- (Topic 10)
For this question, refer to the EHR Healthcare case study. You need to define the technical architecture for securely deploying workloads to Google Cloud. You also need to ensure that only verified containers are deployed using Google Cloud services. What should you do? (Choose two.)

1. A. Enable Binary Authorization on GKE, and sign containers as part of a CI/CD pipeline.
2. B. Configure Jenkins to utilize Kritis to cryptographically sign a container as part of a CI/CD pipeline.
3. C. Configure Container Registry to only allow trusted service accounts to create and deploy containers from the registry.
4. D. Configure Container Registry to use vulnerability scanning to confirm that there are no vulnerabilities before deploying the workload.

Correct Answer: A
Binary Authorization to ensure only verified containers are deployed To ensure deployment are secure and and consistent, automatically scan images for
vulnerabilities with container analysis (https://cloud.google.com/docs/ci-cd/overview?hl=en&skip_cache=true)

- (Topic 5)
Your company has developed a monolithic, 3-tier application to allow external users to upload and share files. The solution cannot be easily enhanced and lacks reliability. The development team would like to re-architect the application to adopt microservices and a fully managed service approach, but they need to convince their leadership that the effort is worthwhile. Which advantage(s) should they highlight to leadership?

1. A. The new approach will be significantly less costly, make it easier to manage the underlying infrastructure, and automatically manage the CI/CD pipelines.
2. B. The monolithic solution can be converted to a container with Docke
3. C. The generatedcontainer can then be deployed into a Kubernetes cluster.
4. D. The new approach will make it easier to decouple infrastructure from application, develop and release new features, manage the underlying infrastructure, manage CI/CD pipelines and perform A/B testing, and scale the solution if necessary.
5. E. The process can be automated with Migrate for Compute Engine.

Correct Answer: C
The new approach will make it easier to decouple infrastructure from an application, develop and release new features, manage the underlying infrastructure, manage CI/CD pipelines and perform A/B testing, and scale the solution if necessary.

- (Topic 5)
You need to develop procedures to test a disaster plan for a mission-critical application. You want to use
Google-recommended practices and native capabilities within GCP. What should you do?

1. A. Use Deployment Manager to automate service provisionin
2. B. Use Activity Logs to monitor and debug your tests.
3. C. Use Deployment Manager to automate provisionin
4. D. Use Stackdriver to monitor and debug your tests.
5. E. Use gcloud scripts to automate service provisionin
6. F. Use Activity Logs monitor and debug your tests.
7. G. Use automated scripts to automate service provisionin
8. H. Use Activity Logs monitor and debug your tests.

Correct Answer: B
https://cloud.google.com/solutions/dr-scenarios-planning-guide

- (Topic 5)
You are working in a highly secured environment where public Internet access from the Compute Engine VMs is not allowed. You do not yet have a VPN connection to access an on-premises file server. You need to install specific software on a Compute Engine instance. How should you install the software?

1. A. Upload the required installation files to Cloud Storag
2. B. Configure the VM on a subnet with a Private Google Access subne
3. C. Assign only an internal IP address to the V
4. D. Download the installation files to the VM using gsutil.
5. E. Upload the required installation files to Cloud Storage and use firewall rules to block all traffic except the IP address range for Cloud Storag
6. F. Download the files to the VM using gsutil.
7. G. Upload the required installation files to Cloud Source Repositorie
8. H. Configure the VM on a subnet with a Private Google Access subne
9. I. Assign only an internal IP address to the V
10. J. Download the installation files to the VM using gcloud.
11. K. Upload the required installation files to Cloud Source Repositories and use firewall rules to block all traffic except the IP address range for Cloud Source Repositorie
12. L. Download the files to the VM using gsutil.

Correct Answer: A
https://cloud.google.com/vpc/docs/private-access-options#pga-supported

- (Topic 5)
You have deployed several instances on Compute Engine. As a security requirement, instances cannot have a public IP address. There is no VPN connection between Google
Cloud and your office, and you need to connect via SSH into a specific machine without violating the security requirements. What should you do?

1. A. Configure Cloud NAT on the subnet where the instance is hoste
2. B. Create an SSH connection to the Cloud NAT IP address to reach the instance.
3. C. Add all instances to an unmanaged instance grou
4. D. Configure TCP Proxy Load Balancing with the instance group as a backen
5. E. Connect to the instance using the TCP Proxy IP.
6. F. Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel Use
7. G. Use the gcloud command line tool to ssh into the instance.
8. H. Create a bastion host in the network to SSH into the bastion host from your office locatio
9. I. From the bastion host, SSH into the desired instance.

Correct Answer: C
https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_with_ssh
Leveraging the BeyondCorp security model. "This January, we enhanced context-aware access capabilities in Cloud Identity-Aware Proxy (IAP) to help you protect SSH and RDP access to your virtual machines (VMs)—without needing to provide your VMs with public IP addresses, and without having to set up bastion hosts. " https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware- access-to-vms-via-ssh-and-rdp-without-bastion-hosts
Reference: https://cloud.google.com/solutions/connecting-securely