
Preparing For PCA Workbook


Preparing for Your Professional Cloud Architect Journey

Course Workbook
Certification Exam Guide Sections
1 Designing and planning a cloud solution architecture

2 Managing and provisioning a solution infrastructure

3 Designing for security and compliance

4 Analyzing and optimizing technical and business processes

5 Managing implementation

6 Ensuring solution and operations reliability


Section 1: Designing and planning a cloud solution architecture

Cymbal Direct case study

Cymbal Direct case study - 01

Company overview

Cymbal Direct is an online direct-to-consumer Chicago-based footwear and apparel retailer founded in 2008 and acquired by Cymbal Group in 2010. Cymbal Direct is a fair trade and B Corp certified, sustainability-focused company that works with cotton farmers to reinvest in their communities, a fact which appeals to Cymbal Direct’s younger target market demographic.

Solution concept

1) The beta Delivery by Drone initiative enables licensed drone pilots to team up with Cymbal Direct to deliver shoes and sandals to customers via drone. DBD allows customers to place their orders and then get their shoes delivered in an expedited amount of time. The drones stream real-time video to their pilots, as well as their coordinates, so that customers can see the location of their shoes on a map.

2) Cymbal Direct wants to release official APIs for partners. APIs will be published in a controllable, versionable way, with the ability to track, secure and monetize.

3) A social integration service initiative which highlights images hashtagged with Cymbal Direct’s products, using machine learning to ensure images are appropriate. The social media highlighting service is currently proof-of-concept. Built by a developer in their own time after hours as an experiment, the service garnered a lot of excitement and interest, especially from the marketing team. During one of the internal demos, however, inappropriate images were included in the product gallery.
Cymbal Direct case study - 02

Existing technical environment

Delivery by Drone is an experiment by the supply chain and logistics team. Their core customer-facing application does order processing, showing the current status and location of their delivery. The drones connect via the cellular network. The drones use the drone API to receive commands and send real-time information and video about their location and status.

The existing technical environment includes:
● A website frontend and pilot and truck management systems run on Kubernetes
● Positional data for drone and truck location kept in MongoDB database clusters
● Drones connected to virtual machines using a stateful connection, streaming video via RTMP to the pilots and sending commands from the pilots to the drones

Purchase & Product APIs were developed over time as the business was being built. They were initially only intended to be used in-house, and not exposed to 3rd parties and partners.
● Many of the APIs are simply built into monolithic apps, and were not designed for partner integration, lacking functionality such as versioning.
● The majority of the APIs run on Ubuntu Linux VMs, and scaling has been somewhat difficult because of the use of virtual machines and monolithic architecture.
● APIs do not have a built-in mechanism for supporting multiple accounts, and granting access is very limited as a result.

The social media highlighting service currently runs on a single virtual machine, and while it does work, it has some performance and scalability issues. Its stack:
● SuSE Linux
● MySQL DB
● Redis
● Python
Cymbal Direct case study - 03

Business requirements
● Easily scale to handle additional demand when needed and expand to more test markets.
● Streamline development for application modernization and new features/products.
● Ensure that developers spend as much time on core business functionality as possible, and not have to worry about scalability wherever possible.
● Let partners order directly via API.
● Deploy a production version of the social media highlighting service and ensure no inappropriate content.

Technical requirements
● Move to managed services wherever possible.
● Ensure that developers can deploy container-based workloads to testing and production environments in a highly scalable environment.
● Standardize on containers where possible, but also allow for existing virtualization infrastructure to run as-is without a re-write, so it can be slowly refactored over time.
● Securely allow partner integration.
● Stream IoT data from drones.
Cymbal Direct case study - 04

Executive statement

Cymbal Direct has three areas of strategic focus: improving customer experience, leveraging analytics, and improving digital
marketing. Cymbal Direct has experienced rapid growth and has had trouble meeting demand. The organization wants to
implement solutions that will help scale services and personalize customer experiences. Cymbal Direct wants to be able to
dynamically surge delivery during peak periods.

Cymbal Direct also wants to be able to facilitate large scale B2B orders and better predict customer demand and trends. The
organization wants to ensure the security of its B2B partners’ business plans and make it easier for those partners to
integrate with Cymbal Direct’s APIs to submit orders and specify customizations.

Cymbal Direct also wants to integrate social media and marketing applications into its platform. They would like to be able to
highlight posts on social media platforms which feature Cymbal Direct products directly on their product pages, but are
concerned about the possibility of having unsavory content shown to users accidentally.
Cymbal Direct case study - 05

Potential solutions

Existing environment:
Website frontend, pilot, and truck management systems run on Kubernetes

Technical requirements (does it…?):
● Move to managed services wherever possible
● Ensure that developers can deploy container-based workloads to testing and production environments in a highly scalable environment.
● Standardize on containers where possible

Business requirements (does it…?):
● Easily scale to handle additional demand when needed?
● Streamline development?

Proposed product/solution:
● Global HTTP(S) Load Balancer
● GKE in two regions
● Autoscaler
● Private cluster
● Separate projects for website / pilot / truck management - dev, test, staging for each
● Cloud Build
● Cloud Source Repository
● Artifact Registry
● Migration type: lift and shift
● Automation tooling: Terraform
● Firewall rules - http/s
● Separate IAM roles for developers and devops
● Replace GKE with Cloud Run for website (future)
1.1 Diagnostic Question 01

Cymbal Direct drones continuously send data during deliveries. You need to process and analyze the incoming telemetry data. After processing, the data should be retained, but it will only be accessed once every month or two. Your CIO has issued a directive to incorporate managed services wherever possible. You want a cost-effective solution to process the incoming streams of data.

What should you do?

A. Ingest data with ClearBlade IoT Core, process it with Dataprep, and store it in a Coldline Cloud Storage bucket.
B. Ingest data with ClearBlade IoT Core, and then publish to Pub/Sub. Use Dataflow to process the data, and store it in a Nearline Cloud Storage bucket.
C. Ingest data with ClearBlade IoT Core, and then publish to Pub/Sub. Use BigQuery to process the data, and store it in a Standard Cloud Storage bucket.
D. Ingest data with ClearBlade IoT Core, and then store it in BigQuery.


1.1 Diagnostic Question 02

Customers need to have a good experience when accessing your web application so they will continue to use your service. You want to define key performance indicators (KPIs) to establish a service level objective (SLO).

Which KPI could you use?

A. Eighty-five percent of customers are satisfied users
B. Eighty-five percent of requests succeed when aggregated over 1 minute
C. Low latency for > 85% of requests when aggregated over 1 minute
D. Eighty-five percent of requests are successful
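As an added illustration (not from the workbook), the following Python computes an availability SLI and a latency SLI over 1-minute windows from constructed request log lines and compares each window against an 85% target, alongside the same ratio computed without any window. The log format, the 300 ms "low latency" bound and the sample data are assumptions made for the example.

```python
"""Per-minute availability and latency KPIs from request logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO-8601 UTC timestamp> <HTTP status> <latency ms>"
SAMPLE_LOG = """\
2024-05-01T10:00:03Z 200 120
2024-05-01T10:00:15Z 200 95
2024-05-01T10:00:41Z 503 30
2024-05-01T10:00:55Z 200 410
2024-05-01T10:00:58Z 200 150
2024-05-01T10:01:02Z 200 88
2024-05-01T10:01:10Z 500 12
2024-05-01T10:01:20Z 200 130
2024-05-01T10:01:33Z 200 140
2024-05-01T10:01:40Z 200 70
2024-05-01T10:01:48Z 200 95
2024-05-01T10:01:59Z 200 110
"""

SLO_TARGET = 0.85            # "85% of requests", as in the question
LATENCY_THRESHOLD_MS = 300   # constructed bound for what counts as "low latency"


def parse_log(text):
    """Yield (timestamp, status, latency_ms) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, latency = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, int(status), int(latency)


def minute_windows(records):
    """Group records into 1-minute buckets keyed by the start of the minute."""
    buckets = defaultdict(list)
    for when, status, latency in records:
        buckets[when.replace(second=0, microsecond=0)].append((status, latency))
    return dict(sorted(buckets.items()))


def availability_sli(window):
    """Fraction of requests in the window that did not fail with a 5xx status."""
    good = sum(1 for status, _ in window if status < 500)
    return good / len(window)


def latency_sli(window, threshold_ms=LATENCY_THRESHOLD_MS):
    """Fraction of requests in the window served faster than the threshold."""
    fast = sum(1 for _, latency in window if latency < threshold_ms)
    return fast / len(window)


def evaluate(text, target=SLO_TARGET):
    """Per-minute SLIs; a window meets the SLO only if both SLIs reach the target."""
    result = {}
    for minute, window in minute_windows(parse_log(text)).items():
        avail = availability_sli(window)
        lat = latency_sli(window)
        result[minute.isoformat()] = {
            "availability": round(avail, 3),
            "latency": round(lat, 3),
            "meets_slo": avail >= target and lat >= target,
        }
    return result


def overall_availability(text):
    """The unwindowed ratio: it hides which minutes actually breached the target."""
    records = list(parse_log(text))
    good = sum(1 for _, status, _ in records if status < 500)
    return round(good / len(records), 3)


if __name__ == "__main__":
    for minute, kpis in evaluate(SAMPLE_LOG).items():
        print(minute, kpis)
    print("overall availability:", overall_availability(SAMPLE_LOG))
```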


1.1 Designing a solution infrastructure that meets business requirements

Resources to start your journey

Google Cloud Architecture Framework: System design
SRE Books
1.2 Diagnostic Question 03

Cymbal Direct developers have written a new application. Based on initial usage estimates, you decide to run the application on Compute Engine instances with 15 Gb of RAM and 4 CPUs. These instances store persistent data locally. After the application runs for several months, historical data indicates that the application requires 30 Gb of RAM. Cymbal Direct management wants you to make adjustments that will minimize costs.

What should you do?

A. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type e2-standard-8. Start the instance again.
B. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type e2-standard-8. Set the instance’s metadata to: preemptible: true. Start the instance again.
C. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type 2-custom-4-30720. Start the instance again.
D. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type 2-custom-4-30720. Set the instance’s metadata to: preemptible: true. Start the instance again.
1.2 Designing a solution infrastructure that meets technical requirements

Resources to start your journey

Google Cloud Architecture Framework: System design


1.3 Diagnostic Question 04

You are creating a new project. You plan to set up a Dedicated Interconnect between two of your data centers in the near future and want to ensure that your resources are only deployed to the same regions where your data centers are located. You need to make sure that you don’t have any overlapping IP addresses that could cause conflicts when you set up the interconnect. You want to use RFC 1918 class B address space.

What should you do?

A. Create a new project, leave the default network in place, and then use the default 10.x.x.x network range to create subnets in your desired regions.
B. Create a new project, delete the default VPC network, set up an auto mode VPC network, and then use the default 10.x.x.x network range to create subnets in your desired regions.
C. Create a new project, delete the default VPC network, set up a custom mode VPC network, and then use IP addresses in the 172.16.x.x address range to create subnets in your desired regions.
D. Create a new project, delete the default VPC network, set up the network in custom mode, and then use IP addresses in the 192.168.x.x address range to create subnets in your desired zones. Use VPC Network Peering to connect the zones in the same region to create regional networks.
1.3 Diagnostic Question 05

Cymbal Direct is working with Cymbal Retail, a separate, autonomous division of Cymbal with different staff, networking teams, and data center. Cymbal Direct and Cymbal Retail are not in the same Google Cloud organization. Cymbal Retail needs access to Cymbal Direct’s web application for making bulk orders, but the application will not be available on the public internet. You want to ensure that Cymbal Retail has access to your application with low latency. You also want to avoid egress network charges if possible.

What should you do?

A. Verify that the subnet range Cymbal Retail is using doesn’t overlap with Cymbal Direct’s subnet range, and then enable VPC Network Peering for the project.
B. If Cymbal Retail does not have access to a Google Cloud data center, use Carrier Peering to connect the two networks.
C. Specify Cymbal Direct’s project as the Shared VPC host project, and then configure Cymbal Retail’s project as a service project.
D. Verify that the subnet Cymbal Retail is using has the same IP address range as Cymbal Direct’s subnet range, and then enable VPC Network Peering for the project.
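Both Question 04 (RFC 1918 class B space, no conflicts with the data-center ranges) and Question 05 (checking a peer's subnet range before peering) come down to the same pre-flight check. As an added example that is not part of the workbook, this Python validates a planned list of subnets against the required RFC 1918 block and against every range already in use; the on-premises, peer and planned CIDRs are constructed values.

```python
"""Pre-flight check of planned VPC subnets against RFC 1918 space and existing ranges.

Added example; the CIDR lists below are constructed for illustration.
"""
import ipaddress

# RFC 1918 private blocks, labelled with the class names the question uses.
RFC1918_BLOCKS = {
    "class A": ipaddress.ip_network("10.0.0.0/8"),
    "class B": ipaddress.ip_network("172.16.0.0/12"),
    "class C": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed: ranges already in use in the two on-premises data centers.
ON_PREM_RANGES = ["10.0.0.0/16", "10.1.0.0/16"]
# Constructed: range a prospective peer (Cymbal Retail in the question) reports using.
PEER_RANGES = ["172.20.0.0/16"]

# Constructed plans: one that should pass, one that should be rejected.
PLANNED_GOOD = ["172.16.10.0/24", "172.16.20.0/24"]
PLANNED_BAD = ["10.0.5.0/24", "172.20.1.0/24", "8.8.8.0/24"]


def rfc1918_class(cidr):
    """Return the RFC 1918 block label a CIDR falls in, or None if it is not private."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set
    for label, block in RFC1918_BLOCKS.items():
        if net.subnet_of(block):
            return label
    return None


def find_overlaps(planned, existing):
    """Return (planned_cidr, existing_cidr) pairs whose address ranges overlap."""
    overlaps = []
    for p in planned:
        p_net = ipaddress.ip_network(p)
        for e in existing:
            if p_net.overlaps(ipaddress.ip_network(e)):
                overlaps.append((p, e))
    return overlaps


def validate_plan(planned, existing, required_class="class B"):
    """Check every planned subnet sits in the required block and overlaps nothing.

    Returns (ok, problems); problems is a list of human-readable findings.
    """
    problems = []
    for cidr in planned:
        cls = rfc1918_class(cidr)
        if cls != required_class:
            problems.append(f"{cidr}: expected {required_class} space, got {cls or 'public'}")
    for p, e in find_overlaps(planned, existing):
        problems.append(f"{p}: overlaps existing range {e}")
    return (not problems, problems)


if __name__ == "__main__":
    existing = ON_PREM_RANGES + PEER_RANGES
    for plan in (PLANNED_GOOD, PLANNED_BAD):
        ok, problems = validate_plan(plan, existing)
        print("OK" if ok else "REJECT", plan)
        for finding in problems:
            print("  -", finding)
```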


1.3 Diagnostic Question 06

Cymbal Direct's employees will use Google Workspace. Your current on-premises network cannot meet the requirements to connect to Google's public infrastructure.

What should you do?

A. Order a Dedicated Interconnect from a Google Cloud partner, and ensure that proper routes are configured.
B. Connect the network to a Google point of presence, and enable Direct Peering.
C. Order a Partner Interconnect from a Google Cloud partner, and ensure that proper routes are configured.
D. Connect the on-premises network to Google’s public infrastructure via a partner that supports Carrier Peering.
1.3 Diagnostic Question 07

Cymbal Direct is evaluating database options to store the analytics data from its experimental drone deliveries. You're currently using a small cluster of MongoDB NoSQL database servers. You want to move to a managed NoSQL database service with consistent low latency that can scale throughput seamlessly and can handle the petabytes of data you expect after expanding to additional markets.

What should you do?

A. Extract the data from MongoDB. Insert the data into Firestore using Datastore mode.
B. Create a Bigtable instance, extract the data from MongoDB, and insert the data into Bigtable.
C. Extract the data from MongoDB. Insert the data into Firestore using Native mode.
D. Extract the data from MongoDB, and insert the data into BigQuery.


1.3 Diagnostic Question 08

You are working with a client who is using Google Kubernetes Engine (GKE) to migrate applications from a virtual machine–based environment to a microservices-based architecture. Your client has a complex legacy application that stores a significant amount of data on the file system of its VM. You do not want to re-write the application to use an external service to store the file system data.

What should you do?

A. In Cloud Shell, create a YAML file defining your Deployment called deployment.yaml. Create a Deployment in GKE by running the command kubectl apply -f deployment.yaml
B. In Cloud Shell, create a YAML file defining your Container called build.yaml. Create a Container in GKE by running the command gcloud builds submit --config build.yaml .
C. In Cloud Shell, create a YAML file defining your StatefulSet called statefulset.yaml. Create a StatefulSet in GKE by running the command kubectl apply -f statefulset.yaml
D. In Cloud Shell, create a YAML file defining your Pod called pod.yaml. Create a Pod in GKE by running the command kubectl apply -f pod.yaml


1.3 Designing network, storage, and compute resources

Resources to start your journey

Choose and manage compute | Architecture Framework | Google Cloud
Design your network infrastructure | Architecture Framework | Google Cloud
Select and implement a storage strategy | Architecture Framework | Google Cloud
Google Cloud documentation
1.4 Diagnostic Question 09

You are working in a mixed environment of VMs and Kubernetes. Some of your resources are on-premises, and some are in Google Cloud. Using containers as a part of your CI/CD pipeline has sped up releases significantly. You want to start migrating some of those VMs to containers so you can get similar benefits. You want to automate the migration process where possible.

What should you do?

A. Manually create a GKE cluster, and then use Migrate to Containers (Migrate for Anthos) to set up the cluster, import VMs, and convert them to containers.
B. Use Migrate to Containers (Migrate for Anthos) to automate the creation of Compute Engine instances to import VMs and convert them to containers.
C. Manually create a GKE cluster. Use Cloud Build to import VMs and convert them to containers.
D. Use Migrate for Compute Engine to import VMs and convert them to containers.
1.4 Creating a migration plan

Resources to start your journey

Migrate for Anthos and GKE
Migration to Google Cloud: Choosing your migration path
Migrating to the cloud: a guide and checklist
Cloud Migration Products & Services
Application Migration | Google Cloud
1.5 Diagnostic Question 10

Cymbal Direct has created a proof of concept for a social integration service that highlights images of its products from social media. The proof of concept is a monolithic application running on a single SuSE Linux virtual machine (VM). The current version requires increasing the VM’s CPU and RAM in order to scale. You would like to refactor the VM so that you can scale out instead of scaling up.

What should you do?

A. Move the existing codebase and VM provisioning scripts to git, and attach external persistent volumes to the VMs.
B. Make sure that the application declares any dependent requirements in a requirements.txt or equivalent statement so that they can be referenced in a startup script. Specify the startup script in a managed instance group template, and use an autoscaling policy.
C. Make sure that the application declares any dependent requirements in a requirements.txt or equivalent statement so that they can be referenced in a startup script, and attach external persistent volumes to the VMs.
D. Use containers instead of VMs, and use a GKE autoscaling deployment.
1.5 Envisioning future solution improvements

Resources to start your journey

Twelve-factor app development on Google Cloud | Cloud Architecture Center
Section 2: Managing and provisioning a solution infrastructure
2.1 Diagnostic Question 01

Cymbal Direct must meet compliance requirements. You need to ensure that employees with valid accounts cannot access their VPC network from locations outside of its secure corporate network, including from home. You also want a high degree of visibility into network traffic for auditing and forensics purposes.

What should you do?

A. Ensure that all users install Cloud VPN. Enable VPC Flow Logs for the networks you need to monitor.
B. Enable VPC Service Controls, define a network perimeter to restrict access to authorized networks, and enable VPC Flow Logs for the networks you need to monitor.
C. Enable Identity-Aware Proxy (IAP) to allow users to access services securely. Use Google Cloud’s operations suite to view audit logs for the networks you need to monitor.
D. Enable VPC Service Controls, and use Google Cloud’s operations suite to view audit logs for the networks you need to monitor.


2.1 Diagnostic Question 02

You are working with a client who has built a secure messaging application. The application is open source and consists of two components. The first component is a web app, written in Go, which is used to register an account and authorize the user’s IP address. The second is an encrypted chat protocol that uses TCP to talk to the backend chat servers running Debian. If the client's IP address doesn't match the registered IP address, the application is designed to terminate their session. The number of clients using the service varies greatly based on time of day, and the client wants to be able to easily scale as needed.

What should you do?

A. Deploy the web application using the App Engine standard environment with a global external HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
B. Deploy the web application using the App Engine flexible environment with a global external HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
C. Deploy the web application using the App Engine standard environment with a global external HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the backend chat servers. Use a global SSL proxy load balancer to load-balance traffic across the backend chat servers.
D. Deploy the web application using the App Engine standard environment with a global external HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
2.1 Configuring network topologies

Resources to start your journey

VPC network overview | Google Cloud
Choosing a Network Connectivity product | Google Cloud
Cloud VPN overview
Best practices | Cloud Interconnect
Options for connecting to multiple VPC networks | Cloud Interconnect
Best practices for enterprise organizations | Documentation | Google Cloud
2.2 Diagnostic Question 03

Cymbal Direct's user account management app allows users to delete their accounts whenever they like. Cymbal Direct also has a very generous 60-day return policy for users. The customer service team wants to make sure that they can still refund or replace items for a customer even if the customer’s account has been deleted.

What can you do to ensure that the customer service team has access to relevant account information?

A. Temporarily disable the account for 30 days. Export account information to Cloud Storage, and enable lifecycle management to delete the data in 60 days.
B. Ensure that the user clearly understands that after they delete their account, all their information will also be deleted. Remind them to download a copy of their order history and account information before deleting their account. Have the support agent copy any open or recent orders to a shared spreadsheet.
C. Restore a previous copy of the user information database from a snapshot. Have a database administrator capture needed information about the customer.
D. Disable the account. Export account information to Cloud Storage. Have the customer service team permanently delete the data after 30 days.
2.2 Configuring individual storage systems

Resources to start your journey

Select and implement a storage strategy | Architecture Framework | Google Cloud
Best practices for Cloud Storage
Enterprise tier | Filestore | Google Cloud
Design an optimal storage strategy for your cloud workload
Storage options | Compute Engine Documentation | Google Cloud
Cloud Storage Options | Google Cloud
Object storage vs block storage vs file storage: which should you choose? | Google Cloud Blog
2.3 Diagnostic Question 04

Cymbal Direct wants to create a pipeline to automate the building of new application releases.

What sequence of steps should you use?

A. Set up a source code repository. Run unit tests. Check in code. Deploy. Build a Docker container.
B. Check in code. Set up a source code repository. Run unit tests. Deploy. Build a Docker container.
C. Set up a source code repository. Check in code. Run unit tests. Build a Docker container. Deploy.
D. Run unit tests. Deploy. Build a Docker container. Check in code. Set up a source code repository.
2.3 Diagnostic Question 05

Your existing application runs on Ubuntu Linux VMs in an on-premises hypervisor. You want to deploy the application to Google Cloud with minimal refactoring.

What should you do?

A. Set up a Google Kubernetes Engine (GKE) cluster, and then create a deployment with an autoscaler.
B. Isolate the core features that the application provides. Use Cloud Run to deploy each feature independently as a microservice.
C. Use Dedicated or Partner Interconnect to connect the on-premises network where your application is running to your VPC. Configure an endpoint for a global external HTTP(S) load balancer that connects to the existing VMs.
D. Write Terraform scripts to deploy the application as Compute Engine instances.
2.3 Diagnostic Question 06

Cymbal Direct needs to use a tool to deploy its infrastructure. You want something that allows for repeatable deployment processes, uses a declarative language, and allows parallel deployment. You also want to deploy infrastructure as code on Google Cloud and other cloud providers.

What should you do?

A. Automate the deployment with Terraform scripts.
B. Automate the deployment using scripts containing gcloud commands.
C. Use Google Kubernetes Engine (GKE) to create deployments and manifests for your applications.
D. Develop in Docker containers for portability and ease of deployment.


2.3 Diagnostic Question 07

Cymbal Direct wants to allow partners to make orders programmatically, without having to speak on the phone with an agent.

What should you consider when designing the API?

A. The API backend should be loosely coupled. Clients should not be required to know too many details of the services they use. REST APIs using gRPC should be used for all external APIs.
B. The API backend should be tightly coupled. Clients should know a significant amount about the services they use. REST APIs using gRPC should be used for all external APIs.
C. The API backend should be loosely coupled. Clients should not be required to know too many details of the services they use. For REST APIs, HTTP(S) is the most common protocol.
D. The API backend should be tightly coupled. Clients should know a significant amount about the services they use. For REST APIs, HTTP(S) is the most common protocol used.
2.3 Diagnostic Question 08

Cymbal Direct wants a layered approach to security when setting up Compute Engine instances.

What are some options you could use to make your Compute Engine instances more secure?

A. Use labels to allow traffic only from certain sources and ports. Turn on Secure Boot and vTPM.
B. Use labels to allow traffic only from certain sources and ports. Use a Compute Engine service account.
C. Use network tags to allow traffic only from certain sources and ports. Turn on Secure Boot and vTPM.
D. Use network tags to allow traffic only from certain sources and ports. Use a Compute Engine service account.
2.3 Diagnostic Question 09

You have deployed your frontend web application in Kubernetes. Based on historical use, you need three pods to handle normal demand. Occasionally your load will roughly double. A load balancer is already in place.

How could you configure your environment to efficiently meet that demand?

A. Edit your pod's configuration file and change the number of replicas to six.
B. Edit your deployment's configuration file and change the number of replicas to six.
C. Use the "kubectl autoscale" command to change the pod's maximum number of instances to six.
D. Use the "kubectl autoscale" command to change the deployment’s maximum number of instances to six.
2.3 Diagnostic Question 10

You need to deploy a load balancer for a web-based application with multiple backends in different regions. You want to direct traffic to the backend closest to the end user, but also to different backends based on the URL the user is accessing.

Which of the following could be used to implement this?

A. The request is received by the global external HTTP(S) load balancer. A global forwarding rule sends the request to a target proxy, which checks the URL map and selects the backend service. The backend service sends the request to Compute Engine instance groups in multiple regions.
B. The request is matched by a URL map and then sent to a global external HTTP(S) load balancer. A global forwarding rule sends the request to a target proxy, which selects a backend service. The backend service sends the request to Compute Engine instance groups in multiple regions.
C. The request is received by the SSL proxy load balancer, which uses a global forwarding rule to check the URL map, then sends the request to a backend service. The request is processed by Compute Engine instance groups in multiple regions.
D. The request is matched by a URL map and then sent to an SSL proxy load balancer. A global forwarding rule sends the request to a target proxy, which selects a backend service and sends the request to Compute Engine instance groups in multiple regions.
2.3 Configuring compute systems

Resources to start your journey

Choose a Compute Engine deployment strategy for your workload
Google Kubernetes Engine documentation
General development tips | Cloud Run Documentation
Choosing the right compute option in GCP: a decision tree | Google Cloud Blog
Google Kubernetes Engine vs Cloud Run: Which should you use?
Section 3: Designing for security and compliance
3.1 Diagnostic Question 01

Your client created an Identity and Access Management (IAM) resource hierarchy with Google Cloud when the company was a startup. Your client has grown and now has multiple departments and teams. You want to recommend a resource hierarchy that follows Google-recommended practices.

What should you do?

A. Keep all resources in one project, and use a flat resource hierarchy to reduce complexity and simplify management.
B. Keep all resources in one project, but change the resource hierarchy to reflect company organization.
C. Use a flat resource hierarchy and multiple projects with established trust boundaries.
D. Use multiple projects with established trust boundaries, and change the resource hierarchy to reflect company organization.


3.1 Diagnostic Question 02

Cymbal Direct’s social media app must run in a separate project from its APIs and web store. You want to use Identity and Access Management (IAM) to ensure a secure environment.

How should you set up IAM?

A. Use separate service accounts for each component (social media app, APIs, and web store) with basic roles to grant access.
B. Use one service account for all components (social media app, APIs, and web store) with basic roles to grant access.
C. Use separate service accounts for each component (social media app, APIs, and web store) with predefined or custom roles to grant access.
D. Use one service account for all components (social media app, APIs, and web store) with predefined or custom roles to grant access.
3.1 Diagnostic Question 03

Michael is the owner/operator of “Zneeks,” a retail shoe store that caters to sneaker aficionados. He regularly works with customers who order small batches of custom shoes. Michael is interested in using Cymbal Direct to manufacture and ship custom batches of shoes to these customers. Reasonably tech-savvy but not a developer, Michael likes using Cymbal Direct's partner purchase portal but wants the process to be easy.

What is an example of a user story that could describe Michael’s persona?

A. As a shoe retailer, Michael wants to send Cymbal Direct custom purchase orders so that batches of custom shoes are sent to his customers.
B. Michael is a tech-savvy owner/operator of a small business.
C. Zneeks is a retail shoe store that caters to sneaker aficionados.
D. Michael is reasonably tech-savvy but needs Cymbal Direct's partner purchase portal to be easy.
3.1 Diagnostic Question 04

Cymbal Direct has an application running on a Compute Engine instance. You need to give the application access to several Google Cloud services. You do not want to keep any credentials on the VM instance itself.

What should you do?

A. Create a service account for each of the services the VM needs to access. Associate the service accounts with the Compute Engine instance.
B. Create a service account and assign it the project owner role, which enables access to any needed service.
C. Create a service account for the instance. Use access scopes to enable access to the required services.
D. Create a service account with one or more predefined or custom roles, which give access to the required services.
3.1 Diagnostic Question 05

Cymbal Direct wants to use Identity and Access Management (IAM) to allow employees to have access to Google Cloud resources and services based on their job roles. Several employees are project managers and want to have some level of access to see what has been deployed. The security team wants to ensure that securing the environment and managing resources is simple so that it will scale.

What approach should you use?

A. Grant access by assigning custom roles to groups. Use multiple groups for better control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
B. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
C. Give access directly to each individual for more granular control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
D. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Make sure you give out access to all the children in a hierarchy under the level needed, because child resources will not automatically inherit abilities.
3.1 Diagnostic Question 06

You have several Compute Engine instances running NGINX and Tomcat for a web application. In your web server logs, many login failures come from a single IP address, which looks like a brute force attack.

How can you block this traffic?

A. Edit the Compute Engine instances running your web application, and enable Google Cloud Armor. Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000).
B. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine instances running your web server. Create a Google Cloud Armor policy with a default rule action of "Deny." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load balancer backend service's HTTP-backend as the target.
C. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine instances running your web server. Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load balancer backend service's HTTP-backend as the target.
D. Ensure that an HTTP(S) load balancer is configured to send traffic to your backend Compute Engine instances running your web server. Create a Google Cloud Armor policy using the instance’s local firewall with a default rule action of "Allow." Add a new local firewall rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000).
3.1 Diagnostic Question 07

Cymbal Direct needs to make sure its new social media integration service can’t be accessed directly from the public internet. You want to allow access only through the web frontend store.

How can you prevent access to the social media integration service from the outside world, but still allow access to the APIs of social media services?

A. Remove external IP addresses from the VM instances running the social media service and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
B. Limit access to the external IP addresses of the VM instances using firewall rules and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
C. Limit access to the external IP addresses of the VM instances using a firewall rule to block all outbound traffic. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
D. Remove external IP addresses from the VM instances running the social media service and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be restricted to corporate network IP addresses by Google Cloud Armor.
3.1 Diagnostic Question 08

Cymbal Direct is experiencing success using Google Cloud and you want to leverage tools to make your solutions more efficient. Erik, one of the original web developers, currently adds new products to your application manually. Erik has many responsibilities and requires a long lead time to add new products. You need to create a Cloud Functions application to let Cymbal Direct employees add new products instead of waiting for Erik. However, you want to make sure that only authorized employees can use the application.

What should you do?

A. Set up Cloud VPN between the corporate network and the Google Cloud project's VPC network. Allow users to connect to the Cloud Functions instance.
B. Use Google Cloud Armor to restrict access to the corporate network's external IP address. Configure firewall rules to allow only HTTP(S) access.
C. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) for the Cloud Functions application as an HTTP resource. Add the group as a principal with the role "Project Owner."
D. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) for the Cloud Functions application as an HTTP resource. Add the group as a principal with the role "IAP-secured Web App User."
3.1 Diagnostic Question 09

You've recently created an internal Cloud Run application for developers in your organization. The application lets developers clone production Cloud SQL databases into a project specifically created to test code and deployments. Your previous process was to export a database to a Cloud Storage bucket, and then import the SQL dump into a legacy on-premises testing environment database with connectivity to Google Cloud via Cloud VPN. Management wants to incentivize using the new process with Cloud SQL for rapid testing and track how frequently rapid testing occurs.

How can you ensure that the developers use the new process?

A. Use an ACL on the Cloud Storage bucket. Create a read-only group that only has viewer privileges, and ensure that the developers are in that group.
B. Leave the ACLs on the Cloud Storage bucket as-is. Disable Cloud VPN, and have developers use Identity-Aware Proxy (IAP) to connect. Create an organization policy to enforce public access protection.
C. Use predefined roles to restrict access to what the developers are allowed to do. Create a group for the developers, and associate the group with the Cloud SQL Viewer role. Remove the "cloudsql.instances.export" ability from the role.
D. Create a custom role to restrict access to what developers are allowed to do. Create a group for the developers, and associate the group with your custom role. Ensure that the custom role does not have "cloudsql.instances.export."
3.1 Designing for security

Resources to start your journey

Google Cloud Architecture Framework: Security, privacy, and compliance
IAM best practice guides available now | Google Cloud Blog
Using resource hierarchy for access control | IAM Documentation | Google Cloud
Chapter 18 - SRE Engagement Model
Service accounts | Compute Engine Documentation | Google Cloud
Google Cloud Armor overview
Private clusters | Kubernetes Engine Documentation | Google Cloud
Understanding IAM custom roles | IAM Documentation | Google Cloud
3.2 Diagnostic Question 10

Your client is legally required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). The client has formal audits already, but the audits are only done periodically. The client needs to monitor for common violations to meet those requirements more easily. The client does not want to replace audits but wants to engage in continuous compliance and catch violations early.

What would you recommend that this client do?

A. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.
B. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.
C. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.
D. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.
3.2 Designing for compliance

Resources to start your journey

Manage compliance obligations | Architecture Framework | Google Cloud
Cloud Compliance & Regulations Resources
Assuring Compliance in the Cloud
Security Command Center | Google Cloud
Section 4:
Analyzing and optimizing technical and business processes
4.1 Diagnostic Question 01

You are asked to implement a lift and shift operation for Cymbal Direct’s Social Media Highlighting service. You compose a Terraform configuration file to build all the necessary Google Cloud resources.

What is the next step in the Terraform workflow for this effort?

A. Commit the configuration file to your software repository.
B. Run terraform plan to verify the contents of the Terraform configuration file.
C. Run terraform apply to deploy the resources described in the configuration file.
D. Run terraform init to download the necessary provider modules.
4.1 Diagnostic Question 02

You have implemented a manual CI/CD process for the container services required for the next implementation of Cymbal Direct’s Drone Delivery project. You want to automate the process.

What should you do?

A. Implement and reference a source repository in your Cloud Build configuration file.
B. Implement a build trigger that applies your build configuration when a new software update is committed to Cloud Source Repositories.
C. Specify the name of your Container Registry in your Cloud Build configuration.
D. Configure and push a manifest file into an environment repository in Cloud Source Repositories.
4.1 Diagnostic Question 03

You have an application implemented on Compute Engine. You want to increase the durability of your application.

What should you do?

A. Implement a scheduled snapshot on your Compute Engine instances.
B. Implement a regional managed instance group.
C. Monitor your application’s usage metrics and implement autoscaling.
D. Perform health checks on your Compute Engine instances.
4.1 Diagnostic Question 04

Developers on your team frequently write new versions of the code for one of your applications. You want to automate the build process when updates are pushed to Cloud Source Repositories.

What should you do?

A. Implement a Cloud Build configuration file with build steps.
B. Implement a build trigger that references your repository and branch.
C. Set proper permissions for Cloud Build to access deployment resources.
D. Upload application updates and Cloud Build configuration files to Cloud Source Repositories.
4.1 Diagnostic Question 05

Your development team used Cloud Source Repositories, Cloud Build, and Artifact Registry to successfully implement the build portion of an application's CI/CD process. However, the deployment process is erroring out. Initial troubleshooting shows that the runtime environment does not have access to the build images. You need to advise the team on how to resolve the issue.

What could cause this problem?

A. The runtime environment does not have permissions to the Artifact Registry in your current project.
B. The runtime environment does not have permissions to Cloud Source Repositories in your current project.
C. The Artifact Registry might be in a different project.
D. You need to specify the Artifact Registry image by name.
4.1 Diagnostic Question 06

You are implementing a disaster recovery plan for the cloud version of your drone solution. Sending videos to the pilots is crucial from an operational perspective.

What design pattern should you choose for this part of your architecture?

A. Hot with a low recovery time objective (RTO)
B. Warm with a high recovery time objective (RTO)
C. Cold with a low recovery time objective (RTO)
D. Hot with a high recovery time objective (RTO)
4.1 Diagnostic Question 07

The number of requests received by your application is nearing the maximum specified in your design. You want to limit the number of incoming requests until the system can handle the workload.

What design pattern does this situation describe?

A. Applying a circuit breaker
B. Applying exponential backoff
C. Increasing jitter
D. Applying graceful degradation
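The patterns named in the options above, side by side in working code, as an added example that is not part of the workbook: a server-side limiter that sheds requests once the designed maximum of in-flight work is reached (rejecting with a 429 rather than falling over is the degraded-but-safe path), client-side exponential backoff with full jitter, and a circuit breaker that stops calling a dependency after repeated failures. Class and function names, the thresholds, and the injected clock and random source are this example's own choices, not anything the workbook prescribes.

```python
"""Resilience patterns: load shedding, exponential backoff with jitter, circuit breaker.
Added example, not from the workbook. The clock and random source are injected so the
behaviour is deterministic in tests; production code would use the defaults."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class LoadShedder:
    """Admit at most `capacity` concurrent requests; reject the rest immediately.

    The caller maps a False return to an HTTP 429 so the backend never exceeds the
    maximum it was designed for."""
    capacity: int
    in_flight: int = 0
    rejected: int = 0

    def admit(self) -> bool:
        if self.in_flight >= self.capacity:
            self.rejected += 1
            return False
        self.in_flight += 1
        return True

    def release(self) -> None:
        self.in_flight = max(0, self.in_flight - 1)


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Full-jitter exponential backoff: a uniform delay in [0, min(cap, base * 2**attempt)).

    Jitter spreads retries out so that clients that failed together do not retry together."""
    return rng() * min(cap, base * (2 ** attempt))


class CircuitOpen(Exception):
    """Raised when the breaker refuses a call without contacting the dependency."""


@dataclass
class CircuitBreaker:
    """Open after `threshold` consecutive failures; allow one trial call after `reset_after` seconds."""
    threshold: int = 3
    reset_after: float = 30.0
    clock: Callable[[], float] = time.monotonic
    failures: int = 0
    opened_at: Optional[float] = None

    @property
    def state(self) -> str:
        if self.opened_at is None:
            return "closed"
        return "half-open" if self.clock() - self.opened_at >= self.reset_after else "open"

    def call(self, fn: Callable[[], object]) -> object:
        if self.state == "open":
            raise CircuitOpen("dependency call suppressed")
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()   # (re)open, also from half-open
            raise
        self.failures = 0          # a success closes the breaker again
        self.opened_at = None
        return result


def retry_with_backoff(fn: Callable[[], object], attempts: int = 5,
                       sleep: Callable[[float], None] = time.sleep,
                       rng: Callable[[], float] = random.random):
    """Retry fn() up to `attempts` times with jittered exponential delays between tries.

    Returns (result, delays) so the caller can see what the policy actually waited."""
    delays = []
    for attempt in range(attempts):
        try:
            return fn(), delays
        except Exception:
            if attempt == attempts - 1:
                raise
            delay = backoff_delay(attempt, rng=rng)
            delays.append(delay)
            sleep(delay)
```

The shedder protects the service that is receiving too many requests; backoff and the breaker protect a service that is sending requests to a struggling dependency. In a real deployment the retrying client should honour a 429 from the shedder by backing off rather than retrying immediately.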
4.1 Diagnostic Question 08

The pilot subsystem in your Delivery by Drone service is critical to your service. You want to ensure that connections to the pilots can survive a VM outage without affecting connectivity.

What should you do?

A. Configure proper startup scripts for your VMs.
B. Deploy a load balancer to distribute traffic across multiple machines.
C. Create persistent disk snapshots.
D. Implement a managed instance group and load balancer.
4.1 Diagnostic Question 09

Cymbal Direct wants to improve its drone pilot interface. You want to collect feedback on proposed changes from the community of pilots before rolling out updates systemwide.

What type of deployment pattern should you implement?

A. You should implement canary testing.
B. You should implement A/B testing.
C. You should implement a blue/green deployment.
D. You should implement an in-place release.
4.1 Analyzing and defining technical processes

Resources to start your journey

Securing the software development lifecycle with Cloud Build and SLSA
CI/CD with Google Cloud
Site Reliability Engineering
DevOps tech: Continuous testing | Google Cloud
Application deployment and testing strategies | Cloud Architecture Center
Chapter 17 - Testing for Reliability
Service Catalog documentation | Google Cloud
What is Disaster Recovery? | Google Cloud
API design guide
4.3 Diagnostic Question 10

You want to establish procedures for testing the resilience of the delivery-by-drone solution.

How would you simulate a scalability issue?

A. Block access to storage assets in one of your zones.
B. Inject a bad health check for one or more of your resources.
C. Load test your application to see how it responds.
D. Block access to all resources in a zone.
4.3 Developing procedures to ensure reliability of solutions in production

Resources to start your journey

Site Reliability Engineering
Site Reliability Engineering (SRE) | Google Cloud
Patterns for scalable and resilient apps | Cloud Architecture Center
How to achieve a resilient IT strategy with Google Cloud
Patterns for scalable and resilient apps | Cloud Architecture Center
Disaster recovery planning guide | Cloud Architecture Center

The diagnostic question that you just reviewed tested your knowledge of one aspect of developing procedures to ensure reliability of solutions in production. These are some links to learn more.

https://sre.google/
https://cloud.google.com/sre#section-6
https://cloud.google.com/architecture/scalable-and-resilient-apps
https://cloud.google.com/blog/topics/inside-google-cloud/rethinking-business-resilience-with-google-cloud
https://cloud.google.com/architecture/scalable-and-resilient-apps#test_your_resilience
https://cloud.google.com/architecture/dr-scenarios-planning-guide
Section 5:
Managing implementation

Section 6:
Ensuring solution and operations reliability
5.1 Diagnostic Question 01

Cymbal Direct is working on a social media integration service in Google Cloud. Mahesh is a non-technical manager who wants to ensure that the project doesn’t exceed the budget and responds quickly to unexpected cost increases. You need to set up access and billing for the project.

What should you do?

A. Assign the predefined Billing Account Administrator role to Mahesh. Create a project budget. Configure billing alerts to be sent to the Billing Administrator. Use resource quotas to cap how many resources can be deployed.
B. Assign the predefined Billing Account Administrator role to Mahesh. Create a project budget. Configure billing alerts to be sent to the Project Owner. Use resource quotas to cap how much money can be spent.
C. Use the predefined Billing Account Administrator role for the Billing Administrator group, and assign Mahesh to the group. Create a project budget. Configure billing alerts to be sent to the Billing Administrator. Use resource quotas to cap how many resources can be deployed.
D. Use the predefined Billing Account Administrator role for the Billing Administrator group, and assign Mahesh to the group. Create a project budget. Configure billing alerts to be sent to the Billing Account Administrator. Use resource quotas to cap how much money can be spent.
5.1 Diagnostic Question 02

Your organization is planning a disaster recovery (DR) strategy. Your stakeholders require a recovery time objective (RTO) of 0 and a recovery point objective (RPO) of 0 for a zone outage. They require an RTO of 4 hours and an RPO of 1 hour for a regional outage. Your application consists of a web application and a backend MySQL database. You need the most efficient solution to meet your recovery KPIs.

What should you do?

A. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and a cross-region replica in us-west.
B. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to the us-east backend. Use Cloud SQL with high availability (HA) enabled in us-east and a cross-region replica in us-west. Manually promote the us-west Cloud SQL instance and change the load balancer backend to us-west.
C. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and back up the database every hour to a multi-region Cloud Storage bucket. Restore the data to a Cloud SQL database in us-west if there is a failure.
D. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and back up the database every hour to a multi-region Cloud Storage bucket. Restore the data to a Cloud SQL database in us-west if there is a failure and change the load balancer backend to us-west.
5.1 Advising development/operation team(s) to ensure successful deployment of the solution

Resources to start your journey

Cloud Reference Architectures and Diagrams | Cloud Architecture Center
What is DevOps? Research and Solutions | Google Cloud
Develop and deliver apps with Cloud Code, Cloud Build, Google Cloud Deploy, and GKE | Cloud Architecture Center
Google Cloud API design tips
DevOps tech: Continuous testing | Google Cloud
DevOps tech: Test data management | Google Cloud
Testing Overview | Cloud Functions Documentation
Database Migration Service | Google Cloud
Cloud Migration Products & Services
5.2 Diagnostic Question 03

Your environment has multiple projects used for development and testing. Each project has a budget, and each developer has a budget. A personal budget overrun can cause a project budget overrun. Several developers are creating resources for testing as part of their CI/CD pipeline but are not deleting these resources after their tests are complete. If the compute resource fails during testing, the test can be run again. You want to reduce costs and notify the developer when a personal budget overrun causes a project budget overrun.

What should you do?

A. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a group for the developers in each project, and add them to the appropriate group. Create a notification channel for each group. Configure a billing alert to notify the group when their budget is exceeded. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
B. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Configure a billing alert to notify billing admins and users when their budget is exceeded. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
C. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a Pub/Sub topic for developer-budget-notifications. Create a Cloud Function to notify the developer based on the labels. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
D. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a Pub/Sub topic for developer-budget-notifications. Create a Cloud Function to notify the developer based on the labels. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible. Use Cloud Scheduler to delete resources older than 24 hours in each project.
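How the pieces that recur in the options above fit together, as an added example that is not part of the workbook: a budget notification arrives as a Pub/Sub message, and the handler uses billing export rows carrying the “creator” label to work out whose spend pushed the project over its budget. The notification payload keys (budgetDisplayName, costAmount, budgetAmount, alertThresholdExceeded, currencyCode) follow the Cloud Billing budget notification format, and the rows mirror the export's project.id, labels and cost columns; the function names, the e-mail addresses, the cost figures, the personal budgets and the billing account id are all constructed sample data or placeholders.

```python
"""Attribute a project budget overrun to developers via the "creator" label.
Added example, not from the workbook. All sample data below is constructed."""
import base64
import json
from collections import defaultdict

# Constructed Pub/Sub message in the shape Cloud Billing uses for budget alerts
# (the data field is base64-encoded JSON).
SAMPLE_BUDGET_EVENT = {
    "data": base64.b64encode(json.dumps({
        "budgetDisplayName": "dev-project-monthly",
        "alertThresholdExceeded": 1.0,
        "costAmount": 1240.50,
        "costIntervalStart": "2024-05-01T07:00:00Z",
        "budgetAmount": 1000.0,
        "currencyCode": "USD",
    }).encode()).decode(),
    "attributes": {"billingAccountId": "000000-PLACEHOLDER"},  # placeholder, not a real id
}

# Constructed rows in the shape of the billing export's usage cost table:
# project.id, cost, and the resource labels set by the CI/CD pipeline.
SAMPLE_EXPORT_ROWS = [
    {"project": {"id": "dev-project"}, "cost": 620.0,
     "labels": [{"key": "creator", "value": "alice@example.com"},
                {"key": "env", "value": "test"}]},
    {"project": {"id": "dev-project"}, "cost": 410.5,
     "labels": [{"key": "creator", "value": "bob@example.com"}]},
    {"project": {"id": "dev-project"}, "cost": 210.0, "labels": []},   # unlabeled spend
    {"project": {"id": "other-project"}, "cost": 999.0,                 # different project
     "labels": [{"key": "creator", "value": "alice@example.com"}]},
]

# Constructed personal budgets (the per-developer limit the scenario mentions).
PERSONAL_BUDGETS = {"alice@example.com": 500.0, "bob@example.com": 500.0}


def decode_budget_event(event):
    """Return the budget notification payload carried in the Pub/Sub message."""
    return json.loads(base64.b64decode(event["data"]))


def cost_by_creator(rows, project_id):
    """Sum cost per "creator" label within one project.

    Spend on resources without the label is reported under "unlabeled" so that a
    pipeline that forgot to tag its resources shows up instead of disappearing."""
    totals = defaultdict(float)
    for row in rows:
        if row["project"]["id"] != project_id:
            continue
        creator = next((lbl["value"] for lbl in row["labels"] if lbl["key"] == "creator"),
                       "unlabeled")
        totals[creator] += row["cost"]
    return dict(totals)


def developers_to_notify(event, rows, project_id, personal_budgets):
    """Developers whose labeled spend exceeds their personal budget, evaluated only
    when the project budget itself has been exceeded."""
    payload = decode_budget_event(event)
    if payload["costAmount"] <= payload["budgetAmount"]:
        return []
    totals = cost_by_creator(rows, project_id)
    return sorted(dev for dev, spent in totals.items()
                  if spent > personal_budgets.get(dev, float("inf")))
```

In a Cloud Function the event argument would be the delivered Pub/Sub message and the rows would come from a query against the export dataset; here both are embedded so the attribution logic can be exercised offline.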
5.2 Interacting with Google Cloud programmatically

Resources to start your journey

gcloud CLI overview | Google Cloud CLI Documentation
How Cloud Shell works
Google Cloud APIs
Testing apps locally with the emulator | Cloud Pub/Sub Documentation
Connect your app and start prototyping | Firebase Documentation
Use the emulator | Cloud Bigtable Documentation
Using the Cloud Spanner Emulator
6.1 Diagnostic Question 04

Your client has adopted a multi-cloud strategy that uses a virtual machine-based infrastructure. The client's website serves users across the globe. The client needs a single dashboard view to monitor performance in their AWS and Google Cloud environments. Your client previously experienced an extended outage and wants to establish a monthly service level objective (SLO) of no outage longer than an hour.

What should you do?

A. In Cloud Monitoring, create an uptime check for the URL your clients will access. Configure it to check from multiple regions. Use the Cloud Monitoring dashboard to view the uptime metrics over time and ensure that the SLO is met. Recommend an SLO of 97% uptime per month.
B. In Cloud Monitoring, create an uptime check for the URL your clients will access. Configure it to check from multiple regions. Use the Cloud Monitoring dashboard to view the uptime metrics over time and ensure that the SLO is met. Recommend an SLO of 97% uptime per day.
C. Authorize access to your Google Cloud project from AWS with a service account. Install the monitoring agent on AWS EC2 (virtual machines) and Compute Engine instances. Use Cloud Monitoring to create dashboards that use the performance metrics from virtual machines to ensure that the SLO is met.
D. Create a new project to use as an AWS connector project. Authorize access to the project from AWS with a service account. Install the monitoring agent on AWS EC2 (virtual machines) and Compute Engine instances. Use Cloud Monitoring to create dashboards that use the performance metrics from virtual machines to ensure that the SLO is met.
6.1 Diagnostic Question 05

Cymbal Direct uses a proprietary service to manage on-call rotation and alerting. The on-call rotation service has an API for integration. Cymbal Direct wants to monitor its environment for service availability and ensure that the correct person is notified.

What should you do?

A. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud’s uptime-check servers. Create a Pub/Sub topic for alerting as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's internal IP address, with an alerting policy set to use the Pub/Sub topic. Create a Cloud Function that subscribes to the Pub/Sub topic to send the alert to the on-call API.
B. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud's uptime-check servers. Create a Pub/Sub topic for alerting as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's external IP address, with an alerting policy set to use the Pub/Sub topic. Create a Cloud Function that subscribes to the Pub/Sub topic to send the alert to the on-call API.
C. Ensure that VPC firewall rules allow access from the on-call API. Create a Cloud Function to send the alert to the on-call API. Add Cloud Functions as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's external IP address, with an alerting policy set to use the Cloud Function.
D. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud's uptime-check servers. Add the URL for the on-call rotation API as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's internal IP address, with an alerting policy set to use the API.
6.2 Diagnostic Question 06

Cymbal Direct releases new versions of its drone delivery software every 1.5 to 2 months. Although most releases are successful, you have experienced three problematic releases that made drone delivery unavailable while software developers rolled back the release. You want to increase the reliability of software releases and prevent similar problems in the future.

What should you do?

A. Adopt a “waterfall” development process. Maintain the current release schedule. Ensure that documentation explains how all the features interact. Ensure that the entire application is tested in a staging environment before the release. Ensure that the process to roll back the release is documented. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility.
B. Adopt a “waterfall” development process. Maintain the current release schedule. Ensure that documentation explains how all the features interact. Automate testing of the application. Ensure that the process to roll back the release is well documented. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility.
C. Adopt an “agile” development process. Maintain the current release schedule. Automate build processes from a source repository. Automate testing after the build process. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility. Deploy the previous version if problems are detected and you need to roll back.
D. Adopt an “agile” development process. Reduce the time between releases as much as possible. Automate the build process from a source repository, which includes versioning and self-testing. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility. Use a canary deployment to detect issues that could cause rollback.
6.3 Diagnostic Question 07

Cymbal Direct’s warehouse and inventory system was written in Java. The system uses a microservices architecture in GKE and is instrumented with Zipkin. Seemingly at random, a request will be 5-10 times slower than others. The development team tried to reproduce the problem in testing, but failed to determine the cause of the issue.

What should you do?

A. Create metrics in Cloud Monitoring for your microservices to test whether they are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Profiler to determine which functions/methods in your application’s code use the most system resources. Use Cloud Trace to identify slow requests and determine which microservices/calls take the most time to respond.
B. Create metrics in Cloud Monitoring for your microservices to test whether they are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Trace to determine which functions/methods in your application’s code use the most system resources. Use Cloud Profiler to identify slow requests and determine which microservices/calls take the most time to respond.
C. Use Error Reporting to test whether your microservices are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Profiler to determine which functions/methods in your application’s code use the most system resources. Use Cloud Trace to identify slow requests and determine which microservices/calls take the most time to respond.
D. Use Error Reporting to test whether your microservices are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Trace to determine which functions/methods in your application’s code use the most system resources. Use Cloud Profiler to identify slow requests and determine which microservices/calls take the most time to respond.
6.3 Diagnostic Question 08

You are using Cloud Run to deploy a Flask web application named app.py written in Python. In your testing and staging environments, the application performed as expected. When the application was deployed to production, product search results displayed products that should have been filtered out based on the user's preferences. The developer believes this performance issue would result from the 'user.productFilter' variable either not being set or not being evaluated correctly. You want visibility into what is happening, but also want to minimize user impact, because this is not a critical bug.

What should you do?

A. Use ssh to connect to the Compute Engine instance where Cloud Run is running. Run the command 'python3 -m pdb app.py' to debug the application.
B. Use ssh to connect to the Compute Engine instance where Cloud Run is running. Use the command 'pip install google-python-cloud-debugger' to install Cloud Debugger. Use the 'gcloud debug' command to debug the application.
C. Modify the Dockerfile for the Cloud Run application. Change the RUN command to 'python3 -m pdb /app.py'. Modify the script to import pdb. Deploy to Cloud Run as a canary build.
D. Modify the Dockerfile for the Cloud Run application. Add 'RUN pip install google-python-cloud-debugger' to the Dockerfile. Modify the script to import googleclouddebugger. Use 'gcloud debug' to debug the application.
6.4 Diagnostic Question 09

Cymbal Direct has a new social media integration service that pulls images of its products from social media sites and displays them in a gallery of customer images on your online store. You receive an alert from Cloud Monitoring at 3:34 AM on Saturday. The store is still online, but the gallery does not appear. The CPU utilization is 30% higher than expected on the VMs running the service, which causes the managed instance group (MIG) to scale to the maximum number of instances. You verify that the issue is real by checking the site and by checking the incidents timeline.

What should you do to resolve the issue?

A. Increase the maximum number of instances in the MIG and verify that this resolves the issue. Ensure that the ticket is annotated with your solution. Create a normal work ticket for the application developer with a link to the incident. Mark the incident as closed.
B. Check the incident documentation or labels to determine the on-call contact. Appoint an incident commander, and open a chat channel or conference call for emergency response. Investigate and resolve the issue by increasing the maximum number of instances in the MIG, and verify that this resolves the issue. Mark the incident as closed.
C. Increase the maximum number of instances in the MIG and verify that this resolves the issue. Check the incident documentation or labels to determine the on-call contact. Appoint an incident commander, and open a chat channel or conference call for emergency response. Investigate and resolve the root cause of the issue. Write a blameless post-mortem and identify steps to prevent the issue, to ensure a culture of continuous improvement.
D. Verify the high CPU is not user impacting, increase the maximum number of instances in the MIG and verify that this resolves the issue.
6.4 Diagnostic Question 10

You need to adopt Site Reliability Engineering principles and increase visibility into your environment. You want to minimize management overhead and reduce noise generated by the information being collected. You also want to streamline the process of reacting to, analyzing, and improving your environment, and to ensure that only trusted container images are deployed to production.

What should you do?

A. Adopt Google Cloud’s operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Only page the on-call contact about novel issues or events that haven’t been seen before. Use GNU Privacy Guard (GPG) to check container image signatures and ensure that only signed containers are deployed.

B. Adopt Google Cloud’s operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Page the on-call contact when issues that affect resources in the environment are detected. Use GPG to check container image signatures and ensure that only signed containers are deployed.

C. Adopt Google Cloud’s operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Only page the on-call contact about novel issues that violate a SLO or events that haven’t been seen before. Use Binary Authorization to ensure that only signed container images are deployed.

D. Adopt Google Cloud’s operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Page the on-call contact when issues that affect resources in the environment are detected. Use Binary Authorization to ensure that only signed container images are deployed.
6.1 - 6.4 Ensuring solution and operations reliability

Resources to start your journey

Google Cloud operations suite documentation
Operations: Cloud Monitoring & Logging | Google Cloud
Cloud operations grows with monitoring, logging, more | Google Cloud Blog
Continuous Delivery | Google Cloud
Concepts | Google Cloud Deploy
Adopting SLOs | Cloud Architecture Center
Analyzing a case study: Dress4Win

Dress4Win case study - 01

Company overview

Dress4Win is a web-based company that helps their users organize and manage their personal wardrobe using a web app and mobile application. The company also cultivates an active social network that connects their users with designers and retailers. They monetize their services through advertising, ecommerce, referrals, and a freemium app model. The application has grown from a few servers in the founder’s garage to several hundred servers and appliances in a colocated data center. However, the capacity of their infrastructure is now insufficient for the application’s rapid growth. Because of this growth and the company’s desire to innovate faster, Dress4Win is committing to a full migration to a public cloud.

Solution concept

For the first phase of their migration to the cloud, Dress4Win is moving their development and test environments. They are also building a disaster recovery site, because their current infrastructure is at a single location. They are not sure which components of their architecture they can migrate as is and which components they need to change before migrating them.
Dress4Win case study - 02

Existing technical environment

The Dress4Win application is served out of a single data center location. All servers run Ubuntu LTS v16.04.

Databases:
● MySQL. One server for user data, inventory, static data
  ○ MySQL 5.7
  ○ 8 core CPUs
  ○ 128 GB of RAM
  ○ 2x 5 TB HDD (RAID 1)

Compute:
● 40 web application servers providing micro-services based APIs and static content
  ○ Tomcat - Java
  ○ Nginx
  ○ Four core CPUs
  ○ 32 GB of RAM
● 20 Apache Hadoop/Spark servers:
  ○ Data analysis
  ○ Real-time trending calculations
  ○ Eight core CPUs
  ○ 128 GB of RAM
  ○ 4x 5 TB HDD (RAID 1)
● Three RabbitMQ servers for messaging, social notifications, and events
  ○ Eight core CPUs
  ○ 32GB of RAM
● Miscellaneous servers:
  ○ Jenkins, monitoring, bastion hosts, security scanners
  ○ Eight core CPUs
  ○ 32GB of RAM

Storage appliances:
● iSCSI for VM hosts
● Fibre channel SAN - MySQL databases
  ○ 1 PB total storage; 400 TB available
● NAS - image storage, logs, backups
  ○ 100 TB total storage; 35 TB available
Dress4Win case study - 03

Business requirements
● Build a reliable and reproducible environment with scaled parity of production
● Improve security by defining and adhering to a set of security and identity and access management (IAM) best practices for cloud
● Improve business agility and speed of innovation through rapid provisioning of new resources
● Analyze and optimize architecture for performance in the cloud

Technical requirements
● Easily create non-production environments in the cloud
● Implement an automation framework for provisioning resources in cloud
● Implement a continuous deployment process for deploying applications to the on-premises data center or cloud
● Support failover of the production environment to cloud during an emergency
● Encrypt data on the wire and at rest
● Support multiple private connections between the production data center and cloud environment
Dress4Win case study - 04

Executive statement

Our investors are concerned about our ability to scale and contain costs with our current infrastructure. They are also
concerned that a competitor could use a public cloud platform to offset their up-front investment and free them to focus on
developing better features. Our traffic patterns are highest in the mornings and weekend evenings; during other times, 80%
of our capacity is sitting idle.

Our capital expenditure is now exceeding our quarterly projections. Migrating to the cloud will likely cause an initial increase
in spending, but we expect to fully transition before our next hardware refresh cycle. Our total cost of ownership (TCO)
analysis over the next five years for a public cloud strategy achieves a cost reduction between 30% and 50% over our
current model.
Categorizing Objectives: Dress4Win case study - REF

Itemized list of objectives

Business requirements
● Build a reliable and reproducible environment with scaled parity of production
● Improve security by defining and adhering to a set of security and identity and access management (IAM) best practices for cloud
● Improve business agility and speed of innovation through rapid provisioning of new resources
● Analyze and optimize architecture for performance in the cloud

Technical requirements
● Easily create non-production environments in the cloud
● Implement an automation framework for provisioning resources in cloud
● Implement a continuous deployment process for deploying applications to the on-premises data center or cloud
● Support failover of the production environment to cloud during an emergency
● Encrypt data on the wire and at rest
● Support multiple private connections between the production data center and cloud environment.

Solution component
Databases:
● MySQL. One server for user data, inventory, static data
  ○ MySQL 5.7
  ○ 8 core CPUs
  ○ 128 GB of RAM
  ○ 2x 5 TB HDD (RAID 1)
Compute:
● 40 web application servers providing micro-services based APIs and static content
  ○ Tomcat - Java
  ○ Nginx
  ○ Four core CPUs
  ○ RAM

… more in actual case study


When will you take the exam?

Plan time to prepare
● How many weeks do you have to prepare?
● How many hours will you spend preparing for the exam each week?
● How many total hours will you prepare?
Weekly study plan

Now, consider what you’ve learned about your knowledge and skills
through the diagnostic questions in this course. You should have a
better understanding of what areas you need to focus on and what
resources are available.

Use the template that follows to plan your study goals for each week.
Consider:
● What exam guide section(s) or topic area(s) will you focus on?
● What courses (or specific modules) will help you learn more?
● What Skill Badges or labs will you work on for hands-on practice?
● What documentation links will you review?
● What additional resources will you use - such as sample
questions?
● What will you do to prepare for the case studies?
You may do some or all of these study activities each week.

Duplicate the weekly template for the number of weeks in your individual preparation journey.
Weekly study template (example)

Area(s) of focus: Automating infrastructure with Terraform

Courses/modules to complete:
● Elastic Google Cloud Infrastructure: Scaling and Automation, M3
● Reliable Google Cloud Infrastructure: Design and Process, M3

Skill Badges/labs to complete:
● Automating Infrastructure on Google Cloud with Terraform

Documentation to review:
● Using Recommendations for Infrastructure as Code | Recommender Documentation | Google Cloud
● Using Terraform with Google Cloud
● Managing infrastructure as code with Terraform, Cloud Build, and GitOps | Cloud Architecture Center | Google Cloud

Additional study:
● Sample questions 1-3
● Review case study 2 and search for relevant reference architectures

If you’ve identified managed services as a particular area you need to study, you
might choose to structure your study for a week to include targeted modules from the
on-demand training, a related Skill Badge for hands-on practice, and documentation.

Alternatively, you might choose one week to complete an entire course, and another
week to focus on a Skill Badge. You can determine the approach that fits your existing
skillset.
Weekly study template

Area(s) of focus:

Courses/modules to complete:

Skill Badges/labs to complete:

Documentation to review:

Additional study:
