Google Professional Cloud Network Engineer practice test

Professional Cloud Network Engineer

Last exam update: May 13, 2024
Page 1 out of 5. Viewing questions 1-15 out of 80

Question 1

Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate
organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host
names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP
environments:
  • Each organization has enabled full connectivity between all of its projects by using Shared VPC.
  • Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
  • There are no prefix overlaps between the two organizations.
  • Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
  • Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal
downtime.
Which two steps should you take? (Choose two.)

  • A. Provision Cloud Interconnect to connect both organizations together.
  • B. Set up some variant of DNS forwarding and zone transfers in each organization.
  • C. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
  • D. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
  • E. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.
Answer:

C D

Question 2

You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for
policy-based routing using the gcloud command.
Which next hop should you choose?

  • A. The default internet gateway
  • B. The IP address of the Cloud VPN gateway
  • C. The name and region of the Cloud VPN tunnel
  • D. The IP address of the instance on the remote side of the VPN tunnel
Answer:

C

Explanation:
Reference: https://cloud.google.com/vpn/docs/how-to/creating-static-vpns

Question 3

Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All
applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced
across the 2 connections as desired.
During troubleshooting you find:
  • Each on-premises router is configured with a unique ASN.
  • Each on-premises router is configured with the same routes and priorities.
  • Both on-premises routers are configured with a VPN connected to a single Cloud Router.
  • BGP sessions are established between both on-premises routers and the Cloud Router.
  • Only 1 of the on-premises routers' routes are being added to the routing table.
What is the most likely cause of this problem?

  • A. The on-premises routers are configured with the same routes.
  • B. A firewall is blocking the traffic across the second VPN connection.
  • C. You do not have a load balancer to load-balance the network traffic.
  • D. The ASNs being used on the on-premises routers are different.
Answer:

D

Question 4

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict
reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway
Protocol (BGP).
Which routing option should you choose?

  • A. Dynamic routing using Cloud Router
  • B. Route-based routing using default traffic selectors
  • C. Policy-based routing using a custom local traffic selector
  • D. Policy-based routing using the default local traffic selector
Answer:

A

Explanation:
Reference: https://cloud.google.com/vpn/docs/concepts/overview

Question 5

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of
its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP)
configuration.
Which connectivity model should you use?

  • A. Direct Peering
  • B. Dedicated Interconnect
  • C. Partner Interconnect with a layer 2 partner
  • D. Partner Interconnect with a layer 3 partner
Answer:

B

Explanation:
Reference: https://cloud.google.com/interconnect/docs/support/faq

Question 6

You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to
host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years,
there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with
alias IP ranges, while minimizing address consumption.
How should you design this topology?

  • A. Create a subnet of size /25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
  • B. Create a subnet of size /28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
  • C. Use gcloud container clusters create [CLUSTER NAME] --enable-ip-alias to create a VPC-native cluster.
  • D. Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.
Answer:

B

Explanation:
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters

Question 7

You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design
before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine
instance that need to communicate to on-premises servers using private IP addresses. The on-premises servers have
connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the
lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24
hours.
Which connectivity method should you choose?

  • A. Cloud VPN
  • B. 50-Mbps Partner VLAN attachment
  • C. Dedicated Interconnect with a single VLAN attachment
  • D. Dedicated Interconnect, but don’t provision any VLAN attachments
Answer:

A

Question 8

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow
HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the
login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You
want to see the logs for blocked traffic.
What should you do?

  • A. Check the VPC flow logs for the instance.
  • B. Try connecting to the instance via SSH, and check the logs.
  • C. Create a new firewall rule to allow traffic from port 22, and enable logs.
  • D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
Answer:

A

Question 9

You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You
receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?

  • A. Add the resourcemanager.projects.get permission, and try again.
  • B. Try again with a different role with a new name but the same permissions.
  • C. Remove the resourcemanager.projects.list permission, and try again.
  • D. Add the resourcemanager.projects.setIamPolicy permission, and try again.
Answer:

C

Explanation:
Reference: https://cloud.google.com/iam/docs/understanding-custom-roles

Question 10

You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?

  • A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
  • B. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
  • C. Create a single firewall rule to allow port 22 with priority 1000.
  • D. Create a single firewall rule to allow port 3389 with priority 1000.
Answer:

C

Explanation:
Reference: https://geekflare.com/gcp-firewall-configuration/

Question 11

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access
is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your
origin to allow connections only from the traffic-scrubbing service.
What should you do?

  • A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
  • B. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.
  • C. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.
  • D. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
Answer:

B

Question 12

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does
not require a third-party service provider.
Which connection type should you choose?

  • A. Carrier Peering
  • B. Direct Peering
  • C. Dedicated Interconnect
  • D. Partner Interconnect
Answer:

B

Explanation:
Reference: https://cloud.google.com/interconnect/docs/how-to/direct-peering

Question 13

After a network change window one of your company's applications stops working. The application uses an on-premises
database server that no longer receives any traffic from the application.
The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC
subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24. The on-premises router
is advertising 10.0.0.0/8.
What is the most likely cause of this problem?

  • A. The less specific VPC subnet route is taking priority.
  • B. The more specific VPC subnet route is taking priority.
  • C. The on-premises router is not advertising a route for the database server.
  • D. A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.
Answer:

D

Question 14

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is
configured on the web servers, but responses served by Cloud CDN are not compressed.
What is the most likely cause of the problem?

  • A. You have not configured compression in Cloud CDN.
  • B. You have configured the web servers and Cloud CDN with different compression types.
  • C. The web servers behind the load balancer are configured with different compression types.
  • D. You have to configure the web servers to compress responses even if the request has a Via header.
Answer:

D

Explanation:
If responses served by Cloud CDN are not compressed but should be, check that the web server software running on your
instances is configured to compress responses. By default, some web server software will automatically disable compression
for requests that include a Via header. The presence of a Via header indicates the request was forwarded by a proxy. HTTP
proxies such as HTTP(S) load balancing add a Via header to each request as required by the HTTP specification. To enable
compression, you may have to override your web server's default configuration to tell it to compress responses even if the
request had a Via header.
Reference: https://cloud.google.com/cdn/docs/troubleshooting-steps

Question 15

Your company's Google Cloud-deployed, streaming application supports multiple languages. The application development
team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage
buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory
structure:
/fr/video
/en/video
/es/video /../video
/fr/audio
/en/audio
/es/audio /../audio
Which solution should you recommend?

  • A. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
  • B. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
  • C. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
  • D. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
Answer:

D
