Google Associate-Cloud-Engineer Exam Dumps
Google Cloud Certified - Associate Cloud Engineer
Total Questions : 332
Update Date : May 28,2026
Latest Associate-Cloud-Engineer Results – Dumps That Deliver
Your success starts here! 2207+ learners already passed with our Associate-Cloud-Engineer Dumps PDF.
Choosing the Right Path for Your Associate-Cloud-Engineer Exam Preparation
Welcome to CertifyCerts’s complete guide for the Google Cloud Certified - Associate Cloud Engineer exam. Whether you’re just starting your cloud journey or aiming to boost your Google expertise, our Associate-Cloud-Engineer study materials are designed to help you prepare confidently and pass your exam on the first try.
What You’ll Get with CertifyCerts’s Associate-Cloud-Engineer Study Material
Our Associate-Cloud-Engineer Dumps PDF and online practice tools are built to make your preparation smooth, effective, and results-driven. Here’s what sets our materials apart:
Comprehensive Coverage
We’ve broken down every topic and concept covered in the Associate-Cloud-Engineer exam — from Google fundamentals to advanced architectural principles. Each concept is explained in simple, easy-to-understand language, making even complex topics feel approachable.
Real Exam Practice
Our online test engine lets you experience the real exam environment before test day. You’ll get access to a wide range of practice questions aligned with the latest exam objectives — complete with detailed explanations for correct and incorrect answers. It’s the perfect way to measure your progress and sharpen your test-taking skills.
Smart Exam Strategies
Passing the Associate-Cloud-Engineer isn’t just about memorizing facts — it’s about strategy. Our guide includes expert tips on managing time, tackling tricky questions, and staying calm under pressure so you can perform your best on exam day.
Hands-On Scenarios
We go beyond theory. You’ll explore real-world Google use cases and architecture examples that help you connect concepts to practical, day-to-day challenges in the IT field.
Why CertifyCerts?
Built by Google Experts
Our Associate-Cloud-Engineer Questions and Answers are developed by certified Google professionals who understand the exam inside out. You’re learning from people who’ve been through it and know what it takes to pass.
Full Exam Coverage
No shortcuts here — we cover every domain and objective of the Associate-Cloud-Engineer certification to make sure you’re ready for anything the exam throws your way.
Engaging and Easy to Learn
We believe learning should never feel boring. Our materials are structured in a clear, engaging way that keeps you motivated and focused throughout your preparation journey.
Proven Results
Thousands of learners have trusted CertifyCerts to earn their Google certifications — and their success stories speak for themselves. With our help, you can be next.
Start Your Google Journey Today
Take the first step toward becoming a certified Google Cloud Certified with CertifyCerts. Our up-to-date, expertly curated Associate-Cloud-Engineer study materials will guide you every step of the way — from your first study session to your certification success.
Get started today — your Google career breakthrough begins with CertifyCerts!
Google Associate-Cloud-Engineer Sample Question Answers
Question # 1
(You have an application running inside a Compute Engine instance. You want to provide the application with secure access to a BigQuery dataset. You must ensure that credentials are only valid for a short period of time, and your application will only have access to the intended BigQuery dataset. You want to follow Google-recommended practices and minimize your operational costs. What should you do?)
A. Attach a custom service account to the instance, and grant the service account the BigQuery Data Viewer IAM role on the project.
B. Attach a new service account to the instance every hour, and grant the service account the BigQuery Data Viewer IAM role on the dataset.
C. Attach a custom service account to the instance, and grant the service account the BigQuery Data Viewer IAM role on the dataset.
D. Attach a new service account to the instance every hour, and grant the service account the BigQuery Data Viewer IAM role on the project.
Answer: C
Explanation:
The core requirements are secure access to a specific BigQuery dataset from a Compute Engine
instance, using short-lived credentials, adhering to Google's best practices, and minimizing
operational overhead.
A. Project-level IAM role: Granting the BigQuery Data Viewer role at the project level gives the
service account broad access to all BigQuery datasets within that project. This violates the principle
of least privilege, a fundamental security best practice, as the application should only have access to
the designated dataset.
B. Hourly new service account with dataset-level role: While this aims to achieve short-lived
credentials, the operational burden of creating, attaching, and managing IAM policies for a new
service account every hour is significant and not a Google-recommended practice for routine access.
It introduces unnecessary complexity and potential for errors.
C. Custom service account with dataset-level IAM role: This is the recommended and most efficient
approach. You create a dedicated Google Cloud service account specifically for this application. You
then grant this service account the necessary IAM role (e.g., BigQuery Data Viewer, or a more specific
custom role) directly on the target BigQuery dataset. When the Compute Engine instance runs as this
service account, the Google Cloud client libraries automatically handle the acquisition and rotation
of short-lived OAuth 2.0 access tokens from the instance's metadata server. This eliminates the need
to manage long-lived credentials (like service account keys) and ensures the application only has
access to the intended dataset. This adheres to the principle of least privilege and minimizes
operational costs.
D. Hourly new service account with project-level role: This option combines the high operational
overhead of frequently creating new service accounts with the security risk of granting overly
permissive project-level access. It is not a recommended practice.
Therefore, the most secure, cost-effective, and operationally efficient solution is to create a custom
service account, attach it to the Compute Engine instance, and grant it the appropriate BigQuery IAM
role specifically on the target dataset. The platform handles the short-lived credentials automatically.
Google Cloud Documentation Reference:
Creating and enabling service accounts for instances:
service-accounts - Emphasizes the importance of the principle of least privilege and avoiding
the management of long-lived service account keys when possible (relying on the metadata server
for short-lived tokens).
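An added example (not part of the original question set) that checks the property option C depends on: the instance's service account holds a BigQuery read role on the intended dataset only, with no BigQuery data role at project level. The policy and dataset documents are constructed samples shaped like the JSON printed by `gcloud projects get-iam-policy` and `bq show`; the project, dataset and account names are hypothetical.

```python
"""Added example: is a service account's BigQuery access scoped to one dataset?"""

# Predefined BigQuery roles that reach table data in every dataset when they
# are bound on the project (the situation in options A and D).
PROJECT_WIDE_ROLES = {
    "roles/bigquery.dataViewer",
    "roles/bigquery.dataEditor",
    "roles/bigquery.dataOwner",
    "roles/bigquery.admin",
}
# Dataset access entries that grant read-only access (legacy and IAM names).
DATASET_READ_ROLES = {"READER", "roles/bigquery.dataViewer"}


def project_level_grants(policy, sa_email):
    """Project-wide BigQuery data roles bound to the service account."""
    member = f"serviceAccount:{sa_email}"
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if b["role"] in PROJECT_WIDE_ROLES and member in b.get("members", [])
    )


def dataset_level_roles(dataset, sa_email):
    """Roles granted to the service account directly on one dataset."""
    return sorted(
        e["role"] for e in dataset.get("access", [])
        if e.get("userByEmail") == sa_email
    )


def audit(policy, datasets, sa_email, intended):
    """Return findings; an empty list means access is limited to `intended`."""
    project_roles = project_level_grants(policy, sa_email)
    findings = [
        f"project: {r} reaches every dataset in the project" for r in project_roles
    ]
    for ds in datasets:
        ds_id = ds["datasetReference"]["datasetId"]
        roles = dataset_level_roles(ds, sa_email)
        if ds_id != intended:
            if roles:
                findings.append(f"{ds_id}: unexpected grant {', '.join(roles)}")
            continue
        wider = [r for r in roles if r not in DATASET_READ_ROLES]
        if wider:
            findings.append(f"{ds_id}: more than read access ({', '.join(wider)})")
        if not roles and not project_roles:
            findings.append(f"{ds_id}: no grant, the application cannot read it")
    return findings


# --- constructed sample data (hypothetical names) ---
SA = "bq-reader@example-project.iam.gserviceaccount.com"
OWNERS = {"role": "OWNER", "specialGroup": "projectOwners"}

# Option A: Data Viewer bound on the project.
POLICY_OPTION_A = {"bindings": [
    {"role": "roles/bigquery.dataViewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/logging.logWriter", "members": [f"serviceAccount:{SA}"]},
]}
DATASETS_OPTION_A = [
    {"datasetReference": {"datasetId": "sales"}, "access": [OWNERS]},
    {"datasetReference": {"datasetId": "hr"}, "access": [OWNERS]},
]

# Option C: no project-level data role, read access on the one dataset.
POLICY_OPTION_C = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [f"serviceAccount:{SA}"]},
]}
DATASETS_OPTION_C = [
    {"datasetReference": {"datasetId": "sales"},
     "access": [OWNERS, {"role": "READER", "userByEmail": SA}]},
    {"datasetReference": {"datasetId": "hr"}, "access": [OWNERS]},
]

if __name__ == "__main__":
    for label, policy, datasets in (
        ("option A", POLICY_OPTION_A, DATASETS_OPTION_A),
        ("option C", POLICY_OPTION_C, DATASETS_OPTION_C),
    ):
        print(label, audit(policy, datasets, SA, "sales") or "least privilege OK")
```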
Question # 2
(Your company was recently impacted by a service disruption that caused multiple Dataflow jobs to get stuck, resulting in significant downtime in downstream applications and revenue loss. You were able to resolve the issue by identifying and fixing an error you found in the code. You need to design a solution with minimal management effort to identify when jobs are stuck in the future to ensure that this issue does not occur again. What should you do?)
A. Set up Error Reporting to identify stack traces that indicate slowdowns in Dataflow jobs. Set up alerts based on these log entries.
B. Use the Personalized Service Health dashboard to identify issues with Dataflow jobs across regions.
C. Update the Dataflow job configurations to send messages to a Pub/Sub topic when there are delays. Configure a backup Dataflow job to process jobs that are delayed. Use Cloud Tasks to trigger an alert when messages are pushed to the Pub/Sub topic.
D. Set up Cloud Monitoring alerts on the data freshness metric for the Dataflow jobs to receive a notification when a certain threshold is reached.
Answer: D
Explanation:
The goal is to proactively identify stuck Dataflow jobs with minimal management effort. Let's analyze
each option:
A. Error Reporting for slowdowns: Error Reporting primarily focuses on capturing and aggregating
exceptions and errors (stack traces). While a stuck job might eventually throw an error, it might also
just become unresponsive without generating explicit errors. Relying solely on Error Reporting might
not provide timely detection of stuck jobs. Identifying stack traces that indicate slowdowns can also
be complex and require significant manual configuration and analysis.
B. Personalized Service Health dashboard: The Personalized Service Health dashboard provides
information about Google Cloud service incidents that might be affecting your resources. While it
can alert you to broader Dataflow service outages, it won't specifically identify individual stuck jobs
due to application-level errors or logic within your Dataflow pipeline.
C. Pub/Sub messages for delays, backup job, and Cloud Tasks alerts: This approach involves
significant custom implementation and management. You would need to instrument your Dataflow
jobs to detect delays, send messages to Pub/Sub, manage a backup job, and configure Cloud Tasks
for alerting. This adds considerable operational overhead and complexity.
D. Cloud Monitoring alerts on data freshness metric: Dataflow provides built-in metrics, including
"data freshness" (or similar metrics like "system lag" or "processing time"), which indicate how far
behind the pipeline is in processing data. If a job gets stuck, the data freshness will deteriorate
beyond an acceptable threshold. Cloud Monitoring allows you to easily set up alerts based on these
built-in metrics. This requires minimal custom coding and leverages the platform's existing
monitoring capabilities, aligning with the "minimal management effort" requirement.
Therefore, setting up Cloud Monitoring alerts on relevant Dataflow metrics like data freshness is the
most efficient and recommended way to detect stuck Dataflow jobs with minimal management
a comprehensive list of Dataflow metrics that can be used for monitoring and alerting.
Question # 4
(You manage a VPC network in Google Cloud with a subnet that is rapidly approaching its private IP address capacity. You expect the number of Compute Engine VM instances in the same region to double within a week. You need to implement a Google-recommended solution that minimizes operational costs and does not require downtime. What should you do?)
A. Create a second VPC with the same subnet IP range, and connect this VPC to the existing VPC by using VPC Network Peering.
B. Delete the existing subnet, and create a new subnet with double the IP range available.
C. Use the Google Cloud CLI tool to expand the primary IP range of your subnet.
D. Permit additional traffic from the expected range of private IP addresses to reach your VMs by configuring firewall rules.
Answer: C
Explanation:
The problem states that a subnet is nearing its IP address capacity, and the requirement is to expand
it without downtime and with minimal operational cost, following Google-recommended practices.
A. Creating a second VPC with the same subnet IP range and peering: While VPC Network Peering
allows communication between VPCs, having overlapping IP ranges is generally not recommended
and can lead to routing complexities if not managed carefully. It also adds operational overhead of
managing two VPCs. This is not the most straightforward or cost-effective solution for simply
expanding IP capacity within the same logical network.
B. Deleting and recreating the subnet: Deleting a subnet that contains active VM instances will cause
downtime for those instances, violating a key requirement.
C. Using the Google Cloud CLI tool to expand the primary IP range of your subnet: Google Cloud
allows you to expand the primary IP range of an existing subnet after it's created, as long as there are
no conflicting subnets in the VPC. This operation does not require deleting the subnet or restarting
the existing VMs within it, thus avoiding downtime. It's a direct and cost-effective way to increase the
available IP address space within the existing subnet. This is a Google-recommended practice for
handling subnet capacity issues.
D. Permitting additional traffic with firewall rules: Firewall rules control network traffic based on IP
ranges, protocols, and ports. They do not increase the number of available private IP addresses
within the subnet. This option does not address the core issue of IP address exhaustion.
Therefore, expanding the primary IP range of the existing subnet using the Google Cloud CLI is the
recommended solution that meets all the requirements: addressing IP capacity, minimizing
Question # 5
(Your company uses a multi-cloud strategy that includes Google Cloud. You want to centralize application logs in a third-party software-as-a-service (SaaS) tool from all environments. You need to integrate logs originating from Cloud Logging, and you want to ensure the export occurs with the least amount of delay possible. What should you do?)
A. Use a Cloud Scheduler cron job to trigger a Cloud Function that queries Cloud Logging and sends the logs to the SaaS tool.
B. Create a Cloud Logging sink and configure Pub/Sub as the destination. Configure the SaaS tool to subscribe to the Pub/Sub topic to retrieve the logs.
C. Create a Cloud Logging sink and configure Cloud Storage as the destination. Configure the SaaS tool to read the Cloud Storage bucket to retrieve the logs.
D. Create a Cloud Logging sink and configure BigQuery as the destination. Configure the SaaS tool to query BigQuery to retrieve the logs.
Answer: B
Explanation:
The requirement is to export logs from Cloud Logging to a third-party SaaS tool with the least amount
of delay possible. Let's analyze each option:
A. Cloud Scheduler, Cloud Function, and querying Cloud Logging: This approach introduces a delay
based on the Cloud Scheduler's cron job frequency. The Cloud Function would periodically query
Cloud Logging, which might not capture the logs in real-time. This does not meet the "least amount
of delay possible" requirement.
B. Cloud Logging sink to Pub/Sub, SaaS tool subscribing to Pub/Sub: Cloud Logging sinks can be
configured to export logs in near real-time as they are ingested into Cloud Logging. Pub/Sub is a
messaging service designed for asynchronous and near real-time message delivery. By configuring
the sink to send logs to a Pub/Sub topic, and having the SaaS tool subscribe to this topic, logs can be
delivered to the SaaS tool with minimal delay. This aligns with the requirement for immediate
export.
C. Cloud Logging sink to Cloud Storage, SaaS tool reading Cloud Storage: Exporting logs to Cloud
Storage involves a batch-oriented approach. Logs are typically written to files periodically. The SaaS
tool would then need to poll or be configured to read these files, introducing a significant delay
compared to a streaming approach.
D. Cloud Logging sink to BigQuery, SaaS tool querying BigQuery: Similar to Cloud Storage, exporting
to BigQuery is more suitable for analytical purposes. The SaaS tool would need to periodically query
BigQuery, which introduces latency and is not the most efficient way to achieve near real-time log
delivery.
Therefore, configuring a Cloud Logging sink to Pub/Sub and having the SaaS tool subscribe to the
Pub/Sub topic provides the lowest latency for exporting logs.
comprehensive guide to exporting logs from Cloud Logging to various destinations, emphasizing
Pub/Sub for streaming.
Question # 6
(Your company has a rapidly growing social media platform and a user base primarily located in North America. Due to increasing demand, your current on-premises PostgreSQL database, hosted in your United States headquarters data center, no longer meets your needs. You need to identify a cloud-based database solution that offers automatic scaling, multi-region support for future expansion, and maintains low latency.)
A. Use Bigtable.
B. Use BigQuery.
C. Use Spanner.
D. Use Cloud SQL for PostgreSQL.
Answer: C
Explanation:
Let's evaluate each database option against the requirements: automatic scaling, multi-region
support, and low latency for a growing social media platform:
A. Bigtable: Bigtable is a highly scalable NoSQL database designed for large analytical and operational
workloads with low latency. It offers excellent horizontal scalability and can be deployed across
multiple regions for high availability and lower latency for a global user base. However, it's a NoSQL
database and might require significant changes to your existing PostgreSQL data model and
application code.
B. BigQuery: BigQuery is a fully managed, serverless data warehouse optimized for analytical queries
on large datasets. It's not designed for low-latency transactional workloads that a social media
platform would require for real-time user interactions. While it's globally available, its primary use
case is not operational database needs.
C. Spanner: Spanner is a globally distributed, horizontally scalable relational database service with
strong consistency. It offers automatic scaling, built-in multi-region and multi-continental
configurations for high availability and low latency across a global user base, and supports standard
SQL (with some extensions). This makes it a strong candidate for a rapidly growing platform needing
scalability, global presence, and low latency. While it's not directly PostgreSQL, it offers a relational
model and tools to aid migration.
D. Cloud SQL for PostgreSQL: Cloud SQL offers managed PostgreSQL instances with automatic scaling
capabilities. It supports high availability within a region and cross-region read replicas for disaster
recovery and read scaling. However, its multi-region capabilities for write operations and automatic
scaling across regions are more limited compared to Spanner. For a rapidly growing platform with a
primarily North American user base but future global expansion in mind and a need for low latency,
Spanner's architecture is better suited for true multi-region write capabilities and consistent low
latency globally.
Considering the requirements for automatic scaling, multi-region support for both reads and writes
with low latency for a growing user base, Spanner is the most appropriate choice.
offers scaling and regional HA, its multi-region write capabilities are not as robust as Spann
Question # 7
(Your company is migrating its workloads to Google Cloud due to an expiring data center contract. The on-premises environment and Google Cloud are not connected. You have decided to follow a lift-and-shift approach, and you plan to modernize the workloads in a future project. Several old applications connect to each other through hard-coded internal IP addresses. You want to migrate these workloads quickly without modifying the application code. You also want to maintain all functionality. What should you do?)
A. Create a VPC with non-overlapping CIDR ranges compared to your on-premises network. When migrating individual workloads, assign each workload a new static internal IP address.
B. Migrate your DNS server first. Configure Cloud DNS with a forwarding zone to your migrated DNS server. Then migrate all other workloads with ephemeral internal IP addresses.
C. Migrate all workloads to a single VPC subnet. Configure Cloud NAT for the subnet and manually assign a static IP address to the Cloud NAT gateway.
D. Create a VPC with the same CIDR ranges as your on-premises network. When migrating individual workloads, assign each workload the same static internal IP address.
Answer: D
Explanation:
The key requirement is to migrate applications that rely on hard-coded internal IP addresses without
modifying the application code. To achieve this, the migrated VMs in Google Cloud need to retain
their original internal IP addresses.
A. Non-overlapping CIDR ranges and new static IPs: This option requires changing the IP addresses of
the migrated workloads, which would necessitate modifying the application code to reflect these
new addresses. This violates a core requirement.
B. Migrating DNS and using ephemeral IPs: While migrating DNS can be beneficial in the long run,
using ephemeral internal IP addresses for the migrated workloads means their IPs could change
upon restart, breaking the hard-coded IP address dependencies.
C. Single subnet with Cloud NAT and static NAT IP: Cloud NAT allows instances without external IP
addresses to access the internet, but it doesn't help in preserving the internal IP addresses that the
applications use to communicate with each other. The internal IP addresses of the VMs would still be
within the VPC subnet range and might conflict if they are the same as the on-premises IPs.
D. Same CIDR ranges and same static IPs: Creating a VPC with the same CIDR ranges as the on-premises
network and assigning the same static internal IP addresses to the migrated workloads is
the only way to ensure that the applications can continue to communicate using their hard-coded IP
addresses without any code changes. This approach effectively extends the on-premises network's IP
address space into Google Cloud (though without direct connectivity initially, as stated in the
problem). Once the workloads are migrated, future steps can involve establishing connectivity (e.g.,
using VPN or Interconnect) if needed for hybrid scenarios.
discouraged for connected networks, for isolated migration scenarios as described, it's a necessary
step to avoid application changes. The problem statement explicitly says the environments are not
connected during the initial migration.
Question # 8
(You are deploying an application to Google Kubernetes Engine (GKE). The application needs to make API calls to a private Cloud Storage bucket. You need to configure your application Pods to authenticate to the Cloud Storage API, but your organization policy prevents the usage of service account keys. You want to follow Google-recommended practices. What should you do?)
A. Create the GKE cluster and deploy the application. Request a security exception to create a Google service account key. Set the constraints/iam.serviceAccountKeyExpiryHours organization policy to 8 hours.
B. Create the GKE cluster and deploy the application. Request a security exception to create a Google service account key. Set the constraints/iam.serviceAccountKeyExpiryHours organization policy to 24 hours.
C. Create the GKE cluster with Workload Identity Federation. Configure the default node service account to access the bucket. Deploy the application into the cluster so the application can use the node service account permissions. Use Identity and Access Management (IAM) to grant the service account access to the bucket.
D. Create the GKE cluster with Workload Identity Federation. Create a Google service account and a Kubernetes ServiceAccount, and configure both service accounts to use Workload Identity Federation. Attach the Kubernetes ServiceAccount to the application Pods and configure the Google service account to access the bucket with Identity and Access Management (IAM).
Answer: D
Explanation:
The organization policy explicitly prevents the use of service account keys, so options A and B, which
involve requesting exceptions to create them, are not in line with the policy and Google's
recommended practices for secure authentication.
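An added example (not from the original page) of a configuration check for the setup option D describes: the Kubernetes ServiceAccount is annotated with the Google service account, the Google service account allows that Kubernetes identity to impersonate it, the Pod actually runs as that ServiceAccount, and no key file is wired in. The annotation key `iam.gke.io/gcp-service-account`, the role `roles/iam.workloadIdentityUser` and the member form `PROJECT_ID.svc.id.goog[NAMESPACE/KSA]` are the standard ones for this link; every project, namespace and account name below is hypothetical and the manifests are constructed samples.

```python
"""Added example: verify a keyless GKE Workload Identity configuration."""

ANNOTATION = "iam.gke.io/gcp-service-account"
WI_ROLE = "roles/iam.workloadIdentityUser"
KEY_ENV = "GOOGLE_APPLICATION_CREDENTIALS"  # points client libraries at a key file


def expected_member(project_id, namespace, ksa_name):
    """IAM member string that represents a Kubernetes ServiceAccount."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def check_workload_identity(project_id, ksa, gsa_email, gsa_policy, pod):
    """Return a list of problems; an empty list means the link is complete."""
    problems = []
    meta = ksa.get("metadata", {})
    namespace = meta.get("namespace", "default")
    name = meta.get("name", "")

    # 1. The Kubernetes ServiceAccount must name the Google service account.
    if meta.get("annotations", {}).get(ANNOTATION) != gsa_email:
        problems.append(f"KSA {namespace}/{name} is not annotated with {gsa_email}")

    # 2. The Google service account must let exactly this KSA impersonate it.
    member = expected_member(project_id, namespace, name)
    bound = any(
        b.get("role") == WI_ROLE and member in b.get("members", [])
        for b in gsa_policy.get("bindings", [])
    )
    if not bound:
        problems.append(f"{gsa_email} has no {WI_ROLE} binding for {member}")

    # 3. The Pod must run as that KSA, otherwise it uses the namespace default.
    spec = pod.get("spec", {})
    if spec.get("serviceAccountName", "default") != name:
        problems.append("Pod does not run as the annotated ServiceAccount")

    # 4. A key file reference means a service account key is still in use.
    for container in spec.get("containers", []):
        if any(e.get("name") == KEY_ENV for e in container.get("env", [])):
            problems.append(f"container {container.get('name')} sets {KEY_ENV}")
    return problems


# --- constructed sample data (hypothetical names) ---
PROJECT = "example-project"
GSA = "bucket-reader@example-project.iam.gserviceaccount.com"

GOOD_KSA = {"metadata": {"name": "storage-reader", "namespace": "app",
                         "annotations": {ANNOTATION: GSA}}}
GOOD_POLICY = {"bindings": [{
    "role": WI_ROLE,
    "members": ["serviceAccount:example-project.svc.id.goog[app/storage-reader]"],
}]}
GOOD_POD = {"spec": {"serviceAccountName": "storage-reader",
                     "containers": [{"name": "web", "env": []}]}}

# Misconfigured variant: no annotation, binding for the wrong namespace,
# Pod on the default ServiceAccount, and a key file still referenced.
BAD_KSA = {"metadata": {"name": "storage-reader", "namespace": "app"}}
BAD_POLICY = {"bindings": [{
    "role": WI_ROLE,
    "members": ["serviceAccount:example-project.svc.id.goog[default/storage-reader]"],
}]}
BAD_POD = {"spec": {"containers": [{
    "name": "web",
    "env": [{"name": KEY_ENV, "value": "/var/secrets/key.json"}],
}]}}

if __name__ == "__main__":
    print(check_workload_identity(PROJECT, GOOD_KSA, GSA, GOOD_POLICY, GOOD_POD))
    for p in check_workload_identity(PROJECT, BAD_KSA, GSA, BAD_POLICY, BAD_POD):
        print("-", p)
```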
Question # 9
(You need to migrate multiple PostgreSQL databases from your on-premises data center to Google
Cloud. You want to significantly improve the performance of your databases while minimizing
changes to your data schema and application code. You expect to exceed 150 TB of data per
geographical region. You want to follow Google-recommended practices and minimize your
operational costs. What should you do?)
A. Migrate your data to AlloyDB.
B. Migrate your data to Spanner.
C. Migrate your data to Firebase.
D. Migrate your data to Bigtable.
Answer: A
Explanation:
Let's analyze each option based on the requirements: PostgreSQL compatibility, significant
performance improvement, minimal schema/code changes, handling large data volumes, Google-recommended
practices, and cost minimization:
A. Migrate your data to AlloyDB: AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible
database service that offers significant performance improvements over standard PostgreSQL due to
its architectural optimizations. It is designed to handle large data volumes and minimizes the need
for schema and application code changes as it's wire-compatible with PostgreSQL. This aligns well
with the requirements for performance improvement, minimal changes, large data, and being a
Google-recommended option for PostgreSQL workloads.
B. Migrate your data to Spanner: Spanner is a globally distributed, horizontally scalable database
with strong consistency. While it offers excellent scalability and performance, it's not directly
PostgreSQL-compatible. Migrating to Spanner would likely require significant schema and application
code changes due to differences in data modeling and SQL dialect.
C. Migrate your data to Firebase: Firebase is a suite of mobile and web development tools, with its
primary database offering being Firestore (a NoSQL document database) and Realtime Database.
These are not PostgreSQL-compatible and would require substantial changes to the data model and
application code.
D. Migrate your data to Bigtable: Bigtable is a highly scalable NoSQL wide-column store. It's not
compatible with PostgreSQL and requires a completely different data model and application logic.
Therefore, AlloyDB is the most suitable option as it provides PostgreSQL compatibility for minimal
migration effort, significant performance improvements, scalability for large data volumes, and is a
recommended Google Cloud database service for PostgreSQL workloads.
as a NoSQL database, emphasizing its differences from relational databases like PostgreSQL.
Question # 10
(You are managing an application deployed on Cloud Run. The development team has released a new version of the application. You want to deploy and redirect traffic to this new version of the application. To ensure traffic to the new version of the application is served with no startup time, you want to ensure that there are two idle instances available for incoming traffic before adjusting the traffic flow. You also want to minimize administrative overhead. What should you do?)
A. Ensure the checkbox "Serve this revision immediately" is unchecked when deploying the new revision. Before changing the traffic rules, use a traffic simulation tool to send load to the new revision.
B. Configure service autoscaling and set the minimum number of instances to 2.
C. Configure revision autoscaling for the new revision and set the minimum number of instances to 2.
D. Configure revision autoscaling for the existing revision and set the minimum number of instances to 2.
Answer: C
Explanation:
Let's analyze each option to find the one that meets the requirements of no startup time for new
traffic, two idle instances, and minimal administrative overhead:
A. Unchecking "Serve this revision immediately" and using a traffic simulation tool: Unchecking
"Serve this revision immediately" does prevent the new revision from receiving traffic immediately.
However, manually using a traffic simulation tool adds administrative overhead. It also doesn't
guarantee that two idle instances will be ready before traffic is shifted; you would need to monitor
and adjust traffic manually based on the simulation.
B. Configuring service autoscaling and setting the minimum number of instances to 2: Service-level
autoscaling applies to all revisions of the service. Setting the minimum instances at the service level
would ensure at least two instances are running across all active revisions, not specifically for the
new revision before traffic shift.
C. Configuring revision autoscaling for the new revision and setting the minimum number of
instances to 2: This is the correct approach. By configuring revision autoscaling specifically for the
new revision and setting the minimum number of instances to 2, Cloud Run will ensure that at least
two instances of the new version are running and ready to serve traffic before you redirect any traffic
to it. This eliminates startup latency when you do shift traffic. It also minimizes administrative
overhead as Cloud Run manages the instance scaling based on this configuration.
D. Configuring revision autoscaling for the existing revision and setting the minimum number of
instances to 2: This would ensure the existing version has at least two idle instances, which doesn't
directly address the requirement of having idle instances ready for the new version before traffic
how to deploy new revisions and gradually shift traffic between them. Combining minimum
instances on the new revision with traffic splitting allows for zero-downtime deployments with pre-warmed
instances.
Question # 11
(You are developing an internet of things (IoT) application that captures sensor data from multiple devices that have already been set up. You need to identify the global data storage product your company should use to store this data. You must ensure that the storage solution you choose meets your requirements of sub-millisecond latency. What should you do?)
A. Store the IoT data in Spanner. Use caches to speed up the process and avoid latencies.
B. Store the IoT data in Bigtable.
C. Capture IoT data in BigQuery datasets.
D. Store the IoT data in Cloud Storage. Implement caching by using Cloud CDN.
Answer: B
Explanation:
Let's evaluate each option based on the requirement of sub-millisecond latency for globally stored
IoT data:
A. Spanner with Caching: While Spanner offers strong consistency and global scalability, the base
latency might not consistently be sub-millisecond for all read/write operations globally. Introducing
caching adds complexity and doesn't guarantee sub-millisecond latency for all initial reads or cache
misses.
B. Bigtable: Bigtable is a highly scalable NoSQL database service designed for low-latency,
high-throughput workloads. It excels at storing and retrieving large volumes of time-series data, which is
typical for IoT sensor data. Its architecture is optimized for single-key lookups and scans, providing
consistent sub-millisecond latency, making it a strong candidate for this use case.
C. BigQuery: BigQuery is a fully managed, serverless data warehouse designed for analytical queries
on large datasets. While it's excellent for analyzing IoT data in batch, it's not optimized for the
low-latency, high-throughput ingestion and retrieval required for real-time IoT applications with
sub-millisecond latency needs.
D. Cloud Storage with Cloud CDN: Cloud Storage is object storage and is not designed for low-latency
transactional workloads. Cloud CDN is a content delivery network that caches content closer to users
for faster delivery, but it's not suitable for the primary storage of rapidly incoming IoT sensor data
Storage as object storage, not ideal for sub-millisecond latency reads and writes required for real-time
IoT data.
Question # 12
(Your digital media company stores a large number of video files on-premises. Each video file ranges from 100 MB to 100 GB. You are currently storing 150 TB of video data in your on-premises network, with no room for expansion. You need to migrate all infrequently accessed video files older than one year to Cloud Storage to ensure that on-premises storage remains available for new files. You must also minimize costs and control bandwidth usage. What should you do?)
A. Create a Cloud Storage bucket. Establish an Identity and Access Management (IAM) role with write permissions to the bucket. Use the gsutil tool to directly copy files over the network to Cloud Storage.
B. Set up a Cloud Interconnect connection between the on-premises network and Google Cloud. Establish a private endpoint for Filestore access. Transfer the data from the existing Network File System (NFS) to Filestore.
C. Use Transfer Appliance to request an appliance. Load the data locally, and ship the appliance back to Google for ingestion into Cloud Storage.
D. Use Storage Transfer Service to move the data from the selected on-premises file storage systems to a Cloud Storage bucket.
Answer: D
Explanation:
Let's analyze each option:
A. Using gsutil: While gsutil can transfer data to Cloud Storage, for 150 TB of infrequently accessed
data, direct transfer over the network might be slow and consume significant bandwidth, potentially
impacting other network operations. It also lacks built-in mechanisms for filtering files based on age.
B. Using Cloud Interconnect and Filestore: Cloud Interconnect provides a dedicated connection, but
Filestore is a fully managed NFS service primarily designed for high-performance file sharing for
applications running in Google Cloud. Migrating 150 TB of infrequently accessed data to Filestore
would be cost-inefficient compared to Cloud Storage and doesn't directly address the requirement of
moving only files older than one year.
C. Using Transfer Appliance: Transfer Appliance is suitable for very large datasets (petabytes) or when
network connectivity is poor or unreliable. While it addresses bandwidth concerns, it involves a
physical appliance and might be overkill for 150 TB of data, especially if network connectivity is
reasonable.
D. Using Storage Transfer Service: Storage Transfer Service is specifically designed for moving large
amounts of data between online storage systems, including on-premises file systems and Cloud
Storage. It offers features like filtering by file age, scheduling transfers, and bandwidth control,
directly addressing all the requirements of the question: migrating infrequently
accessed files older than one year to Cloud Storage, minimizing costs (by using appropriate Cloud
Storage classes for infrequent access), and controlling bandwidth usage.
different storage classes (Standard, Nearline, Coldline, Archive) is crucial for cost optimization of
infrequently accessed data. Storage Transfer Service can be configured to move data to a cost-effective
class like Nearline or
Coldline.
Question # 13
(You are managing the security configuration of your company's Google Cloud organization. The Operations team needs specific permissions on both a Google Kubernetes Engine (GKE) cluster and a Cloud SQL instance. Two predefined Identity and Access Management (IAM) roles exist that contain a subset of the permissions needed by the team. You need to configure the necessary IAM permissions for this team while following Google-recommended practices. What should you do?)
A. Grant the team the two predefined IAM roles.
B. Create a custom IAM role that combines the permissions from the two relevant predefined roles.
C. Create a custom IAM role that includes only the required permissions from the predefined roles.
D. Grant the team the IAM roles of Kubernetes Engine Admin and Cloud SQL Admin.
Answer: C
Explanation:
Granting more permissions than necessary violates the principle of least privilege, a fundamental
security best practice. While option A grants the necessary permissions (as subsets exist in two
predefined roles), it might also grant more permissions than the Operations team strictly requires for
their tasks on GKE and Cloud SQL. Option D is too broad; 'Admin' roles grant extensive permissions
that likely exceed the specific needs.
Google Cloud's best practices strongly recommend adhering to the principle of least privilege.
Creating a custom role allows you to precisely define the set of permissions the Operations team
needs for their specific tasks on the GKE cluster and the Cloud SQL instance, without granting any
unnecessary permissions. This minimizes the potential blast radius in case of accidental or malicious
concepts of predefined and custom roles and their use cases.
Question # 14
You are deploying an application on Google Cloud that requires a relational database for storage. To satisfy your company's security policies, your application must connect to your database through an encrypted and authenticated connection that requires minimal management and integrates with Identity and Access Management (IAM). What should you do?
A. Deploy a Cloud SQL database with the SSL mode set to encrypted only, configure SSL/TLS client certificates, and configure a database user and password.
B. Deploy a Cloud SQL database and configure IAM database authentication. Access the database through the Cloud SQL Auth Proxy.
C. Deploy a Cloud SQL database with the SSL mode set to encrypted only, configure SSL/TLS client certificates, and configure IAM database authentication.
D. Deploy a Cloud SQL database and configure a database user and password. Access the database through the Cloud SQL Auth Proxy.
Answer: B
Explanation:
Cloud SQL Auth Proxy: This proxy ensures secure connections to your Cloud SQL database by
automatically handling encryption (SSL/TLS) and IAM-based authentication. It simplifies the
management of secure connections without needing to manage SSL/TLS certificates manually.
IAM Database Authentication: This allows you to use IAM credentials to authenticate to the database,
providing a unified and secure authentication mechanism that integrates seamlessly with Google
Cloud IAM.
Question # 15
You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in the crm-databases project. You want to follow Google-recommended practices to grant access to the service account in the web-applications project. What should you do?
A. Grant "project owner" for web-applications appropriate roles to crm-databases.
B. Grant "project owner" role to crm-databases and the web-applications project.
C. Grant "project owner" role to crm-databases and roles/bigquery.dataViewer role to web-applications.
D. Grant roles/bigquery.dataViewer role to crm-databases and appropriate roles to web-applications.
Answer: C
Explanation: