Passing the Google Cloud Professional Cloud Architect Exam

Hil Liao
5 min read · Dec 4, 2023

It was the 3rd time I passed the exam. The exam has changed from being infrastructure-migration focused to being more cloud-optimization and cost-saving focused. I remember Cloud Storage Nearline and Coldline questions always appeared in the first 2 exams, but they did not appear this time. The difficulty level has increased every time I took the exam. Some of the Compute Engine related questions require deep knowledge of how managed instance groups, regional disks, and instance schedules work. Most of the questions don't require deep knowledge, but general architectural understanding.

  1. You want to deploy a non-critical update to a Compute Engine managed instance group (MIG) in production. You want to cause minimal interruption to the existing application. What should you do? Create a MIG rolling update policy: opportunistic, for non-critical updates. The other update policy options were wrong.
  2. You configured a MIG to scale based on the memory usage of the instances with the metric agent.googleapis.com/memory/percent_used and the following metric filters: metric.labels.state = "used" AND metric.labels.state = "buffered" AND metric.labels.state = "cached"; you set metric-utilization-target-type=gauge. However, the MIG does not scale properly based on memory. What's the fix? Change the metric filter to metric.labels.state = "used". Changing the target type from gauge to delta-per-second and changing the metric from percent_used to bytes_used were wrong.
  3. The organization has users in departments who only need permissions in their departmental projects; they don't need access to other departments' projects. What should you do? Create a folder for each department and a Google group for each department's users. Grant the Google groups the project IAM roles at the folder level. Options that did not use Google groups or folders were wrong.
  4. Your company just acquired another company. Each company has its own GCP organization and VPC network. You want to enable calling the microservices in the acquired company's VPC network. Some subnets have overlapping IP ranges, but the applications are in a subnet that does not overlap with the called microservices' subnet ranges. What's the cost-effective method that does not require re-engineering the solutions? VPC peering can't work with overlapping subnets. Shared VPC is not possible across organizations. A Cloud HA VPN gateway connecting the 2 VPC networks is the answer.
  5. How can the Helicopter Racing League explain the model's prediction results? Vertex AI Workbench, Vertex AI Pipelines, or Vertex Explainable AI? The last is correct.
  6. You want to architect a GKE cluster for the EHR Healthcare company in the most secure manner. How should you design the cluster creation options? Public nodes or control planes are not as secure. Configure a GKE private control plane, private nodes, and master authorized networks.
  7. The organization has configured Cloud Identity and the GCP organization. All users use Cloud Identity to sign in to their Google Accounts. How can you grant IAM roles to users who are not in the organization's domain? Implement an organization policy to allow IAM role bindings for configured organizational domains: constraints/iam.allowedPolicyMemberDomains.
  8. You want to create a 99.99% available hybrid connection between Google Cloud and the on-prem environment. What is the most cost-effective method? Create a Classic VPN, create 2 HA VPN gateways, or create an HA VPN gateway with 2 tunnels? The last option is correct. The option with 2 VPN gateways was more expensive.
  9. The security team wants to prevent and mitigate data exfiltration risks. The environment contains HA VPN gateways to the on-prem environments. What should you do? Removing users who don't need access to the bucket on the IAM page was the wrong answer. The correct answer was: configure Private Google Access for on-prem hosts, and configure a VPC Service Controls perimeter for accessing BigQuery and storage buckets from on-prem hosts.
  10. How do you create a deployment strategy for testing new versions of Cloud Run services in production before sending all the traffic to them? Use the Cloud console to configure a Cloud Build trigger based on pushes to a branch, and configure $Traffic_Percentage to send a portion of the traffic to the new versions.
  11. The organization does not allow external IPs for Compute Engine instances, except for specially allowed instances in one project. What should you do? Configure the organization policy constraint constraints/compute.vmExternalIpAccess to deny at the organization level and allow at the project level.
  12. You are debugging the slow performance of a Dataflow job ingesting data from Pub/Sub into a Bigtable cluster. The DevOps team has identified hotspots in the Bigtable cluster. What should you do? Redesign the row key so that writes spread evenly across the alphabet.
  13. Users are complaining that the performance of certain applications hosted on Compute Engine has degraded in the past week. What should you do? Investigate the slow application performance in Cloud Logging and Cloud Monitoring before adjusting the machine type or creating a MIG.
  14. Your company has a security policy against storing PII data from 3rd parties. You need to ingest 3rd-party data that contains PII in a few columns. What's the solution? Remove the PII before the data enters the projects by running a Dataflow job that executes DLP to remove the PII and then inserts the data into BigQuery. Options that ingested the data first and then removed or encrypted the PII were wrong.
  15. A bank needs mortgage application files to be retained for 5 years. The files are stored in Cloud Storage buckets and should not be deleted or overwritten. Create a bucket retention policy to prevent deletion of or changes to objects for 5 years.
  16. How do you track any changes made to files in storage buckets? Enable bucket object versioning.
  17. The production project needs Compute Engine instances to run all the time. The dev and test projects only need Compute Engine instances to be running between 9 am and 5 pm weekly; what should you do? Wrong: use Spot instances for the dev and test projects, use a MIG for the dev and test projects; correct: configure Compute Engine instance schedules to stop and start the instances in the dev and test projects.
  18. What's the quickest method to resolve an application not responding to requests because the server CPU is at 100%? The managed instance group (MIG) has reached its maximum configured instance count. Wrong: kill the process running at 100% CPU, change the machine type; correct: increase the size limit in the MIG.
  19. A music streaming service provider uses a Compute Engine managed instance group for the music streaming application. The music files are streamed directly from storage buckets. Users are complaining that they have to click the play button multiple times for some music. What should you do? Configure a global HTTP(S) load balancer with 2 backends, where one backend is the MIG and the other is the storage bucket. Configure the content delivery network (Cloud CDN) on the bucket backend.
  20. You installed Anthos Service Mesh and Anthos Config Management on a GKE cluster. A microservice deployed to the cluster has increased latency when calling other microservices. How can you troubleshoot? Wrong: use the Anthos Config Management clusterSelector or cluster-name-selector; correct: use the Anthos Service Mesh observability service topology graph to see the upstream service latency.
  21. There was a question about publishing with batching settings or configuring publish retry settings to avoid timeouts. The scenario's application is experiencing publishing timeouts. I can't remember which option to choose, but I probably answered it wrong.
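As an added example (not code from the original post), the following shell script writes the legacy-format organization policy files for question 11 (deny external IPs org-wide, then allow only named instances in one project with inheritFromParent: false) and question 7 (constraints/iam.allowedPolicyMemberDomains), and, only when run with the argument apply, pushes them with gcloud and prints the effective policy on the project. ORG_ID, PROJECT_ID, ZONE, INSTANCE_NAME and the Cloud Identity CUSTOMER_ID are placeholders, not values from the post.

```shell
# Placeholders: replace every ID below (or export the variables) before running with "apply".
ORG_ID="${ORG_ID:-ORG_ID_PLACEHOLDER}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
ZONE="${ZONE:-us-central1-a}"
INSTANCE_NAME="${INSTANCE_NAME:-bastion-1}"
CUSTOMER_ID="${CUSTOMER_ID:-C0_CUSTOMER_ID_PLACEHOLDER}"  # Cloud Identity customer ID

# Org level: no instance anywhere in the organization may be given an external IP.
write_org_external_ip_policy() {
  cat > "$1" <<EOF
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  allValues: DENY
EOF
}

# Project level: drop the inherited deny and allow only the named instance.
write_project_external_ip_policy() {
  cat > "$1" <<EOF
constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  inheritFromParent: false
  allowedValues:
  - projects/${PROJECT_ID}/zones/${ZONE}/instances/${INSTANCE_NAME}
EOF
}

# Org level: IAM bindings may only reference members of the listed Cloud Identity domain.
write_domain_restriction_policy() {
  cat > "$1" <<EOF
constraint: constraints/iam.allowedPolicyMemberDomains
listPolicy:
  allowedValues:
  - ${CUSTOMER_ID}
EOF
}

# Push the three policies, then check what is effectively in force on the project.
apply_policies() {
  write_org_external_ip_policy deny-external-ip.yaml
  write_project_external_ip_policy allow-external-ip.yaml
  write_domain_restriction_policy domain-restriction.yaml
  gcloud resource-manager org-policies set-policy deny-external-ip.yaml --organization="$ORG_ID"
  gcloud resource-manager org-policies set-policy allow-external-ip.yaml --project="$PROJECT_ID"
  gcloud resource-manager org-policies set-policy domain-restriction.yaml --organization="$ORG_ID"
  gcloud resource-manager org-policies describe constraints/compute.vmExternalIpAccess --project="$PROJECT_ID" --effective
}
# Only talk to gcloud when explicitly asked: sh policies.sh apply
if [ "${1:-}" = "apply" ]; then apply_policies; fi
```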

There were 50 questions in total. The first 12 were from the case study; those are usually the harder ones. The exam process has improved. You no longer need to use the webcam to show your government-issued ID. Before the exam starts, you use a QR code to take a picture of yourself and the government ID. You are still asked to use the webcam to show your surroundings. I used an $80 refurbished Lenovo ThinkCentre M710S and a $15 webcam to take the exam. I believe you are required to have a microphone on the PC.
