PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 1:

    Your organization has a legacy VPN device that uses IKEv1 and does not support BGP. Connectivity from your on-premises environment to Google Cloud needs to be established. You are using 172.16.100.0/24, 172.16.101.0/24, and

    172.16.102.0/24 in your on-premises environment, and 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24 in your Google Cloud environment. You have configured a VPN gateway and you need to configure a policy-based VPN

    tunnel.

    What should you do?

    A. Configure the tunnel with LOCAL_TS set to 172.16.100.0/22 and REMOTE_TS set to 192.168.100.0/22.
    B. Configure the tunnel with LOCAL_TS set to 192.168.100.0/22 and REMOTE_TS set to 172.16.100.0/22.
    C. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 192.168.100.0/24,192.168.101.0/24, and 192.168.102.0/24.
    D. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, and REMOTE_TS set to 0.0.0.0/0.

  • Question 2:

    You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.

    Which two actions can accomplish this? (Choose two.)

    A. Open a Cloud Support ticket under the Cloud Interconnect category.
    B. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.
    C. Run gcloud compute interconnects describe <interconnect>.
    D. Check the email for the account of the NOC contact that you specified during the ordering process.
    E. Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.

  • Question 3:

    You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions. The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices.

    What should you do?

    A. Create one VPC with one subnet in each region. Create a regional network load balancer in each region with a static IP address. Enable Cloud CDN on the load balancers. Create an A record in Cloud DNS with both IP addresses for the load balancers.
    B. Create one VPC with one subnet in each region. Create a global load balancer with a static IP address. Enable Cloud CDN and Google Cloud Armor on the load balancer. Create an A record using the IP address of the load balancer in Cloud DNS.
    C. Create one VPC in each region, and peer both VPCs. Create a global load balancer. Enable Cloud CDN on the load balancer. Create a CNAME for the load balancer in Cloud DNS.
    D. Create one VPC with one subnet in each region. Create an HTTP(S) load balancer with a static IP address. Choose the standard tier for the network. Enable Cloud CDN on the load balancer. Create a CNAME record using the load balancer's IP address in Cloud DNS.

  • Question 4:

    Your GKE cluster is running out of Pod IP addresses in its current secondary range. You need to add capacity for new nodes without recreating the cluster.

    What should you do?

    A. Add a new secondary Pod range to the subnet and configure the cluster or new node pool to use the additional Pod range.
    B. Convert the cluster from VPC-native mode to routes-based mode.
    C. Enable Cloud NAT on the subnet that contains the GKE nodes.
    D. Create a public DNS zone for the cluster service names.

  • Question 5:

    Your application is protected by Cloud Armor behind an external Application Load Balancer. A small number of client IP addresses are sending excessive requests to an expensive API path. You need to slow those clients while allowing normal users to continue accessing the application.

    What should you configure?

    A. A Cloud Armor rate limiting rule that uses the client IP address as the enforcement key.
    B. A Cloud DNS forwarding zone for the application domain.
    C. A Cloud NAT gateway with dynamic port allocation.
    D. A VPC firewall egress deny rule for the backend instances.

  • Question 6:

    A Cloud Run service needs to call a private internal application that is reachable only inside a VPC network. The service should send only private destination traffic through the VPC and continue using normal internet egress for public destinations.

    What should you configure?

    A. A Serverless VPC Access connector and egress settings for private ranges only.
    B. A Cloud NAT gateway attached directly to the Cloud Run service.
    C. A public external Application Load Balancer in front of the internal application.
    D. DNSSEC on the Cloud Run service URL.

  • Question 7:

    You manage your company's network security and have noticed unusual outbound traffic from a Compute Engine VM that is part of a production subnet. You suspect the VM may be compromised, because it is attempting to communicate with a malicious external IP address. You want to capture detailed metadata for every IP connection to and from this specific VM. including source/destination IP, port, protocol, and the amount of data transferred.

    What should you do?

    A. Enable VPC Flow Logs on the subnet containing the VM. Set the sampling rate to 1.0 for maximum detail, and filter the logs in Cloud Logging for the VM's IP address.
    B. Navigate to Network Intelligence Center, and run a new connectivity test for the VM. Analyze the report to see which configurations are allowing the traffic.
    C. Use Packet Mirroring to create a real-time copy of all network packets from the suspected VM. Forward the copies to a collector VM for analysis.
    D. Create a new egress firewall rule with a priority of 65535 that allows all outbound traffic. Enable Firewall Rules Logging on this new rule to capture all connection details.

  • Question 8:

    You manage a Google Kubernetes Engine (GKE) cluster that needs to communicate with a legacy monitoring service running in your on-premises data center. The on-premises network uses the 192.168.10.0/24 address range and is connected to your VPC through Cloud VPN. The legacy monitoring service can only accept traffic from the GKE clusters' node IP addresses, not from Pod IP addresses. You notice that traffic from Pods is failing. You need to ensure that traffic from Pods can seamlessly flow to the on-premises network.

    What should you do?

    A. Configure a hybrid Cloud NAT gateway on the Cloud Router associated with the Cloud VPN tunnel.
    B. Ensure that the ip-masq-agent is deployed and that 192.168.10.0/24 is not present in the nonMasqueradeCIDRs list in the GKE cluster.
    C. Add 192.168.10.0/24 to the nonMasqueradeCIDRs list in the ip-masq-agent's ConfigMap in the GKE Cluster.
    D. Configure a Public Cloud NAT gateway for the GKE cluster's subnet.

  • Question 9:

    You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and 172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a

    second Cloud Router (router-2) in the 172.16.0.0/16 network.

    Which configuration should you use for the BGP session?

    A. Option A
    B. Option B
    C. Option C
    D. Option D

  • Question 10:

    Your company recently migrated to Google Cloud. You configured separate Virtual Private Cloud (VPC) networks for Department A and Department B. You need to configure both VPC networks to have access to the same on-premises location through separate links with full isolation between the VPC networks. Your design must also query on-premises DNS servers from workloads in Google Cloud using conditional forwarding. You want to minimize operational overhead.

    What should you do?

    A. Customize the operating system DNS configuration files to target the on-premises DNS servers.
    B. Keep the different VPC networks from both departments isolated with different on-premises links, and separate Cloud DNS private zones and Cloud DNS forwarding zones.
    C. Peer Department A's and Department B's VPC networks to have all on-premises connectivity via a single VPC network. Use separate Cloud DNS private zones and Cloud DNS forwarding zones.
    D. Configure a Cloud DNS Peering zone in Department A's VPC network pointing to Department B's VPC and a Cloud DNS outbound forwarding zone in Department B's VPC network. Use separate on-premises links in each VPC network.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.