Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 1:
Your organization has a legacy VPN device that uses IKEv1 and does not support BGP. Connectivity from your on-premises environment to Google Cloud needs to be established. You are using 172.16.100.0/24, 172.16.101.0/24, and
172.16.102.0/24 in your on-premises environment, and 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24 in your Google Cloud environment. You have configured a VPN gateway and you need to configure a policy-based VPN
tunnel.
What should you do?
A. Configure the tunnel with LOCAL_TS set to 172.16.100.0/22 and REMOTE_TS set to 192.168.100.0/22. B. Configure the tunnel with LOCAL_TS set to 192.168.100.0/22 and REMOTE_TS set to 172.16.100.0/22. C. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 192.168.100.0/24,192.168.101.0/24, and 192.168.102.0/24. D. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 0.0.0.0/0.
C. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 192.168.100.0/24,192.168.101.0/24, and 192.168.102.0/24.
Explanation
Policy-based VPNs require explicit configuration of traffic selectors, known as LOCAL_TS (local traffic selector) and REMOTE_TS (remote traffic selector), which define the specific subnet ranges allowed to pass through the VPN tunnel.
1. Set LOCAL_TS to your on-premises subnets: Since on-premises subnets are 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, they should be included in the LOCAL_TS.
2. Set REMOTE_TS to your Google Cloud subnets: Google Cloud subnets are 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24, so they should be included in the REMOTE_TS.
3. Match specific subnets: Policy-based VPNs require a one-to-one mapping of the traffic selectors. Wildcard ranges (e.g., /22 or 0.0.0.0/0) cannot be used because policy-based VPNs rely on matching specific subnet ranges to establish secure connectivity.
Question 2:
You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.
Which two actions can accomplish this? (Choose two.)
A. Open a Cloud Support ticket under the Cloud Interconnect category. B. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console. C. Run gcloud compute interconnects describe <interconnect>. D. Check the email for the account of the NOC contact that you specified during the ordering process. E. Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.
B. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console. D. Check the email for the account of the NOC contact that you specified during the ordering process.
Question 3:
You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions. The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices.
What should you do?
A. Create one VPC with one subnet in each region. Create a regional network load balancer in each region with a static IP address. Enable Cloud CDN on the load balancers. Create an A record in Cloud DNS with both IP addresses for the load balancers. B. Create one VPC with one subnet in each region. Create a global load balancer with a static IP address. Enable Cloud CDN and Google Cloud Armor on the load balancer. Create an A record using the IP address of the load balancer in Cloud DNS. C. Create one VPC in each region, and peer both VPCs. Create a global load balancer. Enable Cloud CDN on the load balancer. Create a CNAME for the load balancer in Cloud DNS. D. Create one VPC with one subnet in each region. Create an HTTP(S) load balancer with a static IP address. Choose the standard tier for the network. Enable Cloud CDN on the load balancer. Create a CNAME record using the load balancer's IP address in Cloud DNS.
B. Create one VPC with one subnet in each region. Create a global load balancer with a static IP address. Enable Cloud CDN and Google Cloud Armor on the load balancer. Create an A record using the IP address of the load balancer in Cloud DNS.
Question 4:
Your GKE cluster is running out of Pod IP addresses in its current secondary range. You need to add capacity for new nodes without recreating the cluster.
What should you do?
A. Add a new secondary Pod range to the subnet and configure the cluster or new node pool to use the additional Pod range. B. Convert the cluster from VPC-native mode to routes-based mode. C. Enable Cloud NAT on the subnet that contains the GKE nodes. D. Create a public DNS zone for the cluster service names.
A. Add a new secondary Pod range to the subnet and configure the cluster or new node pool to use the additional Pod range.
Explanation
GKE supports adding additional Pod IP ranges for VPC-native clusters so new node pools can use more Pod address space without recreating the cluster. Converting to routes-based networking is not the correct remediation and is not a normal migration path for this issue. Cloud NAT can provide outbound internet access but does not increase Pod IP capacity. Public DNS zones do not affect Pod secondary range exhaustion.
Question 5:
Your application is protected by Cloud Armor behind an external Application Load Balancer. A small number of client IP addresses are sending excessive requests to an expensive API path. You need to slow those clients while allowing normal users to continue accessing the application.
What should you configure?
A. A Cloud Armor rate limiting rule that uses the client IP address as the enforcement key. B. A Cloud DNS forwarding zone for the application domain. C. A Cloud NAT gateway with dynamic port allocation. D. A VPC firewall egress deny rule for the backend instances.
A. A Cloud Armor rate limiting rule that uses the client IP address as the enforcement key.
Explanation
Cloud Armor supports rate limiting policies that can throttle or ban requests based on keys such as client IP address. This allows the application to limit abusive clients while continuing to serve normal traffic through the load balancer. Cloud DNS forwarding controls DNS resolution and does not rate limit HTTP requests. Cloud NAT handles outbound NAT for private resources. A backend egress deny rule would not selectively slow excessive inbound client requests to a specific
API path.
Question 6:
A Cloud Run service needs to call a private internal application that is reachable only inside a VPC network. The service should send only private destination traffic through the VPC and continue using normal internet egress for public destinations.
