Preparing For PCA Workbook

This document provides an overview of Cymbal Direct's existing technical environment and business requirements as they consider moving to cloud solutions. It discusses their goals of easily scaling to handle demand, streamlining development, and securely enabling partner integration via APIs. The proposed solution is to migrate their Kubernetes workloads and databases to Google Cloud, using services like GKE, Cloud Build, Source Repository and Load Balancing for scalability, security and continuous integration/delivery. This would address their needs while allowing their existing applications to be refactored over time.

Uploaded by Thomas Yosef

Preparing for Your Professional Cloud Architect Journey

Course Workbook
Certification Exam Guide Sections
1 Designing and planning a cloud solution architecture

2 Managing and provisioning a solution infrastructure

3 Designing for security and compliance

4 Analyzing and optimizing technical and business processes

5 Managing implementation

6 Ensuring solution and operations reliability


Section 1: Designing and planning a cloud solution architecture

Cymbal Direct case study


Cymbal Direct case study - 01

Company overview

Cymbal Direct is an online direct-to-consumer Chicago-based footwear and apparel retailer founded in 2008 and acquired by Cymbal Group in 2010. Cymbal Direct is a fair trade and B Corp certified, sustainability-focused company that works with cotton farmers to reinvest in their communities, a fact which appeals to Cymbal Direct’s younger target market demographic.

Solution concept

1) The beta Delivery by Drone initiative enables licensed drone pilots to team up with Cymbal Direct to deliver shoes and sandals to customers via drone. DBD allows customers to place their orders and then get their shoes delivered in an expedited amount of time. The drones stream real-time video to their pilots, as well as their coordinates, so that customers can see the location of their shoes on a map.

2) Cymbal Direct wants to release official APIs for partners. APIs will be published in a controllable, versionable way, with the ability to track, secure and monetize.

3) A social integration service initiative which highlights images hashtagged with Cymbal Direct’s products, using machine learning to ensure images are appropriate. The social media highlighting service is currently proof-of-concept. Built by a developer in their own time after hours as an experiment, the service garnered a lot of excitement and interest, especially from the marketing team. During one of the internal demos, however, inappropriate images were included in the product gallery.
Cymbal Direct case study - 02

Existing technical environment

Delivery by Drone is an experiment by the supply chain and logistics team. Their core customer-facing application does order processing, showing the current status and location of their delivery. The drones connect via the cellular network. The drones use the drone API to receive commands and send real-time information and video about their location and status.

The existing technical environment includes:
● A website frontend and pilot and truck management systems run on Kubernetes
● Positional data for drone and truck location kept in MongoDB database clusters
● Drones connected to virtual machines using a stateful connection, streaming video via RTMP to the pilots and sending commands from the pilots to the drones

Purchase & Product APIs were developed over time as the business was being built. They were initially only intended to be used in-house, and not exposed to 3rd parties and partners.
● Many of the APIs are simply built into monolithic apps, and were not designed for partner integration, lacking functionality such as versioning.
● The majority of the APIs run on Ubuntu Linux VMs, and scaling has been somewhat difficult because of the use of virtual machines and monolithic architecture.
● APIs do not have a built-in mechanism for supporting multiple accounts, and granting access is very limited as a result.

The social media highlighting service currently runs on a single virtual machine, and while it does work, it has some performance and scalability issues. It uses:
● SuSE Linux
● MySQL DB
● Redis
● Python
Cymbal Direct case study - 03

Business requirements
● Easily scale to handle additional demand when needed and expand to more test markets.
● Streamline development for application modernization and new features/products
● Ensure that developers spend as much time on core business functionality as possible, and not have to worry about scalability wherever possible
● Let partners order directly via API
● Deploy a production version of the social media highlighting service and ensure no inappropriate content

Technical requirements
● Move to managed services wherever possible
● Ensure that developers can deploy container-based workloads to testing and production environments in a highly scalable environment.
● Standardize on containers where possible, but also allow for existing virtualization infrastructure to run as-is without a re-write, so it can be slowly refactored over time
● Securely allow partner integration
● Stream IoT data from drones
Cymbal Direct case study - 04

Executive statement

Cymbal Direct has three areas of strategic focus: improving customer experience, leveraging analytics, and improving digital marketing.
Cymbal Direct has experienced rapid growth and has had trouble meeting demand. The organization wants to implement solutions that will
help scale services and personalize customer experiences. Cymbal Direct wants to be able to dynamically surge delivery during peak
periods.

Cymbal Direct also wants to be able to facilitate large scale B2B orders and better predict customer demand and trends. The organization
wants to ensure the security of its B2B partners’ business plans and make it easier for those partners to integrate with Cymbal Direct’s
APIs to submit orders and specify customizations.

Cymbal Direct also wants to integrate social media and marketing applications into its platform. They would like to be able to highlight
posts on social media platforms which feature Cymbal Direct products directly on their product pages, but are concerned about the
possibility of having unsavory content shown to users accidentally.
Cymbal Direct case study - 05

Potential solutions

Existing environment
● Website frontend, pilot, and truck management systems run on Kubernetes

Technical requirements (does it…?)
● Move to managed services wherever possible
● Ensure that developers can deploy container based workloads to testing and production environments in a highly scalable environment.
● Standardize on containers where possible

Business requirements (does it…?)
● Easily scale to handle additional demand when needed?
● Streamline development?

Proposed product/solution
● Global HTTP(s) Load Balancer
● GKE in two regions
● Autoscaler
● Private cluster
● Separate projects for website / pilot / truck management - dev, test, staging for each
● Cloud Build
● Cloud Source Repository
● Artifact Registry
● Migration type: lift and shift
● Automation tooling: Terraform
● Firewall rules - http/s
● Separate IAM roles for developers and devops
● Replace GKE with Cloud Run for website (future)
1.1 Diagnostic Question 01

Cymbal Direct drones continuously send data during deliveries. You need to process and analyze the incoming telemetry data. After processing, the data should be retained, but it will only be accessed once every month or two. Your CIO has issued a directive to incorporate managed services wherever possible. You want a cost-effective solution to process the incoming streams of data.

What should you do?

A. Ingest data with ClearBlade IoT Core, process it with Dataprep, and store it in a Coldline Cloud Storage bucket.
B. Ingest data with ClearBlade IoT Core, and then publish to Pub/Sub. Use Dataflow to process the data, and store it in a Nearline Cloud Storage bucket.
C. Ingest data with ClearBlade IoT Core, and then publish to Pub/Sub. Use BigQuery to process the data, and store it in a Standard Cloud Storage bucket.
D. Ingest data with ClearBlade IoT Core, and then store it in BigQuery.


1.1 Diagnostic Question 02

Customers need to have a good experience when accessing your web application so they will continue to use your service. You want to define key performance indicators (KPIs) to establish a service level objective (SLO).

Which KPI could you use?

A. Eighty-five percent of customers are satisfied users
B. Eighty-five percent of requests succeed when aggregated over 1 minute
C. Low latency for > 85% of requests when aggregated over 1 minute
D. Eighty-five percent of requests are successful


1.1 Designing a solution infrastructure that meets business requirements

Resources to start your journey

Google Cloud Architecture Framework: System design
SRE Books
1.2 Diagnostic Question 03

Cymbal Direct developers have written a new application. Based on initial usage estimates, you decide to run the application on Compute Engine instances with 15 Gb of RAM and 4 CPUs. These instances store persistent data locally. After the application runs for several months, historical data indicates that the application requires 30 Gb of RAM. Cymbal Direct management wants you to make adjustments that will minimize costs.

What should you do?

A. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type e2-standard-8. Start the instance again.
B. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type e2-standard-8. Set the instance’s metadata to: preemptible: true. Start the instance again.
C. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type 2-custom-4-30720. Start the instance again.
D. Stop the instance, and then use the command gcloud compute instances set-machine-type VM_NAME --machine-type 2-custom-4-30720. Set the instance’s metadata to: preemptible: true. Start the instance again.
1.2 Designing a solution infrastructure that meets technical requirements

Resources to start your journey

Google Cloud Architecture Framework: System design


1.3 Diagnostic Question 04

You are creating a new project. You plan to set up a Dedicated Interconnect between two of your data centers in the near future and want to ensure that your resources are only deployed to the same regions where your data centers are located. You need to make sure that you don’t have any overlapping IP addresses that could cause conflicts when you set up the interconnect. You want to use RFC 1918 class B address space.

What should you do?

A. Create a new project, leave the default network in place, and then use the default 10.x.x.x network range to create subnets in your desired regions.
B. Create a new project, delete the default VPC network, set up an auto mode VPC network, and then use the default 10.x.x.x network range to create subnets in your desired regions.
C. Create a new project, delete the default VPC network, set up a custom mode VPC network, and then use IP addresses in the 172.16.x.x address range to create subnets in your desired regions.
D. Create a new project, delete the default VPC network, set up the network in custom mode, and then use IP addresses in the 192.168.x.x address range to create subnets in your desired zones. Use VPC Network Peering to connect the zones in the same region to create regional networks.
1.3 Diagnostic Question 05

Cymbal Direct is working with Cymbal Retail, a separate, autonomous division of Cymbal with different staff, networking teams, and data center. Cymbal Direct and Cymbal Retail are not in the same Google Cloud organization. Cymbal Retail needs access to Cymbal Direct’s web application for making bulk orders, but the application will not be available on the public internet. You want to ensure that Cymbal Retail has access to your application with low latency. You also want to avoid egress network charges if possible.

What should you do?

A. Verify that the subnet range Cymbal Retail is using doesn’t overlap with Cymbal Direct’s subnet range, and then enable VPC Network Peering for the project.
B. If Cymbal Retail does not have access to a Google Cloud data center, use Carrier Peering to connect the two networks.
C. Specify Cymbal Direct’s project as the Shared VPC host project, and then configure Cymbal Retail’s project as a service project.
D. Verify that the subnet Cymbal Retail is using has the same IP address range as Cymbal Direct’s subnet range, and then enable VPC Network Peering for the project.
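The address-plan check that the two questions above turn on, as an added example (not part of the workbook): it takes the ranges already in use by the data centers behind an interconnect or by a peer VPC, plus a proposed set of custom-mode subnets, and reports anything that falls outside the chosen RFC 1918 block or collides with an existing or sibling range. All addresses are constructed sample values, not Cymbal Direct's real addressing.

```python
"""Pre-flight overlap check for a VPC subnet plan (added example, not from the
workbook). Ranges below are constructed sample values."""

from ipaddress import ip_network

# RFC 1918 private blocks, keyed by the "class" name the workbook uses.
RFC1918 = {
    "A": ip_network("10.0.0.0/8"),
    "B": ip_network("172.16.0.0/12"),
    "C": ip_network("192.168.0.0/16"),
}


def check_subnet_plan(proposed, existing, rfc1918_class="B"):
    """Return a list of (subnet, problem) tuples; an empty list means the plan is clean.

    proposed: CIDR strings for the new custom-mode VPC subnets
    existing: CIDR strings already routed (on-prem data centers, a peered VPC,
              or the default auto-mode network if it was left in place)
    """
    allowed = RFC1918[rfc1918_class]
    in_use = [ip_network(c, strict=False) for c in existing]
    problems = []
    accepted = []  # proposed subnets checked so far, for sibling overlap
    for cidr in proposed:
        try:
            # strict=True rejects host bits set, e.g. 172.16.1.5/24
            net = ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append((cidr, f"invalid CIDR: {exc}"))
            continue
        if not net.subnet_of(allowed):
            problems.append((cidr, f"outside RFC 1918 class {rfc1918_class} ({allowed})"))
        for used in in_use:
            if net.overlaps(used):
                problems.append((cidr, f"overlaps existing range {used}"))
        for other in accepted:
            if net.overlaps(other):
                problems.append((cidr, f"overlaps proposed subnet {other}"))
        accepted.append(net)
    return problems


# Constructed sample plan: two data centers already use 172.16.0.0/16 and
# 172.17.0.0/16, and the default auto-mode network (10.128.0.0/9) was kept.
ON_PREM_RANGES = ["172.16.0.0/16", "172.17.0.0/16"]
DEFAULT_NETWORK_RANGES = ["10.128.0.0/9"]

PROPOSED_SUBNETS = [
    "172.20.0.0/20",   # us-central1: clean
    "172.20.16.0/20",  # us-east1: clean
    "172.16.8.0/22",   # collides with the first data center
    "10.128.0.0/20",   # inside the default network, and not class B
    "172.20.0.0/24",   # overlaps the first proposed subnet
]


def run_example():
    """Run the check over the constructed plan and return the problems found."""
    return check_subnet_plan(
        PROPOSED_SUBNETS, ON_PREM_RANGES + DEFAULT_NETWORK_RANGES, rfc1918_class="B"
    )


if __name__ == "__main__":
    for subnet, problem in run_example():
        print(f"{subnet}: {problem}")
```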


1.3 Diagnostic Question 06

Cymbal Direct's employees will use Google Workspace. Your current on-premises network cannot meet the requirements to connect to Google's public infrastructure.

What should you do?

A. Order a Dedicated Interconnect from a Google Cloud partner, and ensure that proper routes are configured.
B. Connect the network to a Google point of presence, and enable Direct Peering.
C. Order a Partner Interconnect from a Google Cloud partner, and ensure that proper routes are configured.
D. Connect the on-premises network to Google’s public infrastructure via a partner that supports Carrier Peering.
1.3 Diagnostic Question 07

Cymbal Direct is evaluating database options to store the analytics data from its experimental drone deliveries. You're currently using a small cluster of MongoDB NoSQL database servers. You want to move to a managed NoSQL database service with consistent low latency that can scale throughput seamlessly and can handle the petabytes of data you expect after expanding to additional markets.

What should you do?

A. Extract the data from MongoDB. Insert the data into Firestore using Datastore mode.
B. Create a Bigtable instance, extract the data from MongoDB, and insert the data into Bigtable.
C. Extract the data from MongoDB. Insert the data into Firestore using Native mode.
D. Extract the data from MongoDB, and insert the data into BigQuery.


1.3 Diagnostic Question 08

You are working with a client who is using Google Kubernetes Engine (GKE) to migrate applications from a virtual machine–based environment to a microservices-based architecture. Your client has a complex legacy application that stores a significant amount of data on the file system of its VM. You do not want to re-write the application to use an external service to store the file system data.

What should you do?

A. In Cloud Shell, create a YAML file defining your Deployment called deployment.yaml. Create a Deployment in GKE by running the command kubectl apply -f deployment.yaml
B. In Cloud Shell, create a YAML file defining your Container called build.yaml. Create a Container in GKE by running the command gcloud builds submit --config build.yaml .
C. In Cloud Shell, create a YAML file defining your StatefulSet called statefulset.yaml. Create a StatefulSet in GKE by running the command kubectl apply -f statefulset.yaml
D. In Cloud Shell, create a YAML file defining your Pod called pod.yaml. Create a Pod in GKE by running the command kubectl apply -f pod.yaml


1.3 Designing network, storage, and compute resources

Resources to start your journey

Choose and manage compute | Architecture Framework | Google Cloud
Design your network infrastructure | Architecture Framework | Google Cloud
Select and implement a storage strategy | Architecture Framework | Google Cloud
Google Cloud documentation


1.4 Diagnostic Question 09

You are working in a mixed environment of VMs and Kubernetes. Some of your resources are on-premises, and some are in Google Cloud. Using containers as a part of your CI/CD pipeline has sped up releases significantly. You want to start migrating some of those VMs to containers so you can get similar benefits. You want to automate the migration process where possible.

What should you do?

A. Manually create a GKE cluster, and then use Migrate to Containers (Migrate for Anthos) to set up the cluster, import VMs, and convert them to containers.
B. Use Migrate to Containers (Migrate for Anthos) to automate the creation of Compute Engine instances to import VMs and convert them to containers.
C. Manually create a GKE cluster. Use Cloud Build to import VMs and convert them to containers.
D. Use Migrate for Compute Engine to import VMs and convert them to containers.


1.4 Creating a migration plan

Resources to start your journey

Migrate for Anthos and GKE


Migration to Google Cloud: Choosing your migration path
Migrating to the cloud: a guide and checklist
Cloud Migration Products & Services
Application Migration | Google Cloud
1.5 Diagnostic Question 10

Cymbal Direct has created a proof of concept for a social integration service that highlights images of its products from social media. The proof of concept is a monolithic application running on a single SuSE Linux virtual machine (VM). The current version requires increasing the VM’s CPU and RAM in order to scale. You would like to refactor the VM so that you can scale out instead of scaling up.

What should you do?

A. Move the existing codebase and VM provisioning scripts to git, and attach external persistent volumes to the VMs.
B. Make sure that the application declares any dependent requirements in a requirements.txt or equivalent statement so that they can be referenced in a startup script. Specify the startup script in a managed instance group template, and use an autoscaling policy.
C. Make sure that the application declares any dependent requirements in a requirements.txt or equivalent statement so that they can be referenced in a startup script, and attach external persistent volumes to the VMs.
D. Use containers instead of VMs, and use a GKE autoscaling deployment.
1.5 Envisioning future solution improvements

Resources to start your journey

Twelve-factor app development on Google Cloud | Cloud Architecture Center
Section 2: Managing and provisioning a solution infrastructure
2.1 Diagnostic Question 01

Cymbal Direct must meet compliance requirements. You need to ensure that employees with valid accounts cannot access their VPC network from locations outside of its secure corporate network, including from home. You also want a high degree of visibility into network traffic for auditing and forensics purposes.

What should you do?

A. Ensure that all users install Cloud VPN. Enable VPC Flow Logs for the networks you need to monitor.
B. Enable VPC Service Controls, define a network perimeter to restrict access to authorized networks, and enable VPC Flow Logs for the networks you need to monitor.
C. Enable Identity-Aware Proxy (IAP) to allow users to access services securely. Use Google Cloud’s operations suite to view audit logs for the networks you need to monitor.
D. Enable VPC Service Controls, and use Google Cloud’s operations suite to view audit logs for the networks you need to monitor.


2.1 Diagnostic Question 02

You are working with a client who has built a secure messaging application. The application is open source and consists of two components. The first component is a web app, written in Go, which is used to register an account and authorize the user’s IP address. The second is an encrypted chat protocol that uses TCP to talk to the backend chat servers running Debian. If the client's IP address doesn't match the registered IP address, the application is designed to terminate their session. The number of clients using the service varies greatly based on time of day, and the client wants to be able to easily scale as needed.

What should you do?

A. Deploy the web application using the App Engine standard environment using a global external HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
B. Deploy the web application using the App Engine flexible environment using a global external HTTP(S) load balancer and a network endpoint group. Use an unmanaged instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.
C. Deploy the web application using the App Engine standard environment using a global external HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the backend chat servers. Use a global SSL proxy load balancer to load-balance traffic across the backend chat servers.
D. Deploy the web application using the App Engine standard environment with a global external HTTP(S) load balancer and a network endpoint group. Use a managed instance group for the backend chat servers. Use an external network load balancer to load-balance traffic across the backend chat servers.


2.1 Configuring network topologies

Resources to start your journey

VPC network overview | Google Cloud
Choosing a Network Connectivity product | Google Cloud
Cloud VPN overview
Best practices | Cloud Interconnect
Options for connecting to multiple VPC networks | Cloud Interconnect
Best practices for enterprise organizations | Documentation | Google Cloud
2.2 Diagnostic Question 03

Cymbal Direct's user account management app allows users to delete their accounts whenever they like. Cymbal Direct also has a very generous 60-day return policy for users. The customer service team wants to make sure that they can still refund or replace items for a customer even if the customer’s account has been deleted.

What can you do to ensure that the customer service team has access to relevant account information?

A. Temporarily disable the account for 30 days. Export account information to Cloud Storage, and enable lifecycle management to delete the data in 60 days.
B. Ensure that the user clearly understands that after they delete their account, all their information will also be deleted. Remind them to download a copy of their order history and account information before deleting their account. Have the support agent copy any open or recent orders to a shared spreadsheet.
C. Restore a previous copy of the user information database from a snapshot. Have a database administrator capture needed information about the customer.
D. Disable the account. Export account information to Cloud Storage. Have the customer service team permanently delete the data after 30 days.
2.2 Configuring individual storage systems

Resources to start your journey

Select and implement a storage strategy | Architecture Framework | Google Cloud
Best practices for Cloud Storage
Enterprise tier | Filestore | Google Cloud
Design an optimal storage strategy for your cloud workload
Storage options | Compute Engine Documentation | Google Cloud
Cloud Storage Options | Google Cloud
Object storage vs block storage vs file storage: which should you choose? | Google Cloud Blog
2.3 Diagnostic Question 04

Cymbal Direct wants to create a pipeline to automate the building of new application releases.

What sequence of steps should you use?

A. Set up a source code repository. Run unit tests. Check in code. Deploy. Build a Docker container.
B. Check in code. Set up a source code repository. Run unit tests. Deploy. Build a Docker container.
C. Set up a source code repository. Check in code. Run unit tests. Build a Docker container. Deploy.
D. Run unit tests. Deploy. Build a Docker container. Check in code. Set up a source code repository.
2.3 Diagnostic Question 05

Your existing application runs on Ubuntu Linux VMs in an on-premises hypervisor. You want to deploy the application to Google Cloud with minimal refactoring.

What should you do?

A. Set up a Google Kubernetes Engine (GKE) cluster, and then create a deployment with an autoscaler.
B. Isolate the core features that the application provides. Use Cloud Run to deploy each feature independently as a microservice.
C. Use Dedicated or Partner Interconnect to connect the on-premises network where your application is running to your VPC. Configure an endpoint for a global external HTTP(S) load balancer that connects to the existing VMs.
D. Write Terraform scripts to deploy the application as Compute Engine instances.
2.3 Diagnostic Question 06

Cymbal Direct needs to use a tool to deploy its infrastructure. You want something that allows for repeatable deployment processes, uses a declarative language, and allows parallel deployment. You also want to deploy infrastructure as code on Google Cloud and other cloud providers.

What should you do?

A. Automate the deployment with Terraform scripts.
B. Automate the deployment using scripts containing gcloud commands.
C. Use Google Kubernetes Engine (GKE) to create deployments and manifests for your applications.
D. Develop in Docker containers for portability and ease of deployment.


2.3 Diagnostic Question 07

Cymbal Direct wants to allow partners to make orders programmatically, without having to speak on the phone with an agent.

What should you consider when designing the API?

A. The API backend should be loosely coupled. Clients should not be required to know too many details of the services they use. REST APIs using gRPC should be used for all external APIs.
B. The API backend should be tightly coupled. Clients should know a significant amount about the services they use. REST APIs using gRPC should be used for all external APIs.
C. The API backend should be loosely coupled. Clients should not be required to know too many details of the services they use. For REST APIs, HTTP(S) is the most common protocol.
D. The API backend should be tightly coupled. Clients should know a significant amount about the services they use. For REST APIs, HTTP(S) is the most common protocol used.
2.3 Diagnostic Question 08

Cymbal Direct wants a layered approach to security when setting up Compute Engine instances.

What are some options you could use to make your Compute Engine instances more secure?

A. Use labels to allow traffic only from certain sources and ports. Turn on Secure Boot and vTPM.
B. Use labels to allow traffic only from certain sources and ports. Use a Compute Engine service account.
C. Use network tags to allow traffic only from certain sources and ports. Turn on Secure Boot and vTPM.
D. Use network tags to allow traffic only from certain sources and ports. Use a Compute Engine service account.
2.3 Diagnostic Question 09

You have deployed your frontend web application in Kubernetes. Based on historical use, you need three pods to handle normal demand. Occasionally your load will roughly double. A load balancer is already in place.

How could you configure your environment to efficiently meet that demand?

A. Edit your pod's configuration file and change the number of replicas to six.
B. Edit your deployment's configuration file and change the number of replicas to six.
C. Use the "kubectl autoscale" command to change the pod's maximum number of instances to six.
D. Use the "kubectl autoscale" command to change the deployment’s maximum number of instances to six.
2.3 Diagnostic Question 10

You need to deploy a load balancer for a web-based application with multiple backends in different regions. You want to direct traffic to the backend closest to the end user, but also to different backends based on the URL the user is accessing.

Which of the following could be used to implement this?

A. The request is received by the global external HTTP(S) load balancer. A global forwarding rule sends the request to a target proxy, which checks the URL map and selects the backend service. The backend service sends the request to Compute Engine instance groups in multiple regions.
B. The request is matched by a URL map and then sent to a global external HTTP(S) load balancer. A global forwarding rule sends the request to a target proxy, which selects a backend service. The backend service sends the request to Compute Engine instance groups in multiple regions.
C. The request is received by the SSL proxy load balancer, which uses a global forwarding rule to check the URL map, then sends the request to a backend service. The request is processed by Compute Engine instance groups in multiple regions.
D. The request is matched by a URL map and then sent to an SSL proxy load balancer. A global forwarding rule sends the request to a target proxy, which selects a backend service and sends the request to Compute Engine instance groups in multiple regions.
2.3 Configuring compute systems

Resources to start your journey

Choose a Compute Engine deployment strategy for your workload
Google Kubernetes Engine documentation
General development tips | Cloud Run Documentation
Choosing the right compute option in GCP: a decision tree | Google Cloud Blog
Google Kubernetes Engine vs Cloud Run: Which should you use?


Section 3: Designing for security and compliance
3.1 Diagnostic Question 01

Your client created an Identity and Access Management (IAM) resource hierarchy with Google Cloud when the company was a startup. Your client has grown and now has multiple departments and teams. You want to recommend a resource hierarchy that follows Google-recommended practices.

What should you do?

A. Keep all resources in one project, and use a flat resource hierarchy to reduce complexity and simplify management.
B. Keep all resources in one project, but change the resource hierarchy to reflect company organization.
C. Use a flat resource hierarchy and multiple projects with established trust boundaries.
D. Use multiple projects with established trust boundaries, and change the resource hierarchy to reflect company organization.


3.1 Diagnostic Question 02

Cymbal Direct’s social media app must run in a separate project from its APIs and web store. You want to use Identity and Access Management (IAM) to ensure a secure environment.

How should you set up IAM?

A. Use separate service accounts for each component (social media app, APIs, and web store) with basic roles to grant access.
B. Use one service account for all components (social media app, APIs, and web store) with basic roles to grant access.
C. Use separate service accounts for each component (social media app, APIs, and web store) with predefined or custom roles to grant access.
D. Use one service account for all components (social media app, APIs, and web store) with predefined or custom roles to grant access.
3.1 Diagnostic Question 03

Michael is the owner/operator of “Zneeks,” a retail shoe store that caters to sneaker aficionados. He regularly works with customers who order small batches of custom shoes. Michael is interested in using Cymbal Direct to manufacture and ship custom batches of shoes to these customers. Reasonably tech-savvy but not a developer, Michael likes using Cymbal Direct's partner purchase portal but wants the process to be easy.

What is an example of a user story that could describe Michael’s persona?

A. As a shoe retailer, Michael wants to send Cymbal Direct custom purchase orders so that batches of custom shoes are sent to his customers.
B. Michael is a tech-savvy owner/operator of a small business.
C. Zneeks is a retail shoe store that caters to sneaker aficionados.
D. Michael is reasonably tech-savvy but needs Cymbal Direct's partner purchase portal to be easy.
3.1 Diagnostic Question 04

Cymbal Direct has an application running on a Compute Engine instance. You need to give the application access to several Google Cloud services. You do not want to keep any credentials on the VM instance itself.

What should you do?

A. Create a service account for each of the services the VM needs to access. Associate the service accounts with the Compute Engine instance.
B. Create a service account and assign it the project owner role, which enables access to any needed service.
C. Create a service account for the instance. Use Access scopes to enable access to the required services.
D. Create a service account with one or more predefined or custom roles, which give access to the required services.

3.1 Diagnostic Question 05

Cymbal Direct wants to use Identity and Access Management (IAM) to allow employees to have access to Google Cloud resources and services based on their job roles. Several employees are project managers and want to have some level of access to see what has been deployed. The security team wants to ensure that securing the environment and managing resources is simple so that it will scale.

What approach should you use?

A. Grant access by assigning custom roles to groups. Use multiple groups for better control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
B. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
C. Give access directly to each individual for more granular control. Give access as low in the hierarchy as possible to prevent the inheritance of too many abilities from a higher level.
D. Grant access by assigning predefined roles to groups. Use multiple groups for better control. Make sure you give out access to all the children in a hierarchy under the level needed, because child resources will not automatically inherit abilities.

3.1 Diagnostic Question 06

You have several Compute Engine instances running NGINX and Tomcat for a web application. In your web server logs, many login failures come from a single IP address, which looks like a brute force attack.

How can you block this traffic?

A. Edit the Compute Engine instances running your web application, and enable Google Cloud Armor. Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000).
B. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine instances running your web server. Create a Google Cloud Armor policy with a default rule action of "Deny." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load balancer backend service's HTTP-backend as the target.
C. Ensure that an HTTP(S) load balancer is configured to send traffic to the backend Compute Engine instances running your web server. Create a Google Cloud Armor policy with a default rule action of "Allow." Add a new rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000). Add the load balancer backend service's HTTP-backend as the target.
D. Ensure that an HTTP(S) load balancer is configured to send traffic to your backend Compute Engine instances running your web server. Create a Google Cloud Armor policy using the instance’s local firewall with a default rule action of "Allow." Add a new local firewall rule that specifies the IP address causing the login failures as the Condition, with an action of "Deny" and a deny status of "403," and accept the default priority (1000).

3.1 Diagnostic Question 07

Cymbal Direct needs to make sure its new social media integration service can’t be accessed directly from the public internet. You want to allow access only through the web frontend store.

How can you prevent access to the social media integration service from the outside world, but still allow access to the APIs of social media services?

A. Remove external IP addresses from the VM instances running the social media service and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
B. Limit access to the external IP addresses of the VM instances using firewall rules and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
C. Limit access to the external IP addresses of the VM instances using a firewall rule to block all outbound traffic. Any SSH connection for management should be done with Identity-Aware Proxy (IAP) or a bastion host (jump box) after allowing SSH access from IAP or a corporate network.
D. Remove external IP addresses from the VM instances running the social media service and place them in a private VPC behind Cloud NAT. Any SSH connection for management should be restricted to corporate network IP addresses by Google Cloud Armor.

3.1 Diagnostic Question 08

Cymbal Direct is experiencing success using Google Cloud and you want to leverage tools to make your solutions more efficient. Erik, one of the original web developers, currently adds new products to your application manually. Erik has many responsibilities and requires a long lead time to add new products. You need to create a Cloud Functions application to let Cymbal Direct employees add new products instead of waiting for Erik. However, you want to make sure that only authorized employees can use the application.

What should you do?

A. Set up Cloud VPN between the corporate network and the Google Cloud project's VPC network. Allow users to connect to the Cloud Functions instance.
B. Use Google Cloud Armor to restrict access to the corporate network's external IP address. Configure firewall rules to allow only HTTP(S) access.
C. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) to the Cloud Functions application as an HTTP resource. Add the group as a principal with the role "Project Owner."
D. Create a Google group and add authorized employees to it. Configure Identity-Aware Proxy (IAP) to the Cloud Functions application as an HTTP resource. Add the group as a principal with the role "IAP-secured Web App User."

3.1 Diagnostic Question 09

You've recently created an internal Cloud Run application for developers in your organization. The application lets developers clone production Cloud SQL databases into a project specifically created to test code and deployments. Your previous process was to export a database to a Cloud Storage bucket, and then import the SQL dump into a legacy on-premises testing environment database with connectivity to Google Cloud via Cloud VPN. Management wants to incentivize using the new process with Cloud SQL for rapid testing and track how frequently rapid testing occurs.

How can you ensure that the developers use the new process?

A. Use an ACL on the Cloud Storage bucket. Create a read-only group that only has viewer privileges, and ensure that the developers are in that group.
B. Leave the ACLs on the Cloud Storage bucket as-is. Disable Cloud VPN, and have developers use Identity-Aware Proxy (IAP) to connect. Create an organization policy to enforce public access protection.
C. Use predefined roles to restrict access to what the developers are allowed to do. Create a group for the developers, and associate the group with the Cloud SQL Viewer role. Remove the "cloudsql.instances.export" ability from the role.
D. Create a custom role to restrict access to what developers are allowed to do. Create a group for the developers, and associate the group with your custom role. Ensure that the custom role does not have "cloudsql.instances.export."

3.1 Designing for security

Resources to start your journey

Google Cloud Architecture Framework: Security, privacy, and compliance


IAM best practice guides available now | Google Cloud Blog
Using resource hierarchy for access control | IAM Documentation | Google Cloud
Chapter 18 - SRE Engagement Model
Service accounts | Compute Engine Documentation | Google Cloud
Google Cloud Armor overview
Private clusters | Kubernetes Engine Documentation | Google Cloud
Understanding IAM custom roles | IAM Documentation | Google Cloud
3.2 Diagnostic Question 10

Your client is legally required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). The client has formal audits already, but the audits are only done periodically. The client needs to monitor for common violations to meet those requirements more easily. The client does not want to replace audits but wants to engage in continuous compliance and catch violations early.

What would you recommend that this client do?

A. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.
B. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Compliance tab.
C. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Premium tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.
D. Enable the Security Command Center (SCC) dashboard, asset discovery, and Security Health Analytics in the Standard tier. Export or view the PCI-DSS Report from the SCC dashboard's Vulnerabilities tab.

3.2 Designing for compliance

Resources to start your journey

Manage compliance obligations | Architecture Framework | Google Cloud


Cloud Compliance & Regulations Resources
Assuring Compliance in the Cloud
Security Command Center | Google Cloud
Section 4:
Analyzing and optimizing technical
and business processes
4.1 Diagnostic Question 01

You are asked to implement a lift and shift operation for Cymbal Direct’s Social Media Highlighting service. You compose a Terraform configuration file to build all the necessary Google Cloud resources.

What is the next step in the Terraform workflow for this effort?

A. Commit the configuration file to your software repository.
B. Run terraform plan to verify the contents of the Terraform configuration file.
C. Run terraform apply to deploy the resources described in the configuration file.
D. Run terraform init to download the necessary provider modules.

4.1 Diagnostic Question 02

You have implemented a manual CI/CD process for the container services required for the next implementation of Cymbal Direct’s Drone Delivery project. You want to automate the process.

What should you do?

A. Implement and reference a source repository in your Cloud Build configuration file.
B. Implement a build trigger that applies your build configuration when a new software update is committed to Cloud Source Repositories.
C. Specify the name of your Container Registry in your Cloud Build configuration.
D. Configure and push a manifest file into an environment repository in Cloud Source Repositories.

4.1 Diagnostic Question 03

You have an application implemented on Compute Engine. You want to increase the durability of your application.

What should you do?

A. Implement a scheduled snapshot on your Compute Engine instances.
B. Implement a regional managed instance group.
C. Monitor your application’s usage metrics and implement autoscaling.
D. Perform health checks on your Compute Engine instances.

4.1 Diagnostic Question 04

Developers on your team frequently write new versions of the code for one of your applications. You want to automate the build process when updates are pushed to Cloud Source Repositories.

What should you do?

A. Implement a Cloud Build configuration file with build steps.
B. Implement a build trigger that references your repository and branch.
C. Set proper permissions for Cloud Build to access deployment resources.
D. Upload application updates and Cloud Build configuration files to Cloud Source Repositories.

4.1 Diagnostic Question 05

Your development team used Cloud Source Repositories, Cloud Build, and Artifact Registry to successfully implement the build portion of an application's CI/CD process. However, the deployment process is erroring out. Initial troubleshooting shows that the runtime environment does not have access to the build images. You need to advise the team on how to resolve the issue.

What could cause this problem?

A. The runtime environment does not have permissions to the Artifact Registry in your current project.
B. The runtime environment does not have permissions to Cloud Source Repositories in your current project.
C. The Artifact Registry might be in a different project.
D. You need to specify the Artifact Registry image by name.

4.1 Diagnostic Question 06

You are implementing a disaster recovery plan for the cloud version of your drone solution. Sending videos to the pilots is crucial from an operational perspective.

What design pattern should you choose for this part of your architecture?

A. Hot with a low recovery time objective (RTO)
B. Warm with a high recovery time objective (RTO)
C. Cold with a low recovery time objective (RTO)
D. Hot with a high recovery time objective (RTO)

4.1 Diagnostic Question 07

The number of requests received by your application is nearing the maximum specified in your design. You want to limit the number of incoming requests until the system can handle the workload.

What design pattern does this situation describe?

A. Applying a circuit breaker
B. Applying exponential backoff
C. Increasing jitter
D. Applying graceful degradation

4.1 Diagnostic Question 08

The pilot subsystem in your Delivery by Drone service is critical to your service. You want to ensure that connections to the pilots can survive a VM outage without affecting connectivity.

What should you do?

A. Configure proper startup scripts for your VMs.
B. Deploy a load balancer to distribute traffic across multiple machines.
C. Create persistent disk snapshots.
D. Implement a managed instance group and load balancer.

4.1 Diagnostic Question 09

Cymbal Direct wants to improve its drone pilot interface. You want to collect feedback on proposed changes from the community of pilots before rolling out updates systemwide.

What type of deployment pattern should you implement?

A. You should implement canary testing.
B. You should implement A/B testing.
C. You should implement a blue/green deployment.
D. You should implement an in-place release.

4.1 Analyzing and defining technical processes

Resources to start your journey

Securing the software development lifecycle with Cloud Build and SLSA
CI/CD with Google Cloud
Site Reliability Engineering
DevOps tech: Continuous testing | Google Cloud
Application deployment and testing strategies | Cloud Architecture Center
Chapter 17 - Testing for Reliability
Service Catalog documentation | Google Cloud
What is Disaster Recovery? | Google Cloud
API design guide
4.3 Diagnostic Question 10

You want to establish procedures for testing the resilience of the delivery-by-drone solution.

How would you simulate a scalability issue?

A. Block access to storage assets in one of your zones.
B. Inject a bad health check for one or more of your resources.
C. Load test your application to see how it responds.
D. Block access to all resources in a zone.

4.3 Developing procedures to ensure reliability of solutions in production

Resources to start your journey

Site Reliability Engineering


Site Reliability Engineering (SRE) | Google Cloud
Patterns for scalable and resilient apps | Cloud Architecture Center
How to achieve a resilient IT strategy with Google Cloud
Disaster recovery planning guide | Cloud Architecture Center
Section 5:
Managing implementation

Section 6:
Ensuring solution and
operations reliability
5.1 Diagnostic Question 01

Cymbal Direct is working on a social media integration service in Google Cloud. Mahesh is a non-technical manager who wants to ensure that the project doesn’t exceed the budget and responds quickly to unexpected cost increases. You need to set up access and billing for the project.

What should you do?

A. Assign the predefined Billing Account Administrator role to Mahesh. Create a project budget. Configure billing alerts to be sent to the Billing Administrator. Use resource quotas to cap how many resources can be deployed.
B. Assign the predefined Billing Account Administrator role to Mahesh. Create a project budget. Configure billing alerts to be sent to the Project Owner. Use resource quotas to cap how much money can be spent.
C. Use the predefined Billing Account Administrator role for the Billing Administrator group, and assign Mahesh to the group. Create a project budget. Configure billing alerts to be sent to the Billing Administrator. Use resource quotas to cap how many resources can be deployed.
D. Use the predefined Billing Account Administrator role for the Billing Administrator group, and assign Mahesh to the group. Create a project budget. Configure billing alerts to be sent to the Billing Account Administrator. Use resource quotas to cap how much money can be spent.

5.1 Diagnostic Question 02

Your organization is planning a disaster recovery (DR) strategy. Your stakeholders require a recovery time objective (RTO) of 0 and a recovery point objective (RPO) of 0 for zone outage. They require an RTO of 4 hours and an RPO of 1 hour for a regional outage. Your application consists of a web application and a backend MySQL database. You need the most efficient solution to meet your recovery KPIs.

What should you do?

A. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and a cross-region replica in us-west.
B. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to the us-east backend. Use Cloud SQL with high availability (HA) enabled in us-east and a cross-region replica in us-west. Manually promote the us-west Cloud SQL instance and change the load balancer backend to us-west.
C. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and back up the database every hour to a multi-region Cloud Storage bucket. Restore the data to a Cloud SQL database in us-west if there is a failure.
D. Use a global HTTP(S) load balancer. Deploy the web application as Compute Engine managed instance groups (MIG) in two regions, us-west and us-east. Configure the load balancer to use both backends. Use Cloud SQL with high availability (HA) enabled in us-east and back up the database every hour to a multi-region Cloud Storage bucket. Restore the data to a Cloud SQL database in us-west if there is a failure and change the load balancer backend to us-west.

5.1 Advising development/operation team(s) to ensure successful deployment of the solution

Resources to start your journey

Cloud Reference Architectures and Diagrams | Cloud Architecture Center


What is DevOps? Research and Solutions | Google Cloud
Develop and deliver apps with Cloud Code, Cloud Build, Google Cloud Deploy, and GKE | Cloud Architecture Center
Google Cloud API design tips
DevOps tech: Continuous testing | Google Cloud
DevOps tech: Test data management | Google Cloud
Testing Overview | Cloud Functions Documentation
Database Migration Service | Google Cloud
Cloud Migration Products & Services
5.2 Diagnostic Question 03

Your environment has multiple projects used for development and testing. Each project has a budget, and each developer has a budget. A personal budget overrun can cause a project budget overrun. Several developers are creating resources for testing as part of their CI/CD pipeline but are not deleting these resources after their tests are complete. If the compute resource fails during testing, the test can be run again. You want to reduce costs and notify the developer when a personal budget overrun causes a project budget overrun.

What should you do?

A. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a group for the developers in each project, and add them to the appropriate group. Create a notification channel for each group. Configure a billing alert to notify the group when their budget is exceeded. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
B. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Configure a billing alert to notify billing admins and users when their budget is exceeded. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
C. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a Pub/Sub topic for developer-budget-notifications. Create a Cloud Function to notify the developer based on the labels. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible.
D. Configure billing export to BigQuery. Create a Google Cloud budget for each project. Create a Pub/Sub topic for developer-budget-notifications. Create a Cloud Function to notify the developer based on the labels. Modify the build scripts/pipeline to label all resources with the label “creator” set to the developer’s email address. Use spot (preemptible) instances wherever possible. Use Cloud Scheduler to delete resources older than 24 hours in each project.

5.2 Interacting with Google Cloud programmatically

Resources to start your journey

gcloud CLI overview | Google Cloud CLI Documentation


How Cloud Shell works
Google Cloud APIs
Testing apps locally with the emulator | Cloud Pub/Sub Documentation
Connect your app and start prototyping | Firebase Documentation
Use the emulator | Cloud Bigtable Documentation
Using the Cloud Spanner Emulator
6.1 Diagnostic Question 04

Your client has adopted a multi-cloud strategy that uses a virtual machine-based infrastructure. The client's website serves users across the globe. The client needs a single dashboard view to monitor performance in their AWS and Google Cloud environments. Your client previously experienced an extended outage and wants to establish a monthly service level objective (SLO) of no outage longer than an hour.

What should you do?

A. In Cloud Monitoring, create an uptime check for the URL your clients will access. Configure it to check from multiple regions. Use the Cloud Monitoring dashboard to view the uptime metrics over time and ensure that the SLO is met. Recommend an SLO of 97% uptime per month.
B. In Cloud Monitoring, create an uptime check for the URL your clients will access. Configure it to check from multiple regions. Use the Cloud Monitoring dashboard to view the uptime metrics over time and ensure that the SLO is met. Recommend an SLO of 97% uptime per day.
C. Authorize access to your Google Cloud project from AWS with a service account. Install the monitoring agent on AWS EC2 (virtual machines) and Compute Engine instances. Use Cloud Monitoring to create dashboards that use the performance metrics from virtual machines to ensure that the SLO is met.
D. Create a new project to use as an AWS connector project. Authorize access to the project from AWS with a service account. Install the monitoring agent on AWS EC2 (virtual machines) and Compute Engine instances. Use Cloud Monitoring to create dashboards that use the performance metrics from virtual machines to ensure that the SLO is met.

6.1 Diagnostic Question 05

Cymbal Direct uses a proprietary service to manage on-call rotation and alerting. The on-call rotation service has an API for integration. Cymbal Direct wants to monitor its environment for service availability and ensure that the correct person is notified.

What should you do?

A. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud’s uptime-check servers. Create a Pub/Sub topic for alerting as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's internal IP address, with an alerting policy set to use the Pub/Sub topic. Create a Cloud Function that subscribes to the Pub/Sub topic to send the alert to the on-call API.
B. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud's uptime-check servers. Create a Pub/Sub topic for alerting as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's external IP address, with an alerting policy set to use the Pub/Sub topic. Create a Cloud Function that subscribes to the Pub/Sub topic to send the alert to the on-call API.
C. Ensure that VPC firewall rules allow access from the on-call API. Create a Cloud Function to send the alert to the on-call API. Add Cloud Functions as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's external IP address, with an alerting policy set to use the Cloud Function.
D. Ensure that VPC firewall rules allow access from the IP addresses used by Google Cloud's uptime-check servers. Add the URL for the on-call rotation API as a monitoring notification channel in Google Cloud’s operations suite. Create an uptime check for the appropriate resource's internal IP address, with an alerting policy set to use the API.

6.2 Diagnostic Question 06

Cymbal Direct releases new versions of its drone delivery software every 1.5 to 2 months. Although most releases are successful, you have experienced three problematic releases that made drone delivery unavailable while software developers rolled back the release. You want to increase the reliability of software releases and prevent similar problems in the future.

What should you do?

A. Adopt a “waterfall” development process. Maintain the current release schedule. Ensure that documentation explains how all the features interact. Ensure that the entire application is tested in a staging environment before the release. Ensure that the process to roll back the release is documented. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility.
B. Adopt a “waterfall” development process. Maintain the current release schedule. Ensure that documentation explains how all the features interact. Automate testing of the application. Ensure that the process to roll back the release is well documented. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility.
C. Adopt an “agile” development process. Maintain the current release schedule. Automate build processes from a source repository. Automate testing after the build process. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility. Deploy the previous version if problems are detected and you need to roll back.
D. Adopt an “agile” development process. Reduce the time between releases as much as possible. Automate the build process from a source repository, which includes versioning and self-testing. Use Cloud Monitoring, Cloud Logging, and Cloud Alerting to ensure visibility. Use a canary deployment to detect issues that could cause rollback.

6.3 Diagnostic Question 07

Cymbal Direct’s warehouse and inventory system was written in Java. The system uses a microservices architecture in GKE and is instrumented with Zipkin. Seemingly at random, a request will be 5-10 times slower than others. The system development team tried to reproduce the problem in testing, but failed to determine the cause of the issue.

What should you do?

A. Create metrics in Cloud Monitoring for your microservices to test whether they are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Profiler to determine which functions/methods in your application’s code use the most resources. Use Cloud Trace to identify slow requests and determine which microservices/calls take the most time to respond.
B. Create metrics in Cloud Monitoring for your microservices to test whether they are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Trace to determine which functions/methods in your application’s code use the most system resources. Use Cloud Profiler to identify slow requests and determine which microservices/calls take the most time to respond.
C. Use Error Reporting to test whether your microservices are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Profiler to determine which functions/methods in your application’s code use the most system resources. Use Cloud Trace to identify slow requests and determine which microservices/calls take the most time to respond.
D. Use Error Reporting to test whether your microservices are intermittently unavailable or slow to respond to HTTPS requests. Use Cloud Trace to determine which functions/methods in your application’s code use the most system resources. Use Cloud Profiler to identify slow requests and determine which microservices/calls take the most time to respond.

6.3 Diagnostic Question 08

You are using Cloud Run to deploy a Flask web application named app.py written in Python. In your testing and staging environments, the application performed as expected. When the application was deployed to production, product search results displayed products that should have been filtered out based on the user's preferences. The developer believes this performance issue would result from the 'user.productFilter' variable either not being set or not being evaluated correctly. You want visibility into what is happening, but also want to minimize user impact, because this is not a critical bug.

What should you do?

A. Use ssh to connect to the Compute Engine instance where Cloud Run is running. Run the command 'python3 -m pdb app.py' to debug the application.
B. Use ssh to connect to the Compute Engine instance where Cloud Run is running. Use the command 'pip install google-python-cloud-debugger' to install Cloud Debugger. Use the 'gcloud debug' command to debug the application.
C. Modify the Dockerfile for the Cloud Run application. Change the RUN command to 'python3 -m pdb /app.py'. Modify the script to import pdb. Deploy to Cloud Run as a canary build.
D. Modify the Dockerfile for the Cloud Run application. Add 'RUN pip install google-python-cloud-debugger' to the Dockerfile. Modify the script to import googleclouddebugger. Use 'gcloud debug' to debug the application.

6.4 Diagnostic Question 09

Cymbal Direct has a new social media integration service that pulls images of its products from social media sites and displays them in a gallery of customer images on your online store. You receive an alert from Cloud Monitoring at 3:34 AM on Saturday. The store is still online, but the gallery does not appear. The CPU utilization is 30% higher than expected on the VMs running the service, which causes the managed instance group (MIG) to scale to the maximum number of instances. You verify that the issue is real by checking the site and by checking the incidents timeline.

What should you do to resolve the issue?

A. Increase the maximum number of instances in the MIG and verify that this resolves the issue. Ensure that the ticket is annotated with your solution. Create a normal work ticket for the application developer with a link to the incident. Mark the incident as closed.
B. Check the incident documentation or labels to determine the on-call contact. Appoint an incident commander, and open a chat channel or conference call for emergency response. Investigate and resolve the issue by increasing the maximum number of instances in the MIG, and verify that this resolves the issue. Mark the incident as closed.
C. Increase the maximum number of instances in the MIG and verify that this resolves the issue. Check the incident documentation or labels to determine the on-call contact. Appoint an incident commander, and open a chat channel or conference call for emergency response. Investigate and resolve the root cause of the issue. Write a blameless post-mortem and identify steps to prevent the issue, to ensure a culture of continuous improvement.
D. Verify that the high CPU is not user impacting, increase the maximum number of instances in the MIG, and verify that this resolves the issue.
6.4 Diagnostic Question 10

You need to adopt Site Reliability Engineering principles and increase visibility into your environment. You want to minimize management overhead and reduce noise generated by the information being collected. You also want to streamline the process of reacting to, analyzing, and improving your environment, and to ensure that only trusted container images are deployed to production.

What should you do?

A. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Only page the on-call contact about novel issues or events that haven't been seen before. Use GNU Privacy Guard (GPG) to check container image signatures and ensure that only signed containers are deployed.
B. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Page the on-call contact when issues that affect resources in the environment are detected. Use GPG to check container image signatures and ensure that only signed containers are deployed.
C. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Only page the on-call contact about novel issues that violate an SLO or events that haven't been seen before. Use Binary Authorization to ensure that only signed container images are deployed.
D. Adopt Google Cloud's operations suite to gain visibility into the environment. Use Cloud Trace for distributed tracing, Cloud Logging for logging, and Cloud Monitoring for monitoring, alerting, and dashboards. Page the on-call contact when issues that affect resources in the environment are detected. Use Binary Authorization to ensure that only signed container images are deployed.
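The difference between the GPG options and the Binary Authorization options in Question 10 is where the signature check happens: a GPG verification is a step a person or pipeline can skip, while Binary Authorization has the GKE control plane reject any unattested image at admission time on every deploy. The policy below is an added example written for this workbook page, not the workbook's own material or a Google sample; PROJECT_ID, the attestor name prod-signer and the staging cluster name us-central1-a.staging-cluster are placeholders you would replace.

```yaml
# Added example: a Binary Authorization project policy that is deny-by-default.
# Every cluster not listed under clusterAdmissionRules inherits the strict
# default rule, so a newly created production cluster is protected without
# anyone remembering to add it. Placeholders: PROJECT_ID, prod-signer,
# us-central1-a.staging-cluster.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE            # let Google-maintained system images through
admissionWhitelistPatterns:
- namePattern: gcr.io/google-containers/*     # exemption for platform images only
defaultAdmissionRule:                         # applies to all clusters not listed below
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/prod-signer # image must carry this attestor's signature
clusterAdmissionRules:
  us-central1-a.staging-cluster:              # staging may run unsigned builds
    evaluationMode: ALWAYS_ALLOW
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
```

Apply it with `gcloud container binauthz policy import policy.yaml`. Two practical caveats: the attestation is a signature over the image digest, so a deployment that references an image by tag rather than `@sha256:...` is rejected under REQUIRE_ATTESTATION and the CI pipeline must deploy by digest; and ENFORCED_BLOCK_AND_AUDIT_LOG writes a Cloud Audit Logs entry for each rejection, which is the signal to alert on when an unsigned image reaches production.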
6.1-6.4 Ensuring solution and operations reliability

Resources to start your journey

Google Cloud operations suite documentation
Operations: Cloud Monitoring & Logging | Google Cloud
Cloud operations grows with monitoring, logging, more | Google Cloud Blog
Continuous Delivery | Google Cloud
Concepts | Google Cloud Deploy
Adopting SLOs | Cloud Architecture Center
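Option C in Question 10 pages only for issues that violate an SLO, which in practice means alerting on error-budget burn rate rather than on raw resource symptoms such as the CPU spike in Question 09. The code below is an added example for this page, not part of the workbook: it implements the multi-window, multi-burn-rate decision that the Adopting SLOs guide describes, using constructed request and error counts, and the window and threshold pairs are the commonly used SRE workbook values, not something this course states.

```python
"""Multi-window, multi-burn-rate paging decision for an availability SLO.

Added example, not part of the workbook. The request/error counts are
constructed sample data and the window/threshold pairs are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

SLO_TARGET = 0.999                  # 99.9% of requests succeed over the SLO period
ERROR_BUDGET = 1.0 - SLO_TARGET     # the 0.1% of requests that may fail


@dataclass(frozen=True)
class Window:
    """Request and error counts observed over one look-back window."""
    total: int
    errors: int

    def error_ratio(self) -> float:
        return self.errors / self.total if self.total else 0.0


def burn_rate(window: Window) -> float:
    """How many times faster than budgeted this window spends error budget.

    1.0 means the budget is exhausted exactly at the end of the SLO period;
    14.4 means a 30-day budget would be gone in about two days.
    """
    return window.error_ratio() / ERROR_BUDGET


# Each rule pairs a long window (is the burn big enough to matter?) with a
# short window (is it still happening?). Requiring both stops an incident
# that has already recovered from paging someone at 3 AM.
Rule = Tuple[Tuple[str, float], Tuple[str, float]]
FAST_BURN: Rule = (("1h", 14.4), ("5m", 14.4))   # ~2% of a monthly budget in 1h
SLOW_BURN: Rule = (("6h", 6.0), ("30m", 6.0))    # ~5% of a monthly budget in 6h
TICKET_ONLY: Rule = (("3d", 1.0), ("6h", 1.0))   # ~10% of the budget over 3 days


def decide(windows: Dict[str, Window]) -> str:
    """Return 'page', 'ticket' or 'none' for the given window measurements."""
    def fires(rule: Rule) -> bool:
        return all(burn_rate(windows[name]) > threshold for name, threshold in rule)

    if fires(FAST_BURN) or fires(SLOW_BURN):
        return "page"      # wake the on-call contact
    if fires(TICKET_ONLY):
        return "ticket"    # open a normal work ticket, handle in business hours
    return "none"


# Constructed samples (not real measurements).
OUTAGE = {                            # gallery backend failing right now
    "5m": Window(10_000, 180),        # 1.8% errors  -> burn rate 18
    "30m": Window(60_000, 900),
    "1h": Window(120_000, 2_000),     # 1.67% errors -> burn rate 16.7
    "6h": Window(720_000, 2_500),
    "3d": Window(8_640_000, 9_000),
}
SLOW_LEAK = {                         # a bug that costs budget slowly
    "5m": Window(10_000, 8),
    "30m": Window(60_000, 50),
    "1h": Window(120_000, 100),
    "6h": Window(720_000, 900),       # 0.125% errors -> burn rate 1.25
    "3d": Window(8_640_000, 12_000),  # 0.139% errors -> burn rate 1.39
}
RECOVERED = {                         # big spike an hour ago, clean now
    "5m": Window(10_000, 5),          # 0.05% errors -> burn rate 0.5
    "30m": Window(60_000, 30),
    "1h": Window(120_000, 2_000),     # long window still hot, short window is not
    "6h": Window(720_000, 2_200),
    "3d": Window(8_640_000, 5_000),
}

if __name__ == "__main__":
    for name, sample in (("outage", OUTAGE), ("slow leak", SLOW_LEAK), ("recovered", RECOVERED)):
        print(f"{name:10s} -> {decide(sample)}")
```

The RECOVERED sample is the case that justifies the two-window design: its one-hour burn rate alone would page, but the five-minute window shows the service is healthy again, so nobody is woken for a problem that has already passed. In Cloud Monitoring the same logic is expressed as a burn-rate alerting policy on an SLO defined on the service, and the ticket-only tier maps to a notification channel that does not page.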
Analyzing a case study: Dress4Win

Dress4Win case study - 01

Company overview

Dress4Win is a web-based company that helps their users organize and manage their personal wardrobe using a web app and mobile application. The company also cultivates an active social network that connects their users with designers and retailers. They monetize their services through advertising, ecommerce, referrals, and a freemium app model. The application has grown from a few servers in the founder's garage to several hundred servers and appliances in a colocated data center. However, the capacity of their infrastructure is now insufficient for the application's rapid growth. Because of this growth and the company's desire to innovate faster, Dress4Win is committing to a full migration to a public cloud.

Solution concept

For the first phase of their migration to the cloud, Dress4Win is moving their development and test environments. They are also building a disaster recovery site, because their current infrastructure is at a single location. They are not sure which components of their architecture they can migrate as is and which components they need to change before migrating them.
Dress4Win case study - 02

Existing technical environment

The Dress4Win application is served out of a single data center location. All servers run Ubuntu LTS v16.04.

Databases:
● MySQL. One server for user data, inventory, static data
  ○ MySQL 5.7
  ○ 8 core CPUs
  ○ 128 GB of RAM
  ○ 2x 5 TB HDD (RAID 1)

Compute:
● 40 web application servers providing micro-services based APIs and static content
  ○ Tomcat - Java
  ○ Nginx
  ○ Four core CPUs
  ○ 32 GB of RAM
● 20 Apache Hadoop/Spark servers:
  ○ Data analysis
  ○ Real-time trending calculations
  ○ Eight core CPUs
  ○ 128 GB of RAM
  ○ 4x 5 TB HDD (RAID 1)
● Three RabbitMQ servers for messaging, social notifications, and events
  ○ Eight core CPUs
  ○ 32 GB of RAM
● Miscellaneous servers: Jenkins, monitoring, bastion hosts, security scanners
  ○ Eight core CPUs
  ○ 32 GB of RAM

Storage appliances:
● iSCSI for VM hosts
● Fibre channel SAN - MySQL databases
  ○ 1 PB total storage; 400 TB available
● NAS - image storage, logs, backups
  ○ 100 TB total storage; 35 TB available
Dress4Win case study - 03

Business requirements
● Build a reliable and reproducible environment with scaled parity of production
● Improve security by defining and adhering to a set of security and identity and access management (IAM) best practices for cloud
● Improve business agility and speed of innovation through rapid provisioning of new resources
● Analyze and optimize architecture for performance in the cloud

Technical requirements
● Easily create non-production environments in the cloud
● Implement an automation framework for provisioning resources in cloud
● Implement a continuous deployment process for deploying applications to the on-premises data center or cloud
● Support failover of the production environment to cloud during an emergency
● Encrypt data on the wire and at rest
● Support multiple private connections between the production data center and cloud environment
Dress4Win case study - 04

Executive statement

Our investors are concerned about our ability to scale and contain costs with our current infrastructure. They are also concerned that a
competitor could use a public cloud platform to offset their up-front investment and free them to focus on developing better features. Our
traffic patterns are highest in the mornings and weekend evenings; during other times, 80% of our capacity is sitting idle.

Our capital expenditure is now exceeding our quarterly projections. Migrating to the cloud will likely cause an initial increase in spending,
but we expect to fully transition before our next hardware refresh cycle. Our total cost of ownership (TCO) analysis over the next five years
for a public cloud strategy achieves a cost reduction between 30% and 50% over our current model.
Categorizing objectives: Dress4Win case study - REF

Itemized list of objectives

Business requirements
● Build a reliable and reproducible environment with scaled parity of production
● Improve security by defining and adhering to a set of security and identity and access management (IAM) best practices for cloud
● Improve business agility and speed of innovation through rapid provisioning of new resources
● Analyze and optimize architecture for performance in the cloud

Technical requirements
● Easily create non-production environments in the cloud
● Implement an automation framework for provisioning resources in cloud
● Implement a continuous deployment process for deploying applications to the on-premises data center or cloud
● Support failover of the production environment to cloud during an emergency
● Encrypt data on the wire and at rest
● Support multiple private connections between the production data center and cloud environment.

Solution component
Databases:
● MySQL. One server for user data, inventory, static data
  ○ MySQL 5.7
  ○ 8 core CPUs
  ○ 128 GB of RAM
  ○ 2x 5 TB HDD (RAID 1)
Compute:
● 40 web application servers providing micro-services based APIs and static content
  ○ Tomcat - Java
  ○ Nginx
  ○ Four core CPUs
  ○ 32 GB of RAM

… more in actual case study


Plan time to prepare

● When will you take the exam?
● How many weeks do you have to prepare?
● How many hours will you spend preparing for the exam each week?
● How many total hours will you prepare?
Weekly study plan
Now, consider what you’ve learned about your knowledge and skills through
the diagnostic questions in this course. You should have a better
understanding of what areas you need to focus on and what resources are
available.

Use the template that follows to plan your study goals for each week.
Consider:
● What exam guide section(s) or topic area(s) will you focus on?
● What courses (or specific modules) will help you learn more?
● What Skill Badges or labs will you work on for hands-on practice?
● What documentation links will you review?
● What additional resources will you use - such as sample questions?
● What will you do to prepare for the case studies?
You may do some or all of these study activities each week.

Duplicate the weekly template for the number of weeks in your individual
preparation journey.
Weekly study template (example)

Area(s) of focus: Automating infrastructure with Terraform

Courses/modules to complete:
● Elastic Google Cloud Infrastructure: Scaling and Automation, M3
● Reliable Google Cloud Infrastructure: Design and Process, M3

Skill Badges/labs to complete:
● Automating Infrastructure on Google Cloud with Terraform

Documentation to review:
● Using Recommendations for Infrastructure as Code | Recommender Documentation | Google Cloud
● Using Terraform with Google Cloud
● Managing infrastructure as code with Terraform, Cloud Build, and GitOps | Cloud Architecture Center | Google Cloud

Additional study:
● Sample questions 1-3
● Review case study 2 and search for relevant reference architectures
Weekly study template

Area(s) of focus:

Courses/modules to complete:

Skill Badges/labs to complete:

Documentation to review:

Additional study:
