March Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer Questions and Answers

Questions 4

You want to create a service in GCP using IPv6.

What should you do?

Options:

A.

Create the instance with the designated IPv6 address.

B.

Configure a TCP Proxy with the designated IPv6 address.

C.

Configure a global load balancer with the designated IPv6 address.

D.

Configure an internal load balancer with the designated IPv6 address.

Buy Now
Questions 5

Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer You need to protect the application from potential application-level attacks. What should you do?

Options:

A.

Enable Cloud CDN on the backend service.

B.

Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer

C.

Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.

D.

Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service

Buy Now
Questions 6

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.

How should you design the topology?

Options:

A.

Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.

B.

Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.

C.

Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

D.

Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Buy Now
Questions 7

You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) Instances What two prerequisite tasks must be completed before creating the load balancer?

Choose 2 answers

Options:

A.

Choose a region.

B.

Create firewall rules for health checks

C.

Reserve a static IP address for the load balancer

D.

Determine the subnet mask for a proxy-only subnet.

E.

Determine the subnet mask for Serverless VPC Access.

Buy Now
Questions 8

You work for a multinational enterprise that is moving to GCP.

These are the cloud requirements:

• An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup)

• Multiple regional offices in Europe and APAC

• Regional data processing is required in europe-west1 and australia-southeast1

• Centralized Network Administration Team

Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1.

What should you do?

Options:

A.

• Create 2 VPCs in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Host Project.• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

B.

• Create 2 VPCs in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Service Project.• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

C.

• Create 1 VPC in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Host Project.• Attach NIC0 in us-west1 subnet of the Host Project.• Attach NIC1 in us-west1 subnet of the Host Project• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

D.

• Create 1 VPC in a Shared VPC Service Project.• Configure a 2-NIC instance in zone us-west1-a in the Service Project.• Attach NIC0 in us-west1 subnet of the Service Project.• Attach NIC1 in us-west1 subnet of the Service Project• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

Buy Now
Questions 9

You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access.

The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?

Options:

A.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub.

Import the custom routes in the spokes.

B.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

Delete the default internet gateway route of the spokes.

C.

Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

D.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Create a new route in the spoke VPC that points to IP address 10.0.0.5.

Buy Now
Questions 10

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

Options:

A.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

B.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

C.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

D.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, —enable-ip-alias, and—enable-private-nodes

Buy Now
Questions 11

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

Professional-Cloud-Network-Engineer Question 11

Options:

A.

Configure a custom route advertisement on the Cloud Router.

B.

Enable IP forwarding in the asia-southeast1 region.

C.

Change the VPC dynamic routing mode to Global.

D.

Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Buy Now
Questions 12

You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements:

Your on-premises resources should resolve your Google Cloud zones.

Your Google Cloud resources should resolve your on-premises zones.

You need the ability to resolve “. internal” zones provisioned by Google Cloud.

What should you do?

Options:

A.

Configure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.

B.

Configure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.

C.

Configure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.

D.

Configure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.

Buy Now
Questions 13

Your company's logo is published as an image file across multiple websites that are hosted by your company You have implemented Cloud CDN, however, you want to improve the performance of the cache hit ratio associated with this image file. What should you do?

Options:

A.

Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes-

B.

Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type

C.

Configure versioned IJRLs for each domain to serve users the •mage file before the cache entry expires

D.

Configure the default time to live (TTL) as O for the image file.

Buy Now
Questions 14

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.

What is the most likely cause of the problem?

Options:

A.

You have not configured compression in Cloud CDN.

B.

You have configured the web servers and Cloud CDN with different compression types.

C.

The web servers behind the load balancer are configured with different compression types.

D.

You have to configure the web servers to compress responses even if the request has a Via header.

Buy Now
Questions 15

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.

Which connectivity model should you use?

Options:

A.

Direct Peering

B.

Dedicated Interconnect

C.

Partner Interconnect with a layer 2 partner

D.

Partner Interconnect with a layer 3 partner

Buy Now
Questions 16

You work for a university that is migrating to Google Cloud.

These are the cloud requirements:

On-premises connectivity with 10 Gbps

Lowest latency access to the cloud

Centralized Networking Administration Team

New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

What should you do?

Options:

A.

Use Shared VPC, and deploy the VLAN attachments and Dedicated Interconnect in the host project.

B.

Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

C.

Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Dedicated Interconnects.

D.

Use standalone projects and deploy the VLAN attachments and Dedicated Interconnects in each of the individual projects.

Buy Now
Questions 17

Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node Which Pod per node CIDR range should you

use?

Options:

A.

/24

B.

/25

C.

/26

D.

/28

Buy Now
Questions 18

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.

What should you do?

Options:

A.

Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.

B.

Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

C.

Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.

D.

Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.

Buy Now
Questions 19

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.

How should you configure the Distribution VPC?

Options:

A.

Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.

B.

Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

C.

Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

D.

Rename the default VPC as "Distribution" and peer it via network peering.

Buy Now
Questions 20

You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?

Options:

A.

Review the VPC audit logs in Cloud Logging for the affected instances.

B.

Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.

C.

Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.

D.

Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.

Buy Now
Questions 21

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?

Options:

A.

Use the default public domains for all Google APIs and services.

B.

Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.

C.

Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

D.

Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

Buy Now
Questions 22

Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.

Which Google Cloud load balancer should you use?

Options:

A.

SSL proxy load balancer

B.

Network load balancer

C.

HTTPS load balancer

D.

TCP proxy load balancer

Buy Now
Questions 23

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

Which connection type should you choose?

Options:

A.

Carrier Peering

B.

Direct Peering

C.

Dedicated Interconnect

D.

Partner Interconnect

Buy Now
Questions 24

You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?

Options:

A.

Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.

B.

Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

C.

Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.

D.

Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

Buy Now
Questions 25

Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.

• Each organization has enabled full connectivity between all of its projects by using Shared VPC.

• Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.

• There are no prefix overlaps between the two organizations.

• Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.

• Neither organization has Interconnects to their on-premises environment.

You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.

Which two steps should you take? (Choose two.)

Options:

A.

Provision Cloud Interconnect to connect both organizations together.

B.

Set up some variant of DNS forwarding and zone transfers in each organization.

C.

Connect VPCs in both organizations using Cloud VPN together with Cloud Router.

D.

Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.

E.

Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

Buy Now
Questions 26

You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application.

Which type of load balancer should you use?

Options:

A.

HTTP(S) load balancer

B.

Network load balancer

C.

Internal TCP/UDP load balancer

D.

TCP/SSL proxy load balancer

Buy Now
Questions 27

You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.

How should you design this topology?

Options:

A.

Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.

B.

Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

C.

Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

D.

Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

Buy Now
Questions 28

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

Certain data must stay in the project where it is stored and not be exfiltrated to other projects.

Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.

All DNS resolution must be done on-premises.

The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

Options:

A.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

B.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

C.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

D.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

Buy Now
Questions 29

Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?

Options:

A.

Configure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.

B.

Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on- premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.

C.

Consolidate all existing projects’ subnetworks into a single VPC. Create separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.

D.

Configure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects’ VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects’ VPC networks.

Buy Now
Questions 30

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.

How should you design this topology?

Options:

A.

Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.

B.

Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.

C.

Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.

D.

Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

Buy Now
Questions 31

You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?

Options:

A.

Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

B.

Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

C.

Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

D.

Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Buy Now
Questions 32

Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible.

How should you deploy this service in GCP?

Options:

A.

Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.

B.

Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.

C.

Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.

D.

Use GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.

Buy Now
Questions 33

Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?

Options:

A.

Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.

B.

Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.

C.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.

D.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-

premises data center.

Buy Now
Questions 34

You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload.

Which type of load balancer should you use?

Options:

A.

HTTP(S) load balancer

B.

Network load balancer

C.

Internal load balancer

D.

TCP/SSL proxy load balancer

Buy Now
Questions 35

You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.

Which two methods can you use to accomplish this? (Choose two.)

Options:

A.

Enable Private Google Access on all the subnets.

B.

Enable Private Google Access on the VPC.

C.

Enable Private Services Access on the VPC.

D.

Create network peering between your VPC and BigQuery.

E.

Create a Cloud NAT, and route the application traffic via NAT gateway.

Buy Now
Questions 36

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

Options:

A.

Configure the remote autonomous system number (ASN) to 4096.

B.

Configure a second Cloud Router to scale bandwidth in and out of the VPC.

C.

Configure the maximum transmission unit (MTU) to its highest supported value.

D.

Configure a second set of active/passive VPN tunnels.

Buy Now
Questions 37

You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.

How should you configure the health check?

Options:

A.

Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.

B.

Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.

C.

Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.

D.

Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.

Buy Now
Questions 38

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?

Options:

A.

Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.

B.

Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.

C.

Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.

D.

Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

Buy Now
Questions 39

You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.

Always allow Secure Shell (SSH) from your corporate IP address.

Restrict SSH access from all other IP addresses.

There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?

Options:

A.

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.

Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.

B.

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.

Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.

C.

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.

Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.

D.

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1

Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

Buy Now
Questions 40

In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.

What should you do?

Options:

A.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

B.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.

C.

Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.

D.

Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.

Buy Now
Questions 41

You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.

What should you do?

Options:

A.

Ensure that the object you don’t want to be cached anymore is not shared publicly.

B.

Create a new storage bucket, and move the object you don’t want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.

C.

Add an appropriate lifecycle rule on the storage bucket containing the two objects.

D.

Add a Cache-Control entry with value private to the metadata of the object you don’t want to be cached anymore. Invalidate all the previously cached copies.

Buy Now
Questions 42

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.

What should you do?

Options:

A.

Check the VPC flow logs for the instance.

B.

Try connecting to the instance via SSH, and check the logs.

C.

Create a new firewall rule to allow traffic from port 22, and enable logs.

D.

Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

Buy Now
Questions 43

Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node Which Pod per node CIDR range should you use?

Options:

A.

/24

B.

/25

C.

/26

D.

/28

Buy Now
Questions 44

You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-Igal and int-Iga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic Which two actions should you take to meet this requirement? (Choose Two)

Professional-Cloud-Network-Engineer Question 44

Options:

A.

Configure the advertised route priority > 10,200 on the active Interconnect connection.

B.

Advertise a lower MED on the passive Interconnect connection from the on-premises router

C.

Configure the advertised route priority as 200 for the BGP session associated with the active Interconnect connection.

D.

Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.

E.

Advertise a lower MED on the active Interconnect connection from the on-premises router

Buy Now
Questions 45

You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.

How should you provision your instances?

Options:

A.

Create a single managed instance group, specify the desired region, and select Multiple zones for the location.

B.

Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.

C.

Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.

D.

Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.

Buy Now
Questions 46

You recently deployed Cloud VPN to connect your on-premises data canter to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

Options:

A.

In the Network Intelligence Canter, check for the number of packet drops on the VPN.

B.

In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

C.

In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.

D.

In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.

Buy Now
Questions 47

You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible, To ease the transition, you decided to use the same architecture as your on-premises network' a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic IS sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?

Options:

A.

Connect all the spokes to the hub with Cloud VPN.

B.

Connect all the spokes to the hub with VPC Network Peering.

C.

Connect all the spokes to the hub With Cloud VPN. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes

D.

Connect all the spokes to the hub with VPC Network Peering. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.

Buy Now
Questions 48

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

Options:

A.

Enable firewall logging, and forward all filtered egress firewall logs to the IDS.

B.

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.

C.

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

D.

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Buy Now
Questions 49

You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routers are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?

Options:

A.

resource.type= “gce_router”

B.

resource.type= “gce_network_region”

C.

resource.type= “vpn_tunnel”

D.

resource.type= “vpn_gateway”

Buy Now
Questions 50

You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router. What should you do?

Options:

A.

Configure the route advertisement to the default setting.

B.

On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.

C.

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.

D.

Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.

Buy Now
Exam Name: Google Cloud Certified - Professional Cloud Network Engineer
Last Update: Mar 29, 2024
Questions: 170

PDF + Testing Engine

$66.4  $165.99

Testing Engine

$46  $114.99
buy now Professional-Cloud-Network-Engineer testing engine

PDF (Q&A)

$42  $104.99
buy now Professional-Cloud-Network-Engineer pdf