PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 91:

    You are migrating to Cloud DNS and want to import your BIND zone file.

    Which command should you use?

    A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
    B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
    C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
    D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE

  • Question 92:

    Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design.

    What should you do?

    A. 1. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.2. Configure DNS peering from the spoke VPCs to the hub VPC.
    B. 1. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
    C. 1. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.2. Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.
    D. 1. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.

  • Question 93:

    You have configured a single IPSec Cloud VPN tunnel for your organization to one of your customers. The VPN Tunnel Status is showing as Established; however the BGP Session Status is showing as BGP not configured. Your customer's

    BGP settings are:

    Customer BGP address: 169.254.11.1/30 Customer ASN: 64515 Google Cloud BGP address:

    169.254.11.2 Google Cloud ASN: 64517 MD5 Authentication: Disabled. You need to configure your local BGP session for this tunnel based on the settings provided by the third party customer. You have already associated the Cloud Router

    with the Cloud VPN Tunnel.

    What should you do?

    A. Create a BGP session with these settings: Peer ASN: 64517 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Disabled.
    B. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.1 Peer BGP IP: 169.254.11.2 MD5 Authentication: Disabled.
    C. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Disabled.
    D. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 1000 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Enabled.

  • Question 94:

    You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations and ensure there are no rules that are allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work.

    What should you do?

    A. Review the firewall policy rules associated with the VPC, and filter for rules that allow ingress from 0.0.0.0/0.
    B. Enable "Overly permissive rules insights" in Firewall Insights. Review results for rules that show allowed ingress traffic from internet sources.
    C. Run Connectivity Tests from multiple external sources to double-check ingress traffic settings.
    D. Enable the Network Analyzer API and review the "VPC Network" category insights.

  • Question 95:

    Your company distributes software updates using a Cloud Storage bucket fronted by a global external HTTPS Application Load Balancer with Cloud CDN enabled. You uploaded a critical security patch to a file named latest_update.zip. The security patch eliminates a vulnerability that could be exploited by cybercriminals. You need to ensure that all users worldwide immediately receive the new version, and that any previously cached copies of latest_update.zip are purged from the Cloud CDN network.

    What should you do?

    A. Disable and then re-enable Cloud CDN for the entire backend bucket to flush the cache.
    B. Modify the metadata of the latest_update.zip object in Cloud Storage to set the Cache-Control header to no-cache.
    C. Run the gcloud compute url-maps invalidate-cdn-cache command, specifying the load balancer's URL map and the exact path to the latest_update.zip file.
    D. Change the Cloud CDN cache mode for the backend bucket from CACHE_ALL_STATIC to USE_ORIGIN_HEADERS and then back to CACHE_ALL_STATIC.

  • Question 96:

    You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.

    What should you do?

    A. Configure a policy-based route rule to prioritize the traffic.
    B. Configure an HTTP load balancer, and direct the traffic to it.
    C. Configure Dynamic Routing for the subnet hosting the application.
    D. Configure the TTL for the DNS zone to decrease the time between updates.

  • Question 97:

    Your company requires a highly available hybrid connection from an on-premises data center to Google Cloud. The design must support dynamic routing and encrypted traffic over the public internet, and must provide a 99.99% availability architecture when configured according to Google guidance.

    What should you deploy?