Google Associate Cloud Engineer - Practice Test 1
You are managing a custom mode VPC network in Google Cloud. A specific subnet, configured with the IP range 10.0.0.0/20, is experiencing a shortage of primary internal IP addresses for its virtual machines. To address this, you need to expand the available IP addresses for these VMs without disrupting existing configurations unnecessarily. What is the most appropriate action to take?
Secondary ranges do not relieve a shortage of primary addresses: a VM's primary internal IP always comes from the subnet's primary range, and a secondary range only supplies alias IP addresses (for GKE Pods, or several services on one NIC). The action that fits the question is to expand the primary range in place with `gcloud compute networks subnets expand-ip-range`, which is non-disruptive: existing VMs keep their addresses and configuration, and the subnet simply gains more usable addresses. The new range must use a shorter prefix and contain the current 10.0.0.0/20 (for example /19 or /16), and it must not overlap any other subnet in the VPC or in a peered VPC. A primary range can be grown but never shrunk, so pick the new prefix with future growth in mind. Adding a non-overlapping secondary range such as 10.1.0.0/20 is the right tool only when the shortage is of alias IP addresses, not primary ones.
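The expansion above is easy to get wrong by requesting a range that collides with a neighbouring subnet, and the command refuses to shrink a range. The script below is an added example, not part of the practice test: it models the constraints `expand-ip-range` enforces (the range can only grow, the result is the enclosing block at the shorter prefix, and it must not overlap other subnets) and prints the gcloud command, running it only when explicitly asked. The subnet name, region and neighbouring ranges are constructed sample data.

```python
"""Plan a non-disruptive primary-range expansion for a Compute Engine subnet.

Added example (not part of the practice test). It models the checks GCP applies
to `gcloud compute networks subnets expand-ip-range`: the new prefix must be
shorter, the new range is the supernet that contains the existing one, and it
must not overlap any other subnet range in the VPC or a peered VPC.
"""
import ipaddress
import subprocess

# Constructed sample data: the crowded subnet and its neighbours in the VPC.
SUBNET_NAME, REGION = "app-subnet", "us-central1"
CURRENT_RANGE = "10.0.0.0/20"
OTHER_SUBNET_RANGES = ["10.0.32.0/20", "10.8.0.0/16"]


def plan_expansion(current: str, new_prefix_len: int, others: list) -> ipaddress.IPv4Network:
    """Return the range the subnet will have after expansion, or raise ValueError.

    GCP computes the new range itself: it is the supernet of the existing range
    at the requested prefix length, so the first address can move
    (10.0.16.0/20 expanded to /19 becomes 10.0.0.0/19).
    """
    cur = ipaddress.ip_network(current, strict=True)
    if new_prefix_len >= cur.prefixlen:
        raise ValueError(
            f"ranges can only grow: /{new_prefix_len} is not shorter than /{cur.prefixlen}")
    new = cur.supernet(new_prefix=new_prefix_len)
    for other in others:
        if new.overlaps(ipaddress.ip_network(other, strict=True)):
            raise ValueError(f"{new} would overlap existing subnet range {other}")
    return new


def safe_to_expand(current: str, new_prefix_len: int, others: list) -> bool:
    """Boolean wrapper around plan_expansion for scripts that only need a go/no-go."""
    try:
        plan_expansion(current, new_prefix_len, others)
        return True
    except ValueError:
        return False


def expand_argv(subnet: str, region: str, new_prefix_len: int) -> list:
    """gcloud command that grows the range in place; existing VMs keep their IPs."""
    return ["gcloud", "compute", "networks", "subnets", "expand-ip-range", subnet,
            "--region", region, "--prefix-length", str(new_prefix_len)]


def main(apply: bool = False) -> None:
    new = plan_expansion(CURRENT_RANGE, 19, OTHER_SUBNET_RANGES)
    argv = expand_argv(SUBNET_NAME, REGION, new.prefixlen)
    print(f"{CURRENT_RANGE} -> {new} ({new.num_addresses} addresses)")
    print(" ".join(argv))
    if apply:  # needs gcloud and permission on the project; off by default
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    main()
```

With the sample neighbours, growing to /19 is accepted while /16 is rejected because 10.0.0.0/16 would swallow 10.0.32.0/20; that is exactly the error the API would return, caught before anything is changed.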
Your organization utilizes a central Google Cloud project for numerous services, alongside dedicated projects for development and testing. The DevOps team requires access to all production services to fulfill their responsibilities. You need to ensure that future Google Cloud product updates do not inadvertently expand their permissions. Following Google's recommended practices, what action should you take?
Creating a custom role that contains only the permissions the DevOps team actually needs follows the principle of least privilege. Granting it at the production project level scopes the access to that project, so it cannot reach the development and test projects or organization-level resources. A custom role also satisfies the requirement about future product changes: Google adds new permissions to predefined roles (such as roles/editor) as products launch, but never modifies a custom role, so the team's access stays exactly what you defined until you change it. The trade-off is that you must review the role yourself when a product adds a permission the team genuinely needs.
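Because the custom role is frozen, the operational chore is noticing when the predefined role it was carved from gains permissions and deciding whether to adopt them. The script below is an added example, not part of the practice test: it builds the role file that `gcloud iam roles create --file` accepts and diffs the custom permission set against a predefined role's current `includedPermissions`. The project ID, role ID and both permission lists are constructed sample data; in practice you would obtain the predefined list with `gcloud iam roles describe roles/<name> --format=json`.

```python
"""Create a least-privilege custom role and detect drift from the predefined role.

Added example (not part of the practice test). Google updates predefined roles
but never touches custom roles, so new permissions must be reviewed by a human
and added deliberately. All identifiers and permission lists are constructed.
"""
import json
import pathlib
import subprocess

PROJECT_ID = "prod-project-123"   # constructed
ROLE_ID = "devopsProdOperator"    # constructed

# Constructed sample: what the DevOps team needs in the production project.
CUSTOM_PERMS = [
    "compute.instances.get", "compute.instances.list",
    "compute.instances.reset", "logging.logEntries.list",
]
# Constructed sample: includedPermissions of a predefined role as described today.
PREDEFINED_PERMS_TODAY = [
    "compute.instances.get", "compute.instances.list", "compute.instances.reset",
    "compute.instances.start", "compute.instances.stop",
]


def role_definition(role_id: str, perms: list) -> dict:
    """File body for `gcloud iam roles create ROLE_ID --project P --file role.json`."""
    return {
        "title": f"{role_id} (production only)",
        "description": "Scoped to the production project; reviewed on every drift report.",
        "stage": "GA",
        "includedPermissions": sorted(set(perms)),
    }


def create_role_argv(role_id: str, project: str, definition_path: str) -> list:
    return ["gcloud", "iam", "roles", "create", role_id,
            "--project", project, "--file", definition_path]


def describe_predefined_argv(predefined_role: str) -> list:
    """Fetch a predefined role as JSON; feed its includedPermissions to drift()."""
    return ["gcloud", "iam", "roles", "describe", predefined_role, "--format", "json"]


def drift(custom: list, predefined: list) -> dict:
    """Permissions the predefined role has that the custom role lacks (candidates
    to review) and permissions the custom role grants beyond it (worth a second
    look). Nothing is applied automatically; that is the whole point."""
    c, p = set(custom), set(predefined)
    return {"missing_from_custom": sorted(p - c), "extra_in_custom": sorted(c - p)}


def main(apply: bool = False) -> None:
    path = pathlib.Path("role.json")
    path.write_text(json.dumps(role_definition(ROLE_ID, CUSTOM_PERMS), indent=2))
    print(" ".join(create_role_argv(ROLE_ID, PROJECT_ID, str(path))))
    print(json.dumps(drift(CUSTOM_PERMS, PREDEFINED_PERMS_TODAY), indent=2))
    if apply:  # needs gcloud and iam.roles.create on the project; off by default
        subprocess.run(create_role_argv(ROLE_ID, PROJECT_ID, str(path)), check=True)


if __name__ == "__main__":
    main()
```

Run the drift report from a scheduled job against the live `describe` output; a non-empty `missing_from_custom` is a review ticket, not an automatic grant.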
You are developing a multi-tenant application on Google Kubernetes Engine (GKE) where each customer's Pod runs potentially untrusted, arbitrary code. To enhance security and maximize isolation between these customer Pods within a single GKE cluster, what is the most effective approach?
To maximize isolation for untrusted code in GKE, use GKE Sandbox, which runs each Pod under gVisor. gVisor interposes a user-space kernel between the container and the host kernel, so customer code that exploits a kernel bug from inside its container still has to break out of the sandbox before it can reach the node or a neighbouring tenant's Pod. Create a node pool with the sandbox enabled (`--sandbox type=gvisor`) and set `runtimeClassName: gvisor` in each customer Pod's spec; GKE schedules those Pods onto the sandboxed nodes. Keep trusted system workloads in a separate node pool, because privileged containers are not supported inside the sandbox and such Pods would otherwise have to be scheduled elsewhere.
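Setting `runtimeClassName` is only half the job: a tenant manifest that also asks for host namespaces, a privileged container or a hostPath mount either fails to schedule or undermines the boundary. The script below is an added example, not part of the practice test or of GKE: it pins a Pod to the `gvisor` RuntimeClass and rejects those settings first. It assumes a node pool created with `gcloud container node-pools create sandbox-pool --cluster CLUSTER --sandbox type=gvisor` and the `gvisor` RuntimeClass GKE registers for it; the policy checks are this example's own, not a GKE admission control, and both Pod manifests are constructed.

```python
"""Pin untrusted tenant Pods to GKE Sandbox (gVisor) and refuse bypasses.

Added example (not part of the practice test). The violation list is this
example's own policy for a multi-tenant cluster; GKE's own scheduler applies its
documented limitations separately. Both manifests are constructed samples.
"""
import json

GVISOR_RUNTIME_CLASS = "gvisor"  # RuntimeClass name GKE registers for sandbox node pools

# Constructed sample: a tenant Pod as a customer might submit it.
TENANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "tenant-a-job", "namespace": "tenant-a"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "job", "image": "registry.example/tenant-a/job:1",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: a Pod that can be sandboxed as-is.
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "tenant-b-job", "namespace": "tenant-b"},
    "spec": {
        "containers": [{
            "name": "job", "image": "registry.example/tenant-b/job:1",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
        }],
    },
}


def sandbox_violations(pod: dict) -> list:
    """Settings that hand the workload host access the sandbox is meant to deny."""
    spec = pod.get("spec", {})
    problems = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            problems.append(f"spec.{key} must not be set for a sandboxed tenant")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']}: privileged containers cannot be sandboxed")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            problems.append(f"volume {v['name']}: hostPath mounts bypass the sandbox")
    return problems


def enforce_sandbox(pod: dict) -> dict:
    """Return a copy pinned to the gvisor RuntimeClass, or raise if it cannot be sandboxed."""
    problems = sandbox_violations(pod)
    if problems:
        raise ValueError("; ".join(problems))
    hardened = json.loads(json.dumps(pod))  # deep copy; the caller's manifest is untouched
    hardened["spec"]["runtimeClassName"] = GVISOR_RUNTIME_CLASS
    return hardened


if __name__ == "__main__":
    for pod in (TENANT_POD, SAFE_POD):
        try:
            print(json.dumps(enforce_sandbox(pod), indent=2))  # pipe to kubectl apply -f -
        except ValueError as err:
            print(f"rejected {pod['metadata']['name']}: {err}")
```

The same checks belong in an admission webhook or a Policy Controller constraint so that tenants cannot submit manifests that skip them; this script is the local, testable form of that policy.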
You have deployed an LDAP server on a Google Compute Engine virtual machine (VM) that uses TLS over UDP port 636 for client communication. You need to ensure that external clients can successfully connect to this LDAP server. What is the most appropriate action to take?
To allow incoming connections to a Compute Engine VM you need a VPC firewall rule with direction ingress that permits the listener's protocol and port (here udp:636) and applies to that VM. Rules are attached to instances by target: a network tag, a service account, or all instances in the network. Add a tag such as ldap-server to the VM, then create an ingress allow rule that targets that tag, permits udp:636, and restricts the source ranges to the client networks that need access rather than 0.0.0.0/0. Two practical checks: the rule's protocol must match what the server actually binds (LDAP over TLS is in practice carried over TCP, so the UDP wording in the question is unusual; create the rule for whichever protocol the daemon listens on), and a higher-priority deny rule would still block the traffic, so confirm the effective rules with `gcloud compute firewall-rules list` before declaring the server reachable.
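Before adding a rule it is worth knowing whether an existing one already admits the port to the tagged VM, and after adding it, that it really applies. The script below is an added example, not part of the practice test: it parses the JSON that `gcloud compute firewall-rules list --format=json` produces, reports which enabled ingress rules admit a given protocol and port to VMs carrying a tag (rules with no target apply to every VM in the network; port entries may be ranges), and builds the tagging and rule-creation commands. The network name, tag, source range and the sample rule list are constructed.

```python
"""Check which VPC firewall rules admit a port to a tagged VM, and build the rule.

Added example (not part of the practice test). `parse_rules` reads the JSON
shape of `gcloud compute firewall-rules list --format=json`; the sample below
is constructed in that shape. Network, tag and source range are assumptions.
"""
import json
import subprocess
from typing import Optional

NETWORK, TAG, PORT = "prod-vpc", "ldap-server", 636   # assumptions
CLIENT_RANGES = ["203.0.113.0/24"]                   # assumption: the external clients

# Constructed sample output of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-ssh-iap", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["35.235.240.0/20"]},                       # no target: all VMs
    {"name": "allow-ldap-tcp", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["389", "636"]}],
     "targetTags": ["ldap-server"], "sourceRanges": ["203.0.113.0/24"]},
])


def parse_rules(raw_json: str) -> list:
    return json.loads(raw_json)


def fetch_rules_live(network: str) -> list:
    """Same data from a real project; needs gcloud and compute.firewalls.list."""
    out = subprocess.run(["gcloud", "compute", "firewall-rules", "list", "--format", "json",
                          "--filter", f"network:{network}"], check=True, capture_output=True, text=True)
    return parse_rules(out.stdout)


def _port_in(port: int, spec: Optional[list]) -> bool:
    """`ports` may be absent (all ports), single numbers, or ranges like "600-700"."""
    if not spec:
        return True
    for item in spec:
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rules_admitting(rules: list, tag: str, protocol: str, port: int) -> list:
    """Names of enabled ingress rules that allow protocol:port to VMs carrying `tag`."""
    hits = []
    for r in rules:
        if r.get("disabled") or r.get("direction") != "INGRESS":
            continue
        targets = r.get("targetTags")
        if targets is not None and tag not in targets:
            continue                       # targets other tags
        if r.get("targetServiceAccounts"):
            continue                       # targets service accounts, not our tag
        for a in r.get("allowed", []):
            if a["IPProtocol"].lower() in ("all", protocol.lower()) and _port_in(port, a.get("ports")):
                hits.append(r["name"])
                break
    return hits


def add_tag_argv(instance: str, zone: str, tag: str) -> list:
    return ["gcloud", "compute", "instances", "add-tags", instance, "--zone", zone, "--tags", tag]


def create_rule_argv(name: str, network: str, tag: str, protocol: str, port: int, sources: list) -> list:
    return ["gcloud", "compute", "firewall-rules", "create", name, "--network", network,
            "--direction", "INGRESS", "--allow", f"{protocol}:{port}",
            "--target-tags", tag, "--source-ranges", ",".join(sources)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_JSON)
    for proto in ("udp", "tcp"):
        print(f"{proto}:{PORT} admitted by: {rules_admitting(rules, TAG, proto, PORT) or 'nothing'}")
    print(" ".join(add_tag_argv("ldap-vm", "us-central1-a", TAG)))
    print(" ".join(create_rule_argv("allow-ldap-udp", NETWORK, TAG, "udp", PORT, CLIENT_RANGES)))
```

With the sample rules, tcp:636 is already admitted to the tag while udp:636 is not, which is the situation the question describes: the missing piece is a rule for the protocol the server actually uses, scoped to the client ranges rather than the whole Internet.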
Your organization utilizes a single sign-on (SSO) identity provider that supports Security Assertion Markup Language (SAML) integration. Your user accounts are managed within Cloud Identity. You need to configure Cloud Identity so that users authenticate using your organization's existing SSO provider. What is the correct approach?
The scenario describes integrating an existing SAML-based SSO identity provider with Cloud Identity. In this setup your company's SSO provider is the identity provider (IdP) that authenticates users and issues SAML assertions, and Google Cloud Identity is the service provider (SP) that consumes them. You therefore configure Cloud Identity to use a third-party IdP, with Google as the SP: in the Admin console you supply the IdP's sign-in page URL, sign-out URL and verification certificate, and you register Google's assertion consumer service (ACS) URL and entity ID with the IdP. The user accounts must already exist in Cloud Identity (SSO handles authentication, not provisioning), and super administrator accounts are not redirected to the IdP but continue to sign in with their Google password, so they need 2-Step Verification enforced separately.