Google Professional Cloud Architect 시험

Question No : 1

Your web application has several VM instances running within a VPC. You want to restrict communications between instances to only the paths and ports you authorize, but you don’t want to rely on static IP addresses or subnets because the app can autoscale .
How should you restrict communications?

• A.Use separate VPCs to restrict traffic
• B.Use firewall rules based on network tags attached to the compute instances
• C.Use Cloud DNS and only allow connections from authorized hostnames
• D.Use service accounts and configure the web application particular service accounts to have access

답을 확인하기

정답:

Question No : 2

You are using Cloud Shell and need to install a custom utility for use in a few weeks.
Where can you store the file so it is in the default execution path and persists across sessions?

• A.~/bin
• B.Cloud Storage
• C./google/scripts
• D./usr/local/bin

답을 확인하기

정답:
Explanation:
https://medium.com/google-cloud/no-localhost-no-problem-using-google-cloud-shell-as-my-full-time-development-environment-22d5a1942439

Question No : 3

You need to evaluate your team readiness for a new GCP project. You must perform the evaluation and create a skills gap plan incorporates the business goal of cost optimization. Your team has deployed two GCP projects successfully to date .
What should you do?

• A.Allocate budget for team training. Set a deadline for the new GCP project.
• B.Allocate budget for team training. Create a roadmap for your team to achieve Google Cloud certification based on job role.
• C.Allocate budget to hire skilled external consultants. Set a deadline for the new GCP project.
• D.Allocate budget to hire skilled external consultants. Create a roadmap for your team to achieve Google Cloud certification based on job role.

답을 확인하기

정답:
Explanation:
https://services.google.com/fh/files/misc/cloud_center_of_excellence.pdf

Question No : 4

One of the developers on your team deployed their application in Google Container Engine with the Dockerfile below.
They report that their application deployments are taking too long.



You want to optimize this Dockerfile for faster deployment times without adversely affecting the app’s functionality.
Which two actions should you take? Choose 2 answers.

• A.Remove Python after running pip.
• B.Remove dependencies from requirements.txt.
• C.Use a slimmed-down base image like Alpine linux.
• D.Use larger machine types for your Google Container Engine node pools.
• E.Copy the source after the package dependencies (Python and pip) are installed.

답을 확인하기

정답:
Explanation:
The speed of deployment can be changed by limiting the size of the uploaded app, limiting the complexity of the build necessary in the Dockerfile, if present, and by ensuring a fast and reliable internet connection.
Note: Alpine Linux is built around musl libc and busybox. This makes it smaller and more resource efficient than traditional GNU/Linux distributions. A container requires no more than 8 MB and a minimal installation to disk requires around 130 MB of storage. Not only do you get a fully-fledged Linux environment but a large selection of packages from the repository.
References:
https://groups.google.com/forum/#!topic/google-appengine/hZMEkmmObDU
https://www.alpinelinux.org/about/

Question No : 5

You are running a cluster on Kubernetes Engine to serve a web application. Users are reporting that a specific part of the application is not responding anymore. You notice that all pods of your deployment keep restarting after 2 seconds. The application writes logs to standard output. You want to inspect the logs to find the cause of the issue .
Which approach can you take?

• A.Review the Stackdriver logs for each Compute Engine instance that is serving as a node in the cluster.
• B.Review the Stackdriver logs for the specific Kubernetes Engine container that is serving the unresponsive part of the application.
• C.Connect to the cluster using gcloud credentials and connect to a container in one of the pods to read the logs.
• D.Review the Serial Port logs for each Compute Engine instance that is serving as a node in the cluster.

답을 확인하기

정답:

Question No : 6

Your organization has a 3-tier web application deployed in the same network on Google Cloud Platform. Each tier (web, API, and database) scales independently of the others Network traffic should flow through the web to the API tier and then on to the database tier. Traffic should not flow between the web and the database tier .
How should you configure the network?

• A.Add each tier to a different subnetwork.
• B.Set up software based firewalls on individual VMs.
• C.Add tags to each tier and set up routes to allow the desired traffic flow.
• D.Add tags to each tier and set up firewall rules to allow the desired traffic flow.

답을 확인하기

정답:
Explanation:
https://aws.amazon.com/blogs/aws/building-three-tier-architectures-with-security-groups/
Google Cloud Platform (GCP) enforces firewall rules through rules and tags. GCP rules and tags can be defined once and used across all regions.
References:
https://cloud.google.com/docs/compare/openstack/ https://aws.amazon.com/it/blogs/aws/building-three-tier-architectures-with-security-groups/

Question No : 7

You want to optimize the performance of an accurate, real-time, weather-charting application. The data comes from 50,000 sensors sending 10 readings a second, in the format of a timestamp and sensor reading. Where should you store the data?

• A.Google BigQuery
• B.Google Cloud SQL
• C.Google Cloud Bigtable
• D.Google Cloud Storage

답을 확인하기

정답:
Explanation:
It is time-series data, So Big Table. https://cloud.google.com/bigtable/docs/schema-design-time-series
Google Cloud Bigtable is a scalable, fully-managed NoSQL wide-column database that is suitable for both real-time access and analytics workloads.
Good for:
✑ Low-latency read/write access
✑ High-throughput analytics
✑ Native time series support
✑ Common workloads:
✑ IoT, finance, adtech
✑ Personalization, recommendations
✑ Monitoring
✑ Geospatial datasets
✑ Graphs
References: https://cloud.google.com/storage-options/

Question No : 8

Your organization wants to control IAM policies for different departments independently, but centrally.
Which approach should you take?

• A.Multiple Organizations with multiple Folders
• B.Multiple Organizations, one for each department
• C.A single Organization with Folder for each department
• D.A single Organization with multiple projects, each with a central owner

답을 확인하기

정답:
Explanation:
Folders are nodes in the Cloud Platform Resource Hierarchy. A folder can contain projects, other folders, or a combination of both. You can use folders to group projects under an organization in a hierarchy. For example, your organization might contain multiple departments, each with its own set of GCP resources. Folders allow you to group these resources on a per-department basis. Folders are used to group resources that share common IAM policies. While a folder can contain multiple folders or resources, a given folder or resource can have exactly one parent.
References: https://cloud.google.com/resource-manager/docs/creating-managing-folders

Question No : 9

Your customer is receiving reports that their recently updated Google App Engine application is taking approximately 30 seconds to load for some of their users. This behavior was not reported before the update .
What strategy should you take?

• A.Work with your ISP to diagnose the problem.
• B.Open a support ticket to ask for network capture and flow data to diagnose the problem, then roll back your application.
• C.Roll back to an earlier known good release initially, then use Stackdriver Trace and logging to diagnose the problem in a development/test/staging environment.
• D.Roll back to an earlier known good release, then push the release again at a quieter period to investigate. Then use Stackdriver Trace and logging to diagnose the problem.

답을 확인하기

정답:
Explanation:
Stackdriver Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud Platform and Amazon Web Services (AWS). Our API also allows ingestion of any custom log data from any source. Stackdriver Logging is a fully managed service that performs at scale and can ingest application and system log data from thousands of VMs. Even better, you can analyze all that log data in real time.
References: https://cloud.google.com/logging/

Question No : 10

Your architecture calls for the centralized collection of all admin activity and VM system logs within your project.
How should you collect these logs from both VMs and services?

• A.All admin and VM system logs are automatically collected by Stackdriver.
• B.Stackdriver automatically collects admin activity logs for most services. The Stackdriver Logging agent must be installed on each instance to collect system logs.
• C.Launch a custom syslogd compute instance and configure your GCP project and VMs to forward all logs to it.
• D.Install the Stackdriver Logging agent on a single compute instance and let it collect all audit and access logs for your environment.

답을 확인하기

정답:
Explanation:
https://cloud.google.com/logging/docs/agent/default-logs

Question No : 11

You are managing an application deployed on Cloud Run for Anthos, and you need to define a strategy for deploying new versions of the application. You want to evaluate the new code with a subset of production traffic to decide whether to proceed with the rollout .
What should you do?

