Visit here for our full Google Professional Cloud Developer exam dumps and practice test questions.

Question 196:

A developer needs to implement authentication for a web application using Google accounts. Which Google Cloud service provides OAuth 2.0 authentication and user identity management?

A) Cloud IAM

B) Identity Platform

C) Cloud Identity

D) Firebase Authentication

Answer: B

Explanation:

Identity Platform provides OAuth 2.0 authentication and comprehensive user identity management for web applications using Google accounts and other identity providers. Identity Platform is Google Cloud’s customer identity and access management (CIAM) solution that enables developers to add authentication and user management to applications with minimal code. The service supports multiple authentication methods including Google Sign-In, email/password, phone authentication, and federated identity providers like Facebook, Twitter, GitHub, and SAML/OIDC-compliant enterprise identity systems.

Identity Platform handles the complete authentication flow including generating OAuth 2.0 authorization URLs with appropriate scopes, exchanging authorization codes for access tokens and refresh tokens, validating tokens and managing token lifecycle, and providing user profile information from identity providers. When users sign in with Google accounts, Identity Platform manages the OAuth consent screen, handles redirect callbacks, and returns authenticated user sessions with JSON Web Tokens that applications verify to authorize access. The service provides SDKs for web, iOS, Android, and server-side applications that abstract authentication complexity behind simple API calls.

The platform offers enterprise features including multi-factor authentication for enhanced security, user account management APIs for programmatic user creation and updates, customizable email templates for verification and password reset workflows, activity logging and audit trails for compliance requirements, and tenant isolation for multi-tenant applications serving multiple customer organizations. Identity Platform integrates with Cloud Identity-Aware Proxy for protecting applications without authentication code, with Firebase services for mobile and web app backends, and with Google Cloud services through IAM for fine-grained authorization. The service scales automatically to handle authentication volumes from small applications to systems with millions of users.

Cloud IAM manages service accounts and resource permissions not end-user authentication. Cloud Identity manages workforce identities for organizations. Firebase Authentication provides similar capabilities but Identity Platform is the Google Cloud enterprise offering with additional features. Identity Platform is the comprehensive solution for OAuth 2.0 authentication and user identity management in Google Cloud applications.

Question 197:

An application deployed on App Engine needs to access secrets like database passwords. Which Google Cloud service provides secure secret storage and versioning?

A) Cloud KMS

B) Secret Manager

C) Cloud Storage

D) Cloud IAM

Answer: B

Explanation:

Secret Manager provides secure secret storage and versioning for sensitive data like database passwords that applications deployed on App Engine need to access. Secret Manager is Google Cloud’s centralized secret management service designed specifically for storing, managing, and accessing sensitive information including API keys, passwords, certificates, and other credentials. The service encrypts secrets at rest and in transit, provides audit logging of secret access, supports versioning for secret rotation, and integrates with IAM for fine-grained access control determining which services and users can access specific secrets.

Secret Manager stores secrets as multiple versions, allowing applications to reference either specific versions or the latest version automatically. When passwords or API keys need rotation, developers create new secret versions while maintaining previous versions for graceful migration. Applications configured to use the latest version automatically receive updated secrets without code changes or redeployment. Each secret access is logged through Cloud Audit Logs, providing visibility into which services accessed secrets and when, supporting security audits and compliance requirements. Secrets are encrypted using Google-managed encryption keys by default, with support for customer-managed encryption keys through Cloud KMS for organizations requiring additional control.

App Engine applications access Secret Manager through client libraries available in multiple languages or through REST APIs. Applications authenticate using their App Engine default service account, and IAM policies control which secrets each application can access based on the principle of least privilege. Secret Manager integrates with App Engine environment variables through secret references, allowing applications to retrieve secrets at runtime without hardcoding sensitive values in configuration files or source code. The service also supports automatic replication across multiple regions for high availability and low-latency access from globally distributed applications.

Cloud KMS manages encryption keys not application secrets. Cloud Storage is for files not secret management. Cloud IAM manages permissions but not secret storage. Secret Manager is the purpose-built service for secure secret storage, versioning, and access control for application credentials in Google Cloud.

Question 198:

A developer needs to implement real-time notifications when documents change in Cloud Firestore. Which feature should be used?

