[Dec 05, 2025] Verified Professional-Cloud-DevOps-Engineer dumps and 200 unique questions
Professional-Cloud-DevOps-Engineer Dumps for Pass Guaranteed - Pass Professional-Cloud-DevOps-Engineer Exam 2025
NEW QUESTION # 85
You are configuring the frontend tier of an application deployed in Google Cloud The frontend tier is hosted in ngmx and deployed using a managed instance group with an Envoy-based external HTTP(S) load balancer in front The application is deployed entirely within the europe-west2 region: and only serves users based in the United Kingdom. You need to choose the most cost-effective network tier and load balancing configuration What should you use?
- A. Standard Tier with a regional load balancer
- B. Premium Tier with a global load balancer
- C. Premium Tier with a regional load balancer
- D. Standard Tier with a global load balancer
Answer: C
Explanation:
Explanation
The most cost-effective network tier and load balancing configuration for your frontend tier is to use Premium Tier with a regional load balancer. Premium Tier is a network tier that provides high-performance and low-latency network connectivity across Google's global network. A regional load balancer is a load balancer that distributes traffic within a single region. Since your application is deployed entirely within the europe-west2 region and only serves users based in the United Kingdom, you can use Premium Tier with a regional load balancer to optimize the network performance and cost.
NEW QUESTION # 86
You support a popular mobile game application deployed on Google Kubernetes Engine (GKE) across several Google Cloud regions. Each region has multiple Kubernetes clusters. You receive a report that none of the users in a specific region can connect to the application. You want to resolve the incident while following Site Reliability Engineering practices. What should you do first?
- A. Use Stackdriver Logging to filter on the clusters in the affected region, and inspect error messages in the logs.
- B. Reroute the user traffic from the affected region to other regions that don't report issues.
- C. Use Stackdriver Monitoring to check for a spike in CPU or memory usage for the affected region.
- D. Add an extra node pool that consists of high memory and high CPU machine type instances to the cluster.
Answer: B
NEW QUESTION # 87
You are managing an application that exposes an HTTP endpoint without using a load balancer. The latency of the HTTP responses is important for the user experience. You want to understand what HTTP latencies all of your users are experiencing. You use Stackdriver Monitoring. What should you do?
- A. * In your application, create a metric with a metricKind set to CUMULATIVE and a valueType set to DOUBLE.
* In Stackdriver's Metrics Explorer, use a Line graph to visualize the metric. - B. * In your application, create a metric with a metricKind set to gauge and a valueType set to distribution.
* In Stackdriver's Metrics Explorer, use a Heatmap graph to visualize the metric. - C. * In your application, create a metric with a metricKind set to DELTA and a valueType set to DOUBLE.
* In Stackdriver's Metrics Explorer, use a Slacked Bar graph to visualize the metric. - D. * In your application, create a metric with a metricKind. set toMETRlc_KIND_UNSPECIFIEDanda valueType set to INT64.
* In Stackdriver's Metrics Explorer, use a Stacked Area graph to visualize the metric.
Answer: C
NEW QUESTION # 88
You are deploying a Cloud Build job that deploys Terraform code when a Git branch is updated. While testing, you noticed that the job fails. You see the following error in the build logs:
Initializing the backend. ..
Error: Failed to get existing workspaces : querying Cloud Storage failed: googleapi : Error
403
You need to resolve the issue by following Google-recommended practices. What should you do?
- A. Grant the roles/ owner Identity and Access Management (IAM) role to the Cloud Build service account on the project.
- B. Grant the roles/ storage. objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.
- C. Change the Terraform code to use local state.
- D. Create a storage bucket with the name specified in the Terraform configuration.
Answer: B
Explanation:
Explanation
The correct answer is D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.
According to the Google Cloud documentation, Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure1. Cloud Build uses a service account to execute your build steps and access resources, such as Cloud Storage buckets2. Terraform is an open-source tool that allows you to define and provision infrastructure as code3. Terraform uses a state file to store and track the state of your infrastructure4.
You can configure Terraform to use a Cloud Storage bucket as a backend to store and share the state file across multiple users or environments5.
The error message indicates that Cloud Build failed to access the Cloud Storage bucket that contains the Terraform state file. This is likely because the Cloud Build service account does not have the necessary permissions to read and write objects in the bucket. To resolve this issue, you need to grant the roles/storage.objectAdmin IAM role to the Cloud Build service account on the state file bucket. This role allows the service account to create, delete, and manage objects in the bucket6. You can use the gcloud command-line tool or the Google Cloud Console to grant this role.
