1. An architect is designing a multi-tenant analytics platform on Google Cloud where each tenant's data must be completely isolated. The platform ingests streaming data via Pub/Sub and stores processed results in BigQuery for tenant reporting. The company expects to onboard up to 500 tenants within the next year. Which isolation model BEST balances security, scalability, and operational efficiency? (Select TWO)
- A. Create a dedicated GCP project per tenant, with tenant-specific Pub/Sub topics, Dataflow jobs, and BigQuery datasets; use a central management project for shared services.✓ Correct
- B. Use a single BigQuery dataset for all tenants with a 'tenant_id' column in every table, and rely on column-level security and VPC Service Controls to enforce isolation.
- C. Use a single GCP project with per-tenant BigQuery datasets and authorized views, combined with IAM bindings granting each tenant access only to their dataset.
- D. Deploy a separate GKE cluster per tenant in dedicated projects to run isolated Dataflow-equivalent processing workloads.
- E. Use a single Pub/Sub topic with tenant-ID-based message filtering at the subscriber level, and separate BigQuery datasets per tenant in a single project.
- F. Adopt a hybrid model: group tenants into pools of ~50 per GCP project, with per-tenant BigQuery datasets and Pub/Sub topics within each pool project, managed through a central Terraform-based IaC pipeline.✓ Correct
Explanation
Option A (dedicated project per tenant) provides the strongest isolation boundary on Google Cloud — projects are the primary security and billing boundary. However, at 500 tenants this introduces project management overhead, which is why it works best with strong automation. Option F (pooled tenants per project with IaC automation) balances security isolation (per-tenant datasets and topics) with operational scalability, avoiding the overhead of 500 individual projects while maintaining logical isolation through IAM and resource naming — this is a well-recognized pattern for scaling multi-tenant SaaS on GCP. A single BigQuery dataset with tenant_id (B) provides the weakest isolation — a misconfigured query could expose cross-tenant data, and column-level security alone is not sufficient for strict multi-tenant isolation. Per-tenant datasets with authorized views in a single project (C) is a partial approach but all tenants share project-level resources and quotas, creating noisy-neighbor risks at 500 tenants. Separate GKE clusters per tenant (D) is extremely expensive and operationally prohibitive. A single Pub/Sub topic with filter-based isolation (E) is fragile — subscriber misconfiguration could expose cross-tenant messages and does not provide true isolation.