A) Cloud Functions triggers

B) Firestore listeners

C) Pub/Sub notifications

D) Cloud Tasks

Answer: B

Explanation:

Firestore listeners should be used to implement real-time notifications when documents change in Cloud Firestore. Firestore listeners provide real-time synchronization capabilities that notify client applications immediately when documents or queries change, enabling reactive user interfaces that update automatically without polling. Listeners establish persistent connections between applications and Firestore, receiving push notifications whenever monitored documents are created, updated, or deleted, making them ideal for collaborative applications, live dashboards, chat systems, and any scenario requiring immediate data synchronization.

Firestore listeners can be attached to individual documents or to queries monitoring multiple documents matching specific criteria. When changes occur, Firestore pushes snapshots containing updated data to registered listeners, including both the new document state and metadata indicating what changed. Client-side SDKs for web, iOS, and Android provide simple APIs for attaching listeners using callbacks or reactive streams that execute automatically when changes occur. For example, a listener on a chat room collection receives notifications whenever new messages are added, triggering UI updates that display messages in real-time without refresh or polling.

Firestore optimizes listener performance through several mechanisms including local caching where previously retrieved data is stored client-side reducing unnecessary network traffic, snapshot listeners that only transmit changed documents rather than entire query results, and latency compensation where optimistic updates appear immediately while server confirmation happens asynchronously. Listeners handle network interruptions gracefully by automatically reconnecting and synchronizing missed changes when connectivity restores. The service scales to support millions of concurrent listeners across global user bases with consistent low-latency notification delivery.

Cloud Functions triggers execute server-side code in response to Firestore changes but do not provide client-side real-time notifications. Pub/Sub is for asynchronous messaging not Firestore change notifications. Cloud Tasks manages task queues. Firestore listeners are the native, real-time notification mechanism for monitoring document changes and implementing reactive applications with Cloud Firestore.

Question 199:

An application needs to process uploaded videos by transcoding them into multiple formats. Which Google Cloud service provides video transcoding capabilities?

A) Cloud Functions

B) Transcoder API

C) Cloud Video Intelligence API

D) Cloud Media Processing

Answer: B

Explanation:

Transcoder API provides video transcoding capabilities for processing uploaded videos into multiple formats in Google Cloud. Transcoder API is a fully managed service that converts video files between different codecs, resolutions, bitrates, and container formats, enabling applications to deliver optimized video content for various devices, network conditions, and quality requirements. The service handles the computational complexity of video processing at scale without requiring developers to manage transcoding infrastructure or software.

Transcoder API accepts input videos from Cloud Storage buckets and generates output videos according to job configurations specifying target formats. Developers create transcoding jobs defining input file locations, output specifications including codecs like H.264 or VP9, resolutions ranging from SD to 4K, bitrates for bandwidth optimization, and container formats like MP4 or HLS for adaptive streaming. The API supports creating multiple output renditions from single inputs, enabling adaptive bitrate streaming where players select appropriate quality levels based on viewer bandwidth. Advanced features include audio track manipulation, subtitle embedding, thumbnail generation, and content protection through DRM encryption.

The service processes videos efficiently using Google’s infrastructure, automatically scaling to handle varying workload volumes from occasional transcoding jobs to continuous high-volume processing. Transcoder API provides job status monitoring through polling or Pub/Sub notifications, allowing applications to track progress and handle completed transcodings. Pricing is based on processing duration and output resolution, with costs scaling linearly with transcoding volume. The API integrates with other Google Cloud services including Cloud Storage for input/output management, Cloud Functions for workflow automation triggered by video uploads, and CDN for delivering transcoded videos globally.

Cloud Functions can orchestrate transcoding but does not perform it. Cloud Video Intelligence API analyzes video content but does not transcode. Cloud Media Processing is not a specific Google Cloud service. Transcoder API is the purpose-built, managed service for video transcoding at scale in Google Cloud applications.

Question 200:

A developer needs to implement search functionality across millions of documents with faceted filtering and ranking. Which Google Cloud service should be used?

A) Cloud Firestore

B) Vertex AI Search

C) BigQuery

D) Elasticsearch on Compute Engine

Answer: B

Explanation:

Vertex AI Search (formerly Enterprise Search) should be used to implement search functionality across millions of documents with faceted filtering and ranking. Vertex AI Search is Google Cloud’s fully managed, enterprise-grade search solution that provides powerful search capabilities including natural language understanding, relevance ranking, faceted navigation, and personalized results. The service leverages Google’s search expertise and machine learning technologies to deliver high-quality search experiences similar to Google Search but customized for organizational content and applications.

Vertex AI Search indexes structured and unstructured content from various sources including Cloud Storage, BigQuery, websites, and third-party systems. The service automatically extracts entities, relationships, and semantic meaning from documents using natural language processing, enabling sophisticated search capabilities beyond simple keyword matching. Users can search using natural language queries, and the service interprets intent, handles synonyms, corrects spelling errors, and ranks results by relevance using machine learning models trained on search behavior. Faceted filtering allows users to refine results by attributes like document type, date, author, or custom metadata fields, providing intuitive navigation through large result sets.

The service provides features critical for enterprise search including document-level access control integrated with IAM ensuring users only see content they have permission to access, result personalization based on user history and preferences, analytics showing popular queries and click-through rates for optimization, and autocomplete suggestions that guide users toward relevant content. Vertex AI Search scales automatically to handle search volumes from small applications to enterprise-wide deployments with millions of documents and thousands of concurrent users. The managed nature eliminates operational overhead including index management, capacity planning, and infrastructure maintenance.

Cloud Firestore provides limited querying not full-text search with faceting. BigQuery is for analytics not search. Elasticsearch on Compute Engine requires self-management. Vertex AI Search is Google Cloud’s managed, enterprise search service providing sophisticated search capabilities with faceted filtering and intelligent ranking for applications.

Question 201:

An application needs to perform batch processing on large datasets triggered by file uploads to Cloud Storage. Which architecture pattern is most appropriate?

A) Cloud Storage trigger → Cloud Functions → Dataflow

B) Cloud Storage trigger → Pub/Sub → Cloud Run → Dataproc

C) Cloud Scheduler → Cloud Functions → BigQuery

D) Cloud Storage trigger → Cloud Build → Compute Engine

Answer: A

Explanation:

The architecture pattern using Cloud Storage trigger to Cloud Functions to Dataflow is most appropriate for batch processing large datasets triggered by file uploads. This pattern leverages Cloud Storage event notifications to detect file uploads, uses Cloud Functions as a lightweight orchestrator to initiate processing, and employs Dataflow for scalable, distributed data processing. The combination provides an event-driven, serverless architecture that automatically processes uploaded data without manual intervention or persistent infrastructure.

When files are uploaded to Cloud Storage buckets, the configured trigger automatically invokes a Cloud Function that receives event metadata including bucket name, file name, and file size. The Cloud Function validates the upload, potentially checking file format and size constraints, then launches a Dataflow job passing file location and processing parameters. Dataflow handles the heavy lifting of batch processing using Apache Beam pipelines that automatically parallelize operations across many workers, enabling efficient processing of gigabyte to petabyte-scale datasets. Dataflow jobs can perform transformations including data cleansing, aggregation, enrichment, and format conversion before writing results to destinations like BigQuery, Cloud Storage, or Cloud Bigtable.

This architecture provides several advantages including automatic scaling where Dataflow provisions workers based on data volume, fault tolerance through automatic retry of failed operations, cost efficiency by using serverless components that charge only during active processing, and operational simplicity eliminating infrastructure management. Cloud Functions provides a bridge between the event-driven upload notification and the batch processing job, enabling validation logic, error handling, and job parameterization. The pattern supports complex data pipelines with multiple processing stages, conditional workflows, and integration with data quality monitoring.

Option B using Dataproc is viable but Dataflow is more serverless and easier to manage for most use cases. Option C uses scheduling not event triggers. Option D with Cloud Build and Compute Engine is over-engineered. The Cloud Storage trigger to Cloud Functions to Dataflow pattern is the recommended serverless, event-driven architecture for batch processing triggered by file uploads.

Question 202:

A developer needs to implement API rate limiting to prevent abuse and ensure fair usage. Where should rate limiting be configured for a REST API?

A) Application code

B) API Gateway

C) Cloud Armor

D) Cloud Load Balancing

Answer: B

Explanation:

Rate limiting should be configured in API Gateway for REST APIs to prevent abuse and ensure fair usage. API Gateway is Google Cloud’s fully managed API management service that provides comprehensive capabilities for securing, monitoring, and controlling API access including request rate limiting, quota enforcement, authentication, and traffic management. Implementing rate limiting at the API Gateway level provides centralized control, protects backend services from overload, and enables consistent policy enforcement across all API endpoints without requiring rate limiting logic in every microservice.