The other options are incorrect because they do not follow Google-recommended practices. Option A is incorrect because it changes the Terraform code to use local state, which is not recommended for production or collaborative environments, as it can cause conflicts, data loss, or inconsistency. Option B is incorrect because it creates a new storage bucket with the name specified in the Terraform configuration, but it does not grant any permissions to the Cloud Build service account on the new bucket. Option C is incorrect because it grants the roles/owner IAM role to the Cloud Build service account on the project, which is too broad and violates the principle of least privilege. The roles/owner role grants full access to all resources in the project, which can pose a security risk if misused or compromised.
NEW QUESTION # 89
Your company uses a CI/CD pipeline with Cloud Build and Artifact Registry to deploy container images to Google Kubernetes Engine (GKE). Images are tagged with the latest commit hash and promoted to production after successful testing in the development and pre-production environments. A recent production deployment caused the application to fail due to untested integration functionality, requiring a disruptive manual rollback. During the rollback, you noticed many old and unused container images accumulating in Artifact Registry. You need to improve rollout and rollback management and clean up the old container images. What should you do?
- A. Deploy Cloud Service Mesh across the GKE clusters, and manually clean up Artifact Registry images.
- B. Adopt Cloud Deploy for managing deployments, and implement an Artifact Registry cleanup policy.
- C. Set up a rollback pipeline in Cloud Build, and implement an Artifact Registry cleanup policy.
- D. Adopt Cloud Deploy for managing deployments, and schedule a Cloud Build job for container image cleanup.
Answer: B
NEW QUESTION # 90
You are the Operations Lead for an ongoing incident with one of your services. The service usually runs at around 70% capacity. You notice that one node is returning 5xx errors for all requests. There has also been a noticeable increase in support cases from customers. You need to remove the offending node from the load balancer pool so that you can isolate and investigate the node. You want to follow Google-recommended practices to manage the incident and reduce the impact on users. What should you do?
- A. 1 . Drain traffic from the unhealthy node and remove the old node from service.2. Add a new node to the pool, wait for the new node to report as healthy, and then serve traffic to the new node.3. Monitor traffic to ensure that the pool is healthy and is handling traffic appropriately.4. Communicate your actions to the incident team.
- B. 1 . Drain traffic from the unhealthy node and remove the node from service.2. Monitor traffic to ensure that the error is resolved and that the other nodes in the pool are handling the traffic appropriately.3. Scale the pool as necessary to handle the new load.4. Communicate your actions to the incident team.
- C. 1. Communicate your intent to the incident team.2. Add a new node to the pool, and wait for the new node to report as healthy.3. When traffic is being served on the new node, drain traffic from the unhealthy node, and remove the old node from service.
- D. 1. Communicate your intent to the incident team.2. Perform a load analysis to determine if the remaining nodes can handle the increase in traffic offloaded from the removed node, and scale appropriately.3. When any new nodes report healthy, drain traffic from the unhealthy node, and remove the unhealthy node from service.
Answer: D
NEW QUESTION # 91
You are building and running client applications in Cloud Run and Cloud Functions Your client requires that all logs must be available for one year so that the client can import the logs into their logging service You must minimize required code changes What should you do?
- A. Update all images in Cloud Run and all functions in Cloud Functions to send logs to both Cloud Logging andthe client's logging service Ensure that all the ports required to send logs are open in the VPC firewall
- B. Create a storage bucket and appropriate VPC firewall rules Update all images in Cloud Run and allfunctions in Cloud Functions to send logs to a file within the storage bucket
- C. Create a Pub/Sub topic subscription and logging sink Configure the logging sink to send all logs into thetopic Give your client access to the topic to retrieve the logs
- D. Create a logs bucket and logging sink. Set the retention on the logs bucket to 365 days Configure thelogging sink to send logs to the bucket Give your client access to the bucket to retrieve the logs
Answer: D
NEW QUESTION # 92
Your application images are built wing Cloud Build and pushed to Google Container Registry (GCR). You want to be able to specify a particular version of your application for deployment based on the release version tagged in source control. What would you do when you push the image?
- A. Supply the source control tag as a parameter within the image name.
- B. Use GCR digest versioning to match the image to the tag in source control.
- C. Use Cloud Build to include the release version tag in the application image.
- D. Reference the image digest in the source control tag.
Answer: C
NEW QUESTION # 93
Your application images are built and pushed to Google Container Registry (GCR). You want to build an automated pipeline that deploys the application when the image is updated while minimizing the development effort. What should you do?
- A. Use Cloud Pub/Sub to trigger a Spinnaker pipeline.
- B. Use a custom builder in Cloud Build to trigger a Jenkins pipeline.
- C. Use Cloud Build to trigger a Spinnaker pipeline.
- D. Use Cloud Pub/Sub to trigger a custom deployment service running in Google Kubernetes Engine (GKE).
Answer: A
Explanation:
https://cloud.google.com/architecture/continuous-delivery-toolchain-spinnaker-cloud
https://spinnaker.io/guides/user/pipeline/triggers/pubsub/
The most efficient way to build an automated pipeline that deploys the application when the image is updated is to use Cloud Pub/Sub to trigger a Spinnaker pipeline. This way, you can leverage the built-in integration between GCR and Cloud Pub/Sub, and use Spinnaker as a continuous delivery platform for deploying your application .
NEW QUESTION # 94
You support the backend of a mobile phone game that runs on a Google Kubernetes Engine (GKE) cluster.
The application is serving HTTP requests from users. You need to implement a solution that will reduce the network cost. What should you do?
- A. Configure a Google Cloud HTTP Load Balancer as Ingress.
- B. Configure the VPC as a Shared VPC Host project.
- C. Configure your Kubernetes duster as a Private Cluster.
- D. Configure your network services on the Standard Tier.
Answer: D
Explanation:
Explanation
The Standard Tier network service offers lower network costs than the Premium Tier. This is the correct option to reduce the network cost for the application3.
NEW QUESTION # 95
You are currently planning how to display Cloud Monitoring metrics for your organization's Google Cloud projects. Your organization has three folders and six projects:
You want to configure Cloud Monitoring dashboards lo only display metrics from the projects within one folder You need to ensure that the dashboards do not display metrics from projects in the other folders You want to follow Google-recommended practices What should you do?
- A. Use the current app-one-dev, app-one-staging and app-one-prod projects as the scoping project for each folder
- B. Use the current app-one-prod project as the scoping project
- C. Create a single new scoping project
- D. Create new scoping projects for each folder
Answer: D
Explanation:
Explanation
The best option for configuring Cloud Monitoring dashboards to only display metrics from the projects within one folder is to create new scoping projects for each folder. A scoping project is a project that defines which resources are monitored by Cloud Monitoring. You can create new scoping projects for each folder by using the gcloud monitoring register-project command. This way, you can associate each scoping project with a folder and only monitor the resources within that folder. You can then configure Cloud Monitoring dashboards to use the scoping projects as data sources and only display metrics from the projects within one folder.
NEW QUESTION # 96
Your application runs on Google Cloud Platform (GCP). You need to implement Jenkins for deploying application releases to GCP. You want to streamline the release process, lower operational toil, and keep user data secure. What should you do?
- A. Implement Jenkins on local workstations.
- B. Implement Jenkins on Google Cloud Functions.
- C. Implement Jenkins on Compute Engine virtual machines.
- D. Implement Jenkins on Kubernetes on-premises
Answer: C
Explanation:
Explanation
Your application runs on Google Cloud Platform (GCP). You need to implement Jenkins for deploying application releases to GCP. You want to streamline the release process, lower operational toil, and keep user data secure. What should you do?
https://plugins.jenkins.io/google-compute-engine/
NEW QUESTION # 97
You are creating a CI/CD pipeline to perform Terraform deployments of Google Cloud resources Your CI/CD tooling is running in Google Kubernetes Engine (GKE) and uses an ephemeral Pod for each pipeline run You must ensure that the pipelines that run in the Pods have the appropriate Identity and Access Management (1AM) permissions to perform the Terraform deployments You want to follow Google-recommended practices for identity management What should you do?
Choose 2 answers
- A. Create a new JSON service account key for the Google service account store the key in the secret management store for the CI/CD tool and configure Terraform to use this key for authentication
- B. Create a new Kubernetes service account, and assign the service account to the Pods Use Workload Identity to authenticate as the Google service account
- C. Create a new Google service account, and assign the appropriate 1AM permissions
- D. Assign the appropriate 1AM permissions to the Google service account associated with the Compute Engine VM instances that run the Pods
- E. Create a new JSON service account key for the Google service account store the key as a Kubernetes secret, inject the key into the Pods, and set the boogle_application_credentials environment variable
Answer: B,C
Explanation:
Explanation
The best options for ensuring that the pipelines that run in the Pods have the appropriate IAM permissions to perform the Terraform deployments are to create a new Kubernetes service account and assign the service account to the Pods, and to use Workload Identity to authenticate as the Google service account. A Kubernetes service account is an identity that represents an application or a process running in a Pod. A Google service account is an identity that represents a Google Cloud resource or service. Workload Identity is a feature that allows you to bind Kubernetes service accounts to Google service accounts. By using Workload Identity, you can avoid creating and managing JSON service account keys, which are less secure and require more maintenance. You can also assign the appropriate IAM permissions to the Google service account that corresponds to the Kubernetes service account.
