100+ Free Tencent Cloud Expert Solutions Architect Practice Questions

Explanation: CCN provides full-mesh interconnection across all connected VPCs and Direct Connect gateways with automatic route learning, eliminating manual route maintenance. CCN's built-in intelligent scheduling selects the lowest-latency path and reroutes automatically on link failure. VPC Peering requires O(n²) peer connections and no automatic failover. VPN Gateways add latency over the public internet. Direct Connect to a co-location hub is viable but introduces a single point of failure and higher setup complexity.

Explanation: GAAP (Global Application Acceleration) accelerates TCP/UDP traffic over Tencent's private backbone, dramatically reducing intercontinental latency compared with the public internet. It supports health-check-driven automatic failover to a secondary origin and is designed specifically for real-time applications such as gaming. CLB is single-region. Anycast EIP provides nearest-PoP anycast but does not offer application-layer health failover across regional server pools. CDN is designed for cacheable content, not stateful real-time sessions.

Explanation: Tencent Cloud Direct Connect establishes a private physical connection between the enterprise data center and Tencent Cloud, bypassing the public internet entirely. A Dedicated Tunnel over Direct Connect gives guaranteed bandwidth, predictable latency, and network-level SLAs. VPN Gateways traverse the public internet. CCN provides private routing between cloud resources but still requires an access point to on-premises, which is Direct Connect. EIP with Security Groups is a public-internet approach.

Explanation: TDSQL-C (CynosDB) is Tencent Cloud's cloud-native distributed database that supports synchronous multi-AZ and multi-region replication, delivering RPO=0. Its automated failover mechanism completes in seconds, satisfying RTO <30s. Snapshot-based backup delivers RPO measured in hours, not zero. Read replicas require manual promotion and incur replication lag. Redis with AOF is an in-memory cache, not a transactional RDBMS.

Explanation: CKafka (Tencent Cloud's managed Kafka) can handle millions of messages per second. Apache Flink on EMR provides sub-second stateful stream processing to meet the 5-second latency requirement. ClickHouse delivers OLAP query performance for real-time analytics. Direct MySQL writes at 200K TPS would require massive sharding and still cannot serve analytical queries efficiently. COS/Spark batch cannot meet 5-second end-to-end latency. Redis is an in-memory cache without durable OLAP capabilities.

Explanation: COS Object Lock in compliance mode enforces WORM semantics: once a retention period is set, not even the bucket owner can delete or overwrite the object before expiry. A 7-year retention period directly satisfies regulatory data immutability requirements. Versioning with MFA delete protects against accidental deletion but does not enforce compliance-mode retention. Cross-region replication improves durability but does not prevent deletion. Lifecycle rules manage storage class transitions, not object immutability.

Explanation: Rotating the key immediately removes the exposure risk. Storing secrets in Tencent Cloud Secrets Manager (KMS-backed) and using IAM role-based credentials (CAM role or assumed credentials) for CI/CD means no long-lived keys ever touch the filesystem or environment variables. The tencentcloud Terraform provider supports role-based credential injection. .tfvars files that are git-ignored can be accidentally committed. Reading secrets from COS adds complexity and still requires separate credentials. Plaintext environment variables are visible in process listings and CI logs.

Explanation: KMS customer-managed keys (CMK) with Bring Your Own Key (BYOK) allow the bank to import key material generated on its own HSM. The bank retains control over the key material and can revoke access by deleting the key material from KMS, immediately rendering encrypted data unreadable — even by Tencent Cloud. Service-managed keys are controlled by Tencent. Redis-stored keys are accessible to anyone with Redis credentials. TLS protects data in transit, not at rest.

Explanation: Zero-trust requires identity-based authentication and authorization for every request regardless of network location. Tencent Cloud Service Mesh (TCM, based on Istio) enforces mTLS between every service pair, ensuring cryptographic identity verification. Combined with CAM workload identity (federated OIDC tokens), authorization decisions are based on verified identity rather than IP addresses. Security Groups are network-location-based controls — antithetical to zero-trust. Private Link limits exposure but does not verify identity. Cloud Firewall IPS inspects signatures but does not enforce workload identity.

Explanation: GitOps requires a pull-based reconciliation loop where the cluster agent (ArgoCD or Flux) continuously compares desired state in Git with actual cluster state, reconciling any drift. Tencent Cloud CODING DevOps provides Git hosting, CI, and integrates with ArgoCD/Flux deployed in TKE. This is the canonical GitOps pattern on Tencent Cloud. Jenkins push-based deployments do not detect or correct drift after deployment. Auto Scaling watches compute metrics, not application manifests. OOS can automate operations but is not a GitOps reconciliation engine.