API Gateway rate limiting works through quota configurations that specify maximum request rates per API consumer over time windows. Administrators define quotas like “100 requests per minute per API key” or “10,000 requests per day per authenticated user” in the API configuration using OpenAPI specifications with Google extensions. The gateway tracks request counts for each consumer using distributed counters, rejecting requests that exceed configured limits with HTTP 429 Too Many Requests responses. Rate limits can be applied globally across all API endpoints, per specific endpoint paths, or per operation allowing fine-grained control over API usage patterns.

API Gateway supports different quota enforcement strategies including per-API-key limits for applications identified by API keys, per-user limits for authenticated users identified through JWT tokens or OAuth, and per-IP limits for anonymous traffic. The service provides quota visibility through Cloud Monitoring, enabling administrators to monitor quota consumption, identify consumers approaching limits, and adjust quotas based on actual usage patterns. When limits are reached, API Gateway can return custom error responses with headers indicating retry-after times and remaining quota, helping API consumers implement appropriate backoff strategies.

Application code can implement rate limiting but creates inconsistency across services and adds development overhead. Cloud Armor provides DDoS protection but is not designed for API rate limiting. Cloud Load Balancing focuses on traffic distribution not request quotas. API Gateway is the purpose-built service for comprehensive API rate limiting and quota management in Google Cloud.

Question 203:

An application uses Cloud SQL and experiences slow query performance during peak hours. Which approach improves read scalability?

A) Increase Cloud SQL instance size

B) Create read replicas

C) Enable query caching

D) Use connection pooling

Answer: B

Explanation:

Creating read replicas improves read scalability for Cloud SQL instances experiencing slow query performance during peak hours. Read replicas are separate Cloud SQL instances that asynchronously replicate data from the primary instance and serve read queries, distributing query load across multiple database servers. This horizontal scaling approach increases overall read throughput by allowing applications to route read-only queries to replicas while directing write operations to the primary instance, effectively multiplying available query processing capacity.

Cloud SQL read replicas continuously synchronize data from the primary instance through replication logs, maintaining near-real-time data consistency with typical replication lag measured in milliseconds to seconds depending on write load and network latency. Applications configure connection strings pointing to replica endpoints for read operations while maintaining primary instance connections for writes and transactions requiring strong consistency. Load balancing across multiple replicas further distributes read traffic, with some applications using client-side logic or connection pools that round-robin queries across replica endpoints for optimal distribution.

Read replicas provide additional benefits beyond performance including geographic distribution where replicas in multiple regions reduce query latency for globally distributed users, high availability where replicas can be promoted to primary instances during outages, and analytics workload isolation where resource-intensive reporting queries run against replicas without impacting transactional workload performance on the primary instance. Cloud SQL supports creating multiple read replicas per primary instance, enabling scaling to handle demanding read workloads. Replicas can have different machine types than the primary instance, allowing cost optimization by using smaller instances for less critical read workloads.

Increasing instance size improves overall capacity but is vertical scaling with limits and higher costs. Query caching helps but has limited effectiveness for diverse query patterns. Connection pooling reduces connection overhead but does not increase query processing capacity. Creating read replicas is the most effective approach for improving read scalability and distributing query load in Cloud SQL applications.

Question 204:

A developer needs to implement a workflow with multiple sequential and parallel steps including human approval. Which Google Cloud service should be used?

A) Cloud Composer

B) Cloud Workflows

C) Cloud Tasks

D) Cloud Scheduler

Answer: B

Explanation:

Cloud Workflows should be used to implement workflows with multiple sequential and parallel steps including human approval requirements. Cloud Workflows is Google Cloud’s fully managed orchestration service that coordinates and sequences calls to Google Cloud services, external APIs, and serverless functions through declarative workflow definitions. The service supports complex workflow patterns including sequential execution, parallel branches, conditional logic, error handling, and waiting for external events like human approvals, making it ideal for automating multi-step business processes.

Cloud Workflows uses YAML syntax to define workflows as sequences of steps with each step representing an operation like invoking HTTP endpoints, calling Cloud Functions, querying BigQuery, or waiting for callbacks. The service handles workflow state management, automatic retries for transient failures, and execution tracking without requiring developers to write boilerplate orchestration code. For human approval scenarios, workflows can pause execution by creating pending approval records, sending notifications to approvers, and waiting for callback webhooks indicating approval decisions before resuming execution. Built-in support for callbacks enables workflows to wait indefinitely for external events without consuming resources or timing out.

Cloud Workflows provides capabilities essential for production orchestration including parallel execution where multiple independent steps run concurrently improving overall workflow duration, conditional branching based on previous step results, error handling and retry policies per step, input/output transformation using expressions, and subworkflows for modularity and reusability. The service integrates with Cloud Logging and Cloud Monitoring for execution visibility, showing workflow progress, step timing, and failure details. Workflows execute serverlessly with pricing based on step executions, making them cost-effective for both frequent and occasional automation needs.

Cloud Composer is for complex data pipelines using Apache Airflow but is heavier weight than Workflows. Cloud Tasks manages task queues not multi-step orchestration. Cloud Scheduler handles time-based triggering not workflow coordination. Cloud Workflows is the purpose-built service for orchestrating multi-step workflows with human approval and complex coordination patterns in Google Cloud.

Question 205:

An application needs to ensure data residency compliance by storing all data within a specific geographic region. Which Google Cloud configuration enforces this requirement?

A) IAM policies

B) Resource locations

C) Organization policies

D) VPC Service Controls

Answer: C

Explanation:

Organization policies should be used to ensure data residency compliance by enforcing that all data is stored within specific geographic regions. Organization policies are Google Cloud’s centralized governance mechanism that allows administrators to programmatically define restrictions and requirements across entire organizations, folders, or projects. For data residency, the “Resource Location Restriction” organization policy constrains where resources can be created, ensuring compliance with regulatory requirements like GDPR, data sovereignty laws, or contractual obligations limiting data storage to specific countries or regions.

The Resource Location Restriction policy uses location taxonomies to define allowed geographic areas where resources can be created. Administrators specify allowed regions using values like “in:us-locations” for United States only, “in:eu-locations” for European Union, or specific regions like “in:us-east1” for fine-grained control. When this policy is enforced, Google Cloud prevents creation of non-compliant resources including Cloud Storage buckets, BigQuery datasets, Cloud SQL instances, Compute Engine instances, and other services in prohibited regions. The policy applies at API level, blocking resource creation requests that violate location constraints regardless of whether requests originate from console, command-line tools, or programmatic API calls.

Organization policies provide inheritance where policies set at organization level automatically apply to all folders and projects below, ensuring consistent enforcement across entire cloud environments. Administrators can create exceptions by overriding inherited policies at lower levels when specific projects require different constraints. The policies work in conjunction with other security controls including IAM for access control, VPC Service Controls for network perimeter security, and encryption for data protection, providing defense-in-depth for compliance requirements. Policy compliance can be monitored through Cloud Asset Inventory showing resources and their locations, enabling audits verifying adherence to data residency requirements.

IAM policies control access not resource locations. Resource locations are selected during creation but do not enforce restrictions. VPC Service Controls protect against data exfiltration but do not enforce storage locations. Organization policies are the comprehensive governance mechanism for enforcing geographic data residency requirements in Google Cloud.

Question 206:

A developer needs to analyze application performance and identify CPU bottlenecks in production. Which Google Cloud tool should be used?

A) Cloud Trace

B) Cloud Profiler

C) Cloud Monitoring

D) Cloud Debugger

Answer: B

Explanation:

Cloud Profiler should be used to analyze application performance and identify CPU bottlenecks in production environments. Cloud Profiler is Google Cloud’s continuous profiling tool that collects and analyzes resource usage data from running applications including CPU time, heap memory allocation, thread contention, and wall-clock time. The service provides statistical insights into which functions and code paths consume the most resources, enabling developers to identify performance bottlenecks and optimization opportunities without significantly impacting application performance or requiring special debug builds.

Cloud Profiler works by periodically sampling application execution, capturing stack traces showing which functions are executing at sample times. The service aggregates samples over time periods ranging from minutes to days, generating flame graphs and other visualizations showing where applications spend execution time. For CPU profiling, the tool identifies which functions consume the most processor cycles, helping developers prioritize optimization efforts on code that delivers maximum performance improvement. The profiling overhead is minimal, typically less than 1-2 percent of CPU usage, making it safe to run continuously in production environments without user impact.