NEW QUESTION # 98
You are running an application on Compute Engine and collecting logs through Stackdriver. You discover that some personally identifiable information (Pll) is leaking into certain log entry fields. All Pll entries begin with the text userinfo. You want to capture these log entries in a secure location for later review and prevent them from leaking to Stackdriver Logging. What should you do?
- A. Create a basic log filter matching userinfo, and then configure a log export in the Stackdriver console with Cloud Storage as a sink.
- B. Use a Fluentd filter plugin with the Stackdriver Agent to remove log entries containing userinfo, and then copy the entries to a Cloud Storage bucket.
- C. Create an advanced log filter matching userinfo, configure a log export in the Stackdriver console with Cloud Storage as a sink, and then configure a tog exclusion with userinfo as a filter.
- D. Use a Fluentd filter plugin with the Stackdriver Agent to remove log entries containing userinfo, create an advanced log filter matching userinfo, and then configure a log export in the Stackdriver console with Cloud Storage as a sink.
Answer: B
Explanation:
Explanation
https://medium.com/google-cloud/fluentd-filter-plugin-for-google-cloud-data-loss-prevention-api-42bbb1308e76
NEW QUESTION # 99
You need to enforce several constraint templates across your Google Kubernetes Engine (GKE) clusters. The constraints include policy parameters, such as restricting the Kubernetes API. You must ensure that the policy parameters are stored in a GitHub repository and automatically applied when changes occur. What should you do?
- A. When there is a change in GitHub, use a web hook to send a request to Anthos Service Mesh, and apply the change.
- B. Configure Anthos Config Management with the GitHub repository. When there is a change in the repository, use Anthos Config Management to apply the change.
- C. Set up a GitHub action to trigger Cloud Build when there is a parameter change. In Cloud Build, run a gcloud CLI command to apply the change.
- D. Configure Config Connector with the GitHub repository. When there is a change in the repository, use Config Connector to apply the change.
Answer: B
Explanation:
The correct answer is C. Configure Anthos Config Management with the GitHub repository. When there is a change in the repository, use Anthos Config Management to apply the change.
According to the web search results, Anthos Config Management is a service that lets you manage the configuration of your Google Kubernetes Engine (GKE) clusters from a single source of truth, such as a GitHub repository1. Anthos Config Management can enforce several constraint templates across your GKE clusters by using Policy Controller, which is a feature that integrates the Open Policy Agent (OPA) Constraint Framework into Anthos Config Management2. Policy Controller can apply constraints that include policy parameters, such as restricting the Kubernetes API3. To use Anthos Config Management and Policy Controller, you need to configure them with your GitHub repository and enable the sync mode4. When there is a change in the repository, Anthos Config Management will automatically sync and apply the change to your GKE clusters5.
The other options are incorrect because they do not use Anthos Config Management and Policy Controller.
Option A is incorrect because it uses a GitHub action to trigger Cloud Build, which is a service that executes your builds on Google Cloud Platform infrastructure6. Cloud Build can run a gcloud CLI command to apply the change, but it does not use Anthos Config Management or Policy Controller. Option B is incorrect because it uses a web hook to send a request to Anthos Service Mesh, which is a service that provides a uniform way to connect, secure, monitor, and manage microservices on GKE clusters7. Anthos Service Mesh can apply the change, but it does not use Anthos Config Management or Policy Controller. Option D is incorrect because it uses Config Connector, which is a service that lets you manage Google Cloud resources through Kubernetes configuration. Config Connector can apply the change, but it does not use Anthos Config Management or Policy Controller.
Reference:
Anthos Config Management documentation, Overview. Policy Controller, Policy Controller. Constraint template library, Constraint template library. Installing Anthos Config Management, Installing Anthos Config Management. Syncing configurations, Syncing configurations. Cloud Build documentation, Overview.
Anthos Service Mesh documentation, Overview. [Config Connector documentation], Overview.
