Google Cloud Architect Certification Exam: Wrong-Answer Collection 5
D. Store static content such as HTML and images in a Cloud Storage bucket. Use Cloud Functions to host the APIs and save the user data in Firestore.
- Storing static content in a Cloud Storage bucket is a cost-effective and efficient way to serve static assets like HTML and images.
- Using Cloud Functions to host APIs allows for a serverless architecture, which can easily scale based on demand without the need to manage infrastructure.
- Firestore is a NoSQL document database that provides scalability and reliability, making it a good choice for storing user data in a cost-effective manner.
The correct answer is C. Export logs to a Pub/Sub topic, and trigger Cloud Function with the relevant log events.
Exporting logs to a Pub/Sub topic and triggering a Cloud Function with the relevant log events is a common practice for monitoring and reacting quickly to anomalies in Google Cloud. Pub/Sub is a messaging service that allows decoupling of services and provides reliable and scalable event delivery. By exporting logs to a Pub/Sub topic, you can set up subscriptions to trigger Cloud Functions for processing log events in real time. Cloud Functions are serverless functions that can be used to respond to events in near real-time, making them an ideal choice for reacting quickly to anomalies detected in logs.
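The handler side of that pipeline, as an added example that is not part of the original notes: a Pub/Sub-triggered Cloud Function receives each exported LogEntry base64-encoded in `event["data"]`, decodes it, and decides whether it is worth acting on (here: severity at or above ERROR, or an audit-log method such as an IAM policy or firewall change). The sink filter quoted in the docstring, the `WATCHED_METHODS` table, `PROJECT_ID`/`TOPIC_ID` and the sample entries are all constructed for the example.

```python
"""Cloud Function handler for LogEntry messages delivered through a Logging sink
to Pub/Sub. Added example; assumes a sink created along the lines of

  gcloud logging sinks create anomaly-sink \
      pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_ID \
      --log-filter='severity>=ERROR OR protoPayload.methodName:"SetIamPolicy"'

(PROJECT_ID / TOPIC_ID are placeholders) and a Python Cloud Function deployed
with the Pub/Sub trigger, whose entry point has the signature entry(event, context).
"""
import base64
import json
from typing import Any, Dict, Optional

# Cloud Logging severities in increasing order.
SEVERITY_RANK = {"DEFAULT": 0, "DEBUG": 1, "INFO": 2, "NOTICE": 3, "WARNING": 4,
                 "ERROR": 5, "CRITICAL": 6, "ALERT": 7, "EMERGENCY": 8}

# Audit-log method names (suffix match) that a responder wants to see promptly.
# Assumed watch-list for the example; extend to taste.
WATCHED_METHODS = {
    "SetIamPolicy": "IAM policy changed",
    "v1.compute.firewalls.insert": "firewall rule created",
    "v1.compute.firewalls.patch": "firewall rule modified",
}


def decode_pubsub_message(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pub/Sub hands the exported LogEntry to the function as base64 JSON."""
    raw = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(raw)


def classify(entry: Dict[str, Any]) -> Optional[str]:
    """Return a short reason if the entry is an anomaly, otherwise None."""
    severity = entry.get("severity", "DEFAULT")
    if SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK["ERROR"]:
        return f"severity {severity}"
    method = entry.get("protoPayload", {}).get("methodName", "")
    for suffix, reason in WATCHED_METHODS.items():
        if method.endswith(suffix):
            return reason
    return None


def handle_log_event(event: Dict[str, Any], context: Any = None) -> Optional[Dict[str, Any]]:
    """Cloud Function entry point. Returns the alert it raised, or None."""
    entry = decode_pubsub_message(event)
    reason = classify(entry)
    if reason is None:
        return None
    proto = entry.get("protoPayload", {})
    alert = {
        "reason": reason,
        "timestamp": entry.get("timestamp"),
        "principal": proto.get("authenticationInfo", {}).get("principalEmail"),
        "resource": entry.get("resource", {}).get("type"),
        "log_name": entry.get("logName"),
    }
    # In a deployed function this is where you would notify or open a ticket.
    print(json.dumps(alert))
    return alert


def make_event(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap a LogEntry dict the way Pub/Sub would deliver it (test helper)."""
    return {"data": base64.b64encode(json.dumps(entry).encode("utf-8")).decode("ascii")}


# Constructed sample entries, not real log data.
SAMPLE_IAM_CHANGE = {
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "severity": "NOTICE",
    "timestamp": "2024-05-01T12:00:00Z",
    "resource": {"type": "project"},
    "protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
    },
}
SAMPLE_INFO = {
    "logName": "projects/example-project/logs/app",
    "severity": "INFO",
    "timestamp": "2024-05-01T12:00:01Z",
    "resource": {"type": "cloud_run_revision"},
    "textPayload": "request served",
}

if __name__ == "__main__":
    handle_log_event(make_event(SAMPLE_IAM_CHANGE))
    handle_log_event(make_event(SAMPLE_INFO))
```

Keep the sink filter narrow: the function is billed per invocation, and a broad filter turns the sink into a firehose that adds latency to exactly the events you wanted to react to quickly.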
Overall explanation
The correct answer is C. Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to SSH into the instance.
- Identity-Aware Proxy (IAP) is a Google Cloud service that provides secure remote access to Google Cloud resources without the need for a VPN. By configuring IAP on the instance, you can securely access it without a public IP address.
- To use IAP for SSH access, you need to have the role of IAP-secured Tunnel User, which allows you to establish secure tunnels to your instances using IAP.
- Using the gcloud command line tool, you can establish an SSH connection to the instance through IAP, ensuring secure access without violating the security requirements.
Why the other options are incorrect:
D. Creating a bastion host in the network and SSHing into the bastion host from your office location, then from the bastion host to the desired instance, does not comply with the security requirement of instances not having a public IP address. Bastion hosts are typically used to provide secure access to instances in private networks, but in this case, direct SSH access to the instance is required without a public IP address.
The correct answer is C: Assign the development team group the Project Owner role on the Shopping folder, and remove the development team group Project Owner role from the Organization.
Assigning the development team group the Project Owner role on the Shopping folder allows them to create resources in the Shopping folder but not in the Finance folder. By removing the Project Owner role from the Organization, you prevent the development team from creating resources in projects in the Finance folder because they no longer have the necessary permissions at the Organization level.
- Using an unmanaged instance group allows you to have full control over the instances and their configurations, which is required in this scenario where the application needs full control over the data on the file system.
- Having an active and a standby instance in different zones ensures high availability in case of any incidents or failures, as the standby instance can take over if the active instance goes down.
- Using a regional persistent disk ensures that the data on the file system is available and consistent across different zones.
- Using a network load balancer in front of the instances allows you to distribute incoming traffic evenly and efficiently to the instances.
Now, let's explain why the other options are incorrect:
- Option A suggests using an HTTP load balancer, which is not suitable for TCP traffic. Additionally, using Cloud Filestore may not provide the required control over the data on the file system.
Deploy a new revision to Cloud Run with the new version. Configure traffic percentage between revisions.
- Deploying a new revision to Cloud Run with the new version allows you to have multiple versions of your application running simultaneously.
- By configuring the traffic percentage between revisions, you can control how much traffic is directed to the new version and the existing version, allowing you to evaluate the new code with a subset of production traffic.
C. Binary logging: Binary logging records changes to the database so that in the event of a catastrophic failure, you can replay the changes from the binary logs to restore the database to a consistent state without losing data.
D. Automated backups: Automated backups regularly take snapshots of your database, allowing you to restore it to a specific point in time in case of data loss or corruption.
E. Semisynchronous replication: Semisynchronous replication ensures that at least one replica has received and acknowledged a transaction before it is committed on the primary database. While this can improve data durability, it does not directly address data loss in case of catastrophic failure.
You work for a sports association whose members are between 8 and 30 years old. A large amount of health data about them, including injury data, is stored in BigQuery. Legislation requires that this data be deleted upon request from the data subject.
A. Use a unique identifier for each individual. Upon a deletion request, delete all rows from BigQuery with this identifier.
This option is the correct answer because it ensures compliance with the legislation that requires deletion of personal information upon request. By using a unique identifier for each individual, you can easily identify and delete all rows associated with that individual in BigQuery when a deletion request is received. This method allows for efficient and complete removal of the subject's data from the database.
Now, let's explain why the other options are incorrect:
B. When ingesting new data in BigQuery, run the data through the Data Loss Prevention (DLP) API to identify any personal information. As part of the DLP scan, save the result to Data Catalog. Upon a deletion request, query Data Catalog to find the column with personal information.
- This option focuses on identifying personal information using DLP and saving the results to Data Catalog. While this is a good practice for data protection, it does not directly address the requirement of deleting data upon request. Querying Data Catalog to find personal information columns does not guarantee efficient deletion of individual data upon request.
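What a deletion request under option A looks like in practice, as an added example that is not part of the original notes: one parameterized DML `DELETE` per table that carries the member identifier, with the identifier passed as a query parameter rather than spliced into the SQL text, a report of tables that lack the column (so they are reviewed instead of silently skipped), and a post-deletion count check. `run_query` is an in-memory stand-in for submitting the statement through the BigQuery client; the column name `member_id`, the table names and the rows are constructed sample values.

```python
"""Subject-erasure helper for a BigQuery dataset keyed by a per-member identifier.
Added example, not from the original notes. With the real client each statement
would be submitted as client.query(sql, job_config=QueryJobConfig(
query_parameters=[ScalarQueryParameter("member_id", "STRING", subject_id)]));
run_query below stands in for that call and operates on in-memory rows."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List

ID_COLUMN = "member_id"  # assumed name of the unique identifier column
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")  # project.dataset.table characters


@dataclass
class Table:
    """Fully qualified table name, its columns and (for the stand-in) its rows."""
    name: str
    columns: List[str]
    rows: List[Dict[str, Any]] = field(default_factory=list)


def deletion_sql(table: Table) -> str:
    """DML that removes every row for one subject; the value is a query
    parameter (@member_id), never interpolated into the statement."""
    if not _SAFE_NAME.fullmatch(table.name):
        raise ValueError(f"unsafe table name: {table.name!r}")
    if ID_COLUMN not in table.columns:
        raise ValueError(f"{table.name} has no {ID_COLUMN} column")
    return f"DELETE FROM `{table.name}` WHERE {ID_COLUMN} = @{ID_COLUMN}"


def remaining_sql(table: Table) -> str:
    """Post-deletion verification: rows still carrying the identifier."""
    return f"SELECT COUNT(*) AS remaining FROM `{table.name}` WHERE {ID_COLUMN} = @{ID_COLUMN}"


def run_query(table: Table, sql: str, params: Dict[str, Any]) -> int:
    """In-memory stand-in for the BigQuery client. Returns the number of rows
    deleted for a DELETE, or the remaining-row count for the SELECT."""
    value = params[ID_COLUMN]
    matching = [r for r in table.rows if r.get(ID_COLUMN) == value]
    if sql.startswith("DELETE"):
        table.rows = [r for r in table.rows if r.get(ID_COLUMN) != value]
    return len(matching)


def erase_subject(subject_id: str, tables: List[Table]) -> Dict[str, Any]:
    """Delete all rows for one subject across every table that carries the
    identifier, report tables that do not, and verify nothing remains."""
    params = {ID_COLUMN: subject_id}
    report: Dict[str, Any] = {"deleted": {}, "remaining": {}, "skipped": [], "statements": []}
    for table in tables:
        if ID_COLUMN not in table.columns:
            report["skipped"].append(table.name)  # needs human review
            continue
        sql = deletion_sql(table)
        report["statements"].append(sql)
        report["deleted"][table.name] = run_query(table, sql, params)
        report["remaining"][table.name] = run_query(table, remaining_sql(table), params)
    if any(report["remaining"].values()):
        raise RuntimeError(f"rows for {subject_id} still present: {report['remaining']}")
    return report


def sample_tables() -> List[Table]:
    """Constructed sample data; names and rows are not from any real dataset."""
    return [
        Table("proj.health.members", ["member_id", "name", "dob"], [
            {"member_id": "m-0042", "name": "A.", "dob": "2010-05-01"},
            {"member_id": "m-0043", "name": "B.", "dob": "2001-09-12"},
        ]),
        Table("proj.health.injuries", ["member_id", "date", "injury"], [
            {"member_id": "m-0042", "date": "2023-03-02", "injury": "sprain"},
            {"member_id": "m-0042", "date": "2023-11-19", "injury": "fracture"},
            {"member_id": "m-0043", "date": "2024-01-08", "injury": "strain"},
        ]),
        Table("proj.health.events", ["event_id", "venue"], [
            {"event_id": "e-1", "venue": "north hall"},
        ]),
    ]


if __name__ == "__main__":
    print(erase_subject("m-0042", sample_tables()))
```

The `skipped` list is the part worth keeping in a real deployment: the scheme only works if every table that holds member data actually has the identifier column, so a table without it is a gap in the erasure process, not something to pass over. Bear in mind that BigQuery's time-travel window still lets deleted rows be queried for a period after the DML runs, so the request is not fully honoured until that window has elapsed.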
- App Engine is a fully managed platform that lets developers deploy applications easily without worrying about the underlying infrastructure. This platform-as-a-service (PaaS) offering is designed to let developers focus on writing code and deploying applications quickly.
- App Engine provides built-in mechanisms for staging new versions of applications in the production environment, making it easy for developers to test and deploy changes.
- With App Engine, you can set up different versions of an application so that they can be staged and tested easily before a new version is promoted to production.
- App Engine also provides tools for managing access control and permissions, which lets an outsourced operations team promote staged versions to production autonomously while minimizing operational overhead.
C. Compute Engine:
- Compute Engine provides virtual machines that can be used to run applications, but it requires more manual configuration and management compared to App Engine.
- Using Compute Engine would require more operational overhead in setting up and managing the virtual machines, which goes against the goal of minimizing operational overhead in this scenario.
D. Google Kubernetes Engine (GKE):
- Google Kubernetes Engine is a managed Kubernetes service that allows you to deploy, manage, and scale containerized applications using Kubernetes. While GKE provides more control and flexibility compared to App Engine, it also requires more operational overhead to manage the Kubernetes clusters.
- Using GKE would involve more complexity in setting up and managing Kubernetes clusters, which may not be the best choice for minimizing operational overhead in this scenario where the goal is to allow easy staging and autonomous promotion of application versions.
Option C:
1. Setting up Cloud VPN establishes a secure connection between the Compute Engine application and the on-premises MySQL server.
2. Stopping the on-premises application ensures no data changes occur during the migration.
3. Starting the Compute Engine application configured to read and write to the on-premises MySQL server allows the application to continue functioning with the existing database.
4. Creating a replication configuration in Cloud SQL sets up replication between the on-premises MySQL server and Cloud SQL, ensuring data consistency.
5. Configuring the source database server to accept connections from the Cloud SQL replica ensures that replication can occur.
6. Finalizing the Cloud SQL replica configuration ensures that the data is synchronized.
7. Stopping the Compute Engine application at this point ensures that no data loss occurs during the cutover.
8. Promoting the Cloud SQL replica to a standalone instance allows the application to switch to using Cloud SQL seamlessly.
9. Restarting the Compute Engine application configured to read and write to the Cloud SQL standalone instance completes the migration with minimal downtime and no data loss.
In short: replication between on-premises and cloud, then promote the replica to a standalone instance.
Option A:
- This option involves modifying the source code of the application to read from both databases, which is not a minimal modification approach.
- The process of writing queries to both databases and reading from its local database can introduce complexity and potential data consistency issues during the migration.
Option B:
- This option involves setting up Cloud SQL proxy and MySQL proxy, which can add unnecessary complexity to the migration process.
- Stopping the on-premises application after importing data to Cloud SQL can result in potential data loss if there are any changes made to the on-premises database during the migration.
Option D:
- This option involves importing data to Cloud SQL before starting the application on Compute Engine, which can result in downtime and potential data loss during the migration.
- The application should be running and reading from the on-premises database until the cutover is completed to minimize downtime and data loss.
In conclusion, option C provides a structured approach to migrating the application with minimal modifications, minimal downtime, and no data loss to customers.