
ACE Sample Questions, Practice Test & Simulator | Associate Cloud Engineer

ACE sample questions, mock-exam practice, and simulator access with detailed explanations in IT Mastery on web, iOS, and Android.

ACE is Google Cloud’s Associate Cloud Engineer certification for candidates who need practical Google Cloud deployment, IAM, networking, operations, and troubleshooting judgment. If you are searching for ACE sample questions, a practice test, mock exam, or exam simulator, this is the main IT Mastery page to start on web and continue on iOS or Android with the same account.

Interactive Practice Center

Start a practice session for Google Cloud Associate Cloud Engineer (ACE) below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.


A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same account used on mobile.

Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and then sign in with the same account on web to continue your sessions on desktop.

What this ACE practice page gives you

  • a direct route into the IT Mastery simulator for ACE
  • topic drills and mixed sets across projects, IAM, compute, storage, networking, monitoring, and troubleshooting
  • detailed explanations that show why the best Google Cloud answer is correct
  • a clear free-preview path before you subscribe
  • the same account across web and mobile

Who ACE is for

  • cloud administrators, platform engineers, and DevOps-focused candidates who deploy and operate workloads on Google Cloud
  • support or operations teams that need stronger project, IAM, network, and managed-service judgment
  • learners moving from general cloud knowledge into hands-on Google Cloud implementation and troubleshooting decisions

ACE exam snapshot

  • Vendor: Google Cloud
  • Official exam name: Associate Cloud Engineer
  • Exam code: ACE
  • Exam time: 2 hours
  • Question styles: multiple choice and multiple select
  • Recommended experience: 6+ months hands-on Google Cloud work

ACE questions usually reward the answer that fixes the real control boundary first: project, IAM role, service account, network path, or operational signal. The best option is usually the simplest Google-managed service or scope that satisfies the requirement without overbuilding.

Topic coverage for ACE practice

Skill area                                              What to train
Set up a cloud solution environment (10%)               resource hierarchy, billing, projects, gcloud, and initial IAM setup
Plan and configure a cloud solution (15%)               compute, storage, networking, databases, and service-fit decisions
Deploy and implement a cloud solution (30%)             workload deployment, managed-service rollout, configuration, and execution choices
Ensure successful operation of a cloud solution (25%)   logging, monitoring, reliability, backup, recovery, and troubleshooting
Configure access and security (20%)                     least privilege, service accounts, IAM scope, and network controls

What ACE questions usually test

  • picking the right GCP scope first: organization, folder, project, VPC, subnet, or service account
  • choosing the simplest managed service that satisfies the requirement without overengineering
  • recognizing when the fix belongs in IAM, networking, logging, or deployment workflow rather than in application code
  • troubleshooting from the operational signal first, such as logs, metrics, permissions, startup behavior, or routing

How to use the ACE simulator efficiently

  1. Start with project hierarchy, billing, IAM, and service-account scope until you can tell when the fix belongs at the organization, folder, or project layer.
  2. Move into deployment and implementation scenarios so Compute Engine, Cloud Run, GKE, storage, and networking choices feel routine.
  3. Review every miss until you can explain why the right Google Cloud service, runtime, permission, or network boundary fits the scenario better than the distractors.
  4. Finish with mixed and timed runs so deployment, operations, security, and troubleshooting decisions all feel normal under exam pace.

Free preview vs premium

  • Free preview: a smaller web set so you can validate the question style and explanation depth.
  • Premium: the full ACE question bank, focused drills, mixed sets, detailed explanations, and progress tracking across web and mobile.

24 ACE sample questions with detailed explanations

1.

Over the weekend, your organization’s primary Cloud Billing account was suspended because of a failed payment. On Monday you see that production Compute Engine VMs and Cloud SQL instances in a linked project have stopped, and you cannot create new resources. You must restore services quickly while avoiding unnecessary data migration or resource recreation. What should you do first?

Options:

  • A. Create a new project with a different Cloud Billing account, recreate all resources there, and then delete the original project.
  • B. Update the payment method to fix the issue and reactivate the existing Cloud Billing account, then restart the stopped resources in the same project.
  • C. Export all data from Cloud Storage and Cloud SQL immediately, then update billing, because Google Cloud deletes all data as soon as billing is suspended.
  • D. Wait for the next monthly invoice cycle; the resources will automatically restart once Google Cloud resumes charging the account.

Best answer: B

Explanation: The option that updates the payment method and reactivates the existing Cloud Billing account, then restarts resources, is correct because it:

  • Directly addresses the root cause: the suspended billing account.
  • Uses the same project and resources, recognizing that suspension usually stops or disables resources but does not delete them immediately.
  • Minimizes operational overhead and downtime by avoiding unnecessary migration or recreation of resources.

This matches Google Cloud’s documented behavior: restoring billing typically allows you to bring your workloads back online without losing resources.

2.

Your team runs a small internal web app on a single Compute Engine VM in a Google Cloud project that is linked to your company’s primary billing account. Last month a misconfigured script caused unexpected charges. Finance now requires automated email alerts if this project’s monthly charges exceed $200, but they do not want a separate billing account, and the app must remain available at all times. What should you do to optimize the current setup?

Options:

  • A. Unlink the project from the billing account as soon as charges reach $200 so that no additional charges can be incurred.
  • B. Create a budget on the existing billing account scoped to this project with a $200 threshold and configure email alerts to the finance team.
  • C. Create a new billing account dedicated to this project, link the project to it, and have finance manually review its charges every week.
  • D. Move the VM to a new project that has no billing account attached so that it cannot incur unexpected charges.

Best answer: B

Explanation: Setting a budget on the existing billing account, scoped to the specific project, directly addresses all requirements: it provides automated alerts at the $200 spend level, does not require a new billing account, and keeps billing active so the VM and app continue to run. This approach optimizes operations and cost visibility using standard Google Cloud billing features without changing the current deployment.

3.

You are designing the data layer for a new mobile game running on Google Cloud. You must:

  • Store player profile data as small JSON-like objects and support flexible queries (for example, filter by country, last login date, or player level).
  • Ingest and store high-volume gameplay telemetry events (millions of writes per second globally) with single-digit-millisecond latency for recent lookups by player ID and time range.
  • Use fully managed NoSQL services where possible.

Which of the following actions/solutions will meet these requirements? (Select TWO.)

Options:

  • A. Store player profiles in Firestore in Native mode, and store gameplay telemetry in BigQuery using streaming inserts for real-time analytics queries by player and time.
  • B. Store player profiles in Firestore in Native mode, and store gameplay telemetry in Cloud Bigtable in a dedicated cluster in the same region as the game servers.
  • C. Store both player profiles and gameplay telemetry in Firestore in Native mode, using separate collections and composite indexes for telemetry queries.
  • D. Store player profiles in Firestore in Native mode collections, and store gameplay telemetry in Cloud Bigtable, modeling rows to support efficient lookups by player ID and time range.
  • E. Store player profiles in Cloud SQL for PostgreSQL and gameplay telemetry as JSON objects in Cloud Storage, querying both with Dataflow jobs.

Correct answers: B and D

Explanation: Both correct options choose Firestore for player profiles and Cloud Bigtable for telemetry:

  • The choice that stores player profiles in Firestore and telemetry in Cloud Bigtable with a schema designed for lookups by player and time directly matches the access patterns: Firestore’s document model and indexing for profile queries, and Bigtable’s key-based, wide-column design for large-scale telemetry.
  • The choice that stores profiles in Firestore and telemetry in Cloud Bigtable in a regional cluster colocated with game servers also fully meets the requirements, combining the same service split with good latency by placing Bigtable close to the application.

In both cases, the workload that needs flexible queries uses Firestore, and the workload that needs massive scale and ultra-low-latency key-based access uses Cloud Bigtable, which is the core differentiation the question is testing.

4.

You configured a Compute Engine VM with all required software and ran the following command:

  gcloud compute disks snapshot appserver-1 \
    --snapshot-names=appserver-base \
    --zone=us-central1-a

You want to standardize this OS and software configuration for new VMs in multiple zones. Based only on the exhibit, what should you do next?

Options:

  • A. Create all future boot disks directly from the appserver-base snapshot, because snapshots are designed to be golden templates.
  • B. Enable an automatic snapshot schedule on appserver-1 so new VMs automatically boot from the latest snapshot.
  • C. Create a custom image from the appserver-base snapshot and use that image when creating new VMs.
  • D. Create additional zonal snapshots from appserver-base in each zone where you need VMs and use those snapshots as boot sources.

Best answer: C

Explanation: The choice to create a custom image from the appserver-base snapshot and then use that image for new VMs aligns exactly with the goal of standardizing VM OS and software configurations. The exhibit confirms that a snapshot already exists, so the appropriate follow‑up is to convert that snapshot into a reusable golden image, which is how Compute Engine is designed to provide consistent templates.

5.

Your company has just created a new Google Cloud organization and wants to regularly analyze all projects for IAM and policy misconfigurations. You plan to use Cloud Asset Inventory together with Gemini Cloud Assist. Which of the following actions is NOT an appropriate part of this setup?

Options:

  • A. Configure a Cloud Asset Inventory feed that publishes changes to a Pub/Sub topic, and trigger a Cloud Run function to notify the security team about newly created high-risk resources.
  • B. Create a highly privileged service account with roles/owner on every project, download its JSON key, and share the key file with all engineers so they can run Gemini Cloud Assist analysis from their laptops.
  • C. Enable the Cloud Asset Inventory API at the organization level and configure a scheduled export of all assets to a BigQuery dataset in a dedicated security project.
  • D. Grant the security team roles/cloudasset.viewer at the organization level, and have them use Gemini Cloud Assist in the Cloud Console to review IAM and policy recommendations.

Best answer: B

Explanation: The choice that creates a highly privileged service account with roles/owner on every project and then shares its downloaded JSON key with all engineers is the incorrect action.

This approach violates multiple best practices:

  • It breaks least privilege by granting Owner on every project, which includes powerful permissions like modifying IAM and deleting resources.
  • It uses a long-lived service account key, which is more difficult to manage and rotate than user credentials or short-lived tokens.
  • It shares that key file across many engineers, making it impossible to attribute actions to a single identity and greatly increasing the blast radius of a compromise.
  • Gemini Cloud Assist can operate using users’ existing IAM permissions in the Cloud Console and centrally collected asset data; it does not require a shared, over-privileged key.

Because it is both unnecessary and unsafe, this option is the one action that is not appropriate for setting up Cloud Asset Inventory and Gemini Cloud Assist analysis.

6.

You manage several microservices running on GKE Autopilot in a single project. All Pods use the same Google Cloud service account shared-app-sa@project-id.iam.gserviceaccount.com via Workload Identity. After the security team removed the roles/pubsub.publisher role from this service account to follow least privilege, one microservice started logging 403 PERMISSION_DENIED errors when publishing to Pub/Sub, while other services still work. You want a long-term fix that avoids this type of conflict and follows least privilege. What should you do?

Options:

  • A. Grant roles/pubsub.publisher to the user account that deployed the failing microservice so it can publish messages through that user’s credentials instead of the service account.
  • B. Re-add roles/editor to the existing shared service account so all microservices have enough permissions, and rely on audit logs to detect misuse.
  • C. Enable the Pub/Sub API on the project that hosts the cluster so that the microservice can call Pub/Sub without permission errors.
  • D. Create a dedicated Google Cloud service account for each microservice, grant each service account only the roles it needs, and update each Kubernetes service account to use its own Google Cloud service account binding.

Best answer: D

Explanation: The choice to create a dedicated Google Cloud service account for each microservice, grant only needed roles, and update each Kubernetes service account binding directly addresses both the immediate problem and the long-term design.

It resolves the 403 error by allowing you to give roles/pubsub.publisher only to the service account used by the Pub/Sub–publishing microservice. At the same time, other microservices can continue using their own service accounts with more limited roles. This follows recommended patterns for service account strategy on Google Cloud: use workload-specific service accounts to balance manageability and least privilege.

7.

Your team is creating a new Google Cloud project for a microservices application on Cloud Run. A “developers” Google Group will build and deploy Cloud Run services and needs to view application logs for troubleshooting. They must not be able to modify IAM policies, manage billing, or delete the project. Which IAM configuration BEST follows the principle of least privilege?

Options:

  • A. Grant the “developers” group the Cloud Run Admin role at the organization level so they can manage Cloud Run services in any project.
  • B. Grant each developer the Owner role on the project so they can manage all aspects of the services they deploy.
  • C. Grant the “developers” group the predefined roles Cloud Run Developer and Logs Viewer on the project.
  • D. Grant the “developers” group the predefined roles Editor and Logs Viewer on the project.

Best answer: C

Explanation: Granting the “developers” group Cloud Run Developer and Logs Viewer on the project gives them:

  • The ability to deploy and update Cloud Run services (Cloud Run Developer).
  • Read access to logs for troubleshooting (Logs Viewer).
  • No permissions to manage IAM, billing, or delete the project.

These roles are applied at the project scope, which matches the requirement to work only in that project, and they avoid the overly broad permissions of basic roles like Owner and Editor. This is the clearest application of least privilege for the described developer persona.

8.

You run a nightly batch Dataflow job that loads data into BigQuery. When there is an incident, the on-call engineer currently searches Cloud Logging to infer whether the job succeeded or failed. You want to simplify operations while following least privilege. What should you do?

Options:

  • A. Grant the on-call group the Dataflow Viewer role on the project and have them use the Dataflow Jobs page in the console to see job state and errors.
  • B. Modify the Dataflow pipeline code to write a status file to Cloud Storage at the end of each run and grant the on-call group Storage Object Viewer on the bucket.
  • C. Grant the on-call group the Owner role on the project so they can access all logs, metrics, and Dataflow configuration without restrictions.
  • D. Export all Dataflow logs to BigQuery, build a custom dashboard to show job success or failure, and grant the on-call group the BigQuery Admin role.

Best answer: A

Explanation: Granting the on-call group the Dataflow Viewer role and directing them to the Dataflow Jobs page uses Dataflow’s built-in visibility into job state. It lets them quickly see whether a job is running, failed, or succeeded and inspect errors, while keeping permissions read-only and narrow at the project level, satisfying both simplification and least-privilege goals.

9.

Your company uses Cloud NGFW to control traffic between Compute Engine app VMs and database VMs across several projects. Current rules list many individual VM IPs, and VMs are sometimes moved between subnets and projects. You want rules that refer to logical app and db groups instead of IPs and continue working after such moves. Which of the following actions/solutions will meet these requirements? (Select TWO.)

Options:

  • A. Add a Cloud Armor policy to the external HTTP(S) load balancer fronting the application to control which clients can reach it, instead of using Cloud NGFW between the app and database tiers.
  • B. Update all instance templates and VM provisioning workflows so app and database VMs automatically receive ‘app-tier’ and ‘db-tier’ secure tags, then configure Cloud NGFW rules that match on those secure tags instead of specific VM IPs.
  • C. Create Cloud NGFW address groups that contain the IP ranges of each app and database subnet, and write rules that allow traffic from the app subnets to the database subnets.
  • D. Create organization-level secure tags such as ‘app-tier’ and ‘db-tier’, attach them to the respective VMs, and update Cloud NGFW rules to use those secure tags as sources and destinations instead of IP ranges.
  • E. Grant the application VM service accounts the Cloud SQL Client role and rely on IAM to prevent unauthorized VMs from connecting to the database.

Correct answers: B and D

Explanation: The options that define and use secure tags for app and database tiers directly satisfy the requirement to avoid IP-based rules and instead base Cloud NGFW policies on logical groups. In both cases, Cloud NGFW rules match traffic using secure tags assigned to VMs, so the policy remains correct even if VM IP addresses, subnets, or projects change, as long as the tags correctly represent the VM’s role.

10.

You are auditing IAM on a project that hosts several Cloud Storage buckets. The current project-level IAM policy is shown below.

Principal                      Role           Level
group:dev-team@example.com     roles/editor   Project
group:sec-admins@example.com   roles/owner    Project

Developers in dev-team@example.com only need to read objects from a single bucket, gcs-logs-dev. To better follow least-privilege access control, what is the most appropriate change?

Options:

  • A. Remove roles/editor from dev-team@example.com at the project level and grant roles/storage.objectViewer on bucket gcs-logs-dev to dev-team@example.com.
  • B. Change the dev-team@example.com role from roles/editor to roles/viewer at the project level so they cannot modify resources.
  • C. Keep roles/editor for dev-team@example.com at the project level and also grant roles/storage.admin on bucket gcs-logs-dev so they can manage objects there.
  • D. Create a custom role at the project level that includes all Storage read and write permissions and assign it individually to each developer instead of using the group.

Best answer: A

Explanation: The choice to remove roles/editor from dev-team@example.com at the project level and grant roles/storage.objectViewer on bucket gcs-logs-dev is best because it:

  • Directly addresses the exhibit’s problem line where the dev group has roles/editor at the project level, which is overly broad.
  • Uses a predefined Storage role that focuses on object read access instead of generic project-wide capabilities.
  • Applies the role at the bucket level, limiting access exactly to the resource developers need, which is the essence of least privilege.

This change both narrows the permissions (from edit to read-only) and narrows the scope (from project to a single bucket).
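The narrowing described in this explanation, as an added example that is not part of the original question bank: a small audit over a constructed list of bindings matching the exhibit. `ACCESS_NEEDS` is an assumed statement of what the group actually needs (here, read access to one bucket), and the post-change check confirms no project-level basic role remains for that group.

```python
"""Audit a project-level IAM policy for over-broad basic-role grants.

Added example (not from the original page). CURRENT_POLICY is constructed
to mirror the exhibit table; ACCESS_NEEDS is an assumed record of the only
access the developer group requires.
"""
from dataclasses import dataclass

# Basic roles grant thousands of permissions across every service in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


@dataclass(frozen=True)
class Binding:
    principal: str   # e.g. "group:dev-team@example.com"
    role: str        # e.g. "roles/editor"
    resource: str    # "project" or "bucket:<bucket-name>"


# Constructed policy mirroring the exhibit.
CURRENT_POLICY = [
    Binding("group:dev-team@example.com", "roles/editor", "project"),
    Binding("group:sec-admins@example.com", "roles/owner", "project"),
]

# Assumed statement of need: principal -> (bucket, access level).
ACCESS_NEEDS = {
    "group:dev-team@example.com": ("gcs-logs-dev", "read"),
}

# A read-only need maps to the predefined object-level Storage role.
ROLE_FOR_NEED = {"read": "roles/storage.objectViewer"}


def find_overbroad_bindings(policy):
    """Return every binding that grants a basic role at project scope."""
    return [b for b in policy if b.resource == "project" and b.role in BASIC_ROLES]


def recommend_least_privilege(policy, needs):
    """Replace a project-level basic role with a bucket-scoped predefined role
    wherever the principal's documented need is a single bucket.

    Returns (new_policy, changes); principals without a documented narrower
    need (here the security admins) are left untouched for a human to review.
    """
    new_policy, changes = [], []
    for b in policy:
        need = needs.get(b.principal)
        if b.resource == "project" and b.role in BASIC_ROLES and need:
            bucket, level = need
            replacement = Binding(b.principal, ROLE_FOR_NEED[level], f"bucket:{bucket}")
            changes.append(f"remove {b.role} from {b.principal} at project scope")
            changes.append(f"grant {replacement.role} to {b.principal} on bucket {bucket}")
            new_policy.append(replacement)
        else:
            new_policy.append(b)
    return new_policy, changes


def principal_has_project_basic_role(policy, principal):
    """Post-change check: does the principal still hold a basic role project-wide?"""
    return any(
        b.principal == principal and b.resource == "project" and b.role in BASIC_ROLES
        for b in policy
    )


if __name__ == "__main__":
    for b in find_overbroad_bindings(CURRENT_POLICY):
        print("over-broad:", b)
    new_policy, changes = recommend_least_privilege(CURRENT_POLICY, ACCESS_NEEDS)
    for c in changes:
        print("change:", c)
    print("dev-team still holds a project basic role:",
          principal_has_project_basic_role(new_policy, "group:dev-team@example.com"))
```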

11.

You must implement a small background service that processes Pub/Sub messages. The team wants a fully managed Google Cloud compute option where developers only write and deploy function source code and do not build container images or manage servers. Which platform should you choose?

Options:

  • A. Compute Engine virtual machine instances
  • B. Cloud Run (fully managed) service
  • C. GKE Autopilot cluster
  • D. Cloud Run functions (2nd gen)

Best answer: D

Explanation: Cloud Run functions (2nd gen) is designed for event-driven or HTTP-triggered workloads where you only provide function source code. Google Cloud builds and manages the container image, handles autoscaling, and abstracts away servers and Kubernetes. This directly matches the requirement that the team wants a fully managed option without building containers or managing servers.

12.

Your company must retain all Cloud Audit Logs from several Google Cloud projects for 7 years to meet regulatory requirements. The logs are accessed only during rare compliance investigations (about once per year), and manual review is acceptable. The team wants to minimize ongoing storage cost and avoid managing additional databases. How should you export the logs?

Options:

  • A. Create a log sink that exports the logs to a Cloud SQL instance and store them in a relational table for long-term retention.
  • B. Create a log sink that exports the logs to a Cloud Storage bucket, and use lifecycle rules to move objects to lower-cost storage classes for long-term retention.
  • C. Create a log sink that exports the logs to a BigQuery dataset with a 7-year table expiration, and run queries when investigations are required.
  • D. Create a log sink that streams the logs to Pub/Sub and then forwards them to an external SIEM platform for long-term storage and analysis.

Best answer: B

Explanation: The choice to export logs to a Cloud Storage bucket and use lifecycle rules aligns perfectly with the scenario:

  • Cloud Storage provides durable, long-term storage suitable for multi-year retention.
  • Lifecycle rules can automatically move older logs into low-cost storage classes (for example, Coldline or Archive), greatly reducing cost for rarely accessed data.
  • No database or cluster needs to be managed; Cloud Storage is a fully managed object store with very low operational overhead.

This directly meets the requirements: 7-year retention, rare access, cost minimization, and avoiding additional databases.

13.

You run a public web application on Cloud Run behind a global HTTP(S) load balancer. During a recent incident, the service returned many HTTP 500 responses for several minutes, but no one was paged. You already see detailed request logs in Cloud Logging. You want an automated alert when the rate of 5xx responses exceeds 5% of all responses over a 5‑minute window. What should you do?

Options:

  • A. Export the HTTP request logs to BigQuery and schedule a query every 5 minutes that emails the team when the 5xx-to-total-response ratio exceeds 5%.
  • B. Configure an uptime check in Cloud Monitoring for the application endpoint and create an alert policy that triggers when the uptime check fails for more than 5 minutes.
  • C. Create a log-based alert in Cloud Logging that matches HTTP 500 entries and triggers if more than 100 such log entries appear in 5 minutes.
  • D. Configure a metric-based alert policy in Cloud Monitoring that uses the built-in HTTP request and 5xx response metrics to trigger when the 5xx ratio exceeds 5% over 5 minutes.

Best answer: D

Explanation: The choice to configure a metric-based alert policy in Cloud Monitoring using built-in HTTP request and 5xx metrics is correct because it:

  • Directly supports numeric thresholds and ratios over a time window.
  • Uses existing Cloud Run or load balancer metrics without extra plumbing.
  • Evaluates conditions continuously and near real time, ideal for incident response.
  • Accurately implements the requirement to alert when the 5xx percentage exceeds 5% over 5 minutes, not just when a raw count passes a threshold.
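To make the ratio-versus-count distinction concrete, here is an added example (not from the original page) that aggregates constructed request log lines into 5-minute windows and evaluates both conditions. The two traffic windows are constructed so that the ratio condition fires on a quiet period with a 20% error rate and the raw-count condition fires only on a busy period with a 1.5% error rate.

```python
"""Compare a 5xx-ratio condition with a raw-count condition over 5-minute windows.

Added example (not from the original page). The log lines are constructed
"timestamp status" pairs standing in for load balancer request logs.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300      # the question's 5-minute window
RATIO_THRESHOLD = 0.05    # alert when 5xx / total exceeds 5%
COUNT_THRESHOLD = 100     # the distractor: more than 100 5xx entries

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse a constructed line such as '2025-01-15T10:01:07Z 503'."""
    ts_text, status_text = line.split()
    ts = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, int(status_text)


def window_stats(lines, window=WINDOW_SECONDS):
    """Bucket requests into fixed windows; return {window_start_epoch: (total, errors)}."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, status = parse_line(line)
        key = int(ts.timestamp()) // window * window
        totals[key][0] += 1
        if 500 <= status <= 599:
            totals[key][1] += 1
    return {k: tuple(v) for k, v in totals.items()}


def ratio_alert(stats, threshold=RATIO_THRESHOLD):
    """Windows where the 5xx share of all responses exceeds the threshold."""
    return sorted(k for k, (total, errors) in stats.items()
                  if total and errors / total > threshold)


def count_alert(stats, threshold=COUNT_THRESHOLD):
    """Windows where the raw number of 5xx entries exceeds the threshold."""
    return sorted(k for k, (_, errors) in stats.items() if errors > threshold)


def make_window(start, total, errors):
    """Constructed traffic: `total` requests spread over the 5 minutes after
    `start`, the first `errors` of them returning 503."""
    base = datetime.strptime(start, TS_FORMAT).replace(tzinfo=timezone.utc)
    lines = []
    for i in range(total):
        ts = base.timestamp() + (i * WINDOW_SECONDS) // total
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime(TS_FORMAT)
        lines.append(f"{stamp} {503 if i < errors else 200}")
    return lines


# Quiet window: 50 requests, 10 failures (20%), but only 10 5xx entries.
# Busy window: 10,000 requests, 150 failures (1.5%), yet more than 100 entries.
SAMPLE_LOG = (make_window("2025-01-15T10:00:00Z", 50, 10)
              + make_window("2025-01-15T10:05:00Z", 10000, 150))


if __name__ == "__main__":
    stats = window_stats(SAMPLE_LOG)
    print("ratio alert windows:", ratio_alert(stats))
    print("count alert windows:", count_alert(stats))
```

The quiet window is the outage the question describes: few requests, most of them failing, and a count-based rule never notices it.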

14.

A company hosts static website assets in a Cloud Storage bucket located in the us-central1 regional location. During a recent us-central1 regional outage, the website became unavailable worldwide. Management now requires that the static content remain stored only in the United States but stay available even if a single U.S. region fails. What should you do to address the root cause?

Options:

  • A. Create an additional Cloud Storage bucket in europe-west1 and configure the website to read from either bucket.
  • B. Migrate the objects to a new Cloud Storage bucket in the US multi-region and update the website to use this bucket as the origin.
  • C. Keep the us-central1 bucket but enable Cloud CDN with cache keys distributed across multiple edge locations worldwide.
  • D. Change the existing us-central1 bucket’s storage class to Nearline to improve durability during outages.

Best answer: B

Explanation: Migrating to a Cloud Storage bucket in the US multi-region provides built-in cross-region redundancy within the United States. If one U.S. region fails, other regions in the multi-region still serve the data, maintaining website availability. At the same time, data residency is preserved because all replicas stay within U.S. regions.

15.

In Cloud SQL and AlloyDB, which feature is specifically designed to analyze query workloads and provide recommendations to create or drop indexes to improve performance?

Options:

  • A. Index advisor
  • B. Cloud Monitoring
  • C. Database Migration Service
  • D. Query Insights

Best answer: A

Explanation: Index advisor is correct because it is explicitly designed to analyze query patterns for Cloud SQL and AlloyDB and then recommend indexes to create or drop to improve performance.

16.

Which TWO of the following statements about adopting infrastructure as code (IaC) for an existing, manually created Google Cloud environment are INCORRECT and should NOT be followed? (Select TWO.)

Options:

  • A. To bring an existing Compute Engine VM under Terraform management, you must delete and recreate the VM so that Terraform can fully own its lifecycle.
  • B. Once a resource is managed by IaC, you should avoid making manual changes in the Google Cloud console or via gcloud, because those changes can cause configuration drift between the code and the actual resource.
  • C. A safe migration pattern is to begin managing shared, relatively static infrastructure (for example, VPC networks and subnets) with IaC first, and migrate more dynamic application resources later.
  • D. It is safe and recommended to let both Terraform and Google Cloud Deployment Manager manage the same resource concurrently, as long as you configure matching names and settings in both tools.
  • E. You can use tools such as Terraform import or Config Connector to start managing existing resources without recreating them, as long as the IaC configuration matches the current live settings.

Correct answers: A and D

Explanation: The statement claiming that you must delete and recreate a Compute Engine VM to bring it under Terraform management is incorrect because Terraform supports importing existing resources into state, allowing you to manage them without downtime or data loss. The statement suggesting that it is safe and recommended for both Terraform and Deployment Manager to manage the same resource is also incorrect, as dual control of a single resource by different IaC tools is a known anti‑pattern that leads to conflicting updates, broken plans, and potential service disruption.

17.

You scheduled a BigQuery query to populate a reporting table. The table was not updated, so you open the job details shown in the following exhibit.

Using only the information in the exhibit, how should you interpret the status of this job?

  BigQuery job details

  Job ID:        daily_report_2025_01_15_00_00
  Job type:      Query
  Start time:    2025-01-15 00:00:02 UTC
  End time:      2025-01-15 00:00:09 UTC
  Status:        Failed

  Error:
    Reason:   invalidQuery
    Location: line 5, column 12
    Message:  Unrecognized name: revenue_total at [5:12]

Options:

  • A. The query completed successfully but returned no rows.
  • B. The query failed because the SQL references a column name that BigQuery does not recognize.
  • C. The query is still running and may finish later.
  • D. The query succeeded, but a later load step into the table failed.

Best answer: B

Explanation: The choice stating that the query failed because the SQL references a column name that BigQuery does not recognize matches both the job status and the error details. The Status: Failed line confirms the job did not succeed, and the Error message Unrecognized name: revenue_total with Reason: invalidQuery clearly points to an invalid reference in the SQL text as the cause of the failure.

18.

You are troubleshooting a Cloud SQL for PostgreSQL instance that users report is frequently slow. You want to use built-in Google Cloud tools to find and optimize the most expensive queries. Which of the following actions is NOT an appropriate approach for this task?

Options:

  • A. Disable Query Insights on the instance and rely only on high-level CPU utilization graphs to diagnose slow queries.
  • B. Use Query Insights to filter queries by database and time range, then drill down into specific slow queries to inspect their text and execution trends.
  • C. Enable Query Insights on the Cloud SQL instance and review the list of top queries by latency to find slow statements.
  • D. Review index advisor recommendations for the instance and consider creating suggested indexes after testing their impact in a non-production environment.

Best answer: A

Explanation: The choice that disables Query Insights and relies only on high-level CPU utilization is incorrect for this scenario. CPU charts can confirm that the instance is under load but do not reveal which specific queries are responsible. Query Insights and the index advisor are explicitly designed to provide query-level visibility and tuning recommendations, so turning them off goes against best practice when investigating slow queries.

19.

A team enables Cloud Profiler on their production microservices to continuously capture CPU and memory profiles and identify hot code paths that waste resources. They plan to refactor the code paths that consume the most CPU to reduce the number of vCPUs required. Which primary cloud principle does this practice most directly support?

Options:

  • A. Performance and cost optimization through more efficient resource usage
  • B. High availability by distributing workloads across multiple regions
  • C. Security hardening by enforcing least privilege IAM policies
  • D. Infrastructure automation by defining all resources using Terraform

Best answer: A

Explanation: The choice that describes performance and cost optimization through more efficient resource usage matches both the stated use of Cloud Profiler and the outcome the team wants:

  • They are using Cloud Profiler to find hot code paths and high CPU/memory usage patterns.
  • Their goal is to refactor these parts so the service uses fewer vCPUs.

This is exactly how Cloud Profiler supports performance efficiency and cost optimization: by enabling code-level improvements that reduce resource consumption while maintaining or improving throughput and latency.

20.

Your team is troubleshooting intermittent 500 errors from a Cloud Run service. The application writes structured JSON logs with custom fields and labels. You want to inspect the full JSON payload and relevant labels for specific failing requests. Which action is NOT a recommended way to view this detailed context in Cloud Logging?

Options:

  • A. Filter in Logs Explorer using field paths such as jsonPayload.error.code="INTERNAL" and resource.labels.service_name to focus on failing requests.
  • B. Use Logs Explorer, click an individual log entry, and expand the jsonPayload and labels sections to see all nested fields.
  • C. In Logs Explorer, configure additional table columns for fields like jsonPayload.user_id and labels.cloud_run_service to quickly see context per row.
  • D. Export logs to Cloud Storage as raw JSON and write a custom script to parse every entry whenever you need to inspect details.

Best answer: D

Explanation: The option that exports logs to Cloud Storage and relies on a custom script to parse every entry is not a recommended approach for basic troubleshooting. It introduces extra steps, storage, and maintenance when Cloud Logging already provides a rich UI and query language that understands structured JSON fields and labels. For quickly viewing detailed context for specific 500 errors, you should use Logs Explorer directly, not build your own parser.

21.

You run a stateless web API on GKE that sometimes sees CPU spikes during traffic peaks. You want Kubernetes to automatically handle scaling while you keep managing only the Deployment and Service manifests. Which of the following configuration ideas is INCORRECT for this scenario?

Options:

  • A. Deploy a Vertical Pod Autoscaler in Auto mode for the Deployment with the goal of increasing or decreasing the number of pod replicas based on CPU utilization.
  • B. If pods are frequently throttled because CPU requests are too low, add a Vertical Pod Autoscaler to recommend or adjust CPU requests while continuing to use an HPA for replica scaling.
  • C. Use a Horizontal Pod Autoscaler that targets the Deployment and configures CPU-based scaling so additional replicas are created when CPU usage is high.
  • D. Create a Horizontal Pod Autoscaler for the Deployment that scales the number of pod replicas between 2 and 10 based on average CPU utilization.

Best answer: A

Explanation: The option that proposes using a Vertical Pod Autoscaler in Auto mode to increase or decrease the number of pod replicas based on CPU utilization is incorrect. VPA does not manage replica counts; it manages CPU and memory requests/limits for individual pods.

Replica scaling is the job of HPA. Treating VPA as a mechanism to add or remove pods conflates horizontal and vertical scaling responsibilities and indicates a wrong mental model, which is why this configuration idea is the one that should be avoided.
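The division of labour the explanation describes, shown as a pair of manifests. This is an added illustration, not part of the original question set or of any Google Cloud sample: the Horizontal Pod Autoscaler is the only object that changes the replica count, while the Vertical Pod Autoscaler runs in recommendation-only mode and publishes suggested CPU/memory requests that you apply to the Deployment yourself after testing (the pattern option B describes). The Deployment name web-api, the namespace prod, and the 2 to 10 replica bounds are assumed values.

```yaml
# Added example (not from the original page). Assumed: a Deployment named
# "web-api" in namespace "prod"; the numbers are illustrative.

# Horizontal Pod Autoscaler: the only object here that changes the replica count.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web-api-hpa
  namespace: prod
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web-api
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          # add replicas when the pods' average CPU use exceeds 60% of their CPU request
          averageUtilization: 60
---
# Vertical Pod Autoscaler in recommendation-only mode ("Off"): it never touches
# replica counts, and in this mode it does not rewrite pod requests either. It
# only publishes a CPU/memory recommendation (visible with
# `kubectl describe vpa web-api-vpa -n prod`) that you can copy into the
# Deployment's resource requests after testing the change.
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: web-api-vpa
  namespace: prod
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web-api
  updatePolicy:
    updateMode: "Off"
  resourcePolicy:
    containerPolicies:
      - containerName: "*"
        controlledResources: ["cpu", "memory"]
```

Keeping the VPA in "Off" mode matters when an HPA already scales on CPU: if the VPA were allowed to rewrite CPU requests automatically, the HPA's utilization percentage would change underneath it and the two autoscalers would react to each other's actions rather than to traffic. Neither manifest changes the semantics of option A; a VPA in any mode still has no field that sets the number of pods.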

22.

Your team runs a public web application behind an external HTTP(S) load balancer. To improve security, you plan to use Cloud Armor. Which of the following actions is NOT an appropriate use of Cloud Armor in this scenario?

Options:

  • A. Create Cloud Armor rules to rate-limit excessive requests from abusive clients in order to mitigate application-layer DoS attempts.
  • B. Disable Cloud Armor and rely only on VPC firewall rules, assuming they provide equivalent WAF and DDoS protection for the HTTP(S) load balancer.
  • C. Attach a Cloud Armor security policy to the backend service of the HTTP(S) load balancer to block known malicious patterns before they reach the application.
  • D. Use Cloud Armor to restrict access to a sensitive admin path on the web app to a limited set of trusted IP address ranges.

Best answer: B

Explanation: The choice that disables Cloud Armor and relies only on VPC firewall rules is incorrect because it misunderstands their roles. Cloud Armor is designed as a WAF and DDoS protection layer integrated with HTTP(S) load balancers, providing edge filtering, preconfigured WAF rules, rate limiting, and geo/IP-based controls. VPC firewalls alone cannot replicate these capabilities and operate deeper in the network, not at the global edge in front of the load balancer.

By removing Cloud Armor under the assumption that VPC firewall rules are equivalent, you violate defense-in-depth and lose important protections specifically targeted at HTTP(S) traffic, which is an unsafe configuration for a public web application.

23.

Your company runs most workloads in a single Google Cloud project. The finance team currently uses the Cloud Billing console cost charts but now wants to analyze costs by SKU, label, and project resource over time to identify optimization opportunities. They are comfortable using standard SQL and BI tools but do not want to manually download reports every month.

What should you do to best meet this requirement?

Options:

  • A. Enable Cloud Billing export of detailed usage cost data to a BigQuery dataset for the billing account and let the finance team query it directly or connect it to their BI tool.
  • B. Rely on the Cloud Billing console cost tables and export CSV files manually each month for the finance team to load into their BI tool.
  • C. Export Cloud Billing data as log entries to Cloud Logging and use log‑based metrics to approximate SKU‑level and resource‑level costs over time.
  • D. Create a budget with email alerts and use those alerts as the primary data source for the finance team’s cost optimization analysis.

Best answer: A

Explanation: Enabling Cloud Billing export of detailed usage cost data to BigQuery creates an automated, continuously updated dataset for the entire billing account. This dataset includes SKU‑level and resource‑level information and supports filtering and grouping by labels and other attributes.

Because the finance team is comfortable with SQL and BI tools, they can immediately use the BigQuery dataset for analysis and reporting. There is no need for recurring manual CSV exports, and the solution scales as usage grows. This directly satisfies the requirements: detailed analysis (by SKU and resource), queryable data, and no manual monthly downloads.

24.

You have a small GKE Autopilot cluster exposing a stateless HTTP webhook service to the public internet via an external HTTP(S) load balancer. An on-premises billing system sends infrequent but sometimes very bursty webhook requests, and during spikes the service returns 503 errors and your team struggles with Kubernetes tuning and operations. You want to handle burst traffic reliably while minimizing cluster management. What should you do?

Options:

  • A. Deploy the webhook container to Cloud Run and expose it via a public HTTPS URL, allowing Cloud Run to autoscale based on request load.
  • B. Replace the HTTP(S) load balancer with a TCP/UDP Network Load Balancer in front of the GKE service to improve scalability during bursts.
  • C. Increase the node pool size and set a higher minimum replica count for the Deployment on the existing GKE Autopilot cluster.
  • D. Create a new GKE Standard cluster with larger node machine types and enable cluster autoscaling for the webhook service.

Best answer: A

Explanation: Deploying the webhook container to Cloud Run and exposing it via a public HTTPS URL directly addresses all the requirements: it keeps the container-based implementation, supports public HTTP integration from the on-prem billing system, scales quickly to handle burst traffic, and greatly reduces operational burden by removing Kubernetes cluster management. This aligns with using Cloud Run for stateless, HTTP-based, bursty workloads where you want serverless autoscaling and minimal ops.

Need deeper concept review first?

If you want concept-first reading before heavier simulator work, use the companion guide at TechExamLexicon.com.