Professional-Cloud-DevOps-Engineer Google Cloud Certified - Professional Cloud DevOps Engineer Exam Free Practice Exam Questions (2025 Updated)

The best option for configuring Cloud Monitoring dashboards to only display metrics from the projects within one folder is to create new scoping projects for each folder. A scoping project is a project that defines which resources are monitored by Cloud Monitoring. You can create new scoping projects for each folder by using the gcloud monitoring register-project command. This way, you can associate each scoping project with a folder and only monitor the resources within that folder. You can then configure Cloud Monitoring dashboards to use the scoping projects as data sources and only display metrics from the projects within one folder.

The best option for implementing a scalable solution to support global Prometheus querying and minimize management overhead is to use Google Cloud Managed Service for Prometheus. Google Cloud Managed Service for Prometheus is a fully managed service that allows you to collect, query, and visualize metrics from your GKE clusters using Prometheus-based tooling. You can use Google Cloud Managed Service for Prometheus to query metrics across multiple clusters and regions using a global view. You can also use Google Cloud Managed Service for Prometheus to integrate with other Google Cloud services, such as Cloud Monitoring, Cloud Logging, and BigQuery. By using Google Cloud ManagedService for Prometheus, you can avoid managing and scaling your own Prometheus servers and focus on your application performance.

https://cloud.google.com/build/docs/securing-builds/use-encrypted-credentials

OOMKilled means the containers exceeded their allocated memory. Since the HPA isn't scaling up (stuck at min), this indicates the issue is not scale-related but container memory limits are too low.

"Pods terminated with OOMKilled have exceeded their memory limits. You should adjust the container's resource requests and limits."

— Kubernetes OOMKill Debug Guide

Scaling the number of replicas won't help if each replica crashes. You need to increase memory limits so pods can run reliably before autoscaling can even work.

https://cloud.google.com/blog/topics/retail/preparing-for-peak-holiday-season-while-wfh

https://devops.com/when-it-disaster-strikes-part-3-conducting-a-blameless-post-mortem/

Reason : Incident has not occurred yet, even when development team is already pushing new features multiple times a week. The option A says, to define an error budget "policy", not to define error budget(It is already present). Just simple means to bring in all stakeholders, and decide how to consume the error budget effectively that could bring balance between feature deployment and reliability.

The goals of this policy are to: -- Protect customers from repeated SLO misses -- Provide an incentive to balance reliability with other featureshttps://sre.google/workbook/error-budget-policy/

To securely connect Cloud Build to an AlloyDB cluster using a private IP address and adhere to Google-recommended security practices, you need to address two main aspects:

Network Connectivity:Ensuring Cloud Build can reach the private IP of the AlloyDB cluster.

Authentication/Credential Management:Securely authenticating Cloud Build to the AlloyDB cluster.

Let's break down why Option B is the most suitable:

Cloud Build Private Pool:AlloyDB is accessed via a private IP in your VPC. Cloud Build's default build environment runs on Google-managed infrastructure outside your VPC and cannot directly access private IP addresses. To enable this, you must use aCloud Build private pool. A private pool can be configured with VPC peering to your default VPC, allowing build steps running within that pool to access resources like your AlloyDB cluster via their private IPs. Option B correctly includes "execute the schema migration script in a private pool."  

Service Account with Permissions (IAM Database Authentication):AlloyDB supports IAM database authentication. This is a Google-recommended security practice because it allows you to manage database access using Google Cloud's Identity and Access Management (IAM) rather than relying on traditional database passwords.  

You would create a dedicated service account for Cloud Build (or use the private pool's service account).

This service account would be granted the necessary IAM roles to connect to the AlloyDB instance (e.g., roles/alloydb.client) and a database-level IAM role for login (e.g., roles/alloydb.user or roles/alloydb.admin depending on the permissions needed for schema migration).  

Cloud Build would then be configured to use this service account. The "permission to access the database" in Option B refers to these IAM permissions. This method avoids managing and distributing database passwords.

Analyzing the options:

A. Set up a Cloud Build private pool to access the database through a static external IP address...

While using a private pool is correct for network access, routing this through a staticexternalIP for a resource that has aprivateIP is generally not the first-choice secure pattern if direct private access is feasible. It adds complexity and a potential external exposure point, even if firewalled. The aim is to keep traffic within the private network as much as possible.

B. Create a service account that has permission to access the database. Configure Cloud Build to use this service account and execute the schema migration script in a private pool.

This option correctly combines the use of aprivate pool(for private IP network access) with aservice account having permissions(strongly implying IAM database authentication for AlloyDB, which is a best practice). This is a secure and robust approach.

C. Add the database username and encrypted password to the application configuration file...

Storing credentials, even if "encrypted" (the method and key management for encryption are unspecified and problematic), in application configuration files checked into source control or packaged with the application is a significant security risk and not a recommended practice.

D. Add the database username and password to Secret Manager. When running the schema migration script, retrieve the username and password from Secret Manager.

UsingSecret Managerto store database usernames and passwords is a Google-recommended practiceifyou are using password-based authentication. However, this optionalonedoes not solve the network connectivity issue for Cloud Build to reach the private IP of AlloyDB. You would still need a private pool. While D is good for secret management, B offers a more comprehensive solution that includes both the network aspect and implies a more modern authentication method (IAM database auth). If the question forced a choice between only doing secure credential storage (D) or doing IAM auth + private networking (B), B is more complete for the overall task.  

Conclusion:Option B is the most aligned with Google-recommended security practices as it addresses both the necessary private network connectivity via a Cloud Build private pool and promotes the use of IAM-based database authentication for AlloyDB, which is generally preferred over managing passwords.

References (General Concepts):

Cloud Build Private Pools for VPC Access:Google Cloud documentation for Cloud Build explicitly details using private pools to connect to resources in a VPC network.

See:https://www.google.com/search?q=https://cloud.google.com/build/docs/private-pools/accessing-private-resources-with-private-pools

AlloyDB IAM Database Authentication:Google Cloud documentation for AlloyDB highlights IAM database authentication as a secure method.

See:https://www.google.com/search?q=https://cloud.google.com/alloydb/docs/iam-authentication

Secret Manager:If password authentication were the only option, Secret Manager would be the recommended way to store those credentials.

See:https://cloud.google.com/secret-manager

Option B synergizes the benefits of private networking and modern IAM-based authentication for a comprehensive secure solution.

https://cloud.google.com/storage/docs/best-practices

https://cloud.google.com/build/docs/speeding-up-builds#caching_directories_with_google_cloud_storage

Caching directories with Google Cloud Storage To increase the speed of a build, reuse the results from a previous build. You can copy the results of a previous build to a Google Cloud Storage bucket, use the results for faster calculation, and then copy the new results back to the bucket. Use this method when your build takes a long time and produces a small number of files that does not take time to copy to and from Google Cloud Storage.

   upvoted 2 times

Eliminate bad monitoring : Unactionable alerts (i.e., spam)https://cloud.google.com/blog/products/management-tools/meeting-reliability-challenges-with-sre-principles

agree with kyubiblaze about having to remove unactionable items aka spam: "good monitoring alerts on actionable problems" @https://cloud.google.com/blog/products/management-tools/meeting-reliability-challenges-with-sre-principles

The best option for selecting a deployment and testing strategy that meets your requirements is to use blue/green deployment and canary testing. A blue/green deployment is a deployment strategy that involves creating two identical environments, one running the current version of the application (blue) and one running the new version of the application (green). The traffic is switched from blue to green after testing the new version, and if any issues are discovered, the traffic can be switched back to blue instantly. This way, you can reduce the complexity of release deployments and minimize the duration of deployment rollbacks. A canary testing is a testing strategy that involves releasing a new version of an application to a subset of users or servers and monitoring its performance and reliability. This way, you can test real production traffic with a gradual increase in the number of affected users.

https://cloud.google.com/logging/docs/logs-based-metrics#counter-metric

The correct answer is B. Store the password in Secret Manager and mount the secret as a volume within the application.

Secret Manager is a service that allows you to securely store and manage sensitive data such as passwords, API keys, certificates, and tokens.You can use Secret Manager to rotate your secrets automatically or manually, and access them from your Cloud Run applications1.

There are two ways to use secrets from Secret Manager in Cloud Run:

As environment variables: You can set environment variables that point to secrets in Secret Manager. Cloud Run will resolve the secrets at runtime and inject them into the environment of your application. However, this method has some limitations, such as:

The environment variables are cached for up to 10 minutes, so you may not get the latest version of the secret immediately.

The environment variables are visible in plain text in the Cloud Console and the Cloud SDK, which may expose sensitive information.

The environment variables are limited to 4 KB of data, which may not be enough for some secrets.2

As file system volumes: You can mount secrets from Secret Manager as files in a volume within your application. Cloud Run will create a tmpfs volume and write the secrets as files in it. This method has some advantages, such as:

The files are updated every 30 seconds, so you can get the latest version of the secret faster.

The files are not visible in the Cloud Console or the Cloud SDK, which provides better security.

The files can store up to 64 KB of data, which allows for larger secrets.3

Therefore, for your use case, it is better to use the second method and mount the secret as a file system volume within your application. This way, you can ensure that your application has the latest password, and you can deploy it with no downtime.

To mount a secret as a file system volume in Cloud Run, you can use the following command:

gcloud beta run deploy SERVICE --image IMAGE_URL --update-secrets=/path/to/file=secretName:version

where:

SERVICE is the name of your Cloud Run service.

IMAGE_URL is the URL of your container image.

/path/to/file is the path where you want to mount the secret file in your application.

secretName is the name of your secret in Secret Manager.

version is the version of your secret.You can uselatestto get the most recent version.3

You can also use the Cloud Console to mount secrets as file system volumes. For more details, seeMounting secrets from Secret Manager.

The correct answer is B. Apply the constraints/iam.disableServiceAccountKeyCreation constraint to the organization.

According to the Google Cloud documentation, the constraints/iam.disableServiceAccountKeyCreation constraint is an organization policy constraint that prevents the creation of user-managed service account keys1.User-managed service account keys are long-lived credentials that can be downloaded as JSON or P12 files and used to authenticate as a service account2.These keys pose severe security risks if they are leaked, stolen, or misused by unauthorized entities34.By applying this constraint to the organization, you can completely eliminate the risks associated with the use of JSON service account keys and enforce a more secure alternative for authentication, such as Workload Identity or short-lived access tokens12. This also minimizes operational overhead by avoiding the need to manage, rotate, or revoke user-managed service account keys.

The other options are incorrect because they do not completely eliminate the risks associated with the use of JSON service account keys. Option A is incorrect because it only restricts the IAM permissions to create, list, get, delete, or sign service account keys, but it does not prevent existing keys from being used or leaked. Option C is incorrect because it only disables the upload of user-managed service account keys, but it does not prevent the creation or download of such keys. Option D is incorrect because it only limits the IAM role that can create and manage service account keys, but it does not prevent the keys from being distributed or exposed to unauthorized entities.

https://sre.google/workbook/implementing-slos/

https://cloud.google.com/architecture/adopting-slos/

Latency is commonly measured as a distribution. Given a distribution, you can measure various percentiles. For example, you might measure the number of requests that are slower than the historical 99th percentile.