Visit here for our full Google Professional Cloud Developer exam dumps and practice test questions.

Question 121: 

You need to implement blue-green deployment for your application on Google Kubernetes Engine. Which approach should you use?

A) Deploy both versions to the same cluster and use Service labels to switch traffic

B) Create two separate projects for blue and green environments

C) Use only rolling updates for all deployments

D) Deploy to Compute Engine instead of GKE

Answer: A

Explanation:

Blue-green deployment on Google Kubernetes Engine involves running two complete versions of your application simultaneously within the same cluster and using Kubernetes Service label selectors to instantly switch traffic between versions. This deployment strategy minimizes downtime and provides immediate rollback capabilities by maintaining both environments ready to serve traffic.

The implementation begins by deploying the new version (green) alongside the existing production version (blue) using separate Deployments with distinct version labels. Both Deployments run simultaneously with identical replica counts and resource allocations. The production Service initially directs traffic to blue pods using label selectors matching the blue version identifier. After validating green version functionality through testing and monitoring, administrators update the Service selector to match green version labels, instantly redirecting all production traffic.

This approach provides several advantages including zero-downtime deployments as traffic switches instantly between healthy pod sets, immediate rollback capability by reverting Service selectors to the previous version without redeploying, and comprehensive testing opportunities where the green environment receives synthetic traffic or limited real user traffic before full cutover. The parallel operation allows side-by-side comparison of metrics between versions identifying performance regressions before impacting all users.

Resource considerations require temporarily doubling infrastructure capacity as both versions run simultaneously during deployment windows. Organizations can mitigate costs by maintaining the previous version for limited periods only, typically hours or days sufficient for validation and potential rollback needs. Automated cleanup processes remove old versions after successful deployment confirmation.

Creating separate projects introduces unnecessary complexity and cost. Rolling updates provide gradual deployment but lack instant cutover and rollback. Compute Engine requires manual load balancer reconfiguration. The Service label selector approach delivers true blue-green deployment within GKE leveraging native Kubernetes traffic management capabilities for reliable, reversible deployments.

Question 122: 

Your application needs to authenticate users and provide secure token-based access. Which Google Cloud service should you use?

A) Cloud IAM

B) Cloud KMS

C) Identity Platform

D) Secret Manager

Answer: C

Explanation:

Identity Platform provides comprehensive user authentication and identity management services including user registration, login, password management, and secure token issuance for application access control. This fully managed service implements industry-standard authentication protocols while abstracting complex security implementations enabling developers to focus on application functionality rather than authentication infrastructure.

The platform supports multiple authentication methods including email and password authentication with secure password hashing and breach detection, phone number authentication with SMS verification codes, social provider integration with Google, Facebook, Twitter, and GitHub, SAML and OpenID Connect for enterprise identity federation, and anonymous authentication for guest users. Multi-factor authentication adds additional security layers requiring users to verify identity through multiple channels.

Token-based authentication flows issue JSON Web Tokens (JWTs) after successful user authentication. Applications include these tokens in subsequent API requests, with backend services validating token signatures and claims before granting access. Token validation occurs through Identity Platform SDKs that verify cryptographic signatures, check expiration timestamps, and extract user identity claims. This stateless authentication scales efficiently without requiring server-side session storage or database lookups for every request.

User management capabilities include user profile storage with custom attributes, email verification workflows, password reset mechanisms, account linking across providers, and user activity monitoring. Admin APIs enable programmatic user management, bulk operations, and integration with existing identity systems. Security features include bot protection, anomaly detection identifying suspicious authentication patterns, and compliance with industry standards like OAuth 2.0 and OpenID Connect.

Cloud IAM manages Google Cloud resource access rather than application users. Cloud KMS provides encryption key management without authentication services. Secret Manager stores credentials but doesn’t authenticate users. Identity Platform specifically addresses application user authentication delivering secure, scalable identity management essential for modern applications requiring user login and access control.

Question 123: 

You need to deploy machine learning models for real-time prediction. Which service provides the lowest latency for inference?

A) BigQuery ML

B) Vertex AI Prediction with online endpoints

C) AutoML Tables

D) Cloud Storage with custom processing

Answer: B

Explanation:

Vertex AI Prediction with online endpoints delivers optimized infrastructure for real-time machine learning inference providing low-latency predictions typically within tens of milliseconds. This managed service handles model deployment, autoscaling, monitoring, and version management while ensuring consistent performance for applications requiring immediate prediction results.

Online prediction endpoints maintain model instances continuously loaded in memory ready to process incoming prediction requests instantly. This architecture contrasts with batch prediction where models load periodically to process large datasets. The in-memory approach eliminates model loading overhead ensuring each prediction request completes rapidly. Endpoints support multiple machine learning frameworks including TensorFlow, PyTorch, scikit-learn, and XGBoost enabling deployment of models built with various tools.

The autoscaling capability automatically adjusts prediction infrastructure based on request volume, scaling from minimum instances during low traffic to maximum instances during peak periods. This elasticity ensures consistent latency regardless of load while optimizing costs by reducing capacity during idle periods. Traffic splitting enables A/B testing and canary deployments where portions of prediction traffic route to different model versions for gradual rollout and performance comparison.

Model serving optimizations include GPU acceleration for deep learning models requiring intensive computation, model versioning supporting simultaneous deployment of multiple model versions with routing rules determining which version handles specific requests, and prediction caching temporarily storing recent predictions reducing computation for repeated identical requests. Monitoring integration provides visibility into prediction latency, throughput, and error rates enabling performance optimization.

BigQuery ML excels at batch predictions over large datasets but lacks real-time optimization. AutoML Tables provides automated model training but predictions still require deployment to online endpoints. Cloud Storage stores models but requires custom inference infrastructure. Vertex AI Prediction online endpoints specifically address real-time inference requirements delivering production-grade model serving with minimal latency essential for interactive applications.

Question 124: 

What is the recommended way to manage database schema changes in a CI/CD pipeline?

A) Manually execute SQL scripts in production

B) Use database migration tools with version control and automated deployment

C) Delete and recreate databases with each deployment

D) Allow developers to modify production schemas directly

Answer: B

Explanation:

Database migration tools with version control and automated deployment represent the recommended approach for managing schema changes, ensuring consistent, repeatable, and auditable database evolution across environments. This methodology treats database schemas as code subject to the same development practices as application code including version control, peer review, testing, and automated deployment.

Migration tools like Liquibase, Flyway, or Alembic track schema versions through migration files containing incremental changes. Each migration file describes a specific schema modification such as adding tables, modifying columns, creating indexes, or updating constraints. Files are numbered or timestamped establishing execution order. The migration tool maintains a metadata table in each database recording which migrations have been applied preventing duplicate execution and enabling consistent schema state across environments.

The development workflow begins with developers creating migration files for required schema changes and committing them to version control alongside application code. Pull requests enable peer review of database changes before merging. Automated testing in CI pipelines applies migrations to test databases, runs integration tests validating application compatibility with new schemas, and verifies migration reversibility through rollback tests. This validation catches issues before production deployment.

Deployment automation applies pending migrations to each environment progressively from development through staging to production. The migration tool examines the database metadata table, identifies unapplied migrations, executes them in order, and records successful completion. This automation ensures consistent schema application and eliminates manual errors common with manual SQL execution. Rollback capabilities enable reverting problematic changes through down migrations or database backups.

Manual production changes lack auditability and consistency. Deleting databases destroys data. Direct developer access bypasses controls and creates security risks. Database migration tools provide the discipline and automation necessary for reliable database schema management in modern CI/CD pipelines ensuring database changes receive the same rigor as application code changes.

Question 125: 

You need to implement distributed caching for your application to reduce database load. Which solution is most appropriate?

A) Cloud SQL read replicas

B) Cloud Memorystore for Redis

C) Cloud Filestore

D) Persistent Disk snapshots

Answer: B

Explanation:

Cloud Memorystore for Redis provides fully managed in-memory data store services ideal for implementing distributed caching to reduce database load and improve application performance. This managed Redis service delivers sub-millisecond data access latency enabling applications to cache frequently accessed data, session information, and computed results rather than repeatedly querying databases.

Caching strategies significantly reduce database load by storing query results, computed data, and frequently accessed objects in memory. When applications need data, they first check the cache returning results instantly if found. Cache misses trigger database queries with results stored in the cache for subsequent requests. This pattern dramatically reduces database query volume particularly for read-heavy workloads where the same data is accessed repeatedly by multiple users or application instances.

Cloud Memorystore provides automatic replication for high availability with Redis instances replicated across zones. Automatic failover detects instance failures and promotes replicas to primary status within seconds maintaining cache availability even during infrastructure issues. This reliability ensures caching remains available providing consistent performance benefits. Redis persistence options enable data recovery after restarts preventing complete cache invalidation requiring expensive database rebuilding.

Advanced Redis features support sophisticated caching patterns including time-based expiration automatically removing stale cache entries, least-recently-used eviction policies managing memory when capacity limits are reached, pub/sub messaging enabling real-time cache invalidation across application instances, and atomic operations supporting counters, sets, and sorted sets beyond simple key-value storage. These capabilities enable complex caching strategies matching application requirements.

Cloud SQL read replicas reduce primary database load but still involve database queries with higher latency than memory access. Cloud Filestore provides file storage rather than caching. Persistent Disk snapshots serve backup purposes. Cloud Memorystore for Redis specifically addresses distributed caching requirements delivering the performance, availability, and features necessary for effective application caching reducing database load and improving response times.

Question 126: 

Which Cloud SQL feature provides automatic failover for high availability?

A) Read replicas

B) High availability configuration with regional instances

C) Cloud SQL Proxy

D) Automated backups

Answer: B

Explanation:

High availability configuration with regional instances provides automatic failover capabilities for Cloud SQL ensuring database availability during infrastructure failures or maintenance events. This feature deploys database instances across multiple zones within a region with synchronous replication between primary and standby instances enabling rapid failover maintaining service continuity.

The architecture maintains a primary instance handling all database operations with a standby instance in a different zone receiving synchronous replication of every transaction. Synchronous replication ensures the standby remains current with zero data loss during failover. Health monitoring continuously checks primary instance availability detecting failures from hardware issues, network problems, or zone outages within seconds.

Automatic failover triggers when the monitoring system detects primary instance unavailability. The standby instance promotes to primary status and begins handling database traffic typically within 60 to 120 seconds depending on database size and workload. The original primary instance IP address automatically redirects to the new primary ensuring applications reconnect without configuration changes. This transparent failover minimizes application disruption requiring only brief reconnection handling rather than manual intervention.

After failover completes, Cloud SQL automatically provisions a new standby instance in a healthy zone reestablishing high availability protection. The system performs this recovery without manual intervention maintaining continuous protection against subsequent failures. Regional persistent disks ensure data survives zone failures providing durable storage underlying both instances.

Read replicas provide scalability for read workloads but don’t offer automatic failover. Cloud SQL Proxy secures connections but doesn’t provide availability features. Automated backups enable recovery but require manual restoration with extended downtime. High availability configuration specifically addresses automatic failover requirements delivering production-grade availability for critical database workloads where downtime impacts business operations.

Question 127: 

You need to implement request authentication between microservices in GKE. What is the recommended approach?

A) Share API keys between services

B) Use service mesh with mutual TLS

C) Embed passwords in environment variables

D) Disable authentication for internal services

Answer: B

Explanation:

Service mesh with mutual TLS provides the recommended authentication approach for microservices running in Google Kubernetes Engine, establishing secure encrypted communication channels with bidirectional identity verification between services. This infrastructure layer handles authentication, encryption, and authorization automatically without requiring custom implementation in application code.

Mutual TLS extends standard TLS where clients verify server identities to include server verification of client identities. Both parties present certificates during connection establishment proving their identities through cryptographic signatures. Service meshes like Anthos Service Mesh or Istio automate certificate management by issuing short-lived certificates to each service, distributing them through sidecar proxies, rotating them automatically before expiration, and validating certificates during every connection attempt.

The sidecar proxy architecture deploys a proxy container alongside each application container intercepting all network traffic. Proxies handle TLS termination, certificate validation, traffic encryption, and policy enforcement transparently to applications. Applications communicate with local proxies using unencrypted connections, while proxies encrypt traffic between services. This separation of concerns enables centralized security policy management without modifying application code.

Service mesh capabilities extend beyond authentication to include authorization policies controlling which services can communicate based on service identity, traffic management for canary deployments and circuit breaking, observability through distributed tracing and metrics collection, and traffic encryption ensuring confidentiality for sensitive data transmitted between services. These features create comprehensive security and observability layers across microservices environments.

Shared API keys lack rotation mechanisms and create security risks when compromised. Environment variable passwords suffer similar limitations. Disabling authentication exposes services to unauthorized access from compromised containers or malicious internal actors. Service mesh with mutual TLS provides defense-in-depth security authenticating every service-to-service connection ensuring only authorized services communicate while encrypting traffic protecting sensitive data.

Question 128: 

What is the purpose of the Cloud Tasks service?

A) To execute code in response to HTTP requests

B) To manage asynchronous task execution with guaranteed delivery

C) To store application configuration

D) To provide in-memory caching

Answer: B

Explanation:

Cloud Tasks manages asynchronous task execution with guaranteed delivery, enabling applications to defer work to be processed later by worker services. This fully managed service handles task queuing, scheduling, retries, and delivery ensuring reliable execution of background jobs, deferred processing, and long-running operations without blocking user-facing request handlers.

The task queue model allows applications to create tasks representing units of work that need execution. Tasks contain payloads describing the work to perform and target URLs specifying worker endpoints that will process the tasks. Applications quickly enqueue tasks and return responses to users without waiting for potentially slow operations to complete. Cloud Tasks reliably delivers tasks to worker services which process them asynchronously at their own pace.

Guaranteed delivery ensures every enqueued task executes successfully through automatic retry mechanisms. If worker services fail to process tasks or respond with error status codes, Cloud Tasks automatically retries delivery using exponential backoff algorithms. Configurable retry parameters control maximum attempts, retry intervals, and timeout durations. Dead letter queues capture tasks that exceed retry limits for manual investigation and reprocessing.

Rate limiting capabilities control task dispatch rates preventing workers from being overwhelmed. Queue configurations specify maximum concurrent tasks and dispatch rates per second. This throttling protects backend services from sudden load spikes while ensuring steady work processing. Task scheduling enables delayed execution where tasks don’t dispatch until specified future times, supporting workflows like reminder systems, delayed notifications, or scheduled data processing.

Cloud Functions executes event-driven code but lacks explicit task queue management. Configuration storage and caching serve different purposes. Cloud Tasks specifically addresses reliable asynchronous task processing requirements common in modern applications needing background job execution, scheduled operations, and workload smoothing that improves user experience by offloading slow operations from request paths.

Question 129: 

You need to implement feature flags for gradual feature rollout. Which approach is recommended?

A) Use environment variables for all feature flags

B) Implement a centralized feature flag service with real-time updates

C) Hardcode feature toggles in application code

D) Redeploy applications for every feature change

Answer: B

Explanation:

Centralized feature flag services with real-time updates provide the recommended approach for managing feature flags, enabling dynamic feature control without application redeployment. This architecture separates feature activation from code deployment allowing gradual rollouts, A/B testing, quick rollbacks, and user segmentation through runtime configuration changes.

Feature flag services maintain flag definitions including flag names, descriptions, targeting rules determining which users receive features, and current activation states. Applications query the service during initialization or periodically during runtime to retrieve current flag states. Real-time update mechanisms using long polling, WebSockets, or server-sent events push flag changes to running applications within seconds enabling immediate feature activation or deactivation across fleets.

Targeting capabilities enable sophisticated rollout strategies including percentage-based rollouts where features activate for specific user percentages gradually increasing as confidence grows, user attribute targeting enabling features for beta users, specific accounts, or user segments, geographic targeting activating features in specific regions, and custom rules combining multiple attributes for complex scenarios. These capabilities support safe feature launches minimizing blast radius when issues occur.

Implementation patterns include client-side SDKs that cache flag states locally reducing latency and enabling operation during service outages, server-side evaluation preventing flag manipulation by clients, and analytics integration tracking feature usage and performance. Flag management interfaces enable non-technical stakeholders to control features without developer involvement. Audit trails document flag changes for compliance and troubleshooting.

Environment variables lack dynamic updates requiring restarts. Hardcoded toggles necessitate redeployment defeating the purpose. Full redeployment for features increases risk and slows iteration. Centralized feature flag services with real-time updates provide the flexibility and control necessary for modern continuous delivery practices enabling rapid experimentation and safe feature rollouts.

Question 130: 

Which Cloud Monitoring metric type should you use for counting events like API requests?

A) Gauge

B) Delta

C) Cumulative

D) Distribution

Answer: B

Explanation:

Delta metrics represent the optimal choice for counting discrete events like API requests, measuring the change in a value over a specific time interval. This metric type captures incremental counts of events occurring during each reporting period, enabling accurate rate calculations and preventing double-counting issues that affect other metric types.

The delta metric model records the number of events that occurred since the last measurement rather than absolute counts or current values. Applications increment local counters as events occur then report the accumulated count to Cloud Monitoring periodically. Cloud Monitoring aggregates these deltas across multiple application instances and time intervals producing accurate total counts and rates. This approach naturally handles application restarts, scaling events, and instance failures without artificial metric discontinuities.

API request counting exemplifies delta metric usage where applications increment counters for each incoming request. Monitoring systems aggregate these counts across all instances calculating total requests per minute, requests per second by endpoint, error rates comparing failed to successful requests, and usage patterns identifying peak traffic periods. Alert policies trigger notifications when request rates exceed thresholds indicating traffic spikes or potential attacks.

Delta metrics differ from gauge metrics which measure current point-in-time values like memory usage or connection counts. Cumulative metrics maintain running totals over the entire lifetime of a process creating discontinuities during restarts. Distribution metrics capture value distributions across ranges useful for latency measurements but less suitable for simple event counting.

Implementation requires careful client library selection supporting delta metrics, appropriate aggregation functions typically sum for combining counts across instances, and time alignment ensuring accurate rate calculations. Delta metrics provide the foundation for monitoring service health, capacity planning, billing calculations based on usage, and performance analysis across distributed applications where event counting represents fundamental observability requirements.

Question 131: 

You need to implement canary deployment for your Cloud Run service. What is the recommended approach?

A) Deploy to a separate project and manually switch traffic

B) Use Cloud Run traffic splitting to gradually route traffic to new revisions

C) Replace the entire service immediately

D) Use multiple services with external load balancers

Answer: B

Explanation:

Cloud Run traffic splitting enables canary deployments by gradually routing percentages of production traffic to new service revisions while maintaining the majority on stable versions. This built-in capability provides safe deployment practices allowing validation of new code with real user traffic before full rollout while maintaining instant rollback options.

The traffic splitting mechanism allows administrators to specify percentage distributions across multiple revisions simultaneously. A typical canary deployment begins by routing five or ten percent of traffic to the new revision while ninety to ninety-five percent remains on the proven stable revision. Monitoring systems track error rates, latency, and other metrics comparing new revision performance against the baseline. If metrics remain healthy, traffic percentages gradually increase over hours or days until the new revision handles all traffic.

Configuration occurs through Cloud Run console interfaces, gcloud commands, or infrastructure-as-code tools specifying exact traffic percentages for each revision. Tag-based routing enables stable URLs for testing where specific revisions receive traffic from tagged URLs independent of percentage splits. This capability allows dedicated testing of new revisions before exposing them to general user traffic.

