Winter Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpm65

Hot Vendors
  1. Home
  2. Google
  3. Google Cloud Platform
  4. Professional-Cloud-Network-Engineer
  5. Google Cloud Certified - Professional Cloud Network Engineer Questions and Answers

Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer Questions and Answers

Questions 4

You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.

Which two methods can you use to accomplish this? (Choose two.)

Options:

A.

Enable Private Google Access on all the subnets.

B.

Enable Private Google Access on the VPC.

C.

Enable Private Services Access on the VPC.

D.

Create network peering between your VPC and BigQuery.

E.

Create a Cloud NAT, and route the application traffic via NAT gateway.

Buy Now
Questions 5

You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.

How should you design this topology?

Options:

A.

Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.

B.

Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.

C.

Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster.

D.

Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.

Buy Now
Questions 6

You just finished your company’s migration to Google Cloud and configured an architecture with 3 Virtual Private Cloud (VPC) networks: one for Sales, one for Finance, and one for Engineering. Every VPC contains over 100 Compute Engine instances, and now developers using instances in the Sales VPC and the Finance VPC require private connectivity between each other. You need to allow communication between Sales and Finance without compromising performance or security. What should you do?

Options:

A.

Configure an HA VPN gateway between the Finance VPC and the Sales VPC.

B.

Configure the instances that require communication between each other with an external IP address.

C.

Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.

D.

Configure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.

Buy Now
Questions 7

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.

Which connectivity model should you use?

Options:

A.

Direct Peering

B.

Dedicated Interconnect

C.

Partner Interconnect with a layer 2 partner

D.

Partner Interconnect with a layer 3 partner

Buy Now
Questions 8

You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements:

All access to your on-premises network must go through the network virtual appliances.

Allow on-premises access in the event of a single network virtual appliance failure.

Both network virtual appliances must be used simultaneously.

Which method should you use to accomplish this?

Options:

A.

Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.

B.

Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.

C.

Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop.

D.

Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.

Buy Now
Questions 9

Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead. What should you do?

Options:

A.

Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.

B.

Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.

C.

Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.

D.

Configure Packet Mirroring on the VPC. Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

Buy Now
Questions 10

You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead. How should you design this topology?

Options:

A.

Configure a host project with a Shared VPC. Create service projects for Web, App, and Database.

B.

Configure one VPC for Web, one VPC for App, and one VPC for Database. Configure HA VPN between each VPC.

C.

Configure three Shared VPC host projects, each with a service project: one for Web, one for App, and one for Database.

D.

Configure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC Network Peering to connect all VPCs in a full mesh.

Buy Now
Questions 11

Your organization wants to set up hybrid connectivity with VLAN attachments that terminate in a single Cloud Router with 99.9% uptime. You need to create a network design for your on-premises router that meets those requirements and has an active/passive configuration that uses only one VLAN attachment at a time. What should you do?

Options:

A.

Create a design that uses a BGP multi-exit discriminator (MED) attribute to influence the egress path from Google Cloud to the on-premises environment.

B.

Create a design that uses the as_path BGP attribute to influence the egress path from Google Cloud to the on-premises environment.

C.

Create a design that uses an equal-cost multipath (ECMP) with flow-based hashing on your on-premises devices.

D.

Create a design that uses the local_pref BGP attribute to influence the egress path from Google Cloud to the on-premises environment.

Buy Now
Questions 12

Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?

Options:

A.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

B.

Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

C.

Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

D.

Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Buy Now
Questions 13

You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.

What should you do to solve the problem?

Options:

A.

Assign a public IP address to the instance.

B.

Create a route to reach the Master, pointing to the default internet gateway.

C.

Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.

D.

Create the appropriate master authorized network entries to allow the instance to communicate to the master.

Buy Now
Questions 14

Question:

Your organization has distributed geographic applications with significant data volumes. You need to create a design that exposes the HTTPS workloads globally and keeps traffic costs to a minimum. What should you do?

Options:

A.

Deploy a regional external Application Load Balancer with Standard Network Service Tier.

B.

Deploy a regional external Application Load Balancer with Premium Network Service Tier.

C.

Deploy a global external proxy Network Load Balancer with Standard Network Service Tier.

D.

Deploy a global external Application Load Balancer with Premium Network Service Tier.

Buy Now
Questions 15

Your company’s Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:

/fr/video

/en/video

/es/video

/../video

/fr/audio

/en/audio

/es/audio

/../audio

Which solution should you recommend?

Options:

A.

Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.

B.

Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.

C.

Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and

\/[a-z]{2}\/audio.

D.

Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.

Buy Now
Questions 16

You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.

Which subnet mask should you use for the Pod IP address range?

Options:

A.

/21

B.

/22

C.

/23

D.

/25

Buy Now
Questions 17

You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?

Options:

A.

Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.

B.

Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.

C.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.

D.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

Buy Now
Questions 18

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.

How should you configure your firewall rules?

Options:

A.

Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.

B.

Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.

C.

Create a single firewall rule to allow port 22 with priority 1000.

D.

Create a single firewall rule to allow port 3389 with priority 1000.

Buy Now
Questions 19

Your organization has a Google Cloud Virtual Private Cloud (VPC) with subnets in us-east1, us-west4, and europe-west4 that use the default VPC configuration. Employees in a branch office in Europe need to access the resources in the VPC using HA VPN. You configured the HA VPN associated with the Google Cloud VPC for your organization with a Cloud Router deployed in europe-west4. You need to ensure that the users in the branch office can quickly and easily access all resources in the VPC. What should you do?

Options:

A.

Create custom advertised routes for each subnet.

B.

Configure each subnet’s VPN connections to use Cloud VPN to connect to the branch office.

C.

Configure the VPC dynamic routing mode to Global.

D.

Set the advertised routes to Global for the Cloud Router.

Buy Now
Questions 20

Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?

Options:

A.

Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers.

In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.

B.

Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the Private zone to the on-premises DNS servers.

In your Cloud Router, add a custom route advertisement for the IP 169.254 169.254 to the on-premises environment.

C.

Configure a Cloud DNS private zone in the host project of the Shared VPC.

Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project

In your Cloud Router, add a custom route advertisement for the IP 169.254 169 254 to the on-premises environment.

D.

Configure a Cloud DNS private zone in the host project of the Shared VPC.

Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project.

Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.

Buy Now
Questions 21

You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.

Which level of permissions should you request?

Options:

A.

Security Admin privileges from the Shared VPC Admin.

B.

Service Project Admin privileges from the Shared VPC Admin.

C.

Shared VPC Admin privileges from the Organization Admin.

D.

Organization Admin privileges from the Organization Admin.

Buy Now
Questions 22

Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue. What should you do?

Options:

A.

Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

B.

Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

C.

Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.

D.

Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.

Buy Now
Questions 23

You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.

How should you configure the health check?

Options:

A.

Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.

B.

Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.

C.

Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.

D.

Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.

Buy Now
Questions 24

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.

What should you do?

Options:

A.

Enable logging on the default Deny Any Firewall Rule.

B.

Enable logging on the VM Instances that receive traffic.

C.

Create a logging sink forwarding all firewall logs with no filters.

D.

Create an explicit Deny Any rule and enable logging on the new rule.

Buy Now
Questions 25

You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access.

The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?

Options:

A.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub.

Import the custom routes in the spokes.

B.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

Delete the default internet gateway route of the spokes.

C.

Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

D.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Create a new route in the spoke VPC that points to IP address 10.0.0.5.

Buy Now
Questions 26

You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the object in the storage bucket can be served by the CDN.

What should you do in the GCP Console?

Options:

A.

Create a new cloud storage bucket, and then enable Cloud CDN on it.

B.

Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.

C.

Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.

D.

Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.

Buy Now
Questions 27

Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.

Which Google Cloud load balancer should you use?

Options:

A.

SSL proxy load balancer

B.

Network load balancer

C.

HTTPS load balancer

D.

TCP proxy load balancer

Buy Now
Questions 28

Question:

Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected. What should you do?

Options:

A.

Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs.

B.

Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the tls-inspect flag and associate the firewall rules with the VMs.

C.

Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content.

D.

Use Cloud NGFW Essentials. Create a firewall rule for egress traffic and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities.

Buy Now
Questions 29

You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.

Which two actions should you take? (Choose two.)

Options:

A.

Activate the Service Networking API in your project.

B.

Activate the Cloud Datastore API in your project.

C.

Create a private connection to a service producer.

D.

Create a custom static route to allow the traffic to reach the Cloud SQL API.

E.

Enable Private Google Access.

Buy Now
Questions 30

In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?

Options:

A.

Create network tag app-server and service account sa-db@my-project.iam.gserviceaccount.com. Add the tag to the application servers, and associate the service account with the database servers. Run the following command:

gcloud compute firewall-rules create app-db-firewall-rule \

--action allow \

--direction ingress \

--rules top:3306 \

--source-tags app-server \

--target-service-accounts sa-db@my-<

B.

Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate service account sa-app with the application servers, and associate the

service account sa-db with the database servers. Run the following command:

gcloud compute firewall-rules create app-db-firewall-ru

--allow TCP:3306 \

--source-service-accounts sa-app@democloud-idp-

demo.iam.gserv

C.

Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate the service account sa-app with the application servers, and associate

the service account sa-db with the database servers. Run the following command:

gcloud compute firewall-rules create app-db-firewall-ru

--allow TCP:3306 \

--source-ranges 10.128.0.0/20 \

--source-service-accounts

D.

Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command:

gcloud compute firewall-rules create app-db-firewall-rule \

--action allow \

--direction ingress \

--rules tcp:3306 \

--source-ranges 10.128.0.0/20 \

--source-tags app-server \

--target-tags db-server

Buy Now
Questions 31

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.

What should you do?

Options:

A.

Open the Cloud Shell SSH into the instance using gcloud compute ssh.

B.

Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.

C.

Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.

D.

Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.

Buy Now
Questions 32

You are designing a packet mirroring policy as pan of your network security architecture for your gaming workload. Your Infrastructure is located in the us-west2 region and deployed across several zones: us-west2-a. us-west2-b. and us-west2-c The Infrastructure Is running a web-based application on TCP ports 80 and 443 with other game servers that utilize the UDP protocol. You need to deploy packet mirroring policies and collector instances to monitor web application traffic while minimizing inter-zonal network egress costs.

Following Google-recommended practices, how should you deploy the packet mirroring policies and collector instances?

Options:

A.

Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure each policy to match traffic for Its zone based on instance-tags, and create a filter for TCP traffic.

B.

Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure

each policy to match traffic for its zone based on subnets, and create a filter for TCP traffic

C.

Create one packet mirroring policy for the us-west2 region. Create one group of collector instances for the us-west2 region Configure the

packet mirroring policy to match traffic for web server instances based on instance-tags, and create a filter for TCP traffic.

D.

Create three packet mirroring policies: one for each zone. Create one group of collector instances for the us-west2 region. Configure each packet mirroring policy to match traffic for its zone based on instance-tags, and create a filter for TCP traffic

Buy Now
Questions 33

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters, Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new dusters. You want to follow Google-recommended practices, What should you do after designing your IP scheme?

Options:

A.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.

B.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters.

C.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected: --enab1e-ip-a1ias and --enable-private-nodes.

D.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and – siable-default-snat, --enable-ip-alias, and –enable-private-nodes

Buy Now
Questions 34

You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations. What should you do?

Options:

A.

Use multiple VPC networks with a transit network using VPC Network Peering.

B.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks.

C.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.

D.

Use non-RFC 1918 ranges with a single global VPC.

Buy Now
Questions 35

You recently deployed your application in Google Cloud. You need to verify your Google Cloud network configuration before deploying your on-premises workloads. You want to confirm that your Google Cloud network configuration allows traffic to flow from your cloud resources to your on- premises network. This validation should also analyze and diagnose potential failure points in your Google Cloud network configurations without sending any data plane test traffic. What should you do?

Options:

A.

Use Network Intelligence Center's Connectivity Tests.

B.

Enable Packet Mirroring on your application and send test traffic.

C.

Use Network Intelligence Center's Network Topology visualizations.

D.

Enable VPC Flow Logs and send test traffic.

Buy Now
Questions 36

Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

Options:

A.

Firewall rule direction: ingress

Action: allow

Target: VM B service account

Source ranges: VM A service account

Priority: 1000

B.

Firewall rule direction: ingress

Action: allow

Target: specific VM B tag

Source ranges: VM A tag and VM A source IP address

Priority: 1000

C.

Firewall rule direction: ingress

Action: allow

Target: VM A service account

Source ranges: VM B service account and VM B source IP address

Priority: 100

D.

Firewall rule direction: ingress

Action: allow

Target: specific VM A tag

Source ranges: VM B tag and VM B source IP address

Priority: 100

Buy Now
Questions 37

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.

What is the most likely cause of the problem?

Options:

A.

You have not configured compression in Cloud CDN.

B.

You have configured the web servers and Cloud CDN with different compression types.

C.

The web servers behind the load balancer are configured with different compression types.

D.

You have to configure the web servers to compress responses even if the request has a Via header.

Buy Now
Questions 38

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

Options:

A.

Enable firewall logging, and forward all filtered egress firewall logs to the IDS.

B.

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.

C.

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

D.

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Buy Now
Questions 39

Question:

You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

Options:

A.

Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.

B.

Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

C.

Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

D.

Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Buy Now
Questions 40

You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.

What should you do?

Options:

A.

Use a 4-byte private ASN 4200000000-4294967294.

B.

Use a 2-byte private ASN 64512-65535.

