Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer Questions and Answers

Questions 4

You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a second Cloud Router (router-2) in the 172.16.0.0/16 network. Which configuration should you use for the BGP session?

Options:

Professional-Cloud-Network-Engineer Question 4 Option 1

Buy Now

Questions 5

Your organization has resources in two different VPCs, each in different Google Cloud projects, and requires connectivity between the resources in the two VPCs. You have already determined that there is no IP address overlap; however, one VPC uses privately used public IP (PUPI) ranges. You would like to enable connectivity between these resources by using a lower cost and higher performance method. What should you do?

Options:

Create an HA VPN between the two VPCs that includes the PUPI ranges in the custom route advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.

Create a VPC Network Peering connection between the two VPCs that allows the export and import of custom routes for public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using service accounts as the source filter.

Create a VPC Network Peering connection between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.

Buy Now

Questions 6

You configured a single IPSec Cloud VPN tunnel for your organization to a third-party customer. You confirmed that the VPN tunnel is established; however, the BGP session status states that BGP is not configured. The customer has provided you with their BGP settings:

Local BGP address: 169.254.11.1/30

Local ASN: 64515

Peer BGP address: 169.254.11.2

Peer ASN: 64517

Base MED: 1000

MD5 Authentication: Disabled

You need to configure the local BGP session for this tunnel based on the settings provided by the customer. You already associated the Cloud Router with the Cloud VPN Tunnel. What settings should you use for the BGP session?

Options:

Peer ASN: 64517

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Disabled

Peer ASN: 64515

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Disabled

Peer ASN: 64515

Advertised Route Priority (MED): 1000

Local BGP IP: 169.254.11.2

Peer BGP IP: 169.254.11.1

MD5 Authentication: Enabled

Peer ASN: 64515

Advertised Route Priority (MED): 100

Local BGP IP: 169.254.11.1

Peer BGP IP: 169.254.11.2

MD5 Authentication: Disabled

Buy Now

Questions 7

You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?

Options:

Order a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.

Order a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.

Order a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Buy Now

Questions 8

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters, Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new dusters. You want to follow Google-recommended practices, What should you do after designing your IP scheme?

Options:

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected: --enab1e-ip-a1ias and --enable-private-nodes.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and – siable-default-snat, --enable-ip-alias, and –enable-private-nodes

Buy Now

Answer:

Explanation:

The correct answer is D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.

This answer is based on the following facts:

Privately used public IP (PUPI) addresses are any public IP addresses not owned by Google that a customer can use privately on Google Cloud1. You can use PUPI addresses for GKE pods and services in private clusters to mitigate address exhaustion.

A private GKE cluster is a cluster that has no public IP addresses on the nodes2. You can use private clusters to isolate your workloads from the public internet and enhance security.

The --disable-default-snat option disables source network address translation (SNAT) for the cluster3. This option allows you to use PUPI addresses without conflicting with other public IP addresses on the internet.

The --enable-ip-alias option enables alias IP ranges for the cluster4. This option allows you to use separate subnet ranges for nodes, pods, and services, and to specify the size of those ranges.

The --enable-private-nodes option enables private nodes for the cluster5. This option ensures that the nodes have no public IP addresses and can only communicate with other Google Cloud resources in the same VPC network or peered networks.

The other options are not correct because:

Option A is not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for pods across multiple private GKE clusters can cause IP conflicts and routing issues.

Option B is also not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for services across multiple private GKE clusters can cause IP conflicts and routing issues.

Option C is not feasible. Creating privately used public IP primary and secondary subnet ranges for the clusters is a valid step, but creating a private GKE cluster with only --enable-ip-alias and --enable-private-nodes options is not enough. You also need to disable default SNAT to avoid IP conflicts with other public IP addresses on the internet.

Questions 9

You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network.

What should you do?

Options:

Configure global load balancing to point 172.16.45.0/24 to the correct instance.

Create unique DNS records for each service that sends traffic to the desired IP address.

Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.

Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.

Buy Now

Questions 10

You recently deployed Cloud VPN to connect your on-premises data canter to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

Options:

In the Network Intelligence Canter, check for the number of packet drops on the VPN.

In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.

In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.

Buy Now

Questions 11

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.

What is the most likely cause of the problem?

Options:

You have not configured compression in Cloud CDN.

You have configured the web servers and Cloud CDN with different compression types.

The web servers behind the load balancer are configured with different compression types.

You have to configure the web servers to compress responses even if the request has a Via header.

Buy Now

Questions 12

You are migrating to Cloud DNS and want to import your BIND zone file.

Which command should you use?

Options:

gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE

Buy Now

Questions 13

After a network change window one of your company’s applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.

What is the most likely cause of this problem?

Options:

The less specific VPC subnet route is taking priority.

The more specific VPC subnet route is taking priority.

The on-premises router is not advertising a route for the database server.

A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

Buy Now

Questions 14

You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

Options:

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 10.204.0.0/24.

Set a custom route advertisement on the Cloud Router for 10.204.0.0/24

Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168 20.88.

Configure your on-premises firewall to accept traffic from 35.199.192.0/19

Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

Create a private forwarding zone in Cloud DNS for ‘corp .altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 10.204.0.0/24.

Modify the /etc/resolv conf file on your Compute Engine instances to point to 192.168.20 88

Create a private zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com.

Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88.

Configure your on-premises firewall to accept traffic from 35.199.192.0/19.

Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

Buy Now

Questions 15

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

Professional-Cloud-Network-Engineer Question 15

Options:

Configure a custom route advertisement on the Cloud Router.

Enable IP forwarding in the asia-southeast1 region.

Change the VPC dynamic routing mode to Global.

Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Buy Now

Questions 16

You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements:

All access to your on-premises network must go through the network virtual appliances.

Allow on-premises access in the event of a single network virtual appliance failure.

Both network virtual appliances must be used simultaneously.

Which method should you use to accomplish this?

Options:

Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.

Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.

Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop.

Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.

Buy Now

Questions 17

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.

What should you do?

Options:

Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.

Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Buy Now

Questions 18

You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

Options:

In the Monitoring section of the Google Cloud console, use the Dashboard section to select a default dashboard for VPN usage.

In Network Intelligence Center, check for the number of packet drops on the VPN.

In the VPN section of the Google Cloud console, select the VPN under hybrid connectivity and then select monitoring to display utilization on the dashboard.

In the Google Cloud console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

Buy Now

Questions 19

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.

What should you do?

Options:

Open the Cloud Shell SSH into the instance using gcloud compute ssh.

Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.

Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.

Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.

Buy Now

Questions 20

You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?

Options:

Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Buy Now

Questions 21

You work for a university that is migrating to Google Cloud.

These are the cloud requirements:

On-premises connectivity with 10 Gbps

Lowest latency access to the cloud

Centralized Networking Administration Team

New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

What should you do?

Options:

Use Shared VPC, and deploy the VLAN attachments and Dedicated Interconnect in the host project.

Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Dedicated Interconnects.

Use standalone projects and deploy the VLAN attachments and Dedicated Interconnects in each of the individual projects.

Buy Now

Questions 22

You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application.

Which type of load balancer should you use?

Options:

HTTP(S) load balancer

Network load balancer

Internal TCP/UDP load balancer

TCP/SSL proxy load balancer

Buy Now

Questions 23

You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) Instances What two prerequisite tasks must be completed before creating the load balancer?

Choose 2 answers

Options:

Choose a region.

Create firewall rules for health checks

Reserve a static IP address for the load balancer

Determine the subnet mask for a proxy-only subnet.

Determine the subnet mask for Serverless VPC Access.

Buy Now

Questions 24

Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that the caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it as a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.

Which two steps should you take? (Choose two.)

Options:

Use Cloud Armor to blacklist the attacker’s IP addresses.

Increase the maximum autoscaling backend to accommodate the severe bursty traffic.

Create a global HTTP(s) load balancer and move your application backend to this load balancer.

Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.

SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Buy Now

Questions 25

Your organization recently created a sandbox environment for a new cloud deployment. To have parity with the production environment, a pair of Compute Engine instances with multiple network interfaces (NICs) were deployed. These Compute Engine instances have a NIC in the Untrusted VPC (10.0.0.0/23) and a NIC in the Trusted VPC (10.128.0.0/9). A HA VPN tunnel has been established to the on-premises environment from the Untrusted VPC. Through this pair of VPN tunnels, the on-premises environment receives the route advertisements for the Untrusted and Trusted VPCs. In return, the on-premises environment advertises a number of CIDR ranges to the Untrusted VPC. However, when you tried to access one of the test services from the on-premises environment to the Trusted VPC, you received no response. You need to configure a highly available solution to enable the on-premises users to connect to the services in the Trusted VPC. What should you do?

Options:

Add both multi-NIC VMs to a new unmanaged instance group, named nva-uig.

Create an internal passthrough Network Load Balancer in the Untrusted VPC, named ilb-untrusted, with the nva-uig unmanaged instance group designated as the backend.

Create a custom static route in the Untrusted VPC for destination 10.123.0.0/9 and the next hop ilb-untrusted.

Create an internal passthrough Network Load Balancer in the Trusted VP

Add both multi-NIC VMs to a new unmanaged instance group, named nva-uig.

Create an internal passthrough Network Load Balancer in the Untrusted VPC, named ilb-untrusted, with the nva-uig unmanaged instance group designated as the backend.

Create a custom static route in the Untrusted VPC for destination 10.128.0.0/9 and the next hop ilb-untrusted.

Create an internal passthrough Network Load Balancer in the Trusted VP

Add both multi-NIC VMs to a new unmanaged instance group, named nva-uigO.

Create an internal passthrough Network Load Balancer in the Untrusted VPC, named ilb-untrusted, with the nva-uigO as backend.

Create a custom static route in the Untrusted VPC for destination 10.128.0.0/9 and the next hop ilb-untrusted.

Add both multi-NIC VMs to a new unmanaged instance group, named nva-uigl.

Create an internal passthrou

Add both multi-NIC VMs to a new unmanaged instance group, named nva-uig.

Create two custom static routes in the Untrusted VPC for destination 10.128.0.0/9 and set each of the VMs’ NIC as the next hop.

Create two custom static routes in the Trusted VPC for destination 10.0.0.0/23 and set each of the VMs' NIC as the next hop.

Buy Now

Questions 26

Question:

You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights into what is occurring within Google Cloud. What should you do?

Options:

Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.

Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider.

Enable the Firewall insights API. Set the deny rule insights observation period to one day. Review the insights to assure there are no firewall rules denying traffic.

Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider.

Buy Now

Questions 27

Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?

Options:

Configure your VPC routing in regional mode.

Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

Configure your VPC routing in global mode.

Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

Configure your VPC routing in global mode.

Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.

Configure your VPC routing in regional mode.

Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.

Buy Now

Questions 28

You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

Options:

Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.

Buy Now

Questions 29

You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions. The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices. What should you do?

Options:

Create one VPC with one subnet in each region.

Create a regional network load balancer in each region with a static IP address.

Enable Cloud CDN on the load balancers.

Create an A record in Cloud DNS with both IP addresses for the load balancers.

Create one VPC with one subnet in each region.

Create a global load balancer with a static IP address.

Enable Cloud CDN and Google Cloud Armor on the load balancer.

Create an A record using the IP address of the load balancer in Cloud DNS.

Create one VPC in each region, and peer both VPCs.

Create a global load balancer.

Enable Cloud CDN on the load balancer.

Create a CNAME for the load balancer in Cloud DNS.

Create one VPC with one subnet in each region.

Create an HTTP(S) load balancer with a static IP address.

Choose the standard tier for the network.

Enable Cloud CDN on the load balancer.

Create a CNAME record using the load balancer’s IP address in Cloud DNS.

Buy Now

Questions 30

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

Options:

Configure the remote autonomous system number (ASN) to 4096.

Configure a second Cloud Router to scale bandwidth in and out of the VPC.

Configure the maximum transmission unit (MTU) to its highest supported value.

Configure a second set of active/passive VPN tunnels.

Buy Now

Questions 31

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.

How should you configure your firewall rules?

Options:

Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.

Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.

Create a single firewall rule to allow port 22 with priority 1000.

Create a single firewall rule to allow port 3389 with priority 1000.

Buy Now

Questions 32

You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.

How should you update your instances?

Options:

Manually patch some of the instances, and then perform a rolling restart on the instance group.

Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.

Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.

Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.

Buy Now

Questions 33

You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.

How should you design this topology?

Options:

Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.

Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

Buy Now

Questions 34

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).

Which routing option should you choose?

Options:

Dynamic routing using Cloud Router

Route-based routing using default traffic selectors

Policy-based routing using a custom local traffic selector

Policy-based routing using the default local traffic selector

Buy Now

Questions 35

You create multiple Compute Engine virtual machine instances to be used as TFTP servers.

Which type of load balancer should you use?

Options:

HTTP(S) load balancer

SSL proxy load balancer

TCP proxy load balancer

Network load balancer

Buy Now

Questions 36

Question:

Recently, your networking team enabled Cloud CDN for one of the external-facing services that is exposed through an external Application Load Balancer. The application team has already defined which content should be cached within the responses. Upon testing the load balancer, you did not observe any change in performance after the Cloud CDN enablement. You need to resolve the issue. What should you do?

Options:

Configure the CACHE_MAX_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses from the backends.

Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content based on response headers from the backends.

Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends.

Configure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached.

Buy Now

Questions 37

You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access.

The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5. What should you do?

Options:

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub.

Import the custom routes in the spokes.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

Delete the default internet gateway route of the spokes.

Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Export the custom routes in the hub. Import the custom routes in the spokes.

Create a default route in the hub VPC that points to IP address 10.0.0.5.

Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway.

Create a new route in the spoke VPC that points to IP address 10.0.0.5.

Buy Now

Questions 38

You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.

Which GKE resource should you use?

Options:

GKE Node

GKE Pod

GKE Cluster

GKE Ingress

Buy Now

Questions 39

You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?

Options:

Configure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.

Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.

Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

Buy Now

Questions 40

You are the network administrator responsible for hybrid connectivity at your organization. Your developer team wants to use Cloud SQL in the us-west1 region in your Shared VPC. You configured a Dedicated Interconnect connection and a Cloud Router in us-west1, and the connectivity between your Shared VPC and on-premises data center is working as expected. You just created the private services access connection required for Cloud SQL using the reserved IP address range and default settings. However, your developers cannot access the Cloud SQL instance from on-premises. You want to resolve the issue. What should you do?

Options:

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.

Change the VPC routing mode to global.

Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.

Create an additional Cloud Router in us-west2.

Create a new Border Gateway Protocol (BGP) peering connection to your on-premises data center.

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

Change the VPC routing mode to global.

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

Buy Now

Questions 41

(You need to migrate multiple PostgreSQL databases from your on-premises data center to Google Cloud. You want to significantly improve the performance of your databases while minimizing changes to your data schema and application code. You expect to exceed 150 TB of data per geographical region. You want to follow Google-recommended practices and minimize your operational costs. What should you do?)

Options:

Migrate your data to AlloyDB.

Migrate your data to Spanner.

Migrate your data to Firebase.

Migrate your data to Bigtable.

Buy Now

Answer:

A, C, D

Explanation:

Let's analyze each option based on the requirements: PostgreSQL compatibility, significant performance improvement, minimal schema/code changes, handling large data volumes, Google-recommended practices, and cost minimization:

A. Migrate your data to AlloyDB: AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service that offers significant performance improvements over standard PostgreSQL due to its architectural optimizations. It is designed to handle large data volumes and minimizes the need for schema and application code changes as it's wire-compatible with PostgreSQL. This aligns well with the requirements for performance improvement, minimal changes, large data, and being a Google-recommended option for PostgreSQL workloads.

B. Migrate your data to Spanner: Spanner is a globally distributed, horizontally scalable database with strong consistency. While it offers excellent scalability and performance, it's not directly PostgreSQL-compatible. Migrating to Spanner would likely require significant schema and application code changes due to differences in data modeling and SQL dialect.

C. Migrate your data to Firebase: Firebase is a suite of mobile and web development tools, with its primary database offering being Firestore (a NoSQL document database) and Realtime Database. These are not PostgreSQL-compatible and would require substantial changes to the data model and application code.

D. Migrate your data to Bigtable: Bigtable is a highly scalable NoSQL wide-column store. It's not compatible with PostgreSQL and requires a completely different data model and application logic.

Therefore, AlloyDB is the most suitable option as it provides PostgreSQL compatibility for minimal migration effort, significant performance improvements, scalability for large data volumes, and is a recommended Google Cloud database service for PostgreSQL workloads.

Google Cloud Documentation References:

AlloyDB for PostgreSQL Overview: https://cloud.google.com/alloydb/docs/overview - This document highlights AlloyDB 's PostgreSQL compatibility, performance benefits, scalability, and suitability for migrating existing PostgreSQL workloads.

Spanner Overview: https://cloud.google.com/spanner/docs/overview - This emphasizes Spanner 's unique features and differences from traditional relational databases like PostgreSQL.

Firebase Documentation: https://firebase.google.com/docs - This outlines the features of Firebase, including Firestore and Realtime Database, highlighting their NoSQL nature and incompatibility with PostgreSQL.

Cloud Bigtable Overview: https://cloud.google.com/bigtable/docs/overview - This describes Bigtable as a NoSQL database, emphasizing its differences from relational databases like PostgreSQL.

===========

Questions 42

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.

Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

Options:

VPC peering

Shared VPC

Cloud VPN

Dedicated Interconnect

Cloud NAT

Buy Now

Questions 43

You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on- premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team’s requirements?

Options:

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.

Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.

Create a custom route that points Google's private API address range to the default internet gateway as the next hop.

Buy Now

Questions 44

Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

Options:

Firewall rule direction: ingress

Action: allow

Target: VM B service account

Source ranges: VM A service account

Priority: 1000

Firewall rule direction: ingress

Action: allow

Target: specific VM B tag

Source ranges: VM A tag and VM A source IP address

Priority: 1000

Firewall rule direction: ingress

Action: allow

Target: VM A service account

Source ranges: VM B service account and VM B source IP address

Priority: 100

Firewall rule direction: ingress

Action: allow

Target: specific VM A tag

Source ranges: VM B tag and VM B source IP address

Priority: 100

Buy Now

Questions 45

You need to create the technical architecture for hybrid connectivity from your data center to Google Cloud This will be managed by a partner. You want to follow Google-recommended practices for production-level applications. What should you do?

Options:

Ask the partner to install two security appliances in the data center. Configure one VPN connection from each of these devices to Google

Cloud, and ensure that the VPN devices on-premises are in separate racks on separate power and cooling systems.

Configure two Partner Interconnect connections in one metropolitan area (metro). Make sure the Interconnect connections are placed in

different metro edge availability domains. Configure two VLAN attachments in a single region, and configure regional dynamic routing on

the VPC

Configure two Partner Interconnect connections in one metro and two connections in another metro Make sure the Interconnect

connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN

attachments in another region, and configure global dynamic routing on the VPC

Configure two Partner Interconnect connections in one metro and two connections in another metro. Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure regional dynamic routing on the VPC.