• A.Deploy a new revision to Cloud Run with the new version. Configure traffic percentage between revisions.
• B.Deploy a new service to Cloud Run with the new version. Add a Cloud Load Balancing instance in front of both services.
• C.In the Google Cloud Console page for Cloud Run, set up continuous deployment using Cloud Build for the development branch. As part of the Cloud Build trigger, configure the substitution variable TRAFFIC_PERCENTAGE with the percentage of traffic you want directed to a new version.
• D.In the Google Cloud Console, configure Traffic Director with a new Service that points to the new version of the application on Cloud Run. Configure Traffic Director to send a small percentage of traffic to the new version of the application.

답을 확인하기

정답:
Explanation:
https://cloud.google.com/run/docs/rollouts-rollbacks-traffic-migration

Question No : 12

Your customer support tool logs all email and chat conversations to Cloud Bigtable for retention and analysis.
What is the recommended approach for sanitizing this data of personally identifiable information or payment card information before initial storage?

• A.Hash all data using SHA256
• B.Encrypt all data using elliptic curve cryptography
• C.De-identify the data with the Cloud Data Loss Prevention API
• D.Use regular expressions to find and redact phone numbers, email addresses, and credit card numbers

답을 확인하기

정답:
Explanation:
Reference: https://cloud.google.com/solutions/pci-dss-compliance-ingcp#

Question No : 13

You team needs to create a Google Kubernetes Engine (GKE) cluster to host a newly built application that requires access to third-party services on the internet. Your company does not allow any Compute Engine instance to have a public IP address on Google Cloud. You need to create a deployment strategy that adheres to these guidelines .
What should you do?

• A.Create a Compute Engine instance, and install a NAT Proxy on the instance. Configure all workloads on GKE to pass through this proxy to access third-party services on the Internet
• B.Configure the GKE cluster as a private cluster, and configure Cloud NAT Gateway for the cluster subnet
• C.Configure the GKE cluster as a route-based cluster. Configure Private Google Access on the Virtual Private Cloud (VPC)
• D.Configure the GKE cluster as a private cluster. Configure Private Google Access on the Virtual Private Cloud (VPC)

답을 확인하기

정답:
Explanation:
A Cloud NAT gateway can perform NAT for nodes and Pods in a private cluster, which is a type of VPC-native cluster. The Cloud NAT gateway must be configured to apply to at least the following subnet IP address ranges for the subnet that your cluster uses:
Subnet primary IP address range (used by nodes)
Subnet secondary IP address range used for Pods in the cluster Subnet secondary IP address range used for Services in the cluster
The simplest way to provide NAT for an entire private cluster is to configure a Cloud NAT gateway to apply to all of the cluster's subnet's IP address ranges. https://cloud.google.com/nat/docs/overview

Question No : 14

Your company is designing its application landscape on Compute Engine. Whenever a zonal outage occurs, the application should be restored in another zone as quickly as possible with the latest application data. You need to design the solution to meet this requirement .
What should you do?

• A.Create a snapshot schedule for the disk containing the application data. Whenever a zonal outage occurs, use the latest snapshot to restore the disk in the same zone.
• B.Configure the Compute Engine instances with an instance template for the application, and use a regional persistent disk for the application data. Whenever a zonal outage occurs, use the instance template to spin up the application in another zone in the same region. Use the regional persistent disk for the application data.
• C.Create a snapshot schedule for the disk containing the application data. Whenever a zonal outage occurs, use the latest snapshot to restore the disk in another zone within the same region.
• D.Configure the Compute Engine instances with an instance template for the application, and use a regional persistent disk for the application data. Whenever a zonal outage occurs, use the instance template to spin up the application in another region. Use the regional persistent disk for the application data,

답을 확인하기

정답:
Explanation:
Regional persistent disk is a storage option that provides synchronous replication of data between two zones in a region. Regional persistent disks can be a good building block to use when you implement HA services in Compute Engine. https://cloud.google.com/compute/docs/disks/high-availability-regional-persistent-disk

Question No : 15

You created a pipeline that can deploy your source code changes to your infrastructure in instance groups for self healing.
One of the changes negatively affects your key performance indicator.
You are not sure how to fix it and investigation could take up to a week.
What should you do?

• A.Log in to a server, and iterate a fix locally
• B.Change the instance group template to the previous one, and delete all instances.
• C.Revert the source code change and rerun the deployment pipeline
• D.Log into the servers with the bad code change, and swap in the previous code

답을 확인하기

정답: