Question 7

- (Exam Topic 2)
You need to deploy a new European version of a website hosted on Google Kubernetes Engine. The current and new websites must be accessed via the same HTTP(S) load balancer's external IP address, but have different domain names. What should you do?

Correct Answer: B
https://kubernetes.io/docs/concepts/services-networking/ingress/#name-based-virtual-hosting
Name-based virtual hosts support routing HTTP traffic to multiple host names at the same IP address.

Question 8

- (Exam Topic 2)
You need to redesign the ingestion of audit events from your authentication service to allow it to handle a large increase in traffic. Currently, the audit service and the authentication system run in the same Compute Engine virtual machine. You plan to use the following Google Cloud tools in the new architecture:
- Multiple Compute Engine machines, each running an instance of the authentication service
- Multiple Compute Engine machines, each running an instance of the audit service
- Pub/Sub to send the events from the authentication services
How should you set up the topics and subscriptions to ensure that the system can handle a large volume of messages and can scale efficiently?

Correct Answer: A
https://cloud.google.com/pubsub/docs/subscriber
"Multiple subscribers can make pull calls to the same "shared" subscription. Each subscriber will receive a subset of the messages."

Question 9

- (Exam Topic 2)
You need to deploy resources from your laptop to Google Cloud using Terraform. Resources in your Google Cloud environment must be created using a service account. Your Cloud Identity has the roles/iam.serviceAccountTokenCreator Identity and Access Management (IAM) role and the necessary permissions to deploy the resources using Terraform. You want to set up your development environment to deploy the desired resources following Google-recommended best practices. What should you do?

Correct Answer: D
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#file-system
Whenever possible, avoid storing service account keys on a file system. If you can't avoid storing keys on disk, make sure to restrict access to the key file, configure file access auditing, and encrypt the underlying disk.
https://cloud.google.com/iam/docs/best-practices-for-managing-service-account-keys#software-keystore
In situations where using a hardware-based key store isn't viable, use a software-based key store to manage service account keys. Similar to hardware-based options, a software-based key store lets users or applications use service account keys without revealing the private key. Software-based key store solutions can help you control key access in a fine-grained manner and can also ensure that each key access is logged.

Question 10

- (Exam Topic 2)
You are running a web application on Google Kubernetes Engine that you inherited. You want to determine whether the application is using libraries with known vulnerabilities or is vulnerable to XSS attacks. Which service should you use?

Correct Answer: C
https://cloud.google.com/security-command-center/docs/concepts-web-security-scanner-overview
Web Security Scanner identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. It crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible.

Question 11

- (Exam Topic 2)
You have an application written in Python running in production on Cloud Run. Your application needs to read/write data stored in a Cloud Storage bucket in the same project. You want to grant access to your application following the principle of least privilege. What should you do?

Correct Answer: A
https://cloud.google.com/iam/docs/understanding-roles#storage.admin

Question 12

- (Exam Topic 2)
You work for an organization that manages an ecommerce site. Your application is deployed behind a global HTTP(S) load balancer. You need to test a new product recommendation algorithm. You plan to use A/B testing to determine the new algorithm’s effect on sales in a randomized way. How should you test this feature?

Correct Answer: A
https://cloud.google.com/load-balancing/docs/https/traffic-management-global#traffic_actions_weight-based_tra
Deploying a new version of an existing production service generally incurs some risk. Even if your tests pass in staging, you probably don't want to subject 100% of your users to the new version immediately. With traffic management, you can define percentage-based traffic splits across multiple backend services.
For example, you can send 95% of the traffic to the previous version of your service and 5% to the new version of your service. After you've validated that the new production version works as expected, you can gradually shift the percentages until 100% of the traffic reaches the new version of your service. Traffic splitting is typically used for deploying new versions, A/B testing, service migration, and similar processes.
https://cloud.google.com/traffic-director/docs/advanced-traffic-management#weight-based_traffic_splitting_for_
https://cloud.google.com/architecture/implementing-deployment-and-testing-strategies-on-gke#split_the_traffic_