What should you configure?
A. A Serverless VPC Access connector and egress settings for private ranges only. B. A Cloud NAT gateway attached directly to the Cloud Run service. C. A public external Application Load Balancer in front of the internal application. D. DNSSEC on the Cloud Run service URL.
A. A Serverless VPC Access connector and egress settings for private ranges only.
Explanation
Serverless VPC Access lets serverless workloads such as Cloud Run reach resources in a VPC network. Configuring egress for private ranges only sends private destination traffic through the connector while leaving public internet egress on the normal path. Cloud NAT is attached to VPC subnets, not directly to a Cloud Run service for private application reachability. Exposing the internal application through a public load balancer violates the private-only requirement. DNSSEC does not provide VPC connectivity.
Question 7:
You manage your company's network security and have noticed unusual outbound traffic from a Compute Engine VM that is part of a production subnet. You suspect the VM may be compromised, because it is attempting to communicate with a malicious external IP address. You want to capture detailed metadata for every IP connection to and from this specific VM. including source/destination IP, port, protocol, and the amount of data transferred.
What should you do?
A. Enable VPC Flow Logs on the subnet containing the VM. Set the sampling rate to 1.0 for maximum detail, and filter the logs in Cloud Logging for the VM's IP address. B. Navigate to Network Intelligence Center, and run a new connectivity test for the VM. Analyze the report to see which configurations are allowing the traffic. C. Use Packet Mirroring to create a real-time copy of all network packets from the suspected VM. Forward the copies to a collector VM for analysis. D. Create a new egress firewall rule with a priority of 65535 that allows all outbound traffic. Enable Firewall Rules Logging on this new rule to capture all connection details.
A. Enable VPC Flow Logs on the subnet containing the VM. Set the sampling rate to 1.0 for maximum detail, and filter the logs in Cloud Logging for the VM's IP address.
Explanation
VPC Flow Logs provide detailed, per-connection metadata including source and destination IP addresses, ports, protocol, bytes sent/received, and connection direction. Enabling them on the subnet with a sampling rate of 1.0 ensures full visibility for all traffic, and filtering by the VM's IP in Cloud Logging allows precise monitoring of the suspected compromised instance.
Question 8:
You manage a Google Kubernetes Engine (GKE) cluster that needs to communicate with a legacy monitoring service running in your on-premises data center. The on-premises network uses the 192.168.10.0/24 address range and is connected to your VPC through Cloud VPN. The legacy monitoring service can only accept traffic from the GKE clusters' node IP addresses, not from Pod IP addresses. You notice that traffic from Pods is failing. You need to ensure that traffic from Pods can seamlessly flow to the on-premises network.
What should you do?
A. Configure a hybrid Cloud NAT gateway on the Cloud Router associated with the Cloud VPN tunnel. B. Ensure that the ip-masq-agent is deployed and that 192.168.10.0/24 is not present in the nonMasqueradeCIDRs list in the GKE cluster. C. Add 192.168.10.0/24 to the nonMasqueradeCIDRs list in the ip-masq-agent's ConfigMap in the GKE Cluster. D. Configure a Public Cloud NAT gateway for the GKE cluster's subnet.
B. Ensure that the ip-masq-agent is deployed and that 192.168.10.0/24 is not present in the nonMasqueradeCIDRs list in the GKE cluster.
Explanation
You need Pod egress to on-premises to be source NATed to the node IPs so the legacy service sees node addresses instead of Pod addresses. The ip-masq-agent controls this behavior: ensuring it is deployed and that the on-premises CIDR is not in nonMasqueradeCIDRs forces masquerading for 192.168.10.0/24, making Pod traffic appear to come from the nodes and restoring connectivity.
Question 9:
You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a
second Cloud Router (router-2) in the 172.16.0.0/16 network.
Which configuration should you use for the BGP session?
A. Option A B. Option B C. Option C D. Option D
C. Option C
Question 10:
Your company recently migrated to Google Cloud. You configured separate Virtual Private Cloud (VPC) networks for Department A and Department B. You need to configure both VPC networks to have access to the same on-premises location through separate links with full isolation between the VPC networks. Your design must also query on-premises DNS servers from workloads in Google Cloud using conditional forwarding. You want to minimize operational overhead.
What should you do?
A. Customize the operating system DNS configuration files to target the on-premises DNS servers. B. Keep the different VPC networks from both departments isolated with different on-premises links, and separate Cloud DNS private zones and Cloud DNS forwarding zones. C. Peer Department A's and Department B's VPC networks to have all on-premises connectivity via a single VPC network. Use separate Cloud DNS private zones and Cloud DNS forwarding zones. D. Configure a Cloud DNS Peering zone in Department A's VPC network pointing to Department B's VPC and a Cloud DNS outbound forwarding zone in Department B's VPC network. Use separate on-premises links in each VPC network.
D. Configure a Cloud DNS Peering zone in Department A's VPC network pointing to Department B's VPC and a Cloud DNS outbound forwarding zone in Department B's VPC network. Use separate on-premises links in each VPC network.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.