Professional-Cloud-Network-Engineer Practice Exam Questions and Answers

Google Cloud Certified - Professional Cloud Network Engineer

Question # 1

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:

  • IP ranges for pods and services must be as small as possible.
  • The nodes and the master must not be reachable from the internet.
  • You must be able to use kubectl commands from on-premises subnets to manage the cluster.

How should you create the GKE cluster?

Options:

A.  

• Create a private cluster that uses VPC advanced routes.
• Set the pod and service ranges as /24.
• Set up a network proxy to access the master.

B.  

• Create a VPC-native GKE cluster using GKE-managed IP ranges.
• Set the pod IP range as /21 and service IP range as /24.
• Set up a network proxy to access the master.

C.  

• Create a VPC-native GKE cluster using user-managed IP ranges.
• Enable a GKE cluster network policy, set the pod and service ranges as /24.
• Set up a network proxy to access the master.
• Enable master authorized networks.

D.  

• Create a VPC-native GKE cluster using user-managed IP ranges.
• Enable privateEndpoint on the cluster master.
• Set the pod and service ranges as /24.
• Set up a network proxy to access the master.
• Enable master authorized networks.

Question # 2

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.

How should you design this topology?

Options:

A.  

Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.

B.  

Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.

C.  

Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.

D.  

Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

Question # 3

You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

Options:

A.  

In the Network Intelligence Center, check for the number of packet drops on the VPN.

B.  

In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

C.  

In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.

D.  

In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.

Question # 4

You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.

Which GKE resource should you use?

Options:

A.  

GKE Node

B.  

GKE Pod

C.  

GKE Cluster

D.  

GKE Ingress

Question # 5

Your organization has a Google Cloud Virtual Private Cloud (VPC) with subnets in us-east1, us-west4, and europe-west4 that use the default VPC configuration. Employees in a branch office in Europe need to access the resources in the VPC using HA VPN. You configured the HA VPN associated with the Google Cloud VPC for your organization with a Cloud Router deployed in europe-west4. You need to ensure that the users in the branch office can quickly and easily access all resources in the VPC.

What should you do?

Options:

A.  

Create custom advertised routes for each subnet.

B.  

Configure each subnet’s VPN connections to use Cloud VPN to connect to the branch office.

C.  

Configure the VPC dynamic routing mode to Global.

D.  

Set the advertised routes to Global for the Cloud Router.

Question # 6

You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

Options:

A.  

Tune TCP parameters on the on-premises servers.

B.  

Compress files using utilities like tar to reduce the size of data being sent.

C.  

Remove the -m flag from the gsutil command to enable single-threaded transfers.

D.  

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Question # 7

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.

Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

Options:

A.  

VPC peering

B.  

Shared VPC

C.  

Cloud VPN

D.  

Dedicated Interconnect

E.  

Cloud NAT

Question # 8

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?


Options:

A.  

Configure a custom route advertisement on the Cloud Router.

B.  

Enable IP forwarding in the asia-southeast1 region.

C.  

Change the VPC dynamic routing mode to Global.

D.  

Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Question # 9

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

  • Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
  • Traffic from servers in your data center with RFC 1918 addresses does not use the internet to access Google Cloud APIs.
  • All DNS resolution must be done on-premises.
  • The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

Options:

A.  

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

B.  

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

C.  

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

D.  

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

Question # 10

Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.

• Each organization has enabled full connectivity between all of its projects by using Shared VPC.

• Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.

• There are no prefix overlaps between the two organizations.

• Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.

• Neither organization has Interconnects to their on-premises environment.

You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.

Which two steps should you take? (Choose two.)

Options:

A.  

Provision Cloud Interconnect to connect both organizations together.

B.  

Set up some variant of DNS forwarding and zone transfers in each organization.

C.  

Connect VPCs in both organizations using Cloud VPN together with Cloud Router.

D.  

Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.

E.  

Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

Question # 11

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.

How should you set up permissions for the networking team?

Options:

A.  

Assign members of the networking team the compute.networkUser role.

B.  

Assign members of the networking team the compute.networkAdmin role.

C.  

Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

D.  

Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Question # 12

You work for a multinational enterprise that is moving to GCP.

These are the cloud requirements:

• An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup)

• Multiple regional offices in Europe and APAC

• Regional data processing is required in europe-west1 and australia-southeast1

• Centralized Network Administration Team

Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1.

What should you do?

Options:

A.  

• Create 2 VPCs in a Shared VPC Host Project.
• Configure a 2-NIC instance in zone us-west1-a in the Host Project.
• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.
• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.
• Deploy the instance.
• Configure the necessary routes and firewall rules to pass traffic through the instance.

B.  

• Create 2 VPCs in a Shared VPC Host Project.
• Configure a 2-NIC instance in zone us-west1-a in the Service Project.
• Attach NIC0 in VPC #1 us-west1 subnet of the Host Project.
• Attach NIC1 in VPC #2 us-west1 subnet of the Host Project.
• Deploy the instance.
• Configure the necessary routes and firewall rules to pass traffic through the instance.

C.  

• Create 1 VPC in a Shared VPC Host Project.
• Configure a 2-NIC instance in zone us-west1-a in the Host Project.
• Attach NIC0 in us-west1 subnet of the Host Project.
• Attach NIC1 in us-west1 subnet of the Host Project.
• Deploy the instance.
• Configure the necessary routes and firewall rules to pass traffic through the instance.

D.  

• Create 1 VPC in a Shared VPC Service Project.
• Configure a 2-NIC instance in zone us-west1-a in the Service Project.
• Attach NIC0 in us-west1 subnet of the Service Project.
• Attach NIC1 in us-west1 subnet of the Service Project.
• Deploy the instance.
• Configure the necessary routes and firewall rules to pass traffic through the instance.

Question # 13

You work for a university that is migrating to GCP.

These are the cloud requirements:

• On-premises connectivity with 10 Gbps

• Lowest latency access to the cloud

• Centralized Networking Administration Team

New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

What should you do?

Options:

A.  

Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.

B.  

Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

C.  

Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.

D.  

Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Question # 14

Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?

Options:

A.  

Configure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.

B.  

Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.

C.  

Consolidate all existing projects’ subnetworks into a single VPC. Create separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.

D.  

Configure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects’ VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects’ VPC networks.

Question # 15

You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?

Options:

A.  

Configure the remote autonomous system number (ASN) to 4096.

B.  

Configure a second Cloud Router to scale bandwidth in and out of the VPC.

C.  

Configure the maximum transmission unit (MTU) to its highest supported value.

D.  

Configure a second set of active/passive VPN tunnels.

Question # 16

You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?

Options:

A.  

Use Network Load Balancing

B.  

Use TCP Proxy Load Balancing with PROXY protocol enabled

C.  

Use External HTTP(S) Load Balancing with URL Maps and custom headers

D.  

Use External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header

Question # 17

You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?

Options:

A.  

Configure a forwarding rule on the existing load balancer for the application tier.

B.  

Configure equal cost multi-path routing on the application servers.

C.  

Configure a new internal HTTP(S) load balancer for the application tier.

D.  

Configure a URL map on the existing load balancer to route traffic to the application tier.

Question # 18

In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.

What should you do?

Options:

A.  

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

B.  

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.

C.  

Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.

D.  

Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.

Question # 19

You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.

Which next hop should you choose?

Options:

A.  

The default internet gateway

B.  

The IP address of the Cloud VPN gateway

C.  

The name and region of the Cloud VPN tunnel

D.  

The IP address of the instance on the remote side of the VPN tunnel

Question # 20

You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.

  • Always allow Secure Shell (SSH) from your corporate IP address.
  • Restrict SSH access from all other IP addresses.

There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?

Options:

A.  

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.

Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.

B.  

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.

Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.

C.  

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.

Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.

D.  

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1

Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

Question # 21

You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:

gcloud compute routes create no-ip-internet-route \
    --network custom-network1 \
    --destination-range 0.0.0.0/0 \
    --next-hop-instance nat-gateway \
    --next-hop-instance-zone us-central1-a \
    --tags no-ip --priority 800

You want existing instances to use the new NAT gateway. Which command should you execute?

Options:

A.  

sudo sysctl -w net.ipv4.ip_forward=1

B.  

gcloud compute instances add-tags [existing-instance] --tags no-ip

C.  

gcloud builds submit --config=cloudbuild.waml --substitutions=TAG_NAME=no-ip

D.  

gcloud compute instances create example-instance --network custom-network1 \
    --subnet subnet-us-central \
    --no-address \
    --zone us-central1-a \
    --image-family debian-9 \
    --image-project debian-cloud \
    --tags no-ip
