Associate Cloud Engineer · 25% of the exam

Deploying and implementing a cloud solution: free practice questions

5 sample questions from our 63-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Google Cloud exam.

1. You are deploying a containerized microservice to Cloud Run that exposes a REST API. The microservice reads configuration from environment variables. During deployment, you need to set an environment variable API_KEY to a value stored in Secret Manager. Which deployment method is most appropriate?

  • A. Use gcloud run deploy with the --set-env-vars flag and pass the secret value directly as a string
  • B. Use gcloud run deploy with the --set-secrets flag to reference the secret from Secret Manager, which Cloud Run automatically injects as an environment variable✓ Correct
  • C. Create a custom Dockerfile that retrieves the secret from Secret Manager during container build time and embeds it in the image
  • D. Deploy a Service Account key as an environment variable and use it to fetch the secret at runtime from within the application code
Explanation

Correct answer: (B) Cloud Run's --set-secrets flag (or secretRef in YAML) automatically injects secrets from Secret Manager as environment variables without embedding them in images or logs. Wrong answers: (A) Passing secret values directly in the command line exposes them in shell history and process listings; (C) Embedding secrets in container images at build time violates security best practices and makes rotation difficult; (D) Storing service account keys as environment variables is less secure than using Workload Identity or Secret Manager.

2. You are deploying a simple REST API using Cloud Run that reads configuration from a YAML file at startup. The YAML file is 2 MB and contains sensitive API keys. How should you provide this configuration to the Cloud Run service?

  • A. Package the YAML file in the container image and use environment variables to override sensitive values
  • B. Mount a Cloud Storage bucket as a filesystem volume and read the YAML from Cloud Storage at runtime
  • C. Store the configuration in Secret Manager and read it at container startup using the Secret Manager API✓ Correct
  • D. Use Cloud Run environment variables to pass the entire YAML content
  • E. Create a Cloud SQL database with configuration as records and query it at startup
Explanation

Option 2 is correct. Secret Manager is the appropriate service for storing sensitive data (API keys). Your container reads the secret at startup using the Secret Manager API. This keeps secrets out of container images and provides audit logging. Option 0 is incorrect; while you can package non-sensitive config in images, hardcoding or passing API keys via environment variables is insecure. Option 1 is incorrect; Cloud Run does not support direct filesystem mounts of Cloud Storage buckets; you would need to implement explicit object download logic. Option 3 is insecure for sensitive data and Cloud Run environment variable size limits (4 KB total) would not accommodate a 2 MB YAML file. Option 4 (Cloud SQL) is overkill for configuration management and adds unnecessary database overhead.

3. Your organization is migrating a legacy on-premises data warehouse to Google Cloud. The warehouse contains 50 TB of historical data that must be transferred securely and requires minimal downtime during cutover. The initial transfer is scheduled for a weekend. After the initial load, incremental daily changes must be replicated. Which GCP solution is most appropriate for this scenario?

  • A. Use gsutil -m cp to upload the 50 TB dataset to Cloud Storage in parallel, then use Cloud SQL Data Transfer Service for incremental updates
  • B. Use Google Cloud Storage Transfer Service to schedule a one-time bulk transfer of the 50 TB dataset, then use Dataflow for daily incremental replication
  • C. Use a combination of Cloud Data Transfer Appliance (physical device) for the initial 50 TB bulk transfer and a replication tool like Striim or Golden Gate for incremental changes✓ Correct
  • D. Use Cloud SQL Import/Export to directly import the on-premises database schema and data, with automatic change data capture (CDC) for incremental updates
Explanation

Correct answer: (C) For 50 TB of data, the Cloud Data Transfer Appliance (a physical device that ships data securely to Google Cloud) is ideal for the initial bulk load, avoiding bandwidth constraints. Third-party replication tools like Striim or Golden Gate then handle incremental CDC-based replication. Wrong answers: (A) gsutil is not suitable for 50 TB transfers and SQL Data Transfer Service is for cloud-to-cloud migrations; (B) Cloud Storage Transfer Service is designed for cloud-to-cloud transfers, not on-premises data, and Dataflow is for ETL, not replication; (D) Cloud SQL Import/Export is for database-specific formats and does not natively support continuous CDC without additional tooling.

4. You are configuring a Google Cloud HTTP(S) Load Balancer for a web application backend running on a GKE cluster. The load balancer receives requests from clients in multiple continents. Which two components must you configure to enable intelligent routing based on client location?

  • A. Backend services and Cloud Armor security policies
  • B. Cloud CDN and managed SSL certificates
  • C. Backend services in multiple regions and a Traffic Director policy✓ Correct
  • D. Backend services, URL maps, and Cloud DNS for geo-routing
  • E. Backend services, URL maps, and health checks to ensure proper routing✓ Correct
Explanation

Option 2 (Traffic Director) and option 4 (Backend services + URL maps + health checks) are correct, though for different reasons. Option 2 specifically mentions Traffic Director, which is designed for advanced geo-routing and global load balancing with traffic steering policies. Option 4 describes the core HTTP(S) LB components: backend services define regional backends, URL maps route traffic based on path/host, and health checks determine backend availability—together these enable multi-region routing. Option 0 includes Armor (security, not routing) along with backend services. Option 1 includes CDN (caching) and SSL, which are features but not specifically for geo-routing logic. Option 3 includes Cloud DNS, which is for domain name resolution, not load balancer routing configuration. The HTTP(S) Load Balancer inherently distributes traffic across regions using backend service affinity.

5. Your organization is setting up a VPC network with subnets in multiple regions. You need to restrict outbound traffic from your subnets to specific external services (e.g., only allow HTTPS to a partner API, block all other internet traffic). What is the minimal set of resources you need to configure?

  • A. Create a VPC, define subnets, and create firewall rules with direction egress on the subnets✓ Correct
  • B. Create a VPC, define subnets, create firewall rules with direction egress, and configure a Cloud NAT gateway
  • C. Create a VPC, define subnets, configure VPC Flow Logs, and create egress firewall rules
  • D. Create a VPC, define subnets, create an HTTP(S) load balancer, and attach firewall rules
Explanation

Option 0 is correct. You need a VPC, subnets, and egress firewall rules (direction=EGRESS with specific destination CIDRs/ports). This minimal setup restricts outbound traffic as required. Option 1 adds Cloud NAT, which is unnecessary if instances already have external IPs or you're only restricting outbound destinations via firewall rules (Cloud NAT is for providing outbound NAT to instances without external IPs). Option 2 includes VPC Flow Logs, which is monitoring, not a requirement for traffic restriction. Option 3 includes a load balancer, which is for inbound traffic distribution, not relevant to egress restriction. Note: Firewall rules must be the primary tool here; without them, you cannot restrict outbound traffic.

58 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free