Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer sample Question + Exam 2025 Practice Exam Dumps

Question # 4

You are creating an instance group and need to create a new health check for HTTP(s) load balancing.

Which two methods can you use to accomplish this? (Choose two.)

Create a new health check using the gcloud command line tool.

Create a new health check using the VPC Network section in the GCP Console.

Create a new health check, or select an existing one, when you complete the load balancerâ€™s backend configuration in the GCP Console.

Create a new legacy health check using the gcloud command line tool.

Create a new legacy health check using the Health checks section in the GCP Console.

Full Access

Question # 5

In your Google Cloud organization, you have two folders: Dev and Prod. You want a scalable and consistent way to enforce the following firewall rules for all virtual machines (VMs) with minimal cost:

Port 8080 should always be open for VMs in the projects in the Dev folder.

Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.

What should you do?

Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.

Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.

In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.

Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.

Full Access

Question # 6

Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer You need to protect the application from potential application-level attacks. What should you do?

Enable Cloud CDN on the backend service.

Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer

Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.

Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service

Full Access

Question # 7

You deployed a hub-and-spoke architecture in your Google Cloud environment that uses VPC Network Peering to connect the spokes to the hub. For security reasons, you deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed. When you attempt to reach the GKE control plane from a different spoke project, you cannot access it. You need to allow access to the GKE control plane from the other spoke projects. What should you do?

Add a firewall rule that allows port 443 from the other spoke projects.

Enable Private Google Access on the subnet where the GKE nodes are deployed.

Configure the authorized networks to be the subnet ranges of the other spoke projects.

Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.

Full Access

Question # 8

Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)

Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

Use the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.

Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.

Full Access

Question # 9

Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.

Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.

Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.

Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

Full Access

Question # 10

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.

How should you design this topology?

Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.

Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.

Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.

Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.

Full Access

Question # 11

Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?

Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.

Configure DNS peering from the spoke VPCs to the hub VPC.

Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.

Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.

Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.

Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.

Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

Full Access

Question # 12

You are troubleshooting an application in your organization's Google Cloud network that is not functioning as expected. You suspect that packets are getting lost somewhere. The application sends packets intermittently at a low volume from a Compute Engine VM to a destination on your on-premises network through a pair of Cloud Interconnect VLAN attachments. You validated that the Cloud Next Generation Firewall (Cloud NGFW) rules do not have any deny statements blocking egress traffic, and you do not have any explicit allow rules. Following Google-recommended practices, you need to analyze the flow to see if packets are being sent correctly out of the VM to isolate the issue. What should you do?

Create a packet mirroring policy that is configured with your VM as the source and destined to a collector. Analyze the packet captures.

Enable VPC Flow Logs on the subnet that the VM is deployed in with sample_rate = 1.0, and run a query in Logs Explorer to analyze the packet flow.

Enable Firewall Rules Logging on your firewall rules and review the logs.

Verify the network/attachment/egress_dropped_packet.s_count Cloud Interconnect VLAN attachment metric.

Full Access

Question # 13

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.

What should you do?

Create a Cloud Armor Policy rule that denies traffic and review necessary logs.

Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

Full Access

Question # 14

You are deploying an HA VPN within Google Cloud. You need to exchange routes dynamically between your on-premises gateway and Google Cloud. You have already created an HA VPN gateway and a peer VPN gateway resource. What should you do?

Create a Cloud Router, add VPN tunnels, and then configure BGP sessions.

Create a second HA VPN gateway, add VPN tunnels, and enable global dynamic routing.

Create a Cloud Router, add VPN tunnels, and enable global dynamic routing.

Create a Cloud Router, add VPN tunnels, and then configure static routes to your subnet ranges.

Full Access

Question # 15

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

â€¢Each on-premises router is configured with the same ASN.

â€¢Each on-premises router is configured with the same routes and priorities.

â€¢Both on-premises routers are configured with a VPN connected to a single Cloud Router.

â€¢The VPN logs have no-proposal-chosen lines when the VPNs are connecting.

â€¢BGP session is not established between one on-premises router and the Cloud Router.

What is the most likely cause of this problem?

One of the VPN sessions is configured incorrectly.

A firewall is blocking the traffic across the second VPN connection.

You do not have a load balancer to load-balance the network traffic.

BGP sessions are not established between both on-premises routers and the Cloud Router.

Full Access

Question # 16

Youâ€™ve received reports of latency between two application VMs which run in two different regions of your Google Cloud VPC network. There is typically about 8ms of latency, but now there is approximately 17ms of latency. You've eliminated application issues as a root cause, and you suspect that the latency may be a Google Cloud platform issue. You need to confirm this hypothesis using Google-recommended practices. What should you do?

Q Use Network Intelligence Center Performance Dashboard to view the inter-region packet loss for your VPC.

O Install and run tcpdump on both instances, and calculate the latency between the two instances by comparing the timestamps in the packet captures.

Q Use Network Intelligence Center Performance Dashboard to view inter-region latency for the Google Cloud network.

Q Use Network Intelligence Center Connectivity Tests, run a test between the two VMs, and review the inter-region latency in the test results.

Full Access

Question # 17

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.

How should you set up permissions for the networking team?

Assign members of the networking team the compute.networkUser role.

Assign members of the networking team the compute.networkAdmin role.

Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Full Access

Question # 18

You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required. What should you do?

Enable VPC Flow Logs and send the output to BigQuery for analysis.

Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.

Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to identity traffic utilization for each VM in the VPC.

Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.

Full Access

Question # 19

You are configuring an Application Load Balancer. The backend resides in your on-premises data center and is connected by Dedicated Interconnect. You need to ensure the load balancer can reference these on-premises resources. You do not want the traffic to traverse the internet at all. What should you do?

Q Configure a Private Service Connect network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the client source IPs.

Q Configure a zonal network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the client source IPs.

Q Configure an internet network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the proxy-only subnet.

Q Configure a hybrid network endpoint group (NEG) as a backend service as part of the load balancer. Ensure firewalls are opened for the proxy-only subnet.

Full Access

Question # 20

You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.

Which two methods can accomplish this? (Choose two.)

On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.

In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.

In Stackdriver Monitoring, select Resources > Metrics Explorer and search for https/request_bytes_count metric.

In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.

In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.

Full Access

Question # 21

You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.

What should you do?

Configure VPC peering in a full mesh.

Alter the routing table to resolve the asymmetric route.

Create network tags to allow connectivity between all three VPCs.

Delete the legacy network and recreate it to allow transitive peering.

Full Access

Question # 22

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

Configure a custom route advertisement on the Cloud Router.

Enable IP forwarding in the asia-southeast1 region.

Change the VPC dynamic routing mode to Global.

Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Full Access

Question # 23

Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must

â€¢ Support both TCP and UDP protocols

â€¢ Provide fully automated failover

â€¢ Include health-checks

Require minimal manual Intervention In the client VMS

Which approach should you take?

Create the VMS In the same zone, and configure static routes With IP addresses as next hops.

Create the VMS in different zones, and configure static routes with instance names as next hops

Create an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

Create an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

Full Access

Answer:

Explanation:

The correct answer is D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancersâ€™ virtual IP addresses.

This answer is based on the following facts:

Using multi-NIC VMs as network virtual appliances (NVAs) allows you to route traffic between different VPC networks1. You can use NVAs to implement custom network policies and security requirements.

Using an instance template and a managed instance group allows you to create and manage multiple identical NVAs2. You can also use health checks and autoscaling policies to ensure high availability and reliability of your NVAs.

Using internal TCP/UDP load balancers allows you to distribute traffic from client VMs to NVAs based on the protocol and port3. You can also use health checks and failover policies to ensure that only healthy NVAs receive traffic.

Configuring the client VMs to use the internal load balancersâ€™ virtual IP addresses allows you to simplify the routing configuration and avoid manual intervention4. You do not need to create static routes or update them when NVAs are added or removed.

The other options are not correct because:

Option A is not suitable. Creating the VMs in the same zone does not provide high availability or failover. Using static routes with IP addresses as next hops requires manual intervention when NVAs are added or removed.

Option B is not optimal. Creating the VMs in different zones provides high availability, but not failover. Using static routes with instance names as next hops requires manual intervention when NVAs are added or removed.

Option C is not feasible. Creating an instance template and a managed instance group provides high availability and reliability, but using a single internal load balancer does not support both TCP and UDP protocols. You cannot define a custom static route with an internal load balancer as the next hop.

Question # 24

You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?

Configure a forwarding rule on the existing load balancer for the application tier.

Configure equal cost multi-path routing on the application servers.

Configure a new internal HTTP(S) load balancer for the application tier.

Configure a URL map on the existing load balancer to route traffic to the application tier.

Full Access

Question # 25

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

Which connection type should you choose?

Carrier Peering

Direct Peering

Dedicated Interconnect

Partner Interconnect

Full Access

Question # 26

In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.

What should you do?

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.

Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.

Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.

Full Access

Question # 27

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, â€”enable-ip-alias, andâ€”enable-private-nodes

Full Access

Answer:

Explanation:

This answer follows the Google-recommended practices for using privately used public IP (PUPI) addresses for GKE Pod address blocks1. The benefits of this approach are:

It allows you to use any public IP addresses that are not owned by Google or your organization for your Pods, which can help mitigate address exhaustion in your enterprise.

It prevents any external traffic from reaching your Pods, as Google Cloud does not route PUPI addresses to the internet or to other VPC networks by default.

It enables you to use VPC Network Peering to connect your GKE cluster to other VPC networks that use different PUPI addresses, as long as you enable the export and import of custom routes for the peering connection.

It preserves the fully integrated network model of GKE, where Pods can communicate with nodes and other resources in the same VPC network without NAT.

The options that you need to select when creating a private GKE cluster with PUPI addresses are:

â€“disable-default-snat: This option disables source NAT for outbound traffic from Pods to destinations outside the clusterâ€™s VPC network.Â This is necessary to prevent Pods from using RFC 1918 addresses as their source IP addresses, which could cause conflicts with other networks that use the same address space2.

â€“enable-ip-alias: This option enables alias IP ranges for Pods and Services, which allows you to use separate subnet ranges for them.Â This is required to use PUPI addresses for Pods1.

â€“enable-private-nodes: This option creates a private cluster, where nodes do not have external IP addresses and can only communicate with the control plane through a private endpoint.Â This enhances the security and privacy of your cluster3.

Option A is incorrect because it does not use PUPI addresses for Pods, but rather RFC 1918 addresses. This does not solve the problem of address exhaustion in your enterprise. Option B is incorrect because it reuses the secondary address range for Services across multiple private GKE clusters, which could cause IP conflicts and routing issues. Option C is incorrect because it does not specify the options that are needed to create a private GKE cluster with PUPI addresses.

Question # 28

You just finished your companyâ€™s migration to Google Cloud and configured an architecture with 3 Virtual Private Cloud (VPC) networks: one for Sales, one for Finance, and one for Engineering. Every VPC contains over 100 Compute Engine instances, and now developers using instances in the Sales VPC and the Finance VPC require private connectivity between each other. You need to allow communication between Sales and Finance without compromising performance or security. What should you do?

Configure an HA VPN gateway between the Finance VPC and the Sales VPC.

Configure the instances that require communication between each other with an external IP address.

Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.

Configure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.

Full Access

Question # 29

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

Certain data must stay in the project where it is stored and not be exfiltrated to other projects.

Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.

All DNS resolution must be done on-premises.

The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

Full Access

Question # 30

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.

What is the most likely cause of the problem?

You have not configured compression in Cloud CDN.

You have configured the web servers and Cloud CDN with different compression types.

The web servers behind the load balancer are configured with different compression types.

You have to configure the web servers to compress responses even if the request has a Via header.

Full Access

Question # 31

Your organization is migrating workloads from AWS to Google Cloud. Because a particularly critical workload will take longer to migrate, you need to set up Google Cloud CDN and point it to the existing application at AWS. What should you do?

Create a hybrid NEG that points to the existing IP of the application.

â€¢ Map the NEG to a passthrough Network Load Balancer as a target pool.

â€¢ Enable Cloud CDN on the target pool.

Create an internet NEG that points to the existing FQDN of the application.

â€¢ Map the NEG to an Application Load Balancer as a backend service.

â€¢ Enable Cloud CDN on the backend service.

Create a hybrid NEG that points to the existing IP of the application.

â€¢ Map the NEG to an Application Load Balancer as a backend service.

â€¢ Enable Cloud CDN on the backend service.

Create an internet NEG that points to the existing FQDN of the application.

â€¢ Map the NEG to a passthrough Network Load Balancer as a backend service.

â€¢ Enable Cloud CDN on the backend service.

Full Access

Question # 32

You recently deployed your application in Google Cloud. You need to verify your Google Cloud network configuration before deploying your on-premises workloads. You want to confirm that your Google Cloud network configuration allows traffic to flow from your cloud resources to your on- premises network. This validation should also analyze and diagnose potential failure points in your Google Cloud network configurations without sending any data plane test traffic. What should you do?

Use Network Intelligence Center's Connectivity Tests.

Enable Packet Mirroring on your application and send test traffic.

Use Network Intelligence Center's Network Topology visualizations.

Enable VPC Flow Logs and send test traffic.

Full Access

Question # 33

You manage two VPCs: VPC1 and VPC2, each with resources spread across two regions. You connected the VPCs with HA VPN in both regions to ensure redundancy. Youâ€™ve observed that when one VPN gateway fails, workloads that are located within the same region but different VPCs lose communication with each other. After further debugging, you notice that VMs in VPC2 receive traffic but their replies never get to the VMs in VPC1. You need to quickly fix the issue. What should you do?

Q Enable regional dynamic routing mode in VPC2.

Q Enable global dynamic routing mode in VPC1.

Q Enable global dynamic routing mode in VPC2.

Q Enable regional dynamic routing mode in VPC1.

Full Access

Question # 34

You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements:

IP ranges for pods and services must be as small as possible.

The nodes and the master must not be reachable from the internet.

You must be able to use kubectl commands from on-premises subnets to manage the cluster.

How should you create the GKE cluster?

â€¢ Create a private cluster that uses VPC advanced routes.

â€¢Set the pod and service ranges as /24.

â€¢Set up a network proxy to access the master.

â€¢ Create a VPC-native GKE cluster using GKE-managed IP ranges.

â€¢Set the pod IP range as /21 and service IP range as /24.

â€¢Set up a network proxy to access the master.

â€¢ Create a VPC-native GKE cluster using user-managed IP ranges.

â€¢Enable a GKE cluster network policy, set the pod and service ranges as /24.

â€¢Set up a network proxy to access the master.

â€¢Enable master authorized networks.

â€¢ Create a VPC-native GKE cluster using user-managed IP ranges.

â€¢Enable privateEndpoint on the cluster master.

â€¢Set the pod and service ranges as /24.

â€¢Set up a network proxy to access the master.

â€¢Enable master authorized networks.

Full Access

Question # 35

Your company's on-premises office is connected to Google Cloud using HA VPN. The security team will soon enable VPC Service Controls. You need to create a plan with minimal configuration adjustments, so clients at the office will still be able to privately call the Google APIs and be protected by VPC Service Controls. What should you do?

Create a design with a DNS configuration that resolves the Google APIs to 199.36.153.4/30; advertise 199.36.153.4/30 from Google Cloud to the onpremises routers; add an access level to authorize the on-premises network to access the APIs.

Create a design with a DNS configuration that resolves the Google APIs to 199.36.153.8/30; advertise 199.36.153.8/30 from Google Cloud to the onpremises routers.

Create a design with a DNS configuration that resolves the Google APIs to 199.36.153.8/30; advertise 199.36.153.8/30 from Google Cloud to the onpremise routers: add an access level to authorize the on-premises network to access the APIs.

Create a design with a DNS configuration that resolves the Google APIs to 199.36.153.4/30; advertise 199.36.153.4/30 from Google Cloud to the onpremises routers.

Full Access

Question # 36

Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.

Which two products should you incorporate into the solution? (Choose two.)

VPC flow logs

Firewall logs

Cloud Audit logs

Stackdriver Trace

Compute Engine instance system logs

Full Access

Question # 37

You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?

Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.

Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices.

Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.

Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.

Full Access

Question # 38

Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:

Your ISP is a Google Partner Interconnect provider.

Your on-premises VPN deviceâ€™s internet uplink and downlink speeds are 10 Gbps.

A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.

Most of the data transfer will be from GCP to the on-premises environment.

The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.

Cost and the complexity of the solution should be minimal.

How should you provision the connectivity solution?

Provision a Partner Interconnect through your ISP.

Provision a Dedicated Interconnect instead of a VPN.

Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.

Use network compression over your VPN to increase the amount of data you can send over your VPN.

Full Access

Question # 39

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?

Use the default public domains for all Google APIs and services.

Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.

Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

Full Access

Question # 40

You are designing a packet mirroring policy as pan of your network security architecture for your gaming workload. Your Infrastructure is located in the us-west2 region and deployed across several zones: us-west2-a. us-west2-b. and us-west2-c The Infrastructure Is running a web-based application on TCP ports 80 and 443 with other game servers that utilize the UDP protocol. You need to deploy packet mirroring policies and collector instances to monitor web application traffic while minimizing inter-zonal network egress costs.

Following Google-recommended practices, how should you deploy the packet mirroring policies and collector instances?

Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure each policy to match traffic for Its zone based on instance-tags, and create a filter for TCP traffic.

Create three packet mirroring policies: one for each zone. Create three groups of collector instances: one group for each zone. Configure

each policy to match traffic for its zone based on subnets, and create a filter for TCP traffic

Create one packet mirroring policy for the us-west2 region. Create one group of collector instances for the us-west2 region Configure the

packet mirroring policy to match traffic for web server instances based on instance-tags, and create a filter for TCP traffic.

Create three packet mirroring policies: one for each zone. Create one group of collector instances for the us-west2 region. Configure each packet mirroring policy to match traffic for its zone based on instance-tags, and create a filter for TCP traffic

Full Access

Question # 41

Question:

Your organization is deploying a mission-critical application with components in different regions due to strict compliance requirements. There are latency issues between different applications that reside in us-central1 and us-east4. The application team suspects the Google Cloud network as the source of the excessive latency despite using the Premium Network Service Tier. You need to use Google-recommended practices with the least amount of effort to verify the inter-region latency by investigating network performance. What should you do?

Set up the Performance Dashboard in Network Intelligence Center. Select the traffic type (cross-zonal), the metric (latency - RTT), the time period, the desired regions (us-central1 and us-east4), and the network tier.

Enable VPC Flow Logs for the VPC. Identify major bottlenecks from the application level using Flow Analyzer.

Configure two Linux VMs in each zone for each region. Install the application, and run a load test using each zone from different regions.

Configure a VM with a probe in Network Intelligence Center in each zone for each region. Choose the traffic type (cross-zonal), metric (latency - RTT), desired regions (us-central1 and us-east4), and the network tier.

Full Access

Question # 42

(You are managing an application deployed on Cloud Run. The development team has released a new version of the application. You want to deploy and redirect traffic to this new version of the application. To ensure traffic to the new version of the application is served with no startup time, you want to ensure that there are two idle instances available for incoming traffic before adjusting the traffic flow. You also want to minimize administrative overhead. What should you do?)

Ensure the checkbox "Serve this revision immediately" is unchecked when deploying the new revision. Before changing the traffic rules, use a traffic simulation tool to send load to the new revision.

Configure service autoscaling and set the minimum number of instances to 2.

Configure revision autoscaling for the new revision and set the minimum number of instances to 2.

Configure revision autoscaling for the existing revision and set the minimum number of instances to 2.

Full Access

Answer:

Explanation:

Comprehensive and Detailed In Depth Explanation:

Let's analyze each option to find the one that meets the requirements of no startup time for new traffic, two idle instances, and minimal administrative overhead:

A. Unchecking "Serve this revision immediately" and using a traffic simulation tool: Unchecking "Serve this revision immediately" does prevent the new revision from receiving traffic immediately. However, manually using a traffic simulation tool adds administrative overhead. It also doesn't guarantee that two idle instances will be ready before traffic is shifted; you would need to monitor and adjust traffic manually based on the simulation.

B. Configuring service autoscaling and setting the minimum number of instances to 2: Service-level autoscaling applies to all revisions of the service. Setting the minimum instances at the service level would ensure at least two instances are running across all active revisions, not specifically for the new revision before traffic shift.

C. Configuring revision autoscaling for the new revision and setting the minimum number of instances to 2: This is the correct approach. By configuring revision autoscaling specifically for the new revision and setting the minimum number of instances to 2, Cloud Run will ensure that at least two instances of the new version are running and ready to serve traffic before you redirect any traffic to it. This eliminates startup latency when you do shift traffic. It also minimizes administrative overhead as Cloud Run manages the instance scaling based on this configuration.

D. Configuring revision autoscaling for the existing revision and setting the minimum number of instances to 2: This would ensure the existing version has at least two idle instances, which doesn't directly address the requirement of having idle instances ready for the new version before traffic redirection.

Google Cloud Documentation References:

Cloud Run Autoscaling: https://cloud.google.com/run/docs/configuring/min-instances - This document explains how to configure minimum and maximum instances for Cloud Run services and revisions. It clarifies that you can set minimum instances at the revision level to ensure instances are always ready.

Cloud Run Traffic Management: https://cloud.google.com/run/docs/managing/traffic - This describes how to deploy new revisions and gradually shift traffic between them. Combining minimum instances on the new revision with traffic splitting allows for zero-downtime deployments with pre-warmed instances.

===========

Question # 43

Your organization uses a Shared VPC architecture with a host project and three service projects. You have Compute Engine instances that reside in the service projects. You have critical workloads in your on-premises data center. You need to ensure that the Google Cloud instances can resolve on-premises hostnames via the Dedicated Interconnect you deployed to establish hybrid connectivity. What should you do?

Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the private zone to the on-premises DNS servers.

In your Cloud Router, add a custom route advertisement for the IP 35.199.192.0/19 to the on-premises environment.

Create a Cloud DNS private forwarding zone in the host project of the Shared VPC that forwards the Private zone to the on-premises DNS servers.

In your Cloud Router, add a custom route advertisement for the IP 169.254 169.254 to the on-premises environment.

Configure a Cloud DNS private zone in the host project of the Shared VPC.

Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project

In your Cloud Router, add a custom route advertisement for the IP 169.254 169 254 to the on-premises environment.

Configure a Cloud DNS private zone in the host project of the Shared VPC.

Set up DNS forwarding to your Google Cloud private zone on your on-premises DNS servers to point to the inbound forwarder IP address in your host project.

Configure a DNS policy in the Shared VPC to allow inbound query forwarding with your on-premises DNS server as the alternative DNS server.

Full Access

Question # 44

You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):

You need to update the firewall rule to add the following rule to the ruleset:

You are using a new user account. You must assign the appropriate identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?

Assign the compute.securityAdmin and logging.viewer rule to the new user account. Apply the new firewall rule with a priority of 50.

Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.

Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Full Access

Question # 45

You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations to ensure that there are no rules allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work. What should you do?

Use Firewall Insights, and enable insights for overly permissive rules.

Review Network Analyzer insights on the VPC network category.

Export all your Cloud NGFW rules into a CSV file and search for 0.0.0.0/0.

Run Connectivity Tests from multiple external sources to confirm that traffic is not allowed to ingress to your most critical services in Google Cloud.

Full Access

Question # 46

You are using the gcloud command line tool to create a new custom role in a project by coping a predefined role. You receive this error message:

INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid

What should you do?

Add the resourcemanager.projects.get permission, and try again.

Try again with a different role with a new name but the same permissions.

Remove the resourcemanager.projects.list permission, and try again.

Add the resourcemanager.projects.setIamPolicy permission, and try again.

Full Access

Question # 47

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

Full Access

Question # 48

You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?

Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.

Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.

Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

Full Access

Question # 49

You have provisioned a Dedicated Interconnect connection of 20 Gbps with a VLAN attachment of 10 Gbps. You recently noticed a steady increase in ingress traffic on the Interconnect connection from the on-premises data center. You need to ensure that your end users can achieve the full 20 Gbps throughput as quickly as possible. Which two methods can you use to accomplish this? (Choose two.)

Configure an additional VLAN attachment of 10 Gbps in another region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).

