Google Associate-Cloud-Engineer Google Cloud Certified - Associate Cloud Engineer Exam Practice Test

Run gcloud projects list to get the project ID, and then run gcloud services list --project .

Run gcloud init to set the current project to my-project, and then run gcloud services list --available.

Run gcloud info to view the account value, and then run gcloud services list --account .

Run gcloud projects describe to verify the project value, and then run gcloud services list --available.

Create and deploy a Custom Resource Definition per microservice.

Create and deploy a Docker Compose File.

Create and deploy a Job per microservice.

Create and deploy a Deployment per microservice.

Use service account credentials in your on-premises application.

Use gcloud to create a key file for the service account that has appropriate permissions.

Set up direct interconnect between your data center and Google Cloud Platform to enable authentication for your on-premises applications.

Go to the IAM & admin console, grant a user account permissions similar to the service account permissions, and use this user account for authentication from your data center.

Enable node auto-provisioning on the GKE cluster.

Create a VerticalPodAutscaler for those workloads.

Create a node pool with preemptible VMs and GPUs attached to those VMs.

Create a node pool of instances with GPUs, and enable autoscaling on this node pool with a minimum size of 1.

Migrate the users to Active Directory. Connect the Human Resources system to Active Directory. Turn on Google Cloud Directory Sync (GCDS) for Cloud Identity. Turn on Identity Federation from Cloud Identity to Active Directory.

Organize the users in Cloud Identity into groups. Enforce multi-factor authentication in Cloud Identity.

Turn on identity federation between Cloud Identity and Google Workspace. Enforce multi-factor authentication for domain wide delegation.

Use a third-party identity provider service through federation. Synchronize the users from Google Workplace to the third-party provider in real time.

Use your existing CI/CD pipeline Use the generated Docker images and deploy them to Cloud Run. Update the configurations and the required endpoints.

Use your existing continuous integration and delivery (CI/CD) pipeline. Use the generated Docker images and deploy them to Cloud Function. Use the same configuration as on-premises.

Use the existing codebase and deploy each service as a separate Cloud Function Update the configurations and the required endpoints.

Use your existing codebase and deploy each service as a separate Cloud Run Use the same configurations as on-premises.

Split the users from business units to multiple projects.

Apply a user- or project-level custom query quota for BigQuery data warehouse.

Create separate copies of your BigQuery data warehouse for each business unit.

Split your BigQuery data warehouse into multiple data warehouses for each business unit.

Change your BigQuery query model from on-demand to flat rate. Apply the appropriate number of slots to each Project.

Fill in local SSD. Fill in persistent disk storage and snapshot storage.

Fill in local SSD. Add estimated cost for cluster management.

Select Add GPUs. Fill in persistent disk storage and snapshot storage.

Select Add GPUs. Add estimated cost for cluster management.

Create a service account with an access scope. Use the access scope ‘https://www.googleapis.com/auth/devstorage.write_only’.

Create a service account with an access scope. Use the access scope ‘https://www.googleapis.com/auth/cloud-platform’.

Create a service account and add it to the IAM role ‘storage.objectCreator’ for that bucket.

Create a service account and add it to the IAM role ‘storage.objectAdmin’ for that bucket.

Update your web application to use the protocol HTTP/2 instead of HTTP/1.1

Set the concurrency number to 1 for your Cloud Run service.

Set the maximum number of instances for your Cloud Run service to 100.

Set the minimum number of instances for your Cloud Run service to 3.

Using the Cloud SDK, create a new project, enable the Compute Engine API in that project, and then create the instance specifying your new project.

Enable the Compute Engine API in the Cloud Console, use the Cloud SDK to create the instance, and then use the ––project flag to specify a new project.

Using the Cloud SDK, create the new instance, and use the ––project flag to specify the new project.

Answer yes when prompted by Cloud SDK to enable the Compute Engine API.

Enable the Compute Engine API in the Cloud Console. Go to the Compute Engine section of the Console to create a new instance, and look for the Create In A New Project option in the creation form.

Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.

Add users to roles/bigquery dataEditor role only, instead of roles/bigquery dataOwner.

Create a custom role by removing delete permissions, and add users to that role only.

Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.

Sync Identities with Cloud Directory Sync, and then enable SAML for single sign-on

Sync Identities in the Google Admin console, and then enable Oauth for single sign-on

Sync identities with 3rd party LDAP sync, and then copy passwords to allow simplified login with (he same credentials

Sync identities with Cloud Directory Sync, and then copy passwords to allow simplified login with the same credentials.

In the Google Cloud console, visualize the costs related to the projects in the Reports section.

In the Google Cloud console, visualize the costs related to the projects in the Cost breakdown section.

In the Google Cloud console, use the export functionality of the Cost table. Create a Looker Studiodashboard on top of the CSV export.

Configure Cloud Billing data export to BigOuery for the billing account. Create a Looker Studio dashboard on top of the BigOuery export.

Disable the flag “Delete boot disk when instance is deleted.”

Enable delete protection on the instance.

Disable Automatic restart on the instance.

Enable Preemptibility on the instance.

Set the europe-west1-d zone as the default zone using the gcloud config subcommand.

In the Settings page for Compute Engine under Default location, set the zone to europe–west1-d.

In the CLI installation directory, create a file called default.conf containing zone=europe–west1–d.

Create a Metadata entry on the Compute Engine page with key compute/zone and value europe–west1–d.

1. Update your instances’ metadata to add the following value: snapshot–schedule: 0 1 * * *

2. Update your instances’ metadata to add the following value: snapshot–retention: 30

1. In the Cloud Console, go to the Compute Engine Disks page and select your instance’s disk.

2. In the Snapshot Schedule section, select Create Schedule and configure the following parameters:

–Schedule frequency: Daily

–Start time: 1:00 AM – 2:00 AM

–Autodelete snapshots after 30 days

1. Create a Cloud Function that creates a snapshot of your instance’s disk.

2.Create a Cloud Function that deletes snapshots that are older than 30 days.

3.Use Cloud Scheduler to trigger both Cloud Functions daily at 1:00 AM.

1. Create a bash script in the instance that copies the content of the disk to Cloud Storage.

2.Create a bash script in the instance that deletes data older than 30 days in the backup Cloud Storage bucket.

3.Configure the instance’s crontab to execute these scripts daily at 1:00 AM.

Use the command gcloud auth login and point it to the private key

Use the command gcloud auth activate-service-account and point it to the private key

Place the private key file in the installation directory of the Cloud SDK and rename it to "credentials ison"

Place the private key file in your home directory and rename it to ‘’GOOGLE_APPUCATION_CREDENTiALS".

Use a custom mode VPC network, configure static routes, and use active/passive routing

Use an automatic mode VPC network, configure static routes, and use active/active routing

Use a custom mode VPC network use Cloud Router border gateway protocol (86P) routes, and use active/passive routing

Use an automatic mode VPC network, use Cloud Router border gateway protocol (BGP) routes and configure policy-based routing

* Create service accounts sa-app and sa-db.

• Associate service account: sa-app with the application servers and the service account sa-db with the database servers.

• Create an ingress firewall rule to allow network traffic from source service account sa-app to target service account sa-db.

• Create network tags app-server and db-server.

• Add the app-server lag lo the application servers and the db-server lag to the database servers.

• Create an egress firewall rule to allow network traffic from source network tag app-server to target network tag db-server.

* Create a service account sa-app and a network tag db-server.

* Associate the service account sa-app with the application servers and the network tag db-server with

the database servers.

• Create an ingress firewall rule to allow network traffic from source VPC IP addresses and target the subnet-a IP addresses.

• Create a network lag app-server and service account sa-db.

• Add the tag to the application servers and associate the service account with the database servers.

• Create an egress firewall rule to allow network traffic from source network tag app-server to target service account sa-db.

1. Create a Cloud Function that uses a Cloud Pub/Sub trigger on that topic.2. Call your application on Cloud Run from the Cloud Function for every message.

1. Grant the Pub/Sub Subscriber role to the service account used by Cloud Run.2. Create a Cloud Pub/Sub subscription for that topic.3. Make your application pull messages from that subscription.

1. Create a service account.2. Give the Cloud Run Invoker role to that service account for your Cloud Run application.3. Create a Cloud Pub/Sub subscription that uses that service account and uses your Cloud Run application as the push endpoint.

1. Deploy your application on Cloud Run on GKE with the connectivity set to Internal.2. Create a Cloud Pub/Sub subscription for that topic.3. In the same Google Kubernetes Engine cluster as your application, deploy a container that takes the messages and sends them to your application.

Verify that both projects are in a GCP Organization. Create a new VPC and add all instances.

Verify that both projects are in a GCP Organization. Share the VPC from one project and request that the Compute Engine instances in the other project use this shared VPC.

Verify that you are the Project Administrator of both projects. Create two new VPCs and add all instances.

Verify that you are the Project Administrator of both projects. Create a new VPC and add all instances.

Use kubect1 to delete the topic resource.

Use gcloud CLI to delete the topic.

Use kubect1 to create the label deleted-by-cnrm and to change its value to true for the topic resource.

Use gcloud CLI to update the topic label managed-by-cnrm to false.

Add the group for the finance team to roles/billing user role.

Add the group for the finance team to roles/billing admin role.

Add the group for the finance team to roles/billing viewer role.

Add the group for the finance team to roles/billing project/Manager role.

For each GCP product in the solution, review the pricing details on the products pricing page. Use the pricing calculator to total the monthly costs for each GCP product.

For each GCP product in the solution, review the pricing details on the products pricing page. Create a Google Sheet that summarizes the expected monthly costs for each product.

Provision the solution on GCP. Leave the solution provisioned for 1 week. Navigate to the Billing Report page in the Google Cloud Platform Console. Multiply the 1 week cost to determine the monthly costs.

Provision the solution on GCP. Leave the solution provisioned for 1 week. Use Stackdriver to determine the provisioned and used resource amounts. Multiply the 1 week cost to determine the monthly costs.

Use labels to group resources that share common IAM policies

Use folders to group resources that share common IAM policies

Set up a proper billing account structure to group IAM policies

Set up a proper project naming structure to group IAM policies

Use gcloud iam roles copy and specify the production project as the destination project.

Use gcloud iam roles copy and specify your organization as the destination organization.

In the Google Cloud Platform Console, use the ‘create role from role’ functionality.

In the Google Cloud Platform Console, use the ‘create role’ functionality and select all applicable permissions.

Grant each individual external consultant the role of BigQuery Editor

Grant each individual external consultant the role of BigQuery Viewer

Create a Google Group that contains the consultants and grant the group the role of BigQuery Editor

Create a Google Group that contains the consultants, and grant the group the role of BigQuery Viewer

Add the cluster’s API as a new Type Provider in Deployment Manager, and use the new type to create the DaemonSet.

Use the Deployment Manager Runtime Configurator to create a new Config resource that contains the DaemonSet definition.

With Deployment Manager, create a Compute Engine instance with a startup script that uses kubectl to create the DaemonSet.

In the cluster’s definition in Deployment Manager, add a metadata that has kube-system as key and the DaemonSet manifest as value.

Use the projects. move method to move the project to your organization. Update the billing account of the project to that of your organization.

Ensure that you have an Organization Administrator Identity and Access Management (IAM) role assigned to you in both organizations. Navigate to the Resource Manager in the startup's Google Cloud organization, and drag the project to your company's organization.

Create a Private Catalog tor the Google Cloud Marketplace, and upload the resources of the startup’s production project to the Catalog. Share the Catalog with your organization, and deploy the resources in your company’s project.

Create an infrastructure-as-code template tor all resources in the project by using Terraform. and deploy that template to a new project in your organization. Delete the protect from the startup's Google Cloud organization.

.00.0.0/0

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

Configure an SSL Proxy load balancer in front of the application servers.

Configure an Internal UDP load balancer in front of the application servers.

Configure an External HTTP(s) load balancer in front of the application servers.

Configure an External Network load balancer in front of the application servers.

Use the GCP Console to transfer the file instead of gsutil.

Enable parallel composite uploads using gsutil on the file transfer.

Decrease the TCP window size on the machine initiating the transfer.

Change the storage class of the bucket from Nearline to Multi-Regional.

Create the instance without a public IP address.

Create the instance with Private Google Access enabled.

Create a deny-all egress firewall rule on the VPC network.

Create a route on the VPC to route all traffic to the instance over the VPN tunnel.

Use the gcloud CLI services enable cloudresourcemanager.googleapis.com command to enable all resources.

Use the gcloud services enable compute.googleapis.com command to enable Compute Engine and the gcloud services enable storage-api.googleapis.com command to enable the Cloud Storage APIs.

Open the Google Cloud console and enable all Google Cloud APIs from the API dashboard.

Open the Google Cloud console and run gcloud init --project in a Cloud Shell.

Assign the pods of the image rendering microservice a higher pod priority than the older microservices

Create a node pool with compute-optimized machine type nodes for the image rendering microservice Use the node pool with general-purpose

machine type nodes for the other microservices

Use the node pool with general-purpose machine type nodes for lite mage rendering microservice Create a nodepool with compute-optimized machine type nodes for the other microservices

Configure the required amount of CPU and memory in the resource requests specification of the image rendering microservice deployment Keep the resource requests for the other microservices at the default

Use a Shielded VM.

Use a Preemptible VM.

Use a sole-tenant node.

Enable deletion protection on the instance.

Create a signed URL with a four-hour expiration and share the URL with the company.

Set object access to ‘public’ and use object lifecycle management to remove the object after four hours.

Configure the storage bucket as a static website and furnish the object’s URL to the company. Delete the object from the storage bucket after four hours.

Create a new Cloud Storage bucket specifically for the external company to access. Copy the object to that bucket. Delete the bucket after four hours have passed.

Deploy the application lo Cloud. Run. Use gradual rollouts for traffic spelling.

Deploy the application lo Google Kubemetes Engine. Use Anthos Service Mesh for traffic splitting.

Deploy the application to Cloud functions. Saucily the version number in the functions name.

Deploy the application to App Engine. For each new version, create a new service.

Set the maximum number of instances to 1.

Decrease the maximum number of instances to 3.

Use a TCP health check instead of an HTTP health check.

Increase the initial delay of the HTTP health check to 200 seconds.

Create a Cloud Scheduler task to regularly scan your projects and delete mismatched users.

Create a Cloud Scheduler task to regularly scan your resources and delete mismatched users.

Set an organizational policy constraint to limit identities by domain to automatically remove mismatched users.

Set an organizational policy constraint to limit identities by domain, and then retroactively remove the existing mismatched users.

Ask your ML team to add the “accelerator: gpu” annotation to their pod specification.

Recreate all the nodes of the GKE cluster to enable GPUs on all of them.

Create your own Kubernetes cluster on top of Compute Engine with nodes that have GPUs. Dedicate this cluster to your ML team.

Add a new, GPU-enabled, node pool to the GKE cluster. Ask your ML team to add the cloud.google.com/gke -accelerator: nvidia-tesla-p100 nodeSelector to their pod specification.

Create a Billing account, associate a payment method with it, and provide all project creators with permission to associate that billing account with their projects.

Grant all engineer’s permission to create their own billing accounts for each new project.

Apply for monthly invoiced billing, and have a single invoice tor the project paid by the finance team.

Create a billing account, associate it with a monthly purchase order (PO), and send the PO to Google Cloud.

HTTPS Load Balancer

Network Load Balancer

SSL Proxy Load Balancer

Internal TCP/UDP Load Balancer. Add a firewall rule allowing ingress traffic from 0.0.0.0/0 on the target instances.

Open the Cloud Spanner console to review configurations.

Open the IAM & admin console to review IAM policies for Cloud Spanner roles.

Go to the Stackdriver Monitoring console and review information for Cloud Spanner.

Go to the Stackdriver Logging console, review admin activity logs, and filter them for Cloud Spanner IAM roles.

Upload the data to BigQuery using the bq command line tool.

Upload the data to Cloud Storage using the gsutil command line tool.

Upload the data into Cloud SQL using the import function in the console.

Upload the data into Cloud Spanner using the import function in the console.

Configure Billing Data Export to BigQuery and visualize the data in Data Studio.

Visit the Cost Table page to get a CSV export and visualize it using Data Studio.

Fill all resources in the Pricing Calculator to get an estimate of the monthly cost.

Use the Reports view in the Cloud Billing Console to view the desired cost information.

Deployment Manager

Cloud Composer

Managed Instance Group

Unmanaged Instance Group

Create an Instance template with the container image, and deploy a Managed Instance Group with Autoscaling.

Upload Docker images to Artifact Registry, and deploy the application on Google Kubernetes Engine using Standard mode.

Upload Docker images to the Cloud Storage, and deploy the application on Google Kubernetes Engine using Standard mode.

Upload Docker images to Artifact Registry, and deploy the application on Cloud Run.

Run gcloud iam roles describe roles/spanner.databaseUser. Add the users to the role.

Run gcloud iam roles describe roles/spanner.databaseUser. Add the users to a new group. Add the group to the role.

Run gcloud iam roles describe roles/spanner.viewer --project my-project. Add the users to the role.

Run gcloud iam roles describe roles/spanner.viewer --project my-project. Add the users to a new group. Add the group to the role.

Cloud Run for Anthos

Cloud Run

App Engine Standard

Cloud Functions.

Create a GKE Autopilot cluster. Enroll the cluster in the rapid release channel.

Create a GKE Autopilot cluster. Enroll the cluster in the stable release channel.

Create a zonal GKE standard cluster. Enroll the cluster in the stable release channel.

Create a regional GKE standard cluster. Enroll the cluster in the rapid release channel.

Download the private key from the service account, and add it to each VMs custom metadata.

Download the private key from the service account, and add the private key to each VM’s SSH keys.

Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

When creating the VMs, set the service account’s API scope for Compute Engine to read/write.

Use App Engine and configure Cloud Scheduler to trigger the application using Pub/Sub.

Use Cloud Functions and configure the bucket as a trigger resource.

Use Google Kubernetes Engine and configure a CronJob to trigger the application using Pub/Sub.

Use Dataflow as a batch job, and configure the bucket as a data source.

Use Cloud SQL database with cross-region replication to store game statistics in the EU, US, and APAC regions.

Use Cloud Spanner to store user data mapped to the game statistics.

Use BigQuery to store game statistics with a Redis on Memorystore instance in the front to provide global consistency.

Store game statistics in a Bigtable database partitioned by username.

Use Cloud Logging filters to create log-based metrics for firewall and instance actions. Monitor the changes and set up reasonable alerts.

Install Kibana on a compute Instance. Create a log sink to forward Cloud Audit Logs filtered for firewalls and

compute instances to Pub/Sub. Target the Pub/Sub topic to push messages to the Kibana instance. Analyze the logs on Kibana in real time.

Turn on Google Cloud firewall rules logging, and set up alerts for any insert, update, or delete events.

Create a log sink to forward Cloud Audit Logs filtered for firewalls and compute instances to Cloud Storage.

Use BigQuery to periodically analyze log events in the storage bucket.

Use the command gcloud config set container/cluster dev.

Use the command gcloud container clusters update dev.

Create a file called gke.default in the ~/.gcloud folder that contains the cluster name.

Create a file called defaults.json in the ~/.gcloud folder that contains the cluster name.

Contact cloud-billing@google.com with your bank account details and request a corporate billing account for your company.

Create a ticket with Google Support and wait for their call to share your credit card details over the phone.

In the Google Platform Console, go to the Resource Manage and move all projects to the root Organization.

In the Google Cloud Platform Console, create a new billing account and set up a payment method.

Select Google Kubernetes Engine. Use a single-node cluster with a small instance type.

Select Google Kubernetes Engine. Use a three-node cluster with micro instance types.

Select Compute Engine. Use preemptible VM instances of the appropriate standard machine type.

Select Compute Engine. Use VM instance types that support micro bursting.

Save the incoming votes to Firestore. Use Cloud Scheduler to trigger a Cloud Functions instance to periodically process the votes.

Use a dedicated instance to process the incoming votes. Send the votes directly to this instance.

Save the incoming votes to a JSON file on Cloud Storage. Process the votes in a batch at the end of the day.

Save the incoming votes to Pub/Sub. Use the Pub/Sub topic to trigger a Cloud Functions instance to process the votes.

Deploy the application on a managed instance group and configure autoscaling.

Deploy the application on a Kubernetes Engine cluster and configure node pool autoscaling.

Deploy the application on Cloud Functions and configure the maximum number instances.

Deploy the application on Cloud Run and configure autoscaling.

Configure Cloud NAT for all subnets of your VPC to be used when egressing from the VM instances.

Create a private zone on Cloud DNS, and configure the applications with the DNS name.

Configure the IP of the database as custom metadata for each instance, and query the metadata server.

Query the Compute Engine internal DNS from the applications to retrieve the IP of the database.

Deploy the application on GKE, and add a HorizontalPodAutoscaler to the deployment.

Deploy the application on GKE, and add a VerticalPodAutoscaler to the deployment.

Create a GKE cluster with autoscaling enabled on the node pool. Set a minimum and maximum for the size of the node pool.

Create a separate node pool for each application, and deploy each application to its dedicated node pool.

View System Event Logs in Stackdriver. Search for the user’s email as the principal.

View System Event Logs in Stackdriver. Search for the service account associated with the user.

View Data Access audit logs in Stackdriver. Search for the user’s email as the principal.

View the Admin Activity log in Stackdriver. Search for the service account associated with the user.

Run gcloud auth login, enter your login credentials in the dialog window, and paste the received login token to gcloud CLI.

Create a Google Cloud service account, and download the service account key. Place the key file in a folder on your machine where gcloud CLI can find it.

Download your Cloud Identity user account key. Place the key file in a folder on your machine where gcloud CLI can find it.

Run gcloud config set compute/zone $my_zone to set the default zone for gcloud CLI.

Run gcloud config set project $my_project to set the default project for gcloud CLI.

1. Create a configuration for each project you need to manage.

2. Activate the appropriate configuration when you work with each of your assigned GCP projects.

1. Create a configuration for each project you need to manage.

2. Use gcloud init to update the configuration values when you need to work with a non-default project

1. Use the default configuration for one project you need to manage.

2. Activate the appropriate configuration when you work with each of your assigned GCP projects.

1. Use the default configuration for one project you need to manage.

2. Use gcloud init to update the configuration values when you need to work with a non-default project.

Migrate the web application to App Engine and the backend API to Cloud Run Use Cloud Tasks to run your background job on Compute Engine

Migrate the web application to App Engine and the backend API to Cloud Run. Use Cloud Tasks to run your background job on Cloud Run.

Run the web application on a Cloud Storage bucket and the backend API on Cloud Run Use Cloud Tasks to run your background job on Cloud Run.

Run the web application on a Cloud Storage bucket and the backend API on Cloud Run. Use Cloud Tasks to run your background job on Compute Engine

Create a Cloud Function to create an instance template.

Create a snapshot schedule for the disk using the desired interval.

Create a cron job to create a new disk from the disk using gcloud.

Create a Cloud Task to create an image and export it to Cloud Storage.

Enable Cloud Identity in the GCP Console for your domain.

Grant them the required IAM roles using their G Suite email address.

Create a CSV sheet with all users’ email addresses. Use the gcloud command line tool to convert them into Google Cloud Platform accounts.

In the G Suite console, add the users to a special group called cloud-console-users@yourdomain.com. Rely on the default behavior of the Cloud Platform to grant users access if they are members of this group.

Add the user to roles/iam.roleAdmin role.

Add the user to roles/iam.securityAdmin role.

Add the user to roles/iam.serviceAccountUser role.

Add the user to roles/iam.serviceAccountAdmin role.

The pending Pod's resource requests are too large to fit on a single node of the cluster.

Too many Pods are already running in the cluster, and there are not enough resources left to schedule the pending Pod.

The node pool is configured with a service account that does not have permission to pull the container image used by the pending Pod.

The pending Pod was originally scheduled on a node that has been preempted between the creation of the Deployment and your verification of the Pods’ status. It is currently being rescheduled on a new node.

1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ.

1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public egress traffic for the DMZ.

1. Create a VPC with a subnet for the DMZ and another VPC with a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ.

1. Create a VPC with a subnet for the DMZ and another VPC with a subnet for the LAN. 2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public egress traffic for the DMZ.

Enable Cloud IAP for the Compute Engine instances, and add the operations partner as a Cloud IAP Tunnel User.

Tag all the instances with the same network tag. Create a firewall rule in the VPC to grant TCP access on port 22 for traffic from the operations partner to instances with the network tag.

Set up Cloud VPN between your Google Cloud VPC and the internal network of the operations partner.

Ask the operations partner to generate SSH key pairs, and add the public keys to the VM instances.

Create a health check on port 443 and use that when creating the Managed Instance Group.

Select Multi-Zone instead of Single-Zone when creating the Managed Instance Group.

In the Instance Template, add the label ‘health-check’.

In the Instance Template, add a startup script that sends a heartbeat to the metadata server.

Review the Compute Engine activity logs Select and review the Admin Event logs

Review the Compute Engine activity logs Select and review the System Event logs

Install the Cloud Logging Agent In Cloud Logging review the Compute Engine syslog logs

Install the Cloud Logging Agent In Cloud Logging, review the Compute Engine operation logs

1. Go to the Logs ingestion window in Stackdriver Logging, and disable the log source for the GKE container resource.

1. Go to the Logs ingestion window in Stackdriver Logging, and disable the log source for the GKE Cluster Operations resource.

1. Go to the GKE console, and delete existing clusters.2. Recreate a new cluster.3. Clear the option to enable legacy Stackdriver Logging.

1. Go to the GKE console, and delete existing clusters.2. Recreate a new cluster.3. Clear the option to enable legacy Stackdriver Monitoring.

Assign the appropriate permissions, and then use Cloud Monitoring to review metrics

Use the export logs API to provide the Admin Activity Audit Logs in the format they want

Turn on Data Access Logs for the buckets they want to audit, and Then build a query in the log viewer that filters on Cloud Storage

Assign the appropriate permissions, and then create a Data Studio report on Admin Activity Audit Logs

Invite the user to transfer their existing account

Invite the user to use an email alias to resolve the conflict

Tell the user that they must delete their existing account

Tell the user to remove all personal email from the existing account

• Create a custom role with Compute Engine, Cloud Functions, and Cloud SQL permissions in one project within the Google Cloud organization.

• Copy the role across all projects created within the organization with the gcloud iam roles copy command.

• Assign the role to developers in those projects.

• Add all developers to a Google group in Google Groups for Workspace.

• Assign the predefined role of Compute Admin to the Google group at the Google Cloud organization level.

• Add all developers to a Google group in Cloud Identity.

• Assign predefined roles for Compute Engine, Cloud Functions, and Cloud SQL permissions to the Google group for each project in the Google Cloud organization.

• Add all developers to a Google group in Cloud Identity.

• Create a custom role with Compute Engine, Cloud Functions, and Cloud SQL permissions at the Google Cloud organization level.

• Assign the custom role to the Google group.

Add the users to roles/browser role.

Add the users to roles/iam.roleViewer role.

Add the users to a group, and add this group to roles/browser role.

Add the users to a group, and add this group to roles/iam.roleViewer role.