NEW QUESTION # 100
You need to define Service Level Objectives (SLOs) for a high-traffic multi-region web application. Customers expect the application to always be available and have fast response times. Customers are currently happy with the application performance and availability. Based on current measurement, you observe that the 90th percentile of latency is 120ms and the 95th percentile of latency is 275ms over a 28-day window. What latency SLO would you recommend to the team to publish?
- A. 90th percentile - 250ms
95th percentile - 400ms - B. 90th percentile - 100ms
95th percentile - 250ms - C. 90th percentile - 120ms
95th percentile - 275ms - D. 90th percentile - 150ms
95th percentile - 300ms
Answer: C
NEW QUESTION # 101
Your company has a Google Cloud resource hierarchy with folders for production test and development Your cyber security team needs to review your company's Google Cloud security posture to accelerate security issue identification and resolution You need to centralize the logs generated by Google Cloud services from all projects only inside your production folder to allow for alerting and near-real time analysis. What should you do?
- A. Create an aggregated log sink associated with the production folder that uses a Cloud Logging bucket as the destination
- B. Enable the Workflows API and route all the logs to Cloud Logging
- C. Create an aggregated log sink associated with the production folder that uses a Pub Sub topic as the destination
- D. Create a central Cloud Monitoring workspace and attach all related projects
Answer: A
Explanation:
The best option for centralizing the logs generated by Google Cloud services from all projects only inside your production folder is to create an aggregated log sink associated with the production folder that uses a Cloud Logging bucket as the destination. An aggregated log sink is a log sink that collects logs from multiple sources, such as projects, folders, or organizations. A Cloud Logging bucket is a storage location for logs that can be used as a destination for log sinks. By creating an aggregated log sink with a Cloud Logging bucket, you can collect and store all the logs from the production folder in one place and allow for alerting and near-real time analysis using Cloud Monitoring and Cloud Operations.
NEW QUESTION # 102
Your organization recently adopted a container-based workflow for application development. Your team develops numerous applications that are deployed continuously through an automated build pipeline to the production environment. A recent security audit alerted your team that the code pushed to production could contain vulnerabilities and that the existing tooling around virtual machine (VM) vulnerabilities no longer applies to the containerized environment. You need to ensure the security and patch level of all code running through the pipeline. What should you do?
- A. Set up Container Analysis to scan and report Common Vulnerabilities and Exposures.
- B. Reconfigure the existing operating system vulnerability software to exist inside the container.
- C. Implement static code analysis tooling against the Docker files used to create the containers.
- D. Configure the containers in the build pipeline to always update themselves before release.
Answer: C
Explanation:
https://cloud.google.com/binary-authorization
Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.
NEW QUESTION # 103
You recently deployed your application in Google Kubernetes Engine (GKE) and now need to release a new version of the application You need the ability to instantly roll back to the previous version of the application in case there are issues with the new version Which deployment model should you use?
- A. Perform A. B testing, and test your application periodically after the deployment is complete
- B. Perform a rolling deployment and test your new application after the deployment is complete
- C. Perform a blue/green deployment and test your new application after the deployment is complete
- D. Perform a canary deployment, and test your new application periodically after the new version is deployed
Answer: C
NEW QUESTION # 104
You are currently planning how to display Cloud Monitoring metrics for your organization's Google Cloud projects. Your organization has three folders and six projects:
You want to configure Cloud Monitoring dashboards lo only display metrics from the projects within one folder You need to ensure that the dashboards do not display metrics from projects in the other folders You want to follow Google-recommended practices What should you do?
- A. Use the current app-one-dev, app-one-staging and app-one-prod projects as the scoping project for each folder
- B. Use the current app-one-prod project as the scoping project
- C. Create a single new scoping project
- D. Create new scoping projects for each folder
Answer: D
Explanation:
Explanation
The best option for configuring Cloud Monitoring dashboards to only display metrics from the projects within one folder is to create new scoping projects for each folder. A scoping project is a project that defines which resources are monitored by Cloud Monitoring. You can create new scoping projects for each folder by using the gcloud monitoring register-project command. This way, you can associate each scoping project with a folder and only monitor the resources within that folder. You can then configure Cloud Monitoring dashboards to use the scoping projects as data sources and only display metrics from the projects within one folder.
NEW QUESTION # 105
......
Latest 100% Passing Guarantee - Brilliant Professional-Cloud-DevOps-Engineer Exam Questions PDF: https://pdfpractice.actual4dumps.com/Professional-Cloud-DevOps-Engineer-study-material.html