Configure an additional VLAN attachment of 10 Gbps in the same region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).

From the Google Cloud Console, modify the bandwidth of the VLAN attachment to 20 Gbps.

From the Google Cloud Console, request a new Dedicated Interconnect connection of 20 Gbps, and configure a VLAN attachment of 10 Gbps.

Configure Link Aggregation Control Protocol (LACP) on the on-premises router to use the 20-Gbps Dedicated Interconnect connection.

Full Access

Question # 50

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.

How should you configure the Distribution VPC?

Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.

Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

Rename the default VPC as "Distribution" and peer it via network peering.

Full Access

Question # 51

Question:

Your organization has an on-premises data center. You need to provide connectivity from the on-premises data center to Google Cloud. Bandwidth must be at least 1 Gbps, and the traffic must not traverse the internet. What should you do?

Configure HA VPN by using high availability gateways and tunnels.

Configure Dedicated Interconnect by creating a VLAN attachment, activate the connection, and submit the pairing key to your service provider.

Configure Cross-Cloud Interconnect by creating a VLAN attachment, activate the connection, and then submit the pairing key to your service provider.

Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.

Full Access

Question # 52

Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead. What should you do?

Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.

Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.

Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.

Configure Packet Mirroring on the VPC. Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

Full Access

Question # 53

(You are deploying an application to Google Kubernetes Engine (GKE). The application needs to make API calls to a private Cloud Storage bucket. You need to configure your application Pods to authenticate to the Cloud Storage API, but your organization policy prevents the usage of service account keys. You want to follow Google-recommended practices. What should you do?)

Create the GKE cluster and deploy the application. Request a security exception to create a Google service account key. Set the constraints/iam.serviceAccountKeyExpiryHours organization policy to 8 hours.

Create the GKE cluster with Workload Identity Federation. Configure the default node service account to access the bucket. Deploy the application into the cluster so the application can use the node service account permissions. Use Identity and Access Management (IAM) to grant the service account access to the bucket.

Create the GKE cluster with Workload Identity Federation. Create a Google service account and a Kubernetes ServiceAccount, and configure both service accounts to use Workload Identity Federation. Attach the Kubernetes ServiceAccount to the application Pods and configure the Google service account to access the bucket with Identity and Access Management (IAM).

Full Access

Answer:

Explanation:

Create a Google Service Account: You create a dedicated Google service account specifically for your application's interaction with the private Cloud Storage bucket. This allows you to grant precise IAM permissions to this service account on the bucket (e.g., roles/storage.objectViewer or roles/storage.objectCreator).

Create a Kubernetes ServiceAccount: You create a Kubernetes ServiceAccount within your GKE cluster. This is the identity that your application Pods will assume within the cluster.

Configure Workload Identity Federation: You establish a trust relationship between the Kubernetes ServiceAccount and the Google service account using Workload Identity Federation. This involves configuring IAM policies that allow the Kubernetes ServiceAccount to impersonate the Google service account.

Annotate Pods with the Kubernetes ServiceAccount: You associate the created Kubernetes ServiceAccount with your application Pods. When the application in these Pods makes a call to the Cloud Storage API, the Workload Identity agent running on the GKE nodes automatically exchanges the Kubernetes ServiceAccount token for a short-lived Google Cloud access token for the associated Google service account.

This approach offers several security advantages and aligns with Google's recommended practices:

Principle of Least Privilege: The Google service account is granted only the necessary permissions to access the specific Cloud Storage bucket.

No Service Account Keys to Manage: You avoid the security risks associated with creating, storing, and rotating service account keys.

Auditable Authentication: All API calls are attributed to the specific Google service account, providing better auditability.

Simplified Management: Workload Identity Federation automates the credential management process for your application.

Google Cloud Documentation References:

Workload Identity: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity 1 - This is the primary documentation explaining how to use Workload Identity to allow applications in GKE to access Google Cloud services securely without using service account keys.

Question # 54

You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations. What should you do?

Use multiple VPC networks with a transit network using VPC Network Peering.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks.

Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT.

Use non-RFC 1918 ranges with a single global VPC.

Full Access

Question # 55

(You need to migrate multiple PostgreSQL databases from your on-premises data center to Google Cloud. You want to significantly improve the performance of your databases while minimizing changes to your data schema and application code. You expect to exceed 150 TB of data per geographical region. You want to follow Google-recommended practices and minimize your operational costs. What should you do?)

Migrate your data to AlloyDB.

Migrate your data to Spanner.

Migrate your data to Firebase.

Migrate your data to Bigtable.

Full Access

Answer:

Explanation:

Comprehensive and Detailed In Depth Explanation:

Let's analyze each option based on the requirements: PostgreSQL compatibility, significant performance improvement, minimal schema/code changes, handling large data volumes, Google-recommended practices, and cost minimization:

A. Migrate your data to AlloyDB: AlloyDB for PostgreSQL is a fully managed, PostgreSQL-compatible database service that offers significant performance improvements over standard PostgreSQL due to its architectural optimizations. It is designed to handle large data volumes and minimizes the need for schema and application code changes as it's wire-compatible with PostgreSQL. This aligns well with the requirements for performance improvement, minimal changes, large data, and being a Google-recommended option for PostgreSQL workloads.

B. Migrate your data to Spanner: Spanner is a globally distributed, horizontally scalable database with strong consistency. While it offers excellent scalability and performance, it's not directly PostgreSQL-compatible. Migrating to Spanner would likely require significant schema and application code changes due to differences in data modeling and SQL dialect.

C. Migrate your data to Firebase: Firebase is a suite of mobile and web development tools, with its primary database offering being Firestore (a NoSQL document database) and Realtime Database. These are not PostgreSQL-compatible and would require substantial changes to the data model and application code.

D. Migrate your data to Bigtable: Bigtable is a highly scalable NoSQL wide-column store. It's not compatible with PostgreSQL and requires a completely different data model and application logic.

Therefore, AlloyDB is the most suitable option as it provides PostgreSQL compatibility for minimal migration effort, significant performance improvements, scalability for large data volumes, and is a recommended Google Cloud database service for PostgreSQL workloads.

Google Cloud Documentation References:

AlloyDB for PostgreSQL Overview: https://cloud.google.com/alloydb/docs/overview - This document highlights AlloyDB 's PostgreSQL compatibility, performance benefits, scalability, and suitability for migrating existing PostgreSQL workloads.

Spanner Overview: https://cloud.google.com/spanner/docs/overview - This emphasizes Spanner 's unique features and differences from traditional relational databases like PostgreSQL.

Firebase Documentation: https://firebase.google.com/docs - This outlines the features of Firebase, including Firestore and Realtime Database, highlighting their NoSQL nature and incompatibility with PostgreSQL.

Cloud Bigtable Overview: https://cloud.google.com/bigtable/docs/overview - This describes Bigtable as a NoSQL database, emphasizing its differences from relational databases like PostgreSQL.

===========

Question # 56

Question:

Your company's current network architecture has three VPC Service Controls perimeters:

One perimeter (PERIMETER_PROD) to protect production storage buckets

One perimeter (PERIMETER_NONPROD) to protect non-production storage buckets

One perimeter (PERIMETER_VPC) that contains a single VPC (VPC_ONE)

In this single VPC (VPC_ONE), the IP_RANGE_PROD is dedicated to the subnets of the production workloads, and the IP_RANGE_NONPROD is dedicated to subnets of non-production workloads. Workloads cannot be created outside those two ranges. You need to ensure that production workloads can access only production storage buckets and non-production workloads can access only non-production storage buckets with minimal setup effort. What should you do?

Develop a design that uses the IP_RANGE_PROD and IP_RANGE_NONPROD perimeters to create two access levels, with each access level referencing a single range. Create two ingress access policies with each access policy referencing one of the two access levels. Update the PERIMETER_PROD and PERIMETER_NONPROD perimeters.

Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_NONPROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_PROD perimeter.

Develop a design that creates a new VPC (VPC_NONPROD) in the same project as VPC_ONE. Migrate all the non-production workloads from VPC_ONE to the PERIMETER_NONPROD perimeter. Remove the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include VPC_ONE and the PERIMETER_NONPROD perimeter to include VPC_NONPROD.

Develop a design that removes the PERIMETER_VPC perimeter. Update the PERIMETER_PROD perimeter to include the project containing VPC_ONE. Remove the PERIMETER_NONPROD perimeter.

Full Access

Question # 57

You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.

Which two methods can you use to accomplish this? (Choose two.)

GetIamPolicy() via REST API

setIamPolicy() via REST API

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Full Access

Question # 58

Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that the caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it as a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.

Which two steps should you take? (Choose two.)

Use Cloud Armor to blacklist the attackerâ€™s IP addresses.

Increase the maximum autoscaling backend to accommodate the severe bursty traffic.

Create a global HTTP(s) load balancer and move your application backend to this load balancer.

Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.

SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Full Access

Question # 59

You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) Instances What two prerequisite tasks must be completed before creating the load balancer?

Choose 2 answers

Choose a region.

Create firewall rules for health checks

Reserve a static IP address for the load balancer

Determine the subnet mask for a proxy-only subnet.

Determine the subnet mask for Serverless VPC Access.

Full Access

Question # 60

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters, Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new dusters. You want to follow Google-recommended practices, What should you do after designing your IP scheme?

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected: --enab1e-ip-a1ias and --enable-private-nodes.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and â€“ siable-default-snat, --enable-ip-alias, and â€“enable-private-nodes

Full Access

Answer:

Explanation:

The correct answer is D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.

This answer is based on the following facts:

Privately used public IP (PUPI) addresses are any public IP addresses not owned by Google that a customer can use privately on Google Cloud1. You can use PUPI addresses for GKE pods and services in private clusters to mitigate address exhaustion.

A private GKE cluster is a cluster that has no public IP addresses on the nodes2. You can use private clusters to isolate your workloads from the public internet and enhance security.

The --disable-default-snat option disables source network address translation (SNAT) for the cluster3. This option allows you to use PUPI addresses without conflicting with other public IP addresses on the internet.

The --enable-ip-alias option enables alias IP ranges for the cluster4. This option allows you to use separate subnet ranges for nodes, pods, and services, and to specify the size of those ranges.

The --enable-private-nodes option enables private nodes for the cluster5. This option ensures that the nodes have no public IP addresses and can only communicate with other Google Cloud resources in the same VPC network or peered networks.

The other options are not correct because:

Option A is not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for pods across multiple private GKE clusters can cause IP conflicts and routing issues.

Option B is also not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for services across multiple private GKE clusters can cause IP conflicts and routing issues.

Option C is not feasible. Creating privately used public IP primary and secondary subnet ranges for the clusters is a valid step, but creating a private GKE cluster with only --enable-ip-alias and --enable-private-nodes options is not enough. You also need to disable default SNAT to avoid IP conflicts with other public IP addresses on the internet.

Question # 61

Your organization is developing a landing zone architecture with the following requirements:

There should be no communication between production and non-production environments.

Communication between applications within an environment may be necessary.

Network administrators should centrally manage all network resources, including subnets, routes, and firewall rules.

Each application should be billed separately.

Developers of an application within a project should have the autonomy to create their compute resources.

Up to 1000 applications are expected per environment.

You need to create a design that accommodates these requirements. What should you do?

Create a design where each project has its own VPC. Ensure all VPCs are connected by a Network Connectivity Center hub that is centrally managed by the network team.

Create a design that implements a single Shared VPC. Use VPC firewall rules with secure tags to enforce micro-segmentation between environments.

Create a design that has one host project with a Shared VPC for the production environment, another host project with a Shared VPC for the non-production environment, and a service project that is associated with the corresponding host project for each initiative.

Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.

Full Access

Question # 62

You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:

gcloud compute routes create no-ip-internet-route \

--network custom-network1 \

--destination-range 0.0.0.0/0 \

--next-hop instance nat-gateway \

--next-hop instance-zone us-central1-a \

--tags no-ip --priority 800

You want existing instances to use the new NAT gateway. Which command should you execute?

sudo sysctl -w net.ipv4.ip_forward=1

gcloud compute instances add-tags [existing-instance] --tags no-ip

gcloud builds submit --config=cloudbuild.waml --substitutions=TAG_NAME=no-ip

gcloud compute instances create example-instance --network custom-network1 \

--subnet subnet-us-central \

--no-address \

--zone us-central1-a \

--image-family debian-9 \

--image-project debian-cloud \

--tags no-ip

Full Access

Question # 63

Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two encrypted VLAN attachments that have a 5 Gbps capacity and a BGP configuration. The BGP sessions are operational. You need to complete the deployment of the HA VPN over Cloud Interconnect. What should you do?

Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Configure the HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels. Use the same encrypted Cloud Router used for the Cloud Interconnect tier.

Enable MACsec for Cloud Interconnect on the VLAN attachments.

Enable MACsec on Partner Interconnect.

Create an HA VPN gateway and associate the gateway with your two encrypted VLAN attachments. Create a new dedicated HA VPN Cloud Router, peer VPN gateway resources, and HA VPN tunnels.

Full Access

Question # 64

You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?

Configure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.

Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.

Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

Full Access

Question # 65

You need to create the technical architecture for hybrid connectivity from your data center to Google Cloud This will be managed by a partner. You want to follow Google-recommended practices for production-level applications. What should you do?

Ask the partner to install two security appliances in the data center. Configure one VPN connection from each of these devices to Google

Cloud, and ensure that the VPN devices on-premises are in separate racks on separate power and cooling systems.

Configure two Partner Interconnect connections in one metropolitan area (metro). Make sure the Interconnect connections are placed in

different metro edge availability domains. Configure two VLAN attachments in a single region, and configure regional dynamic routing on

the VPC

Configure two Partner Interconnect connections in one metro and two connections in another metro Make sure the Interconnect

connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN

attachments in another region, and configure global dynamic routing on the VPC

Configure two Partner Interconnect connections in one metro and two connections in another metro. Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure regional dynamic routing on the VPC.

Full Access

Question # 66

You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?

Review the VPC audit logs in Cloud Logging for the affected instances.

Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.

Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.

Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.

Full Access

Question # 67

You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?

Create a network load balancer that used backend services containing one instance group with two instances.

Create a network load balancer that uses a target pool backend with two instances.

Create a TCP proxy that uses a zonal network endpoint group containing one instance.

Create a TCP proxy that uses backend services containing an instance group with two instances.

Full Access

Question # 68

Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.

How should you design the topology?

Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.

Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.

Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.

Full Access

Weekend Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer Question and Answers

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Answer:

Answer:

Explanation:

Answer:

Explanation:

Answer:

Answer:

Explanation: