Preparing For PCA Workbook


Preparing for Your Professional Cloud Architect Journey

Course Workbook
Certification Exam Guide Sections
1 Designing and planning a cloud solution architecture

2 Managing and provisioning a solution infrastructure

3 Designing for security and compliance

4 Analyzing and optimizing technical and business processes

5 Managing implementation

6 Ensuring solution and operations reliability


Section 1: Designing and planning a cloud solution architecture

Cymbal Direct case study


Cymbal Direct case study - 01

Company overview

Cymbal Direct is an online direct-to-consumer Chicago-based footwear and apparel retailer founded in 2008 and acquired by Cymbal Group in 2010. Cymbal Direct is a fair trade and B Corp certified, sustainability-focused company that works with cotton farmers to reinvest in their communities, a fact which appeals to Cymbal Direct’s younger target market demographic.

Solution concept

1) The beta Delivery by Drone initiative enables licensed drone pilots to team up with Cymbal Direct to deliver shoes and sandals to customers via drone. DBD allows customers to place their orders and then get their shoes delivered in an expedited amount of time. The drones stream real-time video to their pilots, as well as their coordinates, so that customers can see the location of their shoes on a map.

2) Cymbal Direct wants to release official APIs for partners. APIs will be published in a controllable, versionable way, with the ability to track, secure and monetize.

3) A social integration service initiative which highlights images hashtagged with Cymbal Direct’s products, using machine learning to ensure images are appropriate. The social media highlighting service is currently proof-of-concept. Built by a developer in their own time after hours as an experiment, the service garnered a lot of excitement and interest, especially from the marketing team. During one of the internal demos, however, inappropriate images were included in the product gallery.
Cymbal Direct case study - 02

Existing technical environment

Delivery by Drone is an experiment by the supply chain and logistics team. Their core customer-facing application does order processing, showing the current status and location of their delivery. The drones connect via the cellular network. The drones use the drone API to receive commands and send real-time information and video about their location and status.

The existing technical environment includes:
● A website frontend and pilot and truck management systems run on Kubernetes
● Positional data for drone and truck location kept in MongoDB database clusters
● Drones connected to virtual machines using a stateful connection, streaming video via RTMP to the pilots and sending commands from the pilots to the drones

Purchase & Product APIs were developed over time as the business was being built. They were initially only intended to be used in-house, and not exposed to 3rd parties and partners.
● Many of the APIs are simply built into monolithic apps, and were not designed for partner integration, lacking functionality such as versioning.
● The majority of the APIs run on Ubuntu Linux VMs, and scaling has been somewhat difficult because of the use of virtual machines and monolithic architecture.
● APIs do not have a built-in mechanism for supporting multiple accounts, and granting access is very limited as a result.

The social media highlighting service currently runs on a single virtual machine, and while it does work, it has some performance and scalability issues.
● SuSE Linux
● MySQL DB
● Redis
● Python
Cymbal Direct case study - 03

Business requirements
● Easily scale to handle additional demand when needed and expand to more test markets.
● Streamline development for application modernization and new features/products
● Ensure that developers spend as much time on core business functionality as possible, and not have to worry about scalability wherever possible
● Let partners order directly via API
● Deploy a production version of the social media highlighting service and ensure no inappropriate content

Technical requirements
● Move to managed services wherever possible
● Ensure that developers can deploy container-based workloads to testing and production environments in a highly scalable environment.
● Standardize on containers where possible, but also allow for existing virtualization infrastructure to run as-is without a re-write, so it can be slowly refactored over time
● Securely allow partner integration
● Stream IoT data from drones
Cymbal Direct case study - 04

Executive statement

Cymbal Direct has three areas of strategic focus: improving customer experience, leveraging analytics, and improving digital marketing.
Cymbal Direct has experienced rapid growth and has had trouble meeting demand. The organization wants to implement solutions that will
help scale services and personalize customer experiences. Cymbal Direct wants to be able to dynamically surge delivery during peak
periods.

Cymbal Direct also wants to be able to facilitate large scale B2B orders and better predict customer demand and trends. The organization
wants to ensure the security of its B2B partners’ business plans and make it easier for those partners to integrate with Cymbal Direct’s
APIs to submit orders and specify customizations.

Cymbal Direct also wants to integrate social media and marketing applications into its platform. They would like to be able to highlight
posts on social media platforms which feature Cymbal Direct products directly on their product pages, but are concerned about the
possibility of having unsavory content shown to users accidentally.
Cymbal Direct case study - 05

Potential solutions

Existing environment
Website frontend, pilot, and truck management systems run on Kubernetes

Technical requirements (does it…?)
● Move to managed services wherever possible
● Ensure that developers can deploy container based workloads to testing and production environments in a highly scalable environment.
● Standardize on containers where possible

Business requirements (does it…?)
● Easily scale to handle additional demand when needed?
● Streamline development?

Proposed product/solution
● Global HTTP(s) Load Balancer
● GKE in two regions
● Autoscaler
● Private cluster
● Separate projects for website / pilot / truck management - dev, test, staging for each
● Cloud Build
● Cloud Source Repository
● Artifact Registry
● Migration type: lift and shift
● Automation tooling: Terraform
● Firewall rules - http/s
● Separate IAM roles for developers and devops
● Replace GKE with Cloud Run for website (future)
1.1 Diagnostic Question 01

Cymbal Direct drones continuously send data during deliveries. You need to process and analyze the incoming telemetry data. After processing, the data should be retained, but it will only be accessed once every month or two. Your CIO has issued a directive to incorporate managed services wherever possible. You want a cost-effective solution to process the incoming streams of data.

What should you do?

A. Ingest data with IoT Core, process it with Dataprep, and store it in a Coldline Cloud Storage bucket.
B. Ingest data with IoT Core, and then publish to Pub/Sub. Use Dataflow to process the data, and store it in a Nearline Cloud Storage bucket.
C. Ingest data with IoT Core, and then publish to Pub/Sub. Use BigQuery to process the data, and store it in a Standard Cloud Storage bucket.
D. Ingest data with IoT Core, and then store it in BigQuery.


1.1 Diagnostic Question 02

Customers need to have a good experience when accessing your web application so they will continue to use your service. You want to define key performance indicators (KPIs) to establish a service level objective (SLO).

Which KPI could you use?

A. Eighty-five percent of customers are satisfied users
B. Eighty-five percent of requests succeed when aggregated over 1 minute
C. Low latency for > 85% of requests when aggregated over 1 minute
D. Eighty-five percent of requests are successful


1.1 Designing a solution infrastructure that meets business requirements

Resources to start your journey

Google Cloud Architecture Framework: System design


SRE Books
1.2 Diagnostic Question 03

Cymbal Direct developers have written a new application. Based on initial usage estimates, you decide to run the application on Compute Engine instances with 15 Gb of RAM and 4 CPUs. These instances store persistent data locally. After the application runs for several months, historical data indicates that the application requires 30 Gb of RAM. Cymbal Direct management wants you to make adjustments that will minimize costs.

What should you do?

A. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type e2-standard-8. Start the instance again.
B. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type e2-standard-8. Set the instance’s metadata to: preemptible: true. Start the instance again.
C. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type 2-custom-4-30720. Start the instance again.
D. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type 2-custom-4-30720. Set the instance’s metadata to: preemptible: true. Start the instance again.
1.2 Designing a solution infrastructure that meets technical requirements

Resources to start your journey

Google Cloud Architecture Framework: System design


1.3 Diagnostic Question 04

You are creating a new project. You plan to set up a Dedicated interconnect between two of your data centers in the near future and want to ensure that your resources are only deployed to the same regions where your data centers are located. You need to make sure that you don’t have any overlapping IP addresses that could cause conflicts when you set up the interconnect. You want to use RFC 1918 class B address space.

What should you do?

A. Create a new project, leave the default network in place, and then use the default 10.x.x.x network range to create subnets in your desired regions.
B. Create a new project, delete the default VPC network, set up an auto mode VPC network, and then use the default 10.x.x.x network range to create subnets in your desired regions.
C. Create a new project, delete the default VPC network, set up a custom mode VPC network, and then use IP addresses in the 172.16.x.x address range to create subnets in your desired regions.
D. Create a new project, delete the default VPC network, set up the network in custom mode, and then use IP addresses in the 192.168.x.x address range to create subnets in your desired zones. Use VPC Network Peering to connect the zones in the same region to create regional networks.
1.3 Diagnostic Question 05

Cymbal Direct is working with Cymbal Retail, a separate, autonomous division of Cymbal with different staff, networking teams, and data center. Cymbal Direct and Cymbal Retail are not in the same Google Cloud organization. Cymbal Retail needs access to Cymbal Direct’s web application for making bulk orders, but the application will not be available on the public internet. You want to ensure that Cymbal Retail has access to your application with low latency. You also want to avoid egress network charges if possible.

What should you do?

A. Verify that the subnet range Cymbal Retail is using doesn’t overlap with Cymbal Direct’s subnet range, and then enable VPC Network Peering for the project.
B. If Cymbal Retail does not have access to a Google Cloud data center, use Carrier Peering to connect the two networks.
C. Specify Cymbal Direct’s project as the Shared VPC host project, and then configure Cymbal Retail’s project as a service project.
D. Verify that the subnet Cymbal Retail is using has the same IP address range as Cymbal Direct’s subnet range, and then enable VPC Network Peering for the project.
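Both networking questions above (1.3 Q04 and Q05) turn on the same pre-flight check: every planned subnet must sit inside the chosen RFC 1918 block, and no two ranges that will be connected over an interconnect or VPC Network Peering may overlap. The script below is an added example, not part of the workbook; the region names, data-center labels and CIDR values are constructed, and it uses only the Python standard library.

```python
"""Pre-flight check for a subnet plan: RFC 1918 conformance and overlap detection.

Added example for the interconnect and VPC Network Peering questions above; it
is not part of the workbook. Every subnet value below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 private address blocks. The "class B" space the question refers to
# is the 172.16.0.0/12 block (172.16.0.0 through 172.31.255.255).
RFC1918_BLOCKS = {
    "class-a": ipaddress.ip_network("10.0.0.0/8"),
    "class-b": ipaddress.ip_network("172.16.0.0/12"),
    "class-c": ipaddress.ip_network("192.168.0.0/16"),
}


def in_private_block(cidr: str, block: str) -> bool:
    """True if `cidr` lies entirely inside the named RFC 1918 block."""
    return ipaddress.ip_network(cidr, strict=True).subnet_of(RFC1918_BLOCKS[block])


def find_overlaps(subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of labels whose CIDR ranges overlap (labels sorted)."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def plan_problems(subnets: Dict[str, str], block: str = "class-b") -> List[str]:
    """Collect human-readable problems with a plan; an empty list means it is clean.

    `subnets` maps a label (a cloud region, an on-premises site, or a peer VPC)
    to a CIDR string. Malformed CIDRs are reported rather than raising, so one
    bad entry does not hide overlaps among the rest.
    """
    problems: List[str] = []
    parseable: Dict[str, str] = {}
    for name, cidr in subnets.items():
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        parseable[name] = cidr
        if not in_private_block(cidr, block):
            problems.append(f"{name}: {cidr} is outside {RFC1918_BLOCKS[block]}")
    for a, b in find_overlaps(parseable):
        problems.append(f"{a} ({subnets[a]}) overlaps {b} ({subnets[b]})")
    return problems


# Constructed sample plan: two cloud regions plus the two on-premises data
# centres that the Dedicated Interconnect will reach.
SAMPLE_PLAN = {
    "us-central1": "172.16.0.0/20",
    "us-east4": "172.16.16.0/20",
    "dc-chicago": "172.20.0.0/16",
    "dc-newyork": "172.21.0.0/16",
}

# The same plan plus a peer network (the VPC Network Peering case) whose range
# collides with us-central1, and an entry that is not a valid network address.
COLLIDING_PLAN = dict(SAMPLE_PLAN, **{"partner-vpc": "172.16.8.0/22", "typo": "172.16.0.1/20"})

if __name__ == "__main__":
    for label, plan in (("clean", SAMPLE_PLAN), ("colliding", COLLIDING_PLAN)):
        print(label, "->", plan_problems(plan) or "no problems")
```

Run it against a draft plan before creating subnets or requesting peering: a non-empty list is a reason to renumber, since neither an interconnect nor a peering connection can be established cleanly across overlapping ranges.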


1.3 Diagnostic Question 06

Cymbal Direct's employees will use Google Workspace. Your current on-premises network cannot meet the requirements to connect to Google's public infrastructure.

What should you do?

A. Order a Dedicated Interconnect from a Google Cloud partner, and ensure that proper routes are configured.
B. Connect the network to a Google point of presence, and enable Direct Peering.
C. Order a Partner Interconnect from a Google Cloud partner, and ensure that proper routes are configured.
D. Connect the on-premises network to Google’s public infrastructure via a partner that supports Carrier Peering.
1.3 Diagnostic Question 07

Cymbal Direct is evaluating database options to store the analytics data from its experimental drone deliveries. You're currently using a small cluster of MongoDB NoSQL database servers. You want to move to a managed NoSQL database service with consistent low latency that can scale throughput seamlessly and can handle the petabytes of data you expect after expanding to additional markets.

What should you do?

A. Extract the data from MongoDB. Insert the data into Firestore using Datastore mode.
B. Create a Bigtable instance, extract the data from MongoDB, and insert the data into Bigtable.
C. Extract the data from MongoDB. Insert the data into Firestore using Native mode.
D. Extract the data from MongoDB, and insert the data into BigQuery.


1.3 Diagnostic Question 08

You are working with a client who is using Google Kubernetes Engine (GKE) to migrate applications from a virtual machine–based environment to a microservices-based architecture. Your client has a complex legacy application that stores a significant amount of data on the file system of its VM. You do not want to re-write the application to use an external service to store the file system data.

What should you do?

A. In Cloud Shell, create a YAML file defining your Deployment called deployment.yaml. Create a Deployment in GKE by running the command kubectl apply -f deployment.yaml
B. In Cloud Shell, create a YAML file defining your Container called build.yaml. Create a Container in GKE by running the command gcloud builds submit --config build.yaml .
C. In Cloud Shell, create a YAML file defining your StatefulSet called statefulset.yaml. Create a StatefulSet in GKE by running the command kubectl apply -f statefulset.yaml
D. In Cloud Shell, create a YAML file defining your Pod called pod.yaml. Create a Pod in GKE by running the command kubectl apply -f pod.yaml


1.3 Designing network, storage, and compute resources

Resources to start your journey

Choose and manage compute | Architecture Framework | Google Cloud
Design your network infrastructure | Architecture Framework | Google Cloud
Select and implement a storage strategy | Architecture Framework | Google Cloud

Google Cloud documentation


1.4 Diagnostic Question 09

You are working in a mixed environment of VMs and Kubernetes. Some of your resources are on-premises, and some are in Google Cloud. Using containers as a part of your CI/CD pipeline has sped up releases significantly. You want to start migrating some of those VMs to containers so you can get similar benefits. You want to automate the migration process where possible.

What should you do?

A. Manually create a GKE cluster, and then use Migrate to Containers (Migrate for Anthos) to set up the cluster, import VMs, and convert them to containers.
B. Use Migrate to Containers (Migrate for Anthos) to automate the creation of Compute Engine instances to import VMs and convert them to containers.
C. Manually create a GKE cluster. Use Cloud Build to import VMs and convert them to containers.
D. Use Migrate for Compute Engine to import VMs and convert them to containers.


1.4 Creating a migration plan

Resources to start your journey

Migrate for Anthos and GKE


Migration to Google Cloud: Choosing your migration path
Migrating to the cloud: a guide and checklist
Cloud Migration Products & Services
Application Migration | Google Cloud
1.5 Diagnostic Question 10

Cymbal Direct has created a proof of concept for a social integration service that highlights images of its products from social media. The proof of concept is a monolithic application running on a single SuSE Linux virtual machine (VM). The current version requires increasing the VM’s CPU and RAM in order to scale. You would like to refactor the VM so that you can scale out instead of scaling up.

What should you do?

A. Move the existing codebase and VM provisioning scripts to git, and attach external persistent volumes to the VMs.
B. Make sure that the application declares any dependent requirements in a requirements.txt or equivalent statement so that they can be referenced in a startup script. Specify the startup script in a managed instance group template, and use an autoscaling policy.
C. Make sure that the application declares any dependent requirements in a requirements.txt or equivalent statement so that they can be referenced in a startup script, and attach external persistent volumes to the VMs.
D. Use containers instead of VMs, and use a GKE autoscaling deployment.
1.5 Envisioning future solution improvements

Resources to start your journey

Twelve-factor app development on Google Cloud | Cloud Architecture Center
Section 2: Managing and provisioning a solution infrastructure
2.1 Diagnostic Question 01

Cymbal Direct must meet compliance requirements. You need to ensure that employees with valid accounts cannot access their VPC network from locations outside of its secure corporate network, including from home. You also want a high degree of visibility into network traffic for auditing and forensics purposes.

What should you do?

A. Ensure that all users install Cloud VPN. Enable VPC Flow Logs for the networks you need to monitor.
B. Enable VPC Service Controls, define a network perimeter to restrict access to authorized networks, and enable VPC Flow Logs for the networks you need to monitor.
C. Enable Identity-Aware Proxy (IAP) to allow users to access services securely. Use Google Cloud’s operations suite to view audit logs for the networks you need to monitor.
D. Enable VPC Service Controls, and use Google Cloud’s operations suite to view audit logs for the networks you need to monitor.


2.1 Diagnostic Question 02

You are working with a client who has built a secure messaging application. The application is open source and consists of two components. The first component is a web app, written in Go, which is used to register an account and authorize the user’s IP address. The second is an encrypted chat protocol that uses TCP to talk to the backend chat servers running Debian. If the client's IP address doesn't match the registered IP address, the application is designed to terminate their session. The number of clients using the service varies greatly based on time of day, and the client wants to be able to easily scale as needed.

What should you do?

A. Deploy the web application using the App Engine standard environment using a global external HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
B. Deploy the web application using the App Engine flexible environment using a global external HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
C. Deploy the web application using the App Engine standard environment using a global external HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the backend chat servers. Use a global SSL proxy load balancer to load-balance traffic across the backend chat servers.
D. Deploy the web application using the App Engine standard environment with a global external HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.


2.1 Configuring network topologies

Resources to start your journey

VPC network overview | Google Cloud


Choosing a Network Connectivity product | Google Cloud
Cloud VPN overview
Best practices | Cloud Interconnect
Options for connecting to multiple VPC networks | Cloud Interconnect
Best practices for enterprise organizations | Documentation | Google Cloud
2.2 Diagnostic Question 03

Cymbal Direct's user account management app allows users to delete their accounts whenever they like. Cymbal Direct also has a very generous 60-day return policy for users. The customer service team wants to make sure that they can still refund or replace items for a customer even if the customer’s account has been deleted.

What can you do to ensure that the customer service team has access to relevant account information?

A. Temporarily disable the account for 30 days. Export account information to Cloud Storage, and enable lifecycle management to delete the data in 60 days.
B. Ensure that the user clearly understands that after they delete their account, all their information will also be deleted. Remind them to download a copy of their order history and account information before deleting their account. Have the support agent copy any open or recent orders to a shared spreadsheet.
C. Restore a previous copy of the user information database from a snapshot. Have a database administrator capture needed information about the customer.
D. Disable the account. Export account information to Cloud Storage. Have the customer service team permanently delete the data after 30 days.
2.2 Configuring individual storage systems

Resources to start your journey

Select and implement a storage strategy | Architecture Framework | Google Cloud
Best practices for Cloud Storage
Enterprise tier | Filestore | Google Cloud
Design an optimal storage strategy for your cloud workload
Storage options | Compute Engine Documentation | Google Cloud
Cloud Storage Options | Google Cloud
Object storage vs block storage vs file storage: which should you choose? | Google Cloud Blog
2.3 Diagnostic Question 04

Cymbal Direct wants to create a pipeline to automate the building of new application releases.

What sequence of steps should you use?

A. Set up a source code repository. Run unit tests. Check in code. Deploy. Build a Docker container.
B. Check in code. Set up a source code repository. Run unit tests. Deploy. Build a Docker container.
C. Set up a source code repository. Check in code. Run unit tests. Build a Docker container. Deploy.
D. Run unit tests. Deploy. Build a Docker container. Check in code. Set up a source code repository.
2.3 Diagnostic Question 05

Your existing application runs on Ubuntu Linux VMs in an on-premises hypervisor. You want to deploy the application to Google Cloud with minimal refactoring.

What should you do?

A. Set up a Google Kubernetes Engine (GKE) cluster, and then create a deployment with an autoscaler.
B. Isolate the core features that the application provides. Use Cloud Run to deploy each feature independently as a microservice.
C. Use X or Partner Interconnect to connect the on-premises network where your application is running to your VPC. Configure an endpoint for a global external HTTP(S) load balancer that connects to the existing VMs.
D. Write Terraform scripts to deploy the application as Compute Engine instances.
2.3 Diagnostic Question 06

Cymbal Direct needs to use a tool to deploy its infrastructure. You want something that allows for repeatable deployment processes, uses a declarative language, and allows parallel deployment. You also want to deploy infrastructure as code on Google Cloud and other cloud providers.

What should you do?

A. Automate the deployment with Terraform scripts.
B. Automate the deployment using scripts containing gcloud commands.
C. Use Google Kubernetes Engine (GKE) to create deployments and manifests for your applications.
D. Develop in Docker containers for portability and ease of deployment.


2.3 Diagnostic Question 07

Cymbal Direct wants to allow partners to make orders programmatically, without having to speak on the phone with an agent.

What should you consider when designing the API?

A. The API backend should be loosely coupled. Clients should not be required to know too many details of the services they use. REST APIs using gRPC should be used for all external APIs.
B. The API backend should be tightly coupled. Clients should know a significant amount about the services they use. REST APIs using gRPC should be used for all external APIs.
C. The API backend should be loosely coupled. Clients should not be required to know too many details of the services they use. For REST APIs, HTTP(S) is the most common protocol.
D. The API backend should be tightly coupled. Clients should know a significant amount about the services they use. For REST APIs, HTTP(S) is the most common protocol used.
2.3 Diagnostic Question 08

Cymbal Direct wants a layered approach to security when setting up Compute Engine instances.

What are some options you could use to make your Compute Engine instances more secure?

A. Use labels to allow traffic only from certain sources and ports. Turn on Secure boot and vTPM.
B. Use labels to allow traffic only from certain sources and ports. Use a Compute Engine service account.
C. Use network tags to allow traffic only from certain sources and ports. Turn on Secure boot and vTPM.
D. Use network tags to allow traffic only from certain sources and ports. Use a Compute Engine service account.
2.3 Diagnostic Question 09

You have deployed your frontend web application in Kubernetes. Based on historical use, you need three pods to handle normal demand. Occasionally your load will roughly double. A load balancer is already in place.

How could you configure your environment to efficiently meet that demand?

A. Edit your pod's configuration file and change the number of replicas to six.
B. Edit your deployment's configuration file and change the number of replicas to six.
C. Use the "kubectl autoscale" command to change the pod's maximum number of instances to six.
D. Use the "kubectl autoscale" command to change the deployment’s maximum number of instances to six.
2.3 Diagnostic Question 10

You need to deploy a load balancer for a web-based application with multiple backends in different regions. You want to direct traffic to the backend closest to the end user, but also to different backends based on the URL the user is accessing.

Which of the following could be used to implement this?

A. The request is received by the global external HTTP(S) load balancer. A global forwarding rule sends the request to a target proxy, which checks the URL map and selects the backend service. The backend service sends the request to Compute Engine instance groups in multiple regions.
B. The request is matched by a URL map and then sent to a global external HTTP(S) load balancer. A global forwarding rule sends the request to a target proxy, which selects a backend service. The backend service sends the request to Compute Engine instance groups in multiple regions.
C. The request is received by the SSL proxy load balancer, which uses a global forwarding rule to check the URL map, then sends the request to a backend service. The request is processed by Compute Engine instance groups in multiple regions.
D. The request is matched by a URL map and then sent to an SSL proxy load balancer. A global forwarding rule sends the request to a target proxy, which selects a backend service and sends the request to Compute Engine instance groups in multiple regions.
2.3 Configuring compute systems

Resources to start your journey

Choose a Compute Engine deployment strategy for your workload


Google Kubernetes Engine documentation
General development tips | Cloud Run Documentation
Choosing the right compute option in GCP: a decision tree | Google Cloud Blog

Google Kubernetes Engine vs Cloud Run: Which should you use?


Section 3: Designing for security and compliance
3.1 Diagnostic Question 01

Your client created an Identity and Access Management (IAM) resource hierarchy with Google Cloud when the company was a startup. Your client has grown and now has multiple departments and teams. You want to recommend a resource hierarchy that follows Google-recommended practices.

What should you do?

A. Keep all resources in one project, and use a flat resource hierarchy to reduce complexity and simplify management.
B. Keep all resources in one project, but change the resource hierarchy to reflect company organization.
C. Use a flat resource hierarchy and multiple projects with established trust boundaries.
D. Use multiple projects with established trust boundaries, and change the resource hierarchy to reflect company organization.


3.1 Diagnostic Question 02

Cymbal Direct’s social media app must run in a separate project from its APIs and web store. You want to use Identity and Access Management (IAM) to ensure a secure environment.

How should you set up IAM?

A. Use separate service accounts for each component (social media app, APIs, and web store) with basic roles to grant access.
B. Use one service account for all components (social media app, APIs, and web store) with basic roles to grant access.
C. Use separate service accounts for each component (social media app, APIs, and web store) with predefined or custom roles to grant access.
D. Use one service account for all components (social media app, APIs, and web store) with predefined or custom roles to grant access.
3.1 Diagnostic Question 03

Michael is the owner/operator of “Zneeks,” a retail shoe store that caters to sneaker aficionados. He regularly works with customers who order small batches of custom shoes. Michael is interested in using Cymbal Direct to manufacture and ship custom batches of shoes to these customers. Reasonably tech-savvy but not a developer, Michael likes using Cymbal Direct's partner purchase portal but wants the process to be easy.

What is an example of a user story that could describe Michael’s persona?

A. As a shoe retailer, Michael wants to send Cymbal Direct custom purchase orders so that batches of custom shoes are sent to his customers.
B. Michael is a tech-savvy owner/operator of a small business.
C. Zneeks is a retail shoe store that caters to sneaker aficionados.
D. Michael is reasonably tech-savvy but needs Cymbal Direct's partner purchase portal to be easy.
3.1 Diagnostic Question 04

Cymbal Direct has an application running on a Compute Engine instance. You need to give the application access to several Google Cloud services. You do not want to keep any credentials on the VM instance itself.

What should you do?

A. Create a service account for each of the services the VM needs to access. Associate the service accounts with the Compute Engine instance.
B. Create a service account and assign it the project owner role, which enables access to any needed service.
C. Create a service account for the instance. Use Access scopes to enable access to the required services.
D. Create a service account with one or more predefined or custom roles, which give access to the required services.
3.1 Diagnostic Question 05

Cymbal Direct wants to use Identity and Access Management (IAM) to allow employees to have access to Google Cloud resources and services based on their job roles. Several employees are project managers and want to have some level of access to see what has been deployed. The security team wants to ensure that securing the environment and managing resources is simple so that it will scale.

What approach should you use?

A. Grant access by assigning custom roles to groups. Use multiple groups for better control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
B. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
C. Give access directly to each individual for more granular control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
D. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Make sure you give out access to all the children in a hierarchy under the level needed, because child resources will not automatically inherit abilities.
3.1 Diagnostic Question 06

You have several Compute Engine instances running NGINX and Tomcat for a web application. In your web server logs, many login failures come from a single IP address, which looks like a brute force attack.

A. Edit the Compute Engine instances running your web application, and enable Google Cloud Armor. Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000).
B. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine instances running your web server. Create a Google Cloud Armor policy with a default rule action of "Deny." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load balancer backend service's HTTP-backend as the target.
C. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine instances running your web server. Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load balancer backend service's HTTP-backend as the target.
D. Ensure that an HTTP(S) load balancer is configured to send traffic to your backend Compute Engine instances running your web server. Create a Google Cloud Armor policy using the instance’s local firewall with a default rule action of "Allow." Add a new local firewall rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000).

How can you block this traffic?
3.1 Diagnostic Question 07

Cymbal Direct needs to make sure its new social media integration service can’t be accessed directly from the public internet. You want to allow access only through the web frontend store.

A. Remove external IP addresses from the VM instances running the social media service and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
B. Limit access to the external IP addresses of the VM instances using firewall rules and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
C. Limit access to the external IP addresses of the VM instances using a firewall rule to block all outbound traffic. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
D. Remove external IP addresses from the VM instances running the social media service and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be restricted to corporate network IP addresses by Google Cloud Armor.

How can you prevent access to the social media integration service from the outside world, but still allow access to the APIs of social media services?
3.1 Diagnostic Question 08

Cymbal Direct is experiencing success using Google Cloud and you want to leverage tools to make your solutions more efficient. Erik, one of the original web developers, currently adds new products to your application manually. Erik has many responsibilities and requires a long lead time to add new products. You need to create a Cloud Functions application to let Cymbal Direct employees add new products instead of waiting for Erik. However, you want to make sure that only authorized employees can use the application.

A. Set up Cloud VPN between the corporate network and the Google Cloud project's VPC network. Allow users to connect to the Cloud Functions instance.
B. Use Google Cloud Armor to restrict access to the corporate network's external IP address. Configure firewall rules to allow only HTTP(S) access.
C. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) for the Cloud Functions application as an HTTP resource. Add the group as a principal with the role "Project Owner."
D. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) for the Cloud Functions application as an HTTP resource. Add the group as a principal with the role "IAP-secured Web App User."

What should you do?
3.1 Diagnostic Question 09

You've recently created an internal Cloud Run application for developers in your organization. The application lets developers clone production Cloud SQL databases into a project specifically created to test code and deployments. Your previous process was to export a database to a Cloud Storage bucket, and then import the SQL dump into a legacy on-premises testing environment database with connectivity to Google Cloud via Cloud VPN. Management wants to incentivize using the new process with Cloud SQL for rapid testing and track how frequently rapid testing occurs.

A. Use an ACL on the Cloud Storage bucket. Create a read-only group that only has viewer privileges, and ensure that the developers are in that group.
B. Leave the ACLs on the Cloud Storage bucket as-is. Disable Cloud VPN, and have developers use Identity-Aware Proxy (IAP) to connect. Create an organization policy to enforce public access protection.
C. Use predefined roles to restrict access to what the developers are allowed to do. Create a group for the developers, and associate the group with the Cloud SQL Viewer role. Remove the "cloudsql.instances.export" ability from the role.
D. Create a custom role to restrict access to what developers are allowed to do. Create a group for the developers, and associate the group with your custom role. Ensure that the custom role does not have "cloudsql.instances.export."

How can you ensure that the developers use the new process?
3.1 Designing for security

Resources to start your journey

Google Cloud Architecture Framework: Security, privacy, and compliance
IAM best practice guides available now | Google Cloud Blog
Using resource hierarchy for access control | IAM Documentation | Google Cloud
Chapter 18 - SRE Engagement Model
Service accounts | Compute Engine Documentation | Google Cloud
Google Cloud Armor overview
Private clusters | Kubernetes Engine Documentation | Google Cloud
Understanding IAM custom roles | IAM Documentation | Google Cloud
3.2 Diagnostic Question 10

Your client is legally required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). The client has formal audits already, but the audits are only done periodically. The client needs to monitor for common violations to meet those requirements more easily. The client does not want to replace audits but wants to engage in continuous compliance and catch violations early.

A. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.
B. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.
C. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.
D. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.

What would you recommend that this client do?

3.2 Designing for compliance

Resources to start your journey

Manage compliance obligations | Architecture Framework | Google Cloud
Cloud Compliance & Regulations Resources
Assuring Compliance in the Cloud
Security Command Center | Google Cloud
Section 4:
Analyzing and optimizing technical
and business processes
4.1 Diagnostic Question 01

You are asked to implement a lift and shift operation for Cymbal Direct’s Social Media Highlighting service. You compose a Terraform configuration file to build all the necessary Google Cloud resources.

A. Commit the configuration file to your software repository.
B. Run terraform plan to verify the contents of the Terraform configuration file.
C. Run terraform apply to deploy the resources described in the configuration file.
D. Run terraform init to download the necessary provider modules.

What is the next step in the Terraform workflow for this effort?
4.1 Diagnostic Question 02

You have implemented a manual CI/CD process for the container services required for the next implementation of Cymbal Direct’s Drone Delivery project. You want to automate the process.

A. Implement and reference a source repository in your Cloud Build configuration file.
B. Implement a build trigger that applies your build configuration when a new software update is committed to Cloud Source Repositories.
C. Specify the name of your Container Registry in your Cloud Build configuration.
D. Configure and push a manifest file into an environment repository in Cloud Source Repositories.

What should you do?
4.1 Diagnostic Question 03

You have an application implemented on Compute Engine. You want to increase the durability of your application.

A. Implement a scheduled snapshot on your Compute Engine instances.
B. Implement a regional managed instance group.
C. Monitor your application’s usage metrics and implement autoscaling.
D. Perform health checks on your Compute Engine instances.

What should you do?
4.1 Diagnostic Question 04

Developers on your team frequently write new versions of the code for one of your applications. You want to automate the build process when updates are pushed to Cloud Source Repositories.

A. Implement a Cloud Build configuration file with build steps.
B. Implement a build trigger that references your repository and branch.
C. Set proper permissions for Cloud Build to access deployment resources.
D. Upload application updates and Cloud Build configuration files to Cloud Source Repositories.

What should you do?
4.1 Diagnostic Question 05

Your development team used Cloud Source Repositories, Cloud Build, and Artifact Registry to successfully implement the build portion of an application's CI/CD process. However, the deployment process is erroring out. Initial troubleshooting shows that the runtime environment does not have access to the build images. You need to advise the team on how to resolve the issue.

A. The runtime environment does not have permissions to the Artifact Registry in your current project.
B. The runtime environment does not have permissions to Cloud Source Repositories in your current project.
C. The Artifact Registry might be in a different project.
D. You need to specify the Artifact Registry image by name.

What could cause this problem?
4.1 Diagnostic Question 06

You are implementing a disaster recovery plan for the cloud version of your drone solution. Sending videos to the pilots is crucial from an operational perspective.

A. Hot with a low recovery time objective (RTO)
B. Warm with a high recovery time objective (RTO)
C. Cold with a low recovery time objective (RTO)
D. Hot with a high recovery time objective (RTO)

What design pattern should you choose for this part of your architecture?
4.1 Diagnostic Question 07

The number of requests received by your application is nearing the maximum specified in your design. You want to limit the number of incoming requests until the system can handle the workload.

A. Applying a circuit breaker
B. Applying exponential backoff
C. Increasing jitter
D. Applying graceful degradation

What design pattern does this situation describe?
4.1 Diagnostic Question 08

The pilot subsystem in your Delivery by Drone service is critical to your service. You want to ensure that connections to the pilots can survive a VM outage without affecting connectivity.

A. Configure proper startup scripts for your VMs.
B. Deploy a load balancer to distribute traffic across multiple machines.
C. Create persistent disk snapshots.
D. Implement a managed instance group and load balancer.

What should you do?
4.1 Diagnostic Question 09

Cymbal Direct wants to improve its drone pilot interface. You want to collect feedback on proposed changes from the community of pilots before rolling out updates systemwide.

A. You should implement canary testing.
B. You should implement A/B testing.
C. You should implement a blue/green deployment.
D. You should implement an in-place release.

What type of deployment pattern should you implement?
4.1 Analyzing and defining technical processes

Resources to start your journey

Securing the software development lifecycle with Cloud Build and SLSA
CI/CD with Google Cloud
Site Reliability Engineering
DevOps tech: Continuous testing | Google Cloud
Application deployment and testing strategies | Cloud Architecture Center
Chapter 17 - Testing for Reliability
Service Catalog documentation | Google Cloud
What is Disaster Recovery? | Google Cloud
API design guide
4.3 Diagnostic Question 10

You want to establish procedures for testing the resilience of the delivery-by-drone solution.

A. Block access to storage assets in one of your zones.
B. Inject a bad health check for one or more of your resources.
C. Load test your application to see how it responds.
D. Block access to all resources in a zone.

How would you simulate a scalability issue?

4.3 Developing procedures to ensure reliability of solutions in production

Resources to start your journey

Site Reliability Engineering
Site Reliability Engineering (SRE) | Google Cloud
Patterns for scalable and resilient apps | Cloud Architecture Center
How to achieve a resilient IT strategy with Google Cloud
Disaster recovery planning guide | Cloud Architecture Center
Section 5:
Managing implementation

Section 6:
Ensuring solution and
operations reliability
5.1 Diagnostic Question 01

Cymbal Direct is working on a social media integration service in Google Cloud. Mahesh is a non-technical manager who wants to ensure that the project doesn’t exceed the budget and responds quickly to unexpected cost increases. You need to set up access and billing for the project.

A. Assign the predefined Billing Account Administrator role to Mahesh. Create a project budget. Configure billing alerts to be sent to the Billing Administrator. Use resource quotas to cap how many resources can be deployed.
B. Assign the predefined Billing Account Administrator role to Mahesh. Create a project budget. Configure billing alerts to be sent to the Project Owner. Use resource quotas to cap how much money can be spent.
C. Use the predefined Billing Account Administrator role for the Billing Administrator group, and assign Mahesh to the group. Create a project budget. Configure billing alerts to be sent to the Billing Administrator. Use resource quotas to cap how many resources can be deployed.
D. Use the predefined Billing Account Administrator role for the Billing Administrator group, and assign Mahesh to the group. Create a project budget. Configure billing alerts to be sent to the Billing Account Administrator. Use resource quotas to cap how much money can be spent.

What should you do?
5.1 Diagnostic Question 02

Your organization is planning a disaster recovery (DR) strategy. Your stakeholders require a recovery time objective (RTO) of 0 and a recovery point objective (RPO) of 0 for a zone outage. They require an RTO of 4 hours and an RPO of 1 hour for a regional outage. Your application consists of a web application and a backend MySQL database. You need the most efficient solution to meet your recovery KPIs.

A. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and a cross-region replica in us-west.
B. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use the us-east backend. Use Cloud SQL with high availability (HA) enabled in us-east and a cross-region replica in us-west. Manually promote the us-west Cloud SQL instance and change the load balancer backend to us-west.
C. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and back up the database every hour to a multi-region Cloud Storage bucket. Restore the data to a Cloud SQL database in us-west if there is a failure.
D. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and back up the database every hour to a multi-region Cloud Storage bucket. Restore the data to a Cloud SQL database in us-west if there is a failure and change the load balancer backend to us-west.

What should you do?

5.1 Advising development/operation team(s) to ensure successful deployment of the solution

Resources to start your journey

Cloud Reference Architectures and Diagrams | Cloud Architecture Center
What is DevOps? Research and Solutions | Google Cloud
Develop and deliver apps with Cloud Code, Cloud Build, Google Cloud Deploy, and GKE | Cloud Architecture Center
Google Cloud API design tips
DevOps tech: Continuous testing | Google Cloud
DevOps tech: Test data management | Google Cloud
Testing Overview | Cloud Functions Documentation
Database Migration Service | Google Cloud
Cloud Migration Products & Services
5.2 Diagnostic Question 03

Your environment has multiple projects used for development and testing. Each project has a budget, and each developer has a budget. A personal budget overrun can cause a project budget overrun. Several developers are creating resources for testing as part of their CI/CD pipeline but are not deleting these resources after their tests are complete. If the compute resource fails during testing, the test can be run again. You want to reduce costs and notify the developer when a personal budget overrun causes a project budget overrun.

A. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a group for the developers in each project, and add them to the appropriate group. Create a notification channel for each group. Configure a billing alert to notify the group when their budget is exceeded. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
B. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Configure a billing alert to notify billing admins and users when their budget is exceeded. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
C. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a Pub/Sub topic for developer-budget-notifications. Create a Cloud Function to notify the developer based on the labels. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
D. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a Pub/Sub topic for developer-budget-notifications. Create a Cloud Function to notify the developer based on the labels. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible. Use Cloud Scheduler to delete resources older than 24 hours in each project.

What should you do?

5.2 Interacting with Google Cloud programmatically

Resources to start your journey

gcloud CLI overview | Google Cloud CLI Documentation
How Cloud Shell works
Google Cloud APIs
Testing apps locally with the emulator | Cloud Pub/Sub Documentation
Connect your app and start prototyping | Firebase Documentation
Use the emulator | Cloud Bigtable Documentation
Using the Cloud Spanner Emulator
6.1 Diagnostic Question 04

Your client has adopted a multi-cloud strategy that uses a virtual machine-based infrastructure. The client's website serves users across the globe. The client needs a single dashboard view to monitor performance in their AWS and Google Cloud environments. Your client previously experienced an extended outage and wants to establish a monthly service level objective (SLO) of no outage longer than an hour.

A. In Cloud Monitoring, create an uptime check for the URL your clients will access. Configure it to check from multiple regions. Use the Cloud Monitoring dashboard to view the uptime metrics over time and ensure that the SLO is met. Recommend an SLO of 97% uptime per month.
B. In Cloud Monitoring, create an uptime check for the URL your clients will access. Configure it to check from multiple regions. Use the Cloud Monitoring dashboard to view the uptime metrics over time and ensure that the SLO is met. Recommend an SLO of 97% uptime per day.
C. Authorize access to your Google Cloud project from AWS with a service account. Install the monitoring agent on AWS EC2 (virtual machines) and Compute Engine instances. Use Cloud Monitoring to create dashboards that use the performance metrics from virtual machines to ensure that the SLO is met.
D. Create a new project to use as an AWS connector project. Authorize access to the project from AWS with a service account. Install the monitoring agent on AWS EC2 (virtual machines) and Compute Engine instances. Use Cloud Monitoring to create dashboards that use the performance metrics from virtual machines to ensure that the SLO is met.

What should you do?
6.1 Diagnostic Question 05

Cymbal Direct uses a proprietary service to manage on-call rotation and alerting. The on-call rotation service has an API for integration. Cymbal Direct wants to monitor its environment for service availability and ensure that the correct person is notified.

A. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud’s uptime-check servers. Create a Pub/Sub topic for alerting as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's internal IP address, with an alerting policy set to use the Pub/Sub topic. Create a Cloud Function that subscribes to the Pub/Sub topic to send the alert to the on-call API.
B. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud's uptime-check servers. Create a Pub/Sub topic for alerting as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's external IP address, with an alerting policy set to use the Pub/Sub topic. Create a Cloud Function that subscribes to the Pub/Sub topic to send the alert to the on-call API.
C. Ensure that VPC firewall rules allow access from the on-call API. Create a Cloud Function to send the alert to the on-call API. Add Cloud Functions as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's external IP address, with an alerting policy set to use the Cloud Function.
D. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud's uptime-check servers. Add the URL for the on-call rotation API as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's internal IP address, with an alerting policy set to use the API.

What should you do?
6.2 Diagnostic Question 06

Cymbal Direct releases new versions of its drone delivery software every 1.5 to 2 months. Although most releases are successful, you have experienced three problematic releases that made drone delivery unavailable while software developers rolled back the release. You want to increase the reliability of software releases and prevent similar problems in the future.

A. Adopt a “waterfall” development process. Maintain the current release schedule. Ensure that documentation explains how all the features interact. Ensure that the entire application is tested in a staging environment before the release. Ensure that the process to roll back the release is documented. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility.
B. Adopt a “waterfall” development process. Maintain the current release schedule. Ensure that documentation explains how all the features interact. Automate testing of the application. Ensure that the process to roll back the release is well documented. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility.
C. Adopt an “agile” development process. Maintain the current release schedule. Automate build processes from a source repository. Automate testing after the build process. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility. Deploy the previous version if problems are detected and you need to roll back.
D. Adopt an “agile” development process. Reduce the time between releases as much as possible. Automate the build process from a source repository, which includes versioning and self-testing. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility. Use a canary deployment to detect issues that could cause rollback.

What should you do?
6.3 Diagnostic Question 07

Cymbal Direct’s warehouse and inventory system was written in Java. The system uses a microservices architecture in GKE and is instrumented with Zipkin. Seemingly at random, a request will be 5-10 times slower than others. The development team tried to reproduce the problem in testing, but failed to determine the cause of the issue.

A. Create metrics in Cloud Monitoring for your microservices to test whether they are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Profiler to determine which functions/methods in your application’s code use the most system resources. Use Cloud Trace to identify slow requests and determine which microservices/calls take the most time to respond.
B. Create metrics in Cloud Monitoring for your microservices to test whether they are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Trace to determine which functions/methods in your application’s code use the most system resources. Use Cloud Profiler to identify slow requests and determine which microservices/calls take the most time to respond.
C. Use Error Reporting to test whether your microservices are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Profiler to determine which functions/methods in your application’s code use the most system resources. Use Cloud Trace to identify slow requests and determine which microservices/calls take the most time to respond.
D. Use Error Reporting to test whether your microservices are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Trace to determine which functions/methods in your application’s code use the most system resources. Use Cloud Profiler to identify slow requests and determine which microservices/calls take the most time to respond.

What should you do?
6.3 Diagnostic Question 08

You are using Cloud Run to deploy a Flask web application named app.py written in Python. In your testing and staging environments, the application performed as expected. When the application was deployed to production, product search results displayed products that should have been filtered out based on the user's preferences. The developer believes this performance issue would result from the 'user.productFilter' variable either not being set or not being evaluated correctly. You want visibility into what is happening, but also want to minimize user impact, because this is not a critical bug.

A. Use ssh to connect to the Compute Engine instance where Cloud Run is running. Run the command 'python3 -m pdb app.py' to debug the application.
B. Use ssh to connect to the Compute Engine instance where Cloud Run is running. Use the command 'pip install google-python-cloud-debugger' to install Cloud Debugger. Use the 'gcloud debug' command to debug the application.
C. Modify the Dockerfile for the Cloud Run application. Change the RUN command to 'python3 -m pdb /app.py'. Modify the script to import pdb. Deploy to Cloud Run as a canary build.
D. Modify the Dockerfile for the Cloud Run application. Add 'RUN pip install google-python-cloud-debugger' to the Dockerfile. Modify the script to import googleclouddebugger. Use 'gcloud debug' to debug the application.

What should you do?
6.4 Diagnostic Question 09

Cymbal Direct has a new social media integration service that pulls images of its products from social media sites and displays them in a gallery of customer images on your online store. You receive an alert from Cloud Monitoring at 3:34 AM on Saturday. The store is still online, but the gallery does not appear. The CPU utilization is 30% higher than expected on the VMs running the service, which causes the managed instance group (MIG) to scale to the maximum number of instances. You verify that the issue is real by checking the site and by checking the incidents timeline.

A. Increase the maximum number of instances in the MIG and verify that this resolves the issue. Ensure that the ticket is annotated with your solution. Create a normal work ticket for the application developer with a link to the incident. Mark the incident as closed.
B. Check the incident documentation or labels to determine the on-call contact. Appoint an incident commander, and open a chat channel or conference call for emergency response. Investigate and resolve the issue by increasing the maximum number of instances in the MIG, and verify that this resolves the issue. Mark the incident as closed.
C. Increase the maximum number of instances in the MIG and verify that this resolves the issue. Check the incident documentation or labels to determine the on-call contact. Appoint an incident commander, and open a chat channel or conference call for emergency response. Investigate and resolve the root cause of the issue. Write a blameless post-mortem and identify steps to prevent the issue, to ensure a culture of continuous improvement.
D. Verify that the high CPU is not user impacting, increase the maximum number of instances in the MIG, and verify that this resolves the issue.

What should you do to resolve the issue?
6.4 Diagnostic Question 10

You need to adopt Site Reliability Engineering principles and increase visibility into your environment. You want to minimize management overhead and reduce noise generated by the information being collected. You also want to streamline the process of reacting to, analyzing, and improving your environment, and to ensure that only trusted container images are deployed to production.

What should you do?

A. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Only page the on-call contact about novel issues or events that haven't been seen before. Use GNU Privacy Guard (GPG) to check container image signatures and ensure that only signed containers are deployed.
B. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Page the on-call contact when issues that affect resources in the environment are detected. Use GPG to check container image signatures and ensure that only signed containers are deployed.
C. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Only page the on-call contact about novel issues that violate an SLO or events that haven't been seen before. Use Binary Authorization to ensure that only signed container images are deployed.
D. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Page the on-call contact when issues that affect resources in the environment are detected. Use Binary Authorization to ensure that only signed container images are deployed.
6.1 - 6.4 Ensuring solution and operations reliability

Resources to start your journey

Google Cloud operations suite documentation
Operations: Cloud Monitoring & Logging | Google Cloud
Cloud operations grows with monitoring, logging, more | Google Cloud Blog
Continuous Delivery | Google Cloud
Concepts | Google Cloud Deploy
Adopting SLOs | Cloud Architecture Center
Analyzing a case study: Dress4Win

Dress4Win case study - 01

Company overview

Dress4Win is a web-based company that helps their users organize and manage their personal wardrobe using a web app and mobile application. The company also cultivates an active social network that connects their users with designers and retailers. They monetize their services through advertising, ecommerce, referrals, and a freemium app model. The application has grown from a few servers in the founder's garage to several hundred servers and appliances in a colocated data center. However, the capacity of their infrastructure is now insufficient for the application's rapid growth. Because of this growth and the company's desire to innovate faster, Dress4Win is committing to a full migration to a public cloud.

Solution concept

For the first phase of their migration to the cloud, Dress4Win is moving their development and test environments. They are also building a disaster recovery site, because their current infrastructure is at a single location. They are not sure which components of their architecture they can migrate as is and which components they need to change before migrating them.
Dress4Win case study - 02

Existing technical environment

The Dress4Win application is served out of a single data center location. All servers run Ubuntu LTS v16.04.

Databases:
● MySQL. One server for user data, inventory, static data
  ○ MySQL 5.7
  ○ 8 core CPUs
  ○ 128 GB of RAM
  ○ 2x 5 TB HDD (RAID 1)

Compute:
● 40 web application servers providing micro-services based APIs and static content
  ○ Tomcat - Java
  ○ Nginx
  ○ Four core CPUs
  ○ 32 GB of RAM
● 20 Apache Hadoop/Spark servers:
  ○ Data analysis
  ○ Real-time trending calculations
  ○ Eight core CPUs
  ○ 128 GB of RAM
  ○ 4x 5 TB HDD (RAID 1)
● Three RabbitMQ servers for messaging, social notifications, and events
  ○ Eight core CPUs
  ○ 32 GB of RAM
● Miscellaneous servers: Jenkins, monitoring, bastion hosts, security scanners
  ○ Eight core CPUs
  ○ 32 GB of RAM

Storage appliances:
● iSCSI for VM hosts
● Fibre channel SAN - MySQL databases
  ○ 1 PB total storage; 400 TB available
● NAS - image storage, logs, backups
  ○ 100 TB total storage; 35 TB available
Dress4Win case study - 03

Business requirements
● Build a reliable and reproducible environment with scaled parity of production
● Improve security by defining and adhering to a set of security and identity and access management (IAM) best practices for cloud
● Improve business agility and speed of innovation through rapid provisioning of new resources
● Analyze and optimize architecture for performance in the cloud

Technical requirements
● Easily create non-production environments in the cloud
● Implement an automation framework for provisioning resources in cloud
● Implement a continuous deployment process for deploying applications to the on-premises data center or cloud
● Support failover of the production environment to cloud during an emergency
● Encrypt data on the wire and at rest
● Support multiple private connections between the production data center and cloud environment
Dress4Win case study - 04

Executive statement

Our investors are concerned about our ability to scale and contain costs with our current infrastructure. They are also concerned that a
competitor could use a public cloud platform to offset their up-front investment and free them to focus on developing better features. Our
traffic patterns are highest in the mornings and weekend evenings; during other times, 80% of our capacity is sitting idle.

Our capital expenditure is now exceeding our quarterly projections. Migrating to the cloud will likely cause an initial increase in spending,
but we expect to fully transition before our next hardware refresh cycle. Our total cost of ownership (TCO) analysis over the next five years
for a public cloud strategy achieves a cost reduction between 30% and 50% over our current model.
Categorizing Objectives: Dress4Win case study - REF

Itemized list of objectives

Business requirements
● Build a reliable and reproducible environment with scaled parity of production
● Improve security by defining and adhering to a set of security and identity and access management (IAM) best practices for cloud
● Improve business agility and speed of innovation through rapid provisioning of new resources
● Analyze and optimize architecture for performance in the cloud

Technical requirements
● Easily create non-production environments in the cloud
● Implement an automation framework for provisioning resources in cloud
● Implement a continuous deployment process for deploying applications to the on-premises data center or cloud
● Support failover of the production environment to cloud during an emergency
● Encrypt data on the wire and at rest
● Support multiple private connections between the production data center and cloud environment.

Solution component

Databases:
● MySQL. One server for user data, inventory, static data
  ○ MySQL 5.7
  ○ 8 core CPUs
  ○ 128 GB of RAM
  ○ 2x 5 TB HDD (RAID 1)

Compute:
● 40 web application servers providing micro-services based APIs and static content
  ○ Tomcat - Java
  ○ Nginx
  ○ Four core CPUs
  ○ RAM

… more in actual case study


Plan time to prepare

When will you take the exam?

How many weeks do you have to prepare?

How many hours will you spend preparing for the exam each week?

How many total hours will you prepare?


Weekly study plan
Now, consider what you’ve learned about your knowledge and skills through
the diagnostic questions in this course. You should have a better
understanding of what areas you need to focus on and what resources are
available.

Use the template that follows to plan your study goals for each week.
Consider:
● What exam guide section(s) or topic area(s) will you focus on?
● What courses (or specific modules) will help you learn more?
● What Skill Badges or labs will you work on for hands-on practice?
● What documentation links will you review?
● What additional resources will you use - such as sample questions?
● What will you do to prepare for the case studies?
You may do some or all of these study activities each week.

Duplicate the weekly template for the number of weeks in your individual
preparation journey.
Weekly study template (example)

Area(s) of focus: Automating infrastructure with Terraform

Courses/modules to complete:
● Elastic Google Cloud Infrastructure: Scaling and Automation, M3
● Reliable Google Cloud Infrastructure: Design and Process, M3

Skill Badges/labs to complete:
● Automating Infrastructure on Google Cloud with Terraform

Documentation to review:
● Using Recommendations for Infrastructure as Code | Recommender Documentation | Google Cloud
● Using Terraform with Google Cloud
● Managing infrastructure as code with Terraform, Cloud Build, and GitOps | Cloud Architecture Center | Google Cloud

Additional study:
● Sample questions 1-3
● Review case study 2 and search for relevant reference architectures
Weekly study template

Area(s) of focus:

Courses/modules to complete:

Skill Badges/labs to complete:

Documentation to review:

Additional study: