Domain 2: Managing and Provisioning a Solution Infrastructure
30 questions across 3 exams
CASE STUDY: TechStream Gaming. 500 emp, $100M rev. On-prem US/EU, 200 servers, MySQL 5TB. 2M peak users. $100K/mo cost. Req: Cut cost 40%, 5x growth, 3 new regions, daily deploys. CEO: Scale fast. CFO: <$100K/mo, 18mo ROI. CTO: Low cloud skills, 99.95% uptime. Tech: <100ms latency, real-time analytics, 5x spikes, EU data residency, DDoS protection, CI/CD. Constraints: 12mo migration, 4hr downtime, 20 devs (Java/MySQL), 5 ops (no cloud), $2M budget. To achieve sub-100ms latency globally and DDoS protection, which networking solution should you implement?
CASE STUDY: ShopGlobal. Global e-commerce. Monolithic Java on VMware. Oracle RAC (20TB). 10x Black Friday traffic. Req: Microservices, 100% uptime during holidays, personalized recommendations. CEO: Flawless omnichannel. CFO: Predictable spend. CTO: No vendor lock-in, open-source. Tech: Containerize, Global LB, PCI-DSS, async orders, real-time inventory. Constraints: Keep Oracle on-prem for 2 yrs (licensing), low K8s skills, strict security reviews. Which compute platform best satisfies the CTO's requirement for open-source standards while addressing the constraint of low Kubernetes skills?
CASE STUDY: AutoMakers Inc. 1M connected cars, 100GB/day telemetry. Req: Predictive maintenance, real-time driver dashboard, monetize data. CEO: Data is new engine. CFO: Cut 3rd-party IoT costs. CTO: Highly scalable ingest. Tech: MQTT ingest, stream processing, ML models, 7-yr cold storage, handle intermittent connectivity. Constraints: Anonymize data, low vehicle compute, strict analytics budget. To meet the 7-year cold storage requirement while adhering to the strict analytics budget, how should you configure storage?
CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN. Which service should you use to implement the API gateway for secure data sharing with partner hospitals?
You need to resolve internal DNS names for VMs across two different VPCs connected via VPC Peering. What must you configure?
A pod running in GKE needs to access a Cloud Storage bucket. You want to follow the principle of least privilege and avoid managing service account keys manually. What is the recommended approach?
You are deploying a containerized web application to Cloud Run. The application is thread-safe and can handle multiple requests simultaneously. How can you optimize costs and performance?
You need to protect Cloud Storage objects from accidental deletion and ensure that deleted objects are kept for 30 days before permanent removal. Which TWO features should you configure? (Select TWO)
You are configuring a Managed Instance Group (MIG) for a web application. Which TWO metrics can be used natively by the MIG autoscaler to trigger scaling events? (Select TWO)
In a Shared VPC architecture, which THREE IAM roles are typically required to allow a developer in a Service Project to create a VM that uses a subnet in the Host Project? (Select THREE)
**CASE STUDY: TechStream Gaming**

**Company Overview:** TechStream Gaming is a global gaming company with 500 employees and $100M in annual revenue. They develop multiplayer online games.

**Current Technical Environment:**
- On-premises data centers in US and EU
- 200 servers (mix of Windows and Linux)
- MySQL databases (5 TB total)
- Peak concurrent users: 2 million
- Current monthly infrastructure cost: $100K

**Business Requirements:**
- Reduce infrastructure costs by 40%
- Support 5x user growth over 2 years
- Launch in 3 new regions (APAC, SA, Africa)
- Improve deployment speed (current: 1 week -> target: daily)

**Executive Statements:**
- CEO: "We need to scale rapidly to compete with larger gaming companies. Cloud migration is critical to our growth strategy."
- CFO: "Cost reduction is paramount. We cannot exceed $60K/month in cloud costs. ROI must be achieved within 18 months."
- CTO: "Our team has limited cloud experience. We need a solution that doesn't require extensive retraining. Reliability is non-negotiable - 99.95% uptime minimum."

**Technical Requirements:**
- Sub-100ms latency for players globally
- Real-time analytics on player behavior
- Seasonal traffic spikes (5x during holidays)
- DDoS protection
- CI/CD pipeline for daily deployments

**Constraints:**
- Migration must complete in 12 months
- Cannot exceed 4-hour downtime during cutover
- Development team: 20 engineers (Java, MySQL expertise)
- Operations team: 5 engineers (limited cloud experience)

**QUESTION:** To meet the technical requirements for global latency and security, how should you design the network ingress architecture?
**CASE STUDY: TrendWear Apparel**

**Company Overview:** TrendWear Apparel is a global clothing retailer with an e-commerce platform and 500 physical stores.

**Current Technical Environment:**
- On-premises VMware environment
- Legacy IBM Mainframe for core inventory management
- Monolithic e-commerce application running on VMs

**Business Requirements:**
- Modernize the e-commerce platform to handle Black Friday (10x normal traffic)
- Unify online and in-store inventory data in real-time
- Avoid major capital expenditure (CapEx) for data center refreshes

**Executive Statements:**
- CEO: "We need an omnichannel experience. Customers should see accurate store inventory online."
- CFO: "We must shift from CapEx to OpEx. No more buying hardware."
- CTO: "We want to move to microservices, but we cannot retire the mainframe for at least 3 years due to complex legacy dependencies."

**Technical Requirements:**
- Hybrid architecture connecting GCP and on-premises
- Microservices architecture for the new e-commerce platform
- PCI-DSS compliance for all payment processing
- Consistent management plane across on-prem and cloud

**Constraints:**
- Mainframe must remain on-premises
- E-commerce migration must be completed before the next holiday season (8 months)

**QUESTION:** The new e-commerce microservices in GCP must query the on-premises mainframe for real-time inventory. This requires high bandwidth, low latency, and an enterprise-grade SLA. Which networking solution should you implement?
**CASE STUDY: CareData Health**

**Company Overview:** CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.

**Current Technical Environment:**
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views

**Business Requirements:**
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners

**Executive Statements:**
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."

**Technical Requirements:**
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data

**Constraints:**
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with

**QUESTION:** To meet the requirement for comprehensive audit logging, the security team needs to retain all data access logs for 7 years and query them rapidly during compliance audits. How should you configure this?
**CASE STUDY: AutoMakers Inc**

**Company Overview:** AutoMakers Inc is a global vehicle manufacturer. They have recently launched a line of connected cars.

**Current Technical Environment:**
- 1 million connected cars currently on the road
- Cars send telemetry data (speed, engine temp, location) every 5 seconds
- Current on-premises MQTT brokers are crashing under the load

**Business Requirements:**
- Enable predictive maintenance to alert drivers before parts fail
- Provide real-time fleet tracking for commercial customers
- Support over-the-air (OTA) software updates

**Executive Statements:**
- CEO: "Data is our new revenue stream. We need to monetize this telemetry data."
- CTO: "We expect to have 10 million connected cars in 3 years. The architecture must scale infinitely without manual intervention."
- CFO: "The cost of ingesting and storing this data must be strictly controlled. We cannot pay for idle capacity."

**Technical Requirements:**
- Ingest up to 100,000 messages per second
- Low-latency processing for real-time alerts
- Time-series data storage for historical analysis
- Handle variable network connectivity (cars driving through tunnels)

**Constraints:**
- Strict budget for data ingestion
- Small data engineering team

**QUESTION:** When designing the Cloud Bigtable schema for the telemetry data, how should you structure the row key to prevent hotspotting and allow efficient querying of a specific car's history?
Your company is deploying a multi-tier application across several GCP projects. The security team mandates that all network resources (subnets, firewalls, routes) must be centrally managed by the network engineering team, but the application developers should be able to create VMs in their own projects. Which networking architecture should you implement?
A media company stores terabytes of high-resolution video files in Cloud Storage. The files are accessed frequently for the first 30 days after upload. After 30 days, they are rarely accessed but must be kept immediately available for 90 days. After 90 days, they are only kept for compliance and can take hours to retrieve. How should you configure the Cloud Storage lifecycle policy to minimize costs?
You are designing a highly available architecture for a critical web application. The database tier uses Cloud SQL for PostgreSQL. You need to ensure that if the primary zone goes down, the database automatically fails over to another zone with zero data loss. How should you configure Cloud SQL?
You are deploying a highly secure application to Google Kubernetes Engine (GKE). The security team mandates that the GKE cluster must be a Private Cluster. Which THREE statements are true regarding GKE Private Clusters? (Select THREE)
You need to connect your on-premises data center to Google Cloud. You are evaluating Cloud VPN and Cloud Interconnect. Which TWO statements are correct when comparing these services? (Select TWO)
You are provisioning storage for Compute Engine instances. You need to select the appropriate Persistent Disk (PD) types. Which TWO statements accurately describe GCP Persistent Disk options? (Select TWO)
CASE STUDY: TechStream Gaming

Overview: 500 employees, $100M revenue. On-prem US/EU, 200 servers, 5TB MySQL. 2M peak users, $100K/mo cost.

Business: Reduce cost 40%, 5x growth, launch APAC/SA/Africa, daily deployments.

Executives:
- CEO: "Scale rapidly to compete. Cloud is critical."
- CFO: "Cost reduction paramount. Max $100K/mo. ROI in 18 months."
- CTO: "Team has limited cloud experience. 99.95% uptime non-negotiable."

Tech: <100ms latency globally, real-time analytics, 5x seasonal spikes, EU data residency, DDoS protection, CI/CD.

Constraints: 12-month migration, 4hr max downtime, 20 devs (Java/MySQL), 5 ops (limited cloud), $2M budget.

To meet the sub-100ms global latency requirement and handle seasonal spikes, how should you configure the compute architecture?
CASE STUDY: RetailMart

Overview: Global e-commerce, 5,000 employees. Legacy monolith on VMware, 20TB Oracle DB on-prem.

Business: Modernize to microservices, 100% uptime during Black Friday (10x traffic), real-time inventory sync, exit data center in 2 years.

Executives:
- CEO: "Innovate faster to beat online-only competitors."
- CFO: "End hardware CAPEX. Move to pure OPEX."
- CTO: "Break monolith safely. Zero downtime during transition."

Tech: Migrate off Oracle to open-source, containerize, secure hybrid connectivity during transition, automated scaling.

Constraints: Zero downtime for storefront, heavy reliance on Oracle stored procedures, all hybrid traffic must be private/encrypted.

How should you design the hybrid connectivity to meet the security and bandwidth requirements during the 2-year transition?
CASE STUDY: HealthData Corp

Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.

Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.

Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."

Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.

Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.

To address the CFO's cost concerns and the ransomware protection requirement, how should you configure the Cloud Storage buckets for medical imaging?
CASE STUDY: AutoIoT

Overview: Connected car manufacturer. 1M vehicles sending telemetry every 5 seconds.

Business: Predictive maintenance alerts, real-time fleet tracking, monetize anonymized data.

Executives:
- CEO: "Leverage AI to predict failures."
- CTO: "Current MQTT brokers crashing. Need fully managed, scalable ingestion."
- DPO: "Vehicle location is sensitive. Strip PII before analytics."

Tech: Ingest millions of msgs/sec, real-time stream processing for anomalies, store raw data for ML, sub-second queries for dashboards.

Constraints: Vehicles lose connection and send late batch data. ML models updated weekly. Strict analytics budget.

How should you handle the constraint where vehicles lose connection and send late batch data?
You are designing a multi-tier application in Google Cloud. The web tier is in a public subnet, and the database tier is in a private subnet with no external IP addresses. The database instances need to download software updates from the internet. How should you configure this securely?
Your organization uses a Shared VPC architecture. Project A is the Host Project. Project B and Project C are Service Projects. A developer in Project B needs to create a Compute Engine instance attached to a subnet in the Shared VPC. Which IAM role must the developer be granted, and where?
You are migrating an on-premises application to GKE. The application requires a persistent file system that can be read and written to by multiple pods simultaneously across different nodes. Which storage solution should you provision?
You need to configure a VPC network for a multi-tier application. The web tier must be accessible from the internet, but the database tier must be completely isolated from inbound internet traffic. Both tiers need to communicate with each other. Which TWO configurations should you apply? (Select TWO)
You are provisioning a Cloud SQL for MySQL instance for a production application. The application requires high availability (HA) to survive a zone failure, and needs to support heavy read traffic from reporting dashboards without impacting the primary transactional workload. Which TWO configurations should you enable? (Select TWO)
You are configuring a Google Kubernetes Engine (GKE) cluster. The security team requires that pods must not run as the root user, and that the cluster must automatically scale the number of nodes based on resource requests. Which TWO features should you configure? (Select TWO)