Rollback simplicity represents a key advantage where reverting traffic to previous revisions requires only updating traffic percentages without redeploying code. If new revisions exhibit problems, administrators immediately shift traffic back to stable versions stopping impact within seconds. The previous revision remains deployed and warm eliminating cold start delays during rollback.

Separate projects introduce unnecessary complexity. Immediate replacement lacks gradual validation. External load balancers require manual configuration. Cloud Run traffic splitting provides native, simple, powerful canary deployment capabilities integrated directly into the platform enabling safe deployment practices essential for maintaining high availability while continuously delivering new features.

Question 132: 

What is the primary purpose of Cloud Armor in application security?

A) To encrypt data at rest

B) To provide DDoS protection and WAF capabilities at the edge

C) To manage SSL certificates

D) To scan container images for vulnerabilities

Answer: B

Explanation:

Cloud Armor delivers distributed denial-of-service (DDoS) protection and web application firewall (WAF) capabilities at Google’s global edge network, defending applications from volumetric attacks, protocol exploits, and application-layer threats before malicious traffic reaches backend services. This security service integrates with Cloud Load Balancing providing defense-in-depth protection for internet-facing applications.

DDoS protection operates automatically at Google’s network edge absorbing volumetric attacks that attempt to overwhelm application infrastructure with massive traffic floods. The global infrastructure absorbs terabits per second of attack traffic distributing load across worldwide data centers preventing any single location from being overwhelmed. Automatic detection identifies attack patterns distinguishing legitimate traffic from malicious requests using machine learning models trained on Google’s extensive threat intelligence.

Web application firewall capabilities enable custom security policies defining rules that block requests matching attack patterns. Pre-configured rules protect against OWASP Top 10 vulnerabilities including SQL injection, cross-site scripting, remote code execution, and directory traversal attacks. Custom rules filter requests based on IP addresses, geographic locations, HTTP headers, request paths, or request parameters. Rate limiting restricts requests from individual clients preventing abuse and brute force attacks.

Security policy flexibility allows different rules for different backend services enabling tailored protection for various application components. Logging integration records blocked requests for security analysis and compliance auditing. Preview mode tests rules against traffic without enforcement validating policies before production deployment. Integration with Cloud Monitoring enables alerting on security events and attack detection.

Encryption at rest uses different services. Certificate management occurs through Certificate Manager. Container scanning uses Container Analysis. Cloud Armor specifically addresses edge security providing DDoS protection and WAF capabilities essential for protecting internet-facing applications from network and application-layer attacks that threaten availability and security.

Question 133: 

You need to implement distributed tracing across multiple services. Which library should you use?

A) OpenTelemetry

B) Protobuf

C) gRPC

D) Apache Kafka

Answer: A

Explanation:

OpenTelemetry provides a vendor-neutral observability framework and instrumentation libraries for implementing distributed tracing across microservices architectures. This open standard enables applications to emit traces, metrics, and logs that integrate with Cloud Trace and other observability backends without vendor lock-in while providing consistent instrumentation across different programming languages and frameworks.

The instrumentation approach involves adding OpenTelemetry SDKs to application code that automatically capture trace data as requests flow through services. Libraries provide automatic instrumentation for common frameworks like Flask, Django, Express, and Spring Boot capturing HTTP requests, database queries, and external API calls without custom code. Manual instrumentation enables developers to create custom spans for business logic representing important operations like payment processing or inventory checks.

Context propagation represents the core distributed tracing mechanism where trace and span identifiers flow between services through HTTP headers or message metadata. When service A calls service B, OpenTelemetry automatically includes trace context in the outbound request. Service B extracts this context creating child spans that link to the parent request. This chain creates hierarchical traces showing complete request flows across distributed systems.

Export configuration directs trace data to backends like Cloud Trace for storage and analysis. OpenTelemetry exporters support multiple backends simultaneously enabling hybrid observability strategies. Sampling configurations control what percentage of traces are captured balancing observability with overhead costs. Semantic conventions standardize span attributes ensuring consistent labeling across services and organizations.

Protobuf provides data serialization rather than tracing. gRPC handles remote procedure calls. Kafka manages message streaming. OpenTelemetry specifically addresses distributed tracing requirements providing the instrumentation libraries and standards necessary for implementing comprehensive observability across microservices architectures enabling developers to understand request flows and diagnose performance issues.

Question 134: 

What is the recommended way to handle secrets in Cloud Build pipelines?

A) Hardcode secrets in build configuration files

B) Store secrets in Secret Manager and access them during builds

C) Pass secrets as build arguments in plain text

D) Commit secrets to source control

Answer: B

Explanation:

Secret Manager integration with Cloud Build provides the secure recommended approach for handling secrets during build pipelines, enabling builds to access sensitive credentials like API keys, passwords, and certificates without exposing them in configuration files, logs, or source code. This managed service eliminates security risks from embedded credentials while maintaining operational convenience.

The integration mechanism allows build configurations to reference secrets stored in Secret Manager using special syntax in cloudbuild.yaml files. During build execution, Cloud Build retrieves secret values from Secret Manager and makes them available as environment variables or mounted files within build steps. Secrets never appear in build logs or configuration files visible to users examining build history.

Access control through Cloud IAM ensures only authorized build service accounts can retrieve specific secrets. Granular permissions control which builds access which secrets preventing unauthorized secret access. Audit logging in Cloud Audit Logs records every secret access providing security teams visibility into credential usage. Secret versioning enables builds to reference specific versions ensuring consistent behavior while allowing secret rotation without breaking builds.

Implementation best practices include using separate secrets for different environments preventing production credentials from being used in test builds, rotating secrets regularly, minimizing secret scope granting only necessary permissions, and encrypting secrets at rest using customer-managed encryption keys for additional security. Build steps requiring secrets explicitly declare dependencies ensuring proper sequencing.

Hardcoding secrets creates security vulnerabilities exposing credentials to anyone viewing configurations. Plain text arguments appear in logs and build history. Committing secrets to source control creates permanent credential exposure in version history. Secret Manager integration provides the security controls and audit capabilities necessary for safe secret handling in CI/CD pipelines protecting sensitive credentials throughout the build process.

Question 135: 

You need to implement a health check for your application running on Cloud Run. What endpoint should your application provide?

A) /metrics for Prometheus scraping

B) /health that returns 200 OK when the application is healthy

C) /status for detailed status information

D) /version showing the current application version

Answer: B

Explanation:

Health check endpoints returning HTTP 200 status codes represent the standard implementation for Cloud Run health monitoring, enabling the platform to verify application availability and readiness to serve traffic. This simple contract allows Cloud Run to detect unhealthy instances, stop routing traffic to failing containers, and restart problematic instances maintaining service availability.

The health endpoint implementation should perform lightweight checks verifying the application can process requests successfully. Typical checks include verifying critical dependencies like database connections, checking that required services respond, validating configuration loaded correctly, and confirming internal state remains consistent. Checks should complete within seconds avoiding timeout issues. The endpoint returns HTTP 200 when all checks pass or HTTP 503 or other error codes when problems are detected.

Cloud Run automatically performs health checks during container startup and periodically during operation. Startup checks verify containers reach healthy states before receiving production traffic preventing requests from routing to incomplete initializations. Periodic liveness checks detect containers entering unhealthy states during operation. Failed health checks trigger automatic container restarts and traffic redirection maintaining service availability without manual intervention.

Configuration options control health check behavior including initial delay before first check allowing slow-starting applications time to initialize, check interval determining how frequently Cloud Run probes containers, timeout duration specifying maximum acceptable response time, and failure threshold setting how many consecutive failures trigger restart. Proper tuning prevents false positives from transient issues while ensuring rapid detection of genuine problems.

Metrics endpoints serve monitoring rather than health verification. Status and version endpoints provide information but don’t indicate operational health. The /health endpoint specifically fulfills the health check contract Cloud Run expects enabling automated availability management that maintains service reliability through automatic failure detection and recovery.