You need to deploy a new service to production. The service needs to automatically scale using a Managed Instance Group (MIG) and should be deployed over multiple regions. The service needs a large number of resources for each instance and you need to plan for capacity. What should you do?
You need to define SLOs for a high-traffic web application. Customers are currently happy with the application performance and availability. Based on current measurement, the 90th percentile Of latency is 160 ms and the 95th percentile of latency is 300 ms over a 28-day window. What latency SLO should you publish?
Correct Answer: B
a latency SLO is a service level objective that specifies a target level of responsiveness for a web application1. A latency SLO can be expressed as a percentile of latency over a time window, such as the 90th percentile of latency over 28 days2. A percentile of latency is the maximum amount of time that a given percentage of requests take to complete. For example, the 90th percentile of latency is the maximum amount of time that 90% of requests take to complete3. To define a latency SLO, you need to consider the following factors24: The expectations and satisfaction of your customers. You want to set a latency SLO that reflects the level of performance that your customers are happy with and willing to pay for. The current and historical measurements of your latency. You want to set a latency SLO that is based on data and realistic for your web application. The trade-offs and costs of improving your latency. You want to set a latency SLO that balances the benefits of faster response times with the costs of engineering work, infrastructure, and complexity. Based on these factors, the best option for defining a latency SLO for your web application is option B. Option B sets the latency SLO to match the current measurement of your latency, which means that you are meeting the expectations and satisfaction of your customers. Option B also sets a realistic and achievable target for your web application, which means that you do not need to invest extra resources or effort to improve your latency. Option B also aligns with the best practice of setting conservative SLOs, which means that you have some buffer or margin for error in case your latency fluctuates or degrades5.
Your company is migrating its production systems to Google Cloud. You need to implement site reliability engineering (SRE) practices during the migration to minimize customer impact from potential future incidents. Which two SRE practices should you implement? Choose 2 answers
Correct Answer: B,E
Comprehensive and Detailed Explanation From General SRE Principles and Google Cloud Knowledge: Site Reliability Engineering (SRE) emphasizes reliability, automation, and a data-driven approach to operations. The goal is to minimize the "time to detect" (TTD) and "time to resolve" (TTR) for incidents. Option A (Ensure that full autonomy and permissions are only granted to the on-call team): While the on-call team needs appropriate permissions to act decisively during an incident, granting full autonomy and only to them can be a bottleneck and goes against the principle of least privilege if not carefully scoped. Broader teams might need specific, controlled access for their responsibilities. SRE encourages empowering teams but within a structured framework. Option B (Automate common tasks to analyze key impact information and intelligently suggest mitigating actions for the on-call team): This is a core SRE practice. Automation reduces toil, speeds up response, and ensures consistency. Analyzing impact and suggesting mitigations helps the on-call team resolve issues faster and more effectively. Option C (Ensure that all teams can modify the production environment to resolve issues): This is generally a bad practice and against SRE principles of controlled changes and reducing the blast radius of errors. Production changes should be managed, audited, and ideally automated, not open to modification by all teams, as this increases the risk of unintended incidents. Option D (Create an alerting mechanism for your SRE team based on your system's internal behavior): While alerting is crucial, SRE emphasizes alerting on symptoms that affect users (Service Level Objectives - SLOs) rather than just internal behavior or causes. Alerting solely on internal behavior can lead to alert fatigue and may not correlate directly with user impact. Good alerting focuses on user-facing impact first. Option E (Create up-to-date playbooks with instructions for debugging and mitigating issues): Playbooks (or runbooks) are essential in SRE. They document known issues, troubleshooting steps, and mitigation procedures. Keeping them up-to-date ensures that on-call engineers can respond to incidents quickly and consistently, even for less common issues, thereby minimizing customer impact. Therefore, automating incident response tasks (B) and maintaining clear, actionable playbooks (E) are two key SRE practices to implement for minimizing customer impact. Reference (Based on SRE principles): The SRE books by Google (e.g., "Site Reliability Engineering: How Google Runs Production Systems") heavily emphasize automation to reduce toil and the importance of playbooks for incident management. Google Cloud SRE solutions: https://cloud.google.com/sre Specifically, regarding playbooks and automation:"Playbooks should be living documents, updated regularly as systems change and new incidents provide new lessons." "SREs aim to automate repetitive tasks (toil) to free up time for engineering projects that improve reliability."
You need to define Service Level Objectives (SLOs) for a high-traffic multi-region web application. Customers expect the application to always be available and have fast response times. Customers are currently happy with the application performance and availability. Based on current measurement, you observe that the 90th percentile of latency is 120ms and the 95th percentile of latency is 275ms over a 28-day window. What latency SLO would you recommend to the team to publish?
Your company allows teams to self-manage Google Cloud projects, including project-level Identity and Access Management (IAM). You are concerned that the team responsible for the Shared VPC project might accidentally delete the project, so a lien has been placed on the project. You need to design a solution to restrict Shared VPC project deletion to those with the resourcemanager.projects.updateLiens permission at the organization level. What should you do?
Correct Answer: C
Comprehensive and Detailed Explanation From General Google Cloud IAM and Organization Policy Knowledge: The core requirement is to prevent accidental deletion of a Shared VPC host project, even by project owners, by ensuring that only users with a specific permission at the organization level can remove the lien that protects the project. A lien (resourcemanager.projects.delete) has already been placed on the project. This prevents its deletion. The challenge is to prevent the removal of this lien by project-level administrators. The permission to remove a lien is resourcemanager.projectLiens.update (or resourcemanager.projects. updateLiens as stated in the question, which implies a broader update capability including liens). Option A (Enable VPC Service Controls for the container.googleapis.com API service): VPC Service Controls are for data exfiltration prevention by creating service perimeters. They do not directly control IAM permissions for lien management or project deletion. Option B (Revoke the resourcemanager.projects.updateLiens permission from all users associated with the project): While this would prevent project-level users from removing the lien, it doesn't enforce therequirement that only users with this permission at the organization level can remove it. A project owner could potentially re-grant themselves this permission at the project level if not otherwise restricted. The goal is a stronger, centrally enforced restriction. Option C (Enable the compute.restrictXpnProjectLienRemoval organization policy constraint): This is specifically designed for the scenario described.Organization Policies allow centralized control over resource configurations across the organization. The compute.restrictXpnProjectLienRemoval constraint, when enforced (set to True), restricts the removal of liens on Shared VPC host projects. Only users who have the resourcemanager.projectLiens.update permission (or resourcemanager.projects.updateLiens) granted at the organization level can then remove such liens. This prevents project owners or other project-level principals from removing the lien unless they also have this specific permission at the org level. Option D (Instruct teams to only perform IAM permission management as code with Terraform): While Infrastructure as Code (IaC) is a good practice for managing IAM, it's an operational guideline and doesn't technically enforce the restriction on lien removal. A user with sufficient project-level IAM permissions could still manually remove the lien via the console or gcloud if not prevented by an organization policy. Therefore, enabling the compute.restrictXpnProjectLienRemoval organization policy is the direct and most effective way to meet the requirement. Reference (Based on Google Cloud Organization Policy and Shared VPC documentation): Google Cloud documentation on Resource Manager Liens: https://cloud.google.com/resource-manager/docs /project-liens Google Cloud documentation on Organization Policy Constraints: https://cloud.google.com/resource-manager /docs/organization-policy/org-policy-constraints Specifically, the compute.restrictXpnProjectLienRemoval constraint: "When set to true, liens on Shared VPC host projects can only be removed by users that have resourcemanager.projectLiens.update permission on the organization." (or similar wording indicating org-level permission is required). This constraint ensures that the protection afforded by the lien on a critical Shared VPC host project cannot be easily circumvented at the project level.