusters based on the demands of the workloads you want to run.

C: Solutions like Datastore, BigQuery, AppEngine, etc are truly NoOps.

App Engine by default scales the number of instances running up and down to match the load, thus providing consistent performance for your app at all times while minimizing idle instances and thus reducing cost.

Note: At a high level, NoOps means that there is no infrastructure to build out and manage during usage of the platform. Typically, the compromise you make with NoOps is that you lose control of the underlying infrastructure.

https://kubernetes.io/docs/concepts/services-networking/ingress /

Overview of storage classes, price, and use cases https://cloud.google.com/storage/docs/storage-classes

Why export logs? https://cloud.google.com/logging/docs/export/

StackDriver Quotas and Limits for Monitoring https://cloud.google.c om/monitoring/quotas

The BigQuery pricing. https://clou d.google.com/bigquery/pricing

According to the Google Cloud Security Foundations Guide and VPC Service Controls (VPC-SC) documentation, the most effective way to prevent data exfiltration is to establish a service perimeter. This perimeter creates a virtual boundary that prevents sensitive data from being moved to unauthorized projects or outside the Google Cloud network.

For the Vertex AI environment specifically, the two critical services that must be protected are aiplatform.googleapis.com (the core Vertex AI API) and notebooks.googleapis.com (which governs Vertex AI Workbench instances). Including these in a service perimeter ensures that data within the Cymbal Retail project cannot be copied to external Cloud Storage buckets or other unauthorized APIs, even if a user has valid IAM permissions.

Option A is incorrect because ml.googleapis.com is the legacy AI Platform API, and document.googleapis.com (Document AI) does not cover the broader Vertex AI or Workbench environment. Option B (VPC Flow Logs) provides visibility but is a detective control, not a preventative one against exfiltration. Option D (Private Google Access) allows internal IPs to reach Google APIs but does not restrict where that data can go once the connection is made. Therefore, Option C provides the robust, enterprise-grade security required for sensitive data like fraud detection and customer churn models.

In modern DevOps on Google Cloud, the Cloud Build GitHub App (Option D) is the gold standard for integration. It is more secure and feature-rich than older webhook methods because it uses short-lived tokens and provides direct feedback (checks) within the GitHub UI. A critical part of this question is the security of credentials. Option B suggests checking a service account key into source code, which is a massive security "anti-pattern" and a common distractor in Google Cloud exams. Option D is the most efficient because Cloud Build handles the deployment to Cloud Run natively using its built-in service account permissions, eliminating the need for manual secret management or external configuration tools like Config Sync (Option C) for a simple application deployment.

https://cloud.google.com/storage/docs/gcs-fuse#notes

Cloud Filestore: Cloud Filestore is a scalable and highly available shared file service fully managed by Google. Cloud Filestore provides persistent storage ideal for shared workloads. It is best suited for enterprise applications requiring persistent, durable, shared storage which is accessed by NFS or requires a POSIX compliant file system.

https://cloud.google.com /pubsub/docs/publisher?hl=en#batching

https://cloud.google.com/kubernetes-engine/d ocs/concepts/private-cluster-concept#overview

The case does not call out the throughput being an issue. However, to achieve 99.99%, you need to have 4 connections as per Google recommendations. However, in the options only A has the option to add an additional Interconnect connection. https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview#availability

https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#disableexternalip

Binary Authorization to ensure only verified containers are deployed To ensure deployment are secure and and consistent, automatically scan images for vulnerabilities with container analysis (https://cloud.google.com/docs/ci-cd/overview?hl=en &skip_cache=true)

https://cloud.google.com/security/compliance/hipaa

based on the requirement of secure and high-performance connection between on-premises systems to Google Cloud

https://cloud.google.com/network-connectivity/docs/interconnect/tutorials/partner-creating-9999-availability

503 is service unavailable error. If the database was online everyone would get the 503 error.

https://cloud.google.com/docs/quota#capping_usage

Follow these rules of thumb when deciding whether to use gsutil or Storage Transfer Service:

When transferring data from an on-premises location, use gsutil.

When transferring data from another cloud storage provider, use Storage Transfer Service.

Otherwise, evaluate both tools with respect to your specific scenario.

Use this guidance as a starting point. The specific details of your transfer scenario will also help you determine which tool is more appropriate

https://cloud.google.com/storage-transfer/docs/overview

https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh

D: Handling "Unable to connect on port 22" error message

Possible causes include:

There is no firewall rule allowing SSH access on the port. SSH access on port 22 is enabled on all Compute Engine instances by default. If you have disabled access, SSH from the Browser will not work. If you run sshd on a port other than 22, you need to enable the access to that port with a custom firewall rule.

The firewall rule allowing SSH access is enabled, but is not configured to allow connections from GCP Console services. Source IP addresses for browser-based SSH sessions are dynamically allocated by GCP Console and can vary from session to session.

Note: The principle of least privilege and separation of duties are concepts that, although semantically different, are intrinsically related from the standpoint of security. The intent behind both is to prevent people from having higher privilege levels than they actually need

Principle of Least Privilege: Users should only have the least amount of privileges required to perform their job and no more. This reduces authorization exploitation by limiting access to resources such as targets, jobs, or monitoring templates for which they are not authorized.

Separation of Duties: Beyond limiting user privilege level, you also limit user duties, or the specific jobs they can perform. No user should be given responsibility for more than one related function. This limits the ability of a user to perform a malicious action and then cover up that action.

https://cloud.google.com/datastore/docs/concepts/overview

Common workloads for Google Cloud Datastore:

User profiles

Product catalogs

Game state

https://cloud.google.com/iam/docs/understanding-service-accounts

Migrating data to Google Cloud Platform

Let’s say that you have some data processing that happens on another cloud provider and you want to transfer the processed data to Google Cloud Platform. You can use a service account from the virtual machines on the external cloud to push the data to Google Cloud Platform. To do this, you must create and download a service account key when you create the service account and then use that key from the external process to call the Cloud Platform APIs.

https://cloud.google.com/blog/products/databases/getting-started-with-time-series-trend-predic tions-using-gcp