Professional-Cloud-DevOps-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud DevOps Engineer Exam

Go to page:

Question # 33

You support a multi-region web service running on Google Kubernetes Engine (GKE) behind a Global HTTP'S Cloud Load Balancer (CLB). For legacy reasons, user requests first go through a third-party Content Delivery Network (CDN). which then routes traffic to the CLB. You have already implemented an availability Service Level Indicator (SLI) at the CLB level. However, you want to increase coverage in case of a potential load balancer misconfiguration. CDN failure, or other global networking catastrophe. Where should you measure this new SLI?

Choose 2 answers

Your application servers' logs

Instrumentation coded directly in the client

Metrics exported from the application servers

GKE health checks for your application servers

A synthetic client that periodically sends simulated user requests

Full Access

Question # 34

You have deployed a fleet Of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber

security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?

Grant the logging.editor and monitoring.metricwriter roles to the Compute Engine service accounts.

Grant the Logging. admin and monitoring . editor roles to the Compute Engine service accounts.

Grant the logging. logwriter and monitoring. editor roles to the Compute Engine service accounts.

Grant the logging. logWriter and monitoring. metricWriter roles to the Compute Engine service accounts.

Full Access

Answer:

Explanation:

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API1. This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf1. To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account23:

The logging.logWriter role allows the service account to write log entries to Cloud Logging4.
The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring5.

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose. For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries6. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.

Reference: [Reference:, Service accounts, Service accounts. Setting up Stackdriver Logging for Compute Engine, Setting up Stackdriver Logging for Compute Engine. Setting up Stackdriver Monitoring for Compute Engine, Setting up Stackdriver Monitoring for Compute Engine. Predefined roles, Predefined roles. Predefined roles, Predefined roles. Predefined roles, Predefined roles. [Predefined roles], Predefined roles. [Predefined roles], Predefined roles., , , , ]

Question # 35

Your company's security team needs to have read-only access to Data Access audit logs in the _Required bucket You want to provide your security team with the necessary permissions following the principle of least privilege and Google-recommended practices. What should you do?

Assign the roles/logging, viewer role to each member of the security team

Assign the roles/logging. viewer role to a group with all the security team members

Assign the roles/logging.privateLogViewer role to each member of the security team

Assign the roles/logging.privateLogviewer role to a group with all the security team members

Full Access

Question # 36

Your company is developing applications that are deployed on Google Kubernetes Engine (GKE) Each team manages a different application You need to create the development and production environments for each team while you minimize costs Different teams should not be able to access other teams environments You want to follow Google-recommended practices What should you do?

Create one Google Cloud project per team In each project create a cluster for development and one for

production Grant the teams Identity and Access Management (1AM) access to their respective clusters

Create one Google Cloud project per team In each project create a cluster with a Kubernetes namespace

for development and one for production Grant the teams Identity and Access Management (1AM) access to their respective clusters.

Create a development and a production GKE cluster in separate projects In each cluster create a Kubernetes namespace per team and then configure Identity-Aware Proxy so that each team can only

access its own namespace

Create a development and a production GKE cluster in separate projects In each cluster create a Kubernetes namespace per team and then configure Kubernetes role-based access control (RBAC) so that each team can only access its own namespace

Full Access

Question # 37

You support a service with a well-defined Service Level Objective (SLO). Over the previous 6 months, your service has consistently met its SLO and customer satisfaction has been consistently high. Most of your serviceâ€™s operations tasks are automated and few repetitive tasks occur frequently. You want to optimize the balance between reliability and deployment velocity while following site reliability engineering best practices. What should you do? (Choose two.)

Make the serviceâ€™s SLO more strict.

Increase the serviceâ€™s deployment velocity and/or risk.

Shift engineering time to other services that need more reliability.

Get the product team to prioritize reliability work over new features.

Change the implementation of your Service Level Indicators (SLIs) to increase coverage.

Full Access

Question # 38

You need to run a business-critical workload on a fixed set of Compute Engine instances for several months. The workload is stable with the exact amount of resources allocated to it. You want to lower the costs for this workload without any performance implications. What should you do?

Purchase Committed Use Discounts.

Migrate the instances to a Managed Instance Group.

Convert the instances to preemptible virtual machines.

Create an Unmanaged Instance Group for the instances used to run the workload.

Full Access

Question # 39

You work for a global organization and run a service with an availability target of 99% with limited engineering resources. For the current calendar month you noticed that the service has 99 5% availability. You must ensure that your service meets the defined availability goals and can react to business changes including the upcoming launch of new features You also need to reduce technical debt while minimizing operational costs You want to follow Google-recommended practices What should you do?

Add N+1 redundancy to your service by adding additional compute resources to the service

Identify, measure and eliminate toil by automating repetitive tasks

Define an error budget for your service level availability and minimize the remaining error budget

Allocate available engineers to the feature backlog while you ensure that the sen/ice remains within the availability target

Full Access

Go to page: