Professional-Cloud-Architect Google Certified Professional - Cloud Architect (GCP) Questions and Answers

According to Google Cloud documentation on Application Performance Management (APM), Cloud Profiler is the most effective tool for identifying resource-intensive parts of an application's source code. For Altostrat's Java-based media processing pipeline, which likely involves CPU-intensive tasks such as metadata extraction or transcoding, understanding exactly which methods or lines of code consume the most CPU or memory is critical.

Cloud Profiler is a statistical, low-overhead profiler that continuously gathers performance data (CPU usage, heap allocation, etc.) from production applications with less than 0.5% impact on performance. It presents this data in an interactive flame graph, allowing developers to pinpoint bottlenecks in the media processing logic.

While Cloud Trace (Option C) is excellent for monitoring latency across distributed services, it primarily tracks the "outer shell" of the request—showing how long a function took to execute or how long an external API call lasted—but does not provide the deep, code-level insight into internal Java method execution that Profiler does. Cloud Logging (Option A) is useful for troubleshooting specific events but is not a performance analysis tool, and Snapshot Debugger (Option D) is designed for inspecting variables at specific execution points rather than aggregate performance profiling. Given Altostrat's goal to "Optimize cloud storage costs" and "Accelerate... operational workflows," using Cloud Profiler to create more efficient, less resource-hungry processing code is the architecturally sound choice.

https://cloud.google.com/bigquery/docs/loading-data#loading_denormalized_nested_and_repeat ed_data

https://cloud.google.co m/solutions/gaming/cloud-game-infrastructure#dedicated_game_server

https://cloud.google.com/blog/products/databases/getting-started-with-time-series-trend-predic tions-using-gcp

From Scenario:

A few of their games were more popular than expected, and they had problems scaling their application servers, MySQL databases, and analytics tools.

Requirements for Game Analytics Platform include: Dynamically scale up or down based on game activity

https://cloud .google.com/iam/docs/understanding-service-accounts

https://cloud.google.com/logging/docs/audit/

Reference https://cloud.google.com/pubsub/docs/ordering

https://cloud.google.co m/bigquery/docs/managing-partitioned-tables

https://cloud.google.com/community/tutorials/pci-tokenizer Deterministic output means that a given set of inputs (card number, expiration, and userID) will always generate the same token. This is useful if you want to rely on the token value to deduplicate your token stores. You can simply match a newly generated token to your existing catalog of tokens to determine whether the card has been previously stored. Depending on your application architecture, this can be a very useful feature. However, this could also be accomplished using a salted hash of the input values.

According to Google Cloud Hybrid Connectivity documentation, Cloud VPN is the standard and recommended solution for establishing a secure, encrypted connection over the public internet between an on-premises network and a Google Cloud VPC. This aligns with Cymbal’s requirement for "secure communication" while maintaining manageability. Unlike SSH tunnels (Option B), which are fragile and difficult to scale at an enterprise level, Cloud VPN utilizes IPsec protocols to create a stable and encrypted site-to-site tunnel.

+1

To satisfy the "secure and manageable" criteria, the implementation must include strictly defined VPC Firewall Rules. This ensures the principle of least privilege is applied, restricting on-premises systems to only the necessary cloud resources and ports required for their specific business functions. VPC Peering (Option D) is technically incorrect here as it is designed for connecting two VPCs within the cloud, not for on-premises to cloud connectivity. A Bastion Host (Option A) provides a secure gateway for administrative login (SSH/RDP) but does not provide the transparent, network-level connectivity required for the automated "legacy file-based integrations" and "data transfers" mentioned in Cymbal’s environment. By using Cloud VPN with granular firewalling, Cymbal achieves a secure extension of their data center into Google Cloud.

According to the Google Cloud Migration Framework, a phased approach (also known as a Phased Migration) is the highly recommended best practice for complex enterprise workloads like Cymbal's product catalog. This strategy minimizes business risk and operational disruption by avoiding the "Big Bang" approach (Option D), which is often cited in the Google Cloud Architecture Framework as being high-risk for large-scale migrations.

By starting with a pilot project focused on a specific product category, Cymbal can validate the technical architecture of their new generative AI tools—such as Vertex AI Search and Retail API—in a controlled environment. This allows the team to refine the Human-in-the-Loop (HITL) review processes and ensure that the AI-generated attributes and descriptions meet their accuracy standards before a global rollout. This "crawl-walk-run" methodology aligns with the Google Cloud Adoption Framework, specifically the "Scale" and "Learn" themes, by allowing the organization to build expertise and adjust governance policies based on real-world results from the pilot.

Furthermore, a gradual expansion helps in managing costs effectively, as Cymbal can optimize resource allocation (like moving from on-premises databases to Cloud Spanner or Cloud SQL) based on the performance metrics observed during the initial phase. Options A and B are too prescriptive regarding specific compute choices without first establishing a successful migration pattern and do not address the primary requirement of "proper change management" and risk mitigation.

A "cloud-first" modernization strategy for a retail product catalog typically involves moving from legacy relational databases to high-performance, managed services. AlloyDB for PostgreSQL is Google Cloud's premier choice for demanding transactional workloads. It offers superior performance (up to 4x faster than standard PostgreSQL) and built-in high availability, making it ideal for the low-latency requirements of web applications and AI virtual agents.

Option A follows the architecturally sound pattern of separating structured data from unstructured assets. Cloud Storage is the industry standard for storing "product images," providing massive scalability, high availability, and low cost through lifecycle management.

Option B is less ideal because Bigtable is not designed for storing binary image blobs efficiently, and Spanner can be significantly more expensive and complex to manage if global multi-region consistency is not a strict requirement for the "minimizing operational costs" goal. Option C is incorrect because Filestore (NFS) is not a suitable primary database for a modern web application catalog. Option D is technically flawed as Cloud Storage is not an efficient primary database for structured application queries, and BigQuery is an analytical warehouse, not an image store. By combining AlloyDB and Cloud Storage, Cymbal achieves a performant, scalable, and cost-optimized foundation for their digital transformation.

According to the Google Cloud Architecture Framework for modernizing applications, Google Kubernetes Engine (GKE) is the most suitable compute platform for services requiring high scalability and availability. Cymbal’s AI-powered virtual agents must handle "anticipated growth" and fluctuating customer demands from their web and mobile apps. GKE’s Horizontal Pod Autoscaler (HPA) and Cluster Autoscaler ensure that the compute resources expand automatically during peak shopping hours and shrink during low-traffic periods to "minimize costs."

GKE is explicitly mentioned in Cymbal’s "Existing Technical Environment" as their preferred platform for containerized applications. Leveraging GKE for the virtual agents allows the development team to use a microservices approach, isolating the agent's logic from other catalog enrichment tasks. Option D (Single large VM) is a "legacy" approach that creates a single point of failure and does not scale efficiently. Option A (Cloud SQL) is a database service, not a compute resource for running agent logic. While Vertex AI Agent Builder (Option B) is the tool used to create the agents, the underlying compute that hosts the integrated application and handles the traffic orchestration is best served by a managed Kubernetes environment like GKE, which aligns with their requirement for "Scalability and Performance."

The Google Cloud database migration path follows a "like-for-like" managed service strategy. Cloud SQL is the recommended destination for MySQL and SQL Server workloads that do not require the massive horizontal scale of Spanner, fitting Cymbal’s "Technical Stack Modernization" goals. Memorystore is the managed service for Redis, and Firestore is the native NoSQL replacement for MongoDB.

For the image storage requirement, Cloud Storage Coldline is the mathematically correct choice for data accessed "less and less frequently" with a retention period exceeding 90 days. According to Cloud Storage documentation, Coldline is specifically designed for data accessed at most once a quarter (90 days). Using Object Lifecycle Management to move images from Standard to Coldline allows Cymbal to "reduce costs" while keeping images "immediately accessible" (unlike Archive storage, which may have different trade-offs). Option C is less optimal because Nearline is intended for 30-day access patterns; given the images stay for 90+ days and usage drops significantly, the deeper savings of Coldline are preferred. Option A is over-engineered (Spanner for all) and expensive, while Option B contradicts the requirement to "reduce costs" by increasing operational overhead

According to Google Cloud Storage documentation, the soft-delete policy is a feature enabled by default on new buckets (starting in 2024) to protect against accidental or malicious deletion. It retains deleted objects for a specified retention period (default is seven days). For workloads involving large files—such as the video files Cymbal uses for Vertex AI training—this policy can lead to unexpected cost spikes.

When soft-delete is active, objects that are deleted are not immediately removed from the billing cycle; instead, they continue to incur charges at the same rate as "live" objects until the retention period expires. In an AI training environment where datasets are frequently updated, replaced, or temporary "scratch" files are created and deleted, the volume of soft-deleted bytes can quickly double or triple the effective storage footprint.

Options B and D are incorrect because moving from dual-region or multi-region to a single region would actually reduce storage costs, as regional storage is priced lower. Option A is incorrect because disabling the policy would stop the retention of deleted bytes, thereby lowering the bill. Therefore, checking for an active or recently enabled soft-delete policy is the standard troubleshooting step for sudden increases in storage costs associated with high-churn, large-file datasets.

According to the Google Cloud Architecture Framework: Performance Excellence, Local SSDs are the optimal choice for "scratch" space, temporary files, and workloads requiring the lowest possible latency and highest IOPS. Unlike Persistent Disks (Option C) or Filestore (Option B), which are network-attached, Local SSDs are physically attached to the server that hosts the virtual machine instance.

This physical proximity eliminates network latency, providing sub-millisecond access times which are critical for "frequently accessed and modified" temporary files during AI training and inference. For generative AI, where data shuffling and checkpointing are intensive, the high throughput of Local SSDs prevents the storage layer from becoming a bottleneck for the expensive GPU/TPU accelerators.

While the data on Local SSDs is ephemeral (lost if the VM is deleted or undergoes certain maintenance events), this perfectly matches Cymbal's requirement for "temporary files." Furthermore, Local SSDs can be more cost-effective than provisioning high-performance Persistent Disks of equivalent speed, as their performance is not tied to the disk size. Cloud Storage (Option A) is unsuitable for this specific use case due to the significantly higher latency of object-based storage compared to block-based local storage.

The Avro binary format is the preferred format for loading compressed data. Avro data is faster to load because the data can be read in parallel, even when the data blocks are compressed.

Cloud Storage supports streaming transfers with the gsutil tool or boto library, based on HTTP chunked transfer encoding. Streaming data lets you stream data to and from your Cloud Storage account as soon as it becomes available without requiring that the data be first saved to a separate file. Streaming transfers are useful if you have a process that generates data and you do not want to buffer it locally before uploading it, or if you want to send the result from a computational pipeline directly into Cloud Storage.

https://cloud.google.com/solutions/data-lifecycle-cloud-platform

https://cloud.google.com/solutions/designing-connected-vehicle-platform

Coldline Storage is the best choice for data that you plan to access at most once a year, due to its slightly lower availability, 90-day minimum storage duration, costs for data access, and higher per-operation costs. For example:

Cold Data Storage - Infrequently accessed data, such as data stored for legal or regulatory reasons, can be stored at low cost as Coldline Storage, and be available when you need it.

Disaster recovery - In the event of a disaster recovery event, recovery time is key. Cloud Storage provides low latency access to data stored as Coldline Storage.

Storageguarantees 2 replicates which are geo diverse (100 miles apart) which can get better remote latency and availability.

More importantly, is that multiregional heavily leverages Edge caching and CDNs to provide the content to the end users.

All this redundancy and caching means that Multiregional comes with overhead to sync and ensure consistency between geo-diverse areas. As such, it’s much better for write-once-read-many scenarios. This means frequently accessed (e.g. “hot” objects) around the world, such as website content, streaming videos, gaming or mobile applications.

Capacity planning, TCO calculations, opex/capex allocation From the case study, it can conclude that Management (CXO) all concern rapid provision of resources (infrastructure) for growing as well as cost management, such as Cost optimization in Infrastructure, trade up front capital expenditures (Capex) for ongoing operating expenditures (Opex), and Total cost of ownership (TCO)

https://cloud.google.com/endpoints/docs/openapi/about-cloud-endpoints?hl=en_US &_ga=2.21787131.-1712523161.1522785064

https://cloud.google.com/endpoints/docs/openapi/architecture-overview

https://cloud.google.com/storage/docs/gsutil/commands/test

Develop, deploy, protect and monitor your APIs with Google Cloud Endpoints. Using an Open API Specification or one of our API frameworks, Cloud Endpoints gives you the tools you need for every phase of API development.

From scenario:

Business Requirements

Decrease unplanned vehicle downtime to less than 1 week, without increasing the cost of carrying surplus inventory

Support the dealer network with more data on how their customers use their equipment to better position new products and services

Have the ability to partner with different companies – especially with seed and fertilizer suppliers in the fast-growing agricultural business – to create compelling joint offerings for their customers.

https://cloud.google.com/appengine/docs/flexible/go/authorizi ng-apps

https://cloud.googl e.com/docs/enterprise/best-practices-for-enterprise-organizations#delegate_application_authorization_with_oauth2

Delegate application authorization with OAuth2

Cloud Platform APIs support OAuth 2.0, and scopes provide granular authorization over the methods that are supported. Cloud Platform supports both service-account and user-account OAuth, also called three-legged OAuth.

based on the requirement of secure and high-performance connection between on-premises systems to Google Cloud

https://cloud.google.com/network-connectivity/docs/interconnect/tutorials/partner-creating-9999-availability

https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#disableexternalip

https://cloud.google.com/security/compliance/hipaa

https://cloud.google.com /pubsub/docs/publisher?hl=en#batching

The case does not call out the throughput being an issue. However, to achieve 99.99%, you need to have 4 connections as per Google recommendations. However, in the options only A has the option to add an additional Interconnect connection. https://cloud.google.com/network-connectivity/docs/interconnect/concepts/dedicated-overview#availability

Binary Authorization to ensure only verified containers are deployed To ensure deployment are secure and and consistent, automatically scan images for vulnerabilities with container analysis (https://cloud.google.com/docs/ci-cd/overview?hl=en &skip_cache=true)

https://cloud.google.com/kubernetes-engine/d ocs/concepts/private-cluster-concept#overview

Note: The principle of least privilege and separation of duties are concepts that, although semantically different, are intrinsically related from the standpoint of security. The intent behind both is to prevent people from having higher privilege levels than they actually need

Principle of Least Privilege: Users should only have the least amount of privileges required to perform their job and no more. This reduces authorization exploitation by limiting access to resources such as targets, jobs, or monitoring templates for which they are not authorized.

Separation of Duties: Beyond limiting user privilege level, you also limit user duties, or the specific jobs they can perform. No user should be given responsibility for more than one related function. This limits the ability of a user to perform a malicious action and then cover up that action.

https://cloud.google.com/iam/docs/understanding-service-accounts

Migrating data to Google Cloud Platform

Let’s say that you have some data processing that happens on another cloud provider and you want to transfer the processed data to Google Cloud Platform. You can use a service account from the virtual machines on the external cloud to push the data to Google Cloud Platform. To do this, you must create and download a service account key when you create the service account and then use that key from the external process to call the Cloud Platform APIs.

https://cloud.google.com/datastore/docs/concepts/overview

Common workloads for Google Cloud Datastore:

User profiles

Product catalogs

Game state

https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh

D: Handling "Unable to connect on port 22" error message

Possible causes include:

There is no firewall rule allowing SSH access on the port. SSH access on port 22 is enabled on all Compute Engine instances by default. If you have disabled access, SSH from the Browser will not work. If you run sshd on a port other than 22, you need to enable the access to that port with a custom firewall rule.

The firewall rule allowing SSH access is enabled, but is not configured to allow connections from GCP Console services. Source IP addresses for browser-based SSH sessions are dynamically allocated by GCP Console and can vary from session to session.

According to Google Cloud Compute Engine documentation, Spot VMs (formerly Preemptible VMs) are the most cost-effective choice for fault-tolerant, batch processing workloads. Since Altostrat’s jobs are "not time-critical" and can "tolerate occasional interruptions," Spot VMs offer a significant discount—typically 60-91%—compared to standard on-demand prices.

The "Reliability and cost management" priority mentioned in the executive statement is directly addressed by utilizing the spare capacity that Spot VMs provide. While these instances can be reclaimed by Google Cloud at any time (preempted) with a 30-second notice, Altostrat’s batch processing architecture (likely running on GKE or managed instance groups) can automatically reschedule these tasks when capacity becomes available again.

Option A (Reserved instances) requires a long-term commitment (1 or 3 years) and is better suited for predictable, constant workloads, not fluctuating batch jobs. Option C (Standard VMs) is unnecessarily expensive for workloads that do not require 100% uptime. Option D (Cloud Run functions) is excellent for event-driven, short-lived tasks but can become more expensive than Spot VMs for heavy, long-running batch computational demands. By leveraging Spot VMs, Altostrat achieves its goal of optimizing cloud storage and compute costs while maintaining the scalability required for its vast media library.

According to Google Cloud Architecture Framework and Cloud KMS documentation, when a customer requires direct control and auditability over the encryption keys used for data at rest, Customer-Managed Encryption Keys (CMEK) is the recommended path.

While Google Cloud encrypts all data at rest by default using Google-managed keys (Option B), Altostrat specifically requires control and auditability. By using CMEK through Cloud Key Management Service (Cloud KMS), Altostrat can manage the key rotation schedules, revoke access to keys immediately to "kill" access to the data, and view detailed logs in Cloud Audit Logs every time the key is used to encrypt or decrypt a media asset.

Option D is superior to Option C because client-side encryption with a self-managed HashiCorp Vault adds significant operational overhead and complexity, contradicting the business requirement to "Simplify infrastructure management." CMEK integrates natively with Cloud Storage, allowing for a seamless experience while meeting the strict security requirements for sensitive documentaries and interviews. Furthermore, the use of IAM roles and groups for fine-grained access control aligns with the principle of least privilege, ensuring that only authorized service accounts and users can access the sensitive buckets and the keys required to decrypt them.

According to the Apigee API Platform documentation, the Quota policy is the primary mechanism used to enforce business-level constraints by limiting the number of request messages an API proxy allows over a specific period of time (such as a minute, hour, day, week, or month). For a media company like Altostrat, which aims to "unlock new revenue streams through targeted marketing" and "drive revenue growth," managing API consumption is critical for cost predictability and monetization strategies.

Google Cloud distinguishes between Spike Arrest and Quota policies. While Spike Arrest is designed for operational safety—protecting backend systems from sudden traffic bursts—the Quota policy is specifically used to enforce business contracts, Service Level Agreements (SLAs), and cost management. By configuring a Quota policy, Altostrat can ensure that no single consumer or application exceeds the total volume of calls that would result in unexpected infrastructure costs or exceed the limits of their current subscription tier.

Options A and B (API Key and OAuth) are essential for authentication and authorization—identifying who is making the call—but they do not inherently limit the volume of calls. Option D (XML threat protection) is a security measure to prevent malformed payload attacks. Therefore, to meet the specific business requirement of "Reliability and cost management," implementing Quota policies within Apigee is the architecturally correct choice to prevent API abuse and manage operational expenditure.

According to the Google Cloud Architecture Framework: Software Development and Delivery section, unit testing is the foundational practice for verifying the smallest parts of an application—such as functions, classes, or individual microservices—in complete isolation. The requirement specifically asks for a method to ensure services function correctly "in isolation," which is the primary definition of a unit test.

In Altostrat’s modernized CI/CD environment, unit tests are executed early in the pipeline (the "left" side of DevSecOps). They typically use "mocks" or "stubs" to simulate external dependencies like BigQuery, Cloud Storage, or other microservices. This ensures that the internal logic of a specific service—for instance, the metadata extraction logic or the pricing algorithm—is mathematically and logically sound before it interacts with the rest of the system.

While Integration testing (Option D) is vital for ensuring services talk to each other correctly, it does not test them "in isolation." End-to-end testing (Option C) validates the entire user journey but is slow and complex to debug. Load testing (Option B) focuses on performance under stress rather than functional correctness. To meet the technical requirement of "Modernize CI/CD for containerized deployments," Altostrat must prioritize a robust suite of unit tests to provide developers with rapid feedback and ensure the high reliability of their operational workflows.