C.

Use a public Google ASN 15169.

D.

Use a public Google ASN 16550.

Buy Now
Questions 41

Question:

You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps. What should you do?

Options:

A.

Configure Private Google Access on the VPC resource. Create a default route to the internet.

B.

Configure Private Google Access on the subnet resource. Create a default route to the internet.

C.

Configure Cloud NAT and remove the default route to the internet.

D.

Configure a global Secure Web Proxy and remove the default route to the internet.

Buy Now
Questions 42

In your Google Cloud organization, you have two folders: Dev and Prod. You want a scalable and consistent way to enforce the following firewall rules for all virtual machines (VMs) with minimal cost:

Port 8080 should always be open for VMs in the projects in the Dev folder.

Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.

What should you do?

Options:

A.

Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.

B.

Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.

C.

In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.

D.

Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.

Buy Now
Questions 43

You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):

Professional-Cloud-Network-Engineer Question 43

You need to update the firewall rule to add the following rule to the ruleset:

Professional-Cloud-Network-Engineer Question 43

You are using a new user account. You must assign the appropriate identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?

Options:

A.

Assign the compute.securityAdmin and logging.viewer rule to the new user account. Apply the new firewall rule with a priority of 50.

B.

Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

C.

Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.

D.

Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Buy Now
Questions 44

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?

Options:

A.

Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.

B.

Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.

C.

Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.

D.

Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

Buy Now
Questions 45

You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

Options:

A.

In the Monitoring section of the Google Cloud console, use the Dashboard section to select a default dashboard for VPN usage.

B.

In Network Intelligence Center, check for the number of packet drops on the VPN.

C.

In the VPN section of the Google Cloud console, select the VPN under hybrid connectivity and then select monitoring to display utilization on the dashboard.

D.

In the Google Cloud console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

Buy Now
Questions 46

You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations to ensure that there are no rules allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work. What should you do?

Options:

A.

Use Firewall Insights, and enable insights for overly permissive rules.

B.

Review Network Analyzer insights on the VPC network category.

C.

Export all your Cloud NGFW rules into a CSV file and search for 0.0.0.0/0.

D.

Run Connectivity Tests from multiple external sources to confirm that traffic is not allowed to ingress to your most critical services in Google Cloud.

Buy Now
Questions 47

Your company's logo is published as an image file across multiple websites that are hosted by your company You have implemented Cloud CDN, however, you want to improve the performance of the cache hit ratio associated with this image file. What should you do?

Options:

A.

Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes-

B.

Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type

C.

Configure versioned IJRLs for each domain to serve users the •mage file before the cache entry expires

D.

Configure the default time to live (TTL) as O for the image file.

Buy Now
Questions 48

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

Certain data must stay in the project where it is stored and not be exfiltrated to other projects.

Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.

All DNS resolution must be done on-premises.

The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

Options:

A.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

B.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

C.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

D.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

Buy Now
Questions 49

You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.

Which two methods can you use to accomplish this? (Choose two.)

Options:

A.

GetIamPolicy() via REST API

B.

setIamPolicy() via REST API

C.

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

D.

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

E.

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Buy Now
Questions 50

After a network change window one of your company’s applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.

What is the most likely cause of this problem?

Options:

A.

The less specific VPC subnet route is taking priority.

B.

The more specific VPC subnet route is taking priority.

C.

The on-premises router is not advertising a route for the database server.

D.

A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

Buy Now
Questions 51

You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.

What should you do?

Options:

A.

Assign each user the editor role.

B.

Assign each user the compute.networkAdmin role.

C.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.

D.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

Buy Now
Questions 52

You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.

How should you provision your instances?

Options:

A.

Create a single managed instance group, specify the desired region, and select Multiple zones for the location.

B.

Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.

C.

Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.

D.

Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.

Buy Now
Questions 53

You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on- premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team’s requirements?

Options:

A.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.

Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.

B.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

C.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

D.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.

Create a custom route that points Google's private API address range to the default internet gateway as the next hop.

Buy Now
Questions 54

You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

Options:

A.

Tune TCP parameters on the on-premises servers.

B.

Compress files using utilities like tar to reduce the size of data being sent.

C.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

D.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Buy Now
Questions 55

You have the following Shared VPC design VPC Flow Logs is configured for Subnet-1 In the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?

Professional-Cloud-Network-Engineer Question 55

Options:

A.

Configure a firewall rule to permit Subnet-2 IP addresses outbound in the host protect VPC.

B.

Configure Packet Mirroring in both the host and service project VPCs.

C.

Configure a VPC Flow Logs filter for Subnet-2 in the host project VPC.

D.

Configure VPC Flow Logs in the service project VPC for Subnet-2.

Buy Now
Questions 56

You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?

Options:

A.

gcloud compute instances add-access-config instance-1

B.

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

C.

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

D.

gcloud compute health-checks update http health-check --unhealthy-threshold 10

Buy Now
Questions 57

You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.

How should you design this topology?

Options:

A.

Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.

B.

Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

C.

Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

D.

Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

Buy Now
Questions 58

Question:

Recently, your networking team enabled Cloud CDN for one of the external-facing services that is exposed through an external Application Load Balancer. The application team has already defined which content should be cached within the responses. Upon testing the load balancer, you did not observe any change in performance after the Cloud CDN enablement. You need to resolve the issue. What should you do?

Options:

A.

Configure the CACHE_MAX_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses from the backends.

B.

Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content based on response headers from the backends.

C.

Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends.

D.

Configure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached.

Buy Now
Questions 59

You configured a single IPSec Cloud VPN tunnel for your organization to a third-party customer. You confirmed that the VPN tunnel is established; however, the BGP session status states that BGP is not configured. The customer has provided you with their BGP settings:

    Local BGP address: 169.254.11.1/30

    Local ASN: 64515

    Peer BGP address: 169.254.11.2

    Peer ASN: 64517

    Base MED: 1000

    MD5 Authentication: Disabled

You need to configure the local BGP session for this tunnel based on the settings provided by the customer. You already associated the Cloud Router with the Cloud VPN Tunnel. What settings should you use for the BGP session?

Options:

A.

Peer ASN: 64517

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Disabled

B.

Peer ASN: 64515

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Disabled

C.

Peer ASN: 64515

Advertised Route Priority (MED): 1000

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Enabled

D.

Peer ASN: 64515

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.1

Peer BGP IP: 169.254.11.2

MD5 Authentication: Disabled

Buy Now
Questions 60

Question:

Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team and ensure the solution can scale. What should you do?

Options:

A.

Configure VPC Network Peering and peer one of the VPCs to the service project.

B.

Configure Policy-based Routing for each team.

C.

Configure a Shared VPC and create a VPC network in the host project.

D.

Configure a Shared VPC, and create a VPC network in the service project.

Buy Now
Questions 61

You are planning to use Terraform to deploy the Google Cloud infrastructure for your company The design must meet the following requirements

• Each Google Cloud project must represent an Internal project that your team Will work on

• After an internal project is finished, the infrastructure must be deleted

• Each Internal project must have Its own Google Cloud project owner to manage the Google Cloud resources-

• You have 10-100 projects deployed at a time,

While you are writing the Terraform code, you need to ensure that the deployment IS Simple, and the code IS reusable With

centralized management What should you doo

Options:

A.

Create a Single pt0Ject and additional VPCs for each Internal project

B.

Create a Single Project and Single VPC for each internal project

C.

Create a single Shared VPC and attach each Google Cloud project as a service project

D.

Create a Shared VPC and service project for each Internal project

Buy Now
Questions 62

Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:

    Your ISP is a Google Partner Interconnect provider.

    Your on-premises VPN device’s internet uplink and downlink speeds are 10 Gbps.

    A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.

    Most of the data transfer will be from GCP to the on-premises environment.

    The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.

    Cost and the complexity of the solution should be minimal.

How should you provision the connectivity solution?

Options:

A.

Provision a Partner Interconnect through your ISP.

B.

Provision a Dedicated Interconnect instead of a VPN.

C.

Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.

D.

Use network compression over your VPN to increase the amount of data you can send over your VPN.

Buy Now
Questions 63

You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?

Options:

A.

Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.

B.

Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE] .c.[PROJECT_ID].internal/.

C.

Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.

D.

Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION] /.

Buy Now
Questions 64

You have the following private Google Kubernetes Engine (GKE) cluster deployment:

Professional-Cloud-Network-Engineer Question 64

You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40 2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?

Options:

A.

Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.

B.

Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2

C.

Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2

D.

Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 35.224.37.17.

Buy Now
Exam Code: Professional-Cloud-Network-Engineer
Exam Name: Google Cloud Certified - Professional Cloud Network Engineer
Last Update: Nov 17, 2024
Questions: 215

PDF + Testing Engine

$56  $159.99
buy now Professional-Cloud-Network-Engineer pdf + testing engine

Testing Engine

$42  $119.99
buy now Professional-Cloud-Network-Engineer testing engine

PDF (Q&A)

$35  $99.99
buy now Professional-Cloud-Network-Engineer pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 21 Nov 2024