Cloud Profiler supports multiple languages including Java, Go, Python, Node.js, and .NET, with language-specific agents that integrate with application runtimes. The tool enables comparing profiles across different time periods, application versions, or deployment environments, helping verify that optimizations actually improve performance. Developers can drill down from high-level flame graphs showing overall CPU distribution into specific function call paths, examining which callers invoke expensive functions and whether opportunities exist for caching, algorithmic improvements, or eliminating redundant work. Integration with source code repositories displays profiling data alongside actual code, providing context for optimization decisions.

Cloud Trace analyzes request latency not CPU usage. Cloud Monitoring tracks metrics but not code-level profiling. Cloud Debugger inspects variables not performance. Cloud Profiler is the specialized tool for production performance profiling and CPU bottleneck identification in Google Cloud applications.

Question 207:

An application needs to process messages from Pub/Sub with guaranteed ordering for messages with the same key. Which configuration is required?

A) Enable message ordering on subscription

B) Use topic partitioning

C) Configure message grouping

D) Enable FIFO delivery mode

Answer: A

Explanation:

Enabling message ordering on subscriptions is required to process messages from Pub/Sub with guaranteed ordering for messages with the same key. Cloud Pub/Sub message ordering ensures that messages published with the same ordering key are delivered to subscribers in the exact order they were published, maintaining sequence consistency for related messages. This capability is essential for applications requiring causally consistent processing, such as maintaining database state through event sourcing, processing transaction logs, or implementing workflows where step ordering matters.

Message ordering is configured at the subscription level by setting the “enable_message_ordering” flag to true when creating subscriptions. Publishers must assign ordering keys to messages, typically using values like user IDs, transaction IDs, or entity identifiers that logically group related messages. Pub/Sub maintains separate ordered queues per ordering key, ensuring messages within each key sequence are delivered in order while allowing parallel processing of messages with different ordering keys. This design provides ordering guarantees where needed without sacrificing overall throughput or requiring global ordering across all messages.

When message ordering is enabled, subscribers must acknowledge messages in the order received, as acknowledging later messages before earlier ones can cause redelivery of the entire sequence. Subscribers should process messages synchronously within each ordering key to maintain consistency, though different ordering keys can be processed in parallel. If message processing fails, Pub/Sub redelivers the failed message and all subsequent messages in that ordering key sequence, ensuring no messages are skipped. Applications must implement idempotent processing to handle potential duplicate delivery during retries.

Topic partitioning is not a Pub/Sub feature. Message grouping is not standard terminology. FIFO delivery mode is not how Pub/Sub ordering is configured. Enabling message ordering on subscriptions with ordering keys in published messages is the correct configuration for guaranteed message ordering in Cloud Pub/Sub.

Question 208:

A developer needs to implement blue-green deployment for a containerized application on Cloud Run. Which approach should be used?

A) Deploy new revision and manually shift traffic

B) Use Cloud Deploy with approval gates

C) Configure gradual rollout percentages

D) Use traffic splitting between revisions

Answer: D

Explanation:

Using traffic splitting between revisions is the appropriate approach for implementing blue-green deployment for containerized applications on Cloud Run. Cloud Run’s traffic management capabilities allow routing request traffic across multiple service revisions using percentage-based distribution, enabling blue-green deployment strategies where new versions (green) are deployed alongside existing versions (blue) before completely switching traffic. This approach minimizes risk by validating new deployments with production traffic before full cutover while maintaining the ability to instantly rollback if issues arise.

Blue-green deployment with Cloud Run involves deploying a new revision without automatically serving traffic to it, configuring traffic splitting to direct 100 percent of traffic to the existing (blue) revision and 0 percent to the new (green) revision initially, testing the green revision through its specific revision URL to validate functionality, and then updating traffic allocation to shift 100 percent of traffic to the green revision when ready. This instant cutover eliminates the gradual transition period of canary deployments, making blue-green appropriate when new versions have been thoroughly tested and rapid deployment is desired.

Cloud Run maintains all revisions by default, allowing instant rollback by shifting traffic back to previous revisions if issues are discovered after deployment. Traffic splitting can be managed through the Google Cloud console, gcloud command-line tool, or programmatically through APIs enabling integration with CI/CD pipelines. The service provides revision-specific metrics in Cloud Monitoring showing performance, error rates, and resource usage per revision, helping validate green revision health before complete cutover. Traffic splitting operates at the request level, ensuring individual user sessions are not split between revisions within single interactions.

Manually shifting traffic describes the concept but traffic splitting is the specific feature. Cloud Deploy adds deployment pipelines but traffic splitting is the core capability. Gradual rollout percentages describe canary deployments not pure blue-green. Traffic splitting between revisions is the Cloud Run feature enabling blue-green deployment strategies.

Question 209:

An application needs to perform batch data transformations using SQL. Which Google Cloud service provides serverless SQL-based data transformation?

A) Cloud Dataflow

B) BigQuery

C) Cloud Dataproc

D) Cloud Functions

Answer: B

Explanation:

BigQuery provides serverless SQL-based data transformation for batch data processing workloads. While BigQuery is primarily known as a data warehouse for analytics queries, it also serves as a powerful ETL and data transformation engine through features including scheduled queries, data manipulation language (DML) statements, stored procedures, and user-defined functions. BigQuery’s serverless architecture automatically scales compute resources for transformation workloads, eliminating infrastructure management while providing cost-efficient processing through automatic resource optimization.

BigQuery transformations leverage standard SQL for data manipulation including INSERT, UPDATE, DELETE, and MERGE statements that modify table data, complex SELECT queries with joins, aggregations, and window functions for computing derived datasets, and CREATE TABLE AS SELECT (CTAS) statements for materializing transformation results as new tables. Scheduled queries enable recurring transformations that execute automatically on time-based schedules, maintaining derived tables and aggregations as source data changes. Multi-statement procedures combine multiple transformation steps with control flow logic including loops, conditionals, and exception handling, orchestrating complex ETL workflows entirely within BigQuery.

BigQuery provides transformation capabilities optimized for large-scale data processing including columnar storage that reads only required columns improving query performance, partitioning and clustering that prune unnecessary data from scans, federated queries that access data in Cloud Storage, Cloud SQL, and Bigtable without loading it into BigQuery, and streaming buffer integration allowing transformations on real-time ingested data. The serverless execution model provisions query resources automatically based on data volume and query complexity, with pricing based on bytes processed encouraging optimized query design. BigQuery ML integration enables transformations incorporating machine learning predictions within SQL queries.

Cloud Dataflow is for Apache Beam pipelines not pure SQL. Cloud Dataproc requires cluster management. Cloud Functions is for event-driven code not batch SQL. BigQuery is the serverless, SQL-based platform for batch data transformation at scale in Google Cloud.

Question 210:

A developer needs to implement request authentication and authorization for microservices without modifying application code. Which solution should be used?

A) API Gateway

B) Identity-Aware Proxy

C) Service mesh with Istio

D) Cloud Armor

Answer: C

Explanation:

A service mesh with Istio should be used to implement request authentication and authorization for microservices without modifying application code. Istio is an open-source service mesh that provides security, observability, and traffic management capabilities by deploying sidecar proxies alongside application containers that intercept all network traffic. These proxies enforce authentication and authorization policies at the network layer without requiring changes to application code, making security transparent to developers while providing consistent enforcement across all microservices.

Istio authentication works through mutual TLS (mTLS) where the service mesh automatically establishes encrypted connections between services and verifies service identities using certificates. Istio’s certificate authority generates, distributes, and rotates certificates automatically, eliminating manual certificate management. For end-user authentication, Istio integrates with JWT token validation, verifying tokens issued by identity providers like Google Identity Platform or third-party OAuth servers. The mesh validates token signatures, expiration times, and required claims before allowing requests to reach application containers.

Istio authorization uses policy resources defining fine-grained access control rules specifying which services can communicate, what operations they can perform, and under what conditions access is granted. Policies support RBAC-style rules based on service identities, end-user attributes from JWT tokens, request properties like HTTP methods and paths, and custom conditions using expressions. Authorization decisions occur at the sidecar proxy level, rejecting unauthorized requests before they consume application resources. The declarative policy model separates security concerns from application logic, enabling security teams to manage policies without coordinating application deployments.

API Gateway provides API-level security but for external APIs not internal microservices. Identity-Aware Proxy protects applications but works at the edge not between microservices. Cloud Armor provides DDoS protection not microservice authentication. Service mesh with Istio is the comprehensive solution for transparent authentication and authorization between microservices without application code changes.