Buy Now

Questions 46

You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible, To ease the transition, you decided to use the same architecture as your on-premises network' a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic IS sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?

Options:

Connect all the spokes to the hub with Cloud VPN.

Connect all the spokes to the hub with VPC Network Peering.

Connect all the spokes to the hub With Cloud VPN. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes

Connect all the spokes to the hub with VPC Network Peering. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.

Buy Now

Questions 47

Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?

Options:

Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Buy Now

Questions 48

Question:

Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue. What should you do?

Options:

Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.

Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.

Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

Buy Now

Questions 49

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

Certain data must stay in the project where it is stored and not be exfiltrated to other projects.

Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.

All DNS resolution must be done on-premises.

The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

Options:

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

Buy Now

Questions 50

You built a web application with several containerized microservices. You want to run those microservices on Cloud Run. You must also ensure that the services are highly available to your customers with low latency. What should you do?

Options:

Deploy the Cloud Run services to multiple availability zones. Create a global TCP load balancer. Add the Cloud Run endpoints to its backend service.

Deploy the Cloud Run services to multiple regions. Create serverless network endpoint groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach the serverless NEGs as backend services of the load balancer.

Deploy the Cloud Run services to multiple availability zones. Create Cloud Endpoints that point to the services. Create a global HTTPS load balancer, and attach the Cloud Endpoints to its backend

Deploy the Cloud Run services to multiple regions. Configure a round-robin A record in Cloud DNS.

Buy Now

Questions 51

One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance.

In the GCP Console, what should you do?

Options:

Assign a public IP address to the instance.

Assign a new reserved internal IP address to the instance.

Change the instance’s current internal IP address to static.

Add custom metadata to the instance with key internal-address and value reserved.

Buy Now

Questions 52

You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

Options:

Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.

Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

Buy Now

Questions 53

Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?

Options:

Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.

Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.

Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.

Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.

Buy Now

Questions 54

You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?

Options:

Delete the default route in your VPC.

Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted googleapis.com, and create an A record for restricted googleapis com that resolves to the addresses in 199.36.153.4/30.

Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.

Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).

Create a public Cloud DNS zone with a CNAME for *.google.com to private googleapis com, create a CNAME for * googleapis.com to private googleapis com, and create an A record for Private googleapis.com that resolves to the addresses in 199.36.153 8/30.

Create a static route in your VPC for th

Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route.

Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to private googleapis com, and create an A record for private.googleapis.com that resolves to the addresses in 199 .36.153.8/30.

Create a static route in your VPC for the range 199.36. 153.8

Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).

Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to Private googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.

Create a static route in your VPC for the range 199.36.153.8/30 with the def

Buy Now

Questions 55

You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.

What should you do?

Options:

Create a Google Group for the WebServices Team.

Create a G Suite Domain for the WebServices Team.

Create a new Cloud Identity Domain for the WebServices Team.

Create a new Custom Role for all members of the WebServices Team.

Buy Now

Questions 56

You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations. What should you do?

Options:

Use multiple VPC networks with a transit network using VPC Network Peering.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.

Use non-RFC 1918 ranges with a single global VPC.

Buy Now

Questions 57

You have a storage bucket that contains the following objects:

- folder-a/image-a-1.jpg

- folder-a/image-a-2.jpg

- folder-b/image-b-1.jpg

- folder-b/image-b-2.jpg

Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.

What should you do?

Options:

Add an appropriate lifecycle rule on the storage bucket.

Issue a cache invalidation command with pattern /folder-a/*.

Make sure that all the objects with prefix folder-a are not shared publicly.

Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.

Buy Now

Questions 58

Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?

Options:

Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.

Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-

premises data center.

Buy Now

Questions 59

You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.

What should you do?

Options:

Upload your public ssh key to the project Metadata.

Upload your public ssh key to each instance Metadata.

Create a custom Google Compute Engine image with your public ssh key embedded.

Use gcloud compute ssh to automatically copy your public ssh key to the instance.

Buy Now

Questions 60

You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.

Which two methods can you use to accomplish this? (Choose two.)

Options:

Enable Private Google Access on all the subnets.

Enable Private Google Access on the VPC.

Enable Private Services Access on the VPC.

Create network peering between your VPC and BigQuery.

Create a Cloud NAT, and route the application traffic via NAT gateway.

Buy Now

Questions 61

Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team. You must also make sure the solution can scale. What should you do?

Options:

Configure VPC Network Peering, and peer one of the VPCs to the service project.

Configure a Shared VPC, and create a VPC network in the service project.

Configure a Shared VPC, and create a VPC network in the host project.

Configure Policy-based Routing for each team.

Buy Now

Questions 62

Question:

Your organization wants to seamlessly migrate a global external web application from Compute Engine to GKE. You need to deploy a simple, cloud-first solution that exposes both applications and sends 10% of the requests to the new application. What should you do?

Options:

Configure a global external Application Load Balancer with a Service Extension that points to an application running in a VM, which controls which requests go to each application.

Configure a global external Application Load Balancer with weighted traffic splitting.

Configure two separate global external Application Load Balancers, and use Cloud DNS geolocation routing policies.

Configure a global external Application Load Balancer with weighted request mirroring.

Buy Now

Questions 63

You work for a multinational enterprise that is moving to GCP.

These are the cloud requirements:

• An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup)

• Multiple regional offices in Europe and APAC

• Regional data processing is required in europe-west1 and australia-southeast1

• Centralized Network Administration Team

Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1.

What should you do?

Options:

• Create 2 VPCs in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Host Project.• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

• Create 2 VPCs in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Service Project.• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

• Create 1 VPC in a Shared VPC Host Project.• Configure a 2-NIC instance in zone us-west1-a in the Host Project.• Attach NIC0 in us-west1 subnet of the Host Project.• Attach NIC1 in us-west1 subnet of the Host Project• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

• Create 1 VPC in a Shared VPC Service Project.• Configure a 2-NIC instance in zone us-west1-a in the Service Project.• Attach NIC0 in us-west1 subnet of the Service Project.• Attach NIC1 in us-west1 subnet of the Service Project• Deploy the instance.• Configure the necessary routes and firewall rules to pass traffic through the instance.

Buy Now

Questions 64

You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?

Options:

Configure a forwarding rule on the existing load balancer for the application tier.

Configure equal cost multi-path routing on the application servers.

Configure a new internal HTTP(S) load balancer for the application tier.

Configure a URL map on the existing load balancer to route traffic to the application tier.

Buy Now

Questions 65

You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.

What should you do?

Options:

Configure a policy-based route rule to prioritize the traffic.

Configure an HTTP load balancer, and direct the traffic to it.

Configure Dynamic Routing for the subnet hosting the application.

Configure the TTL for the DNS zone to decrease the time between updates.

Buy Now

Questions 66

You are using the gcloud command line tool to create a new custom role in a project by coping a predefined role. You receive this error message:

INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid

What should you do?

Options:

Add the resourcemanager.projects.get permission, and try again.

Try again with a different role with a new name but the same permissions.

Remove the resourcemanager.projects.list permission, and try again.

Add the resourcemanager.projects.setIamPolicy permission, and try again.

Buy Now

Exam Code: Professional-Cloud-Network-Engineer

Exam Name: Google Cloud Certified - Professional Cloud Network Engineer

Last Update: Apr 29, 2025

Questions: 220

PDF + Testing Engine

$49.5 ~~$164.99~~

Testing Engine

$37.5 ~~$124.99~~

PDF (Q&A)

$31.5 ~~$104.99~~

buy now Professional-Cloud-Network-Engineer pdf

Month End Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

dumpsmate logo

Contact Email:

Hot Vendors

Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer Questions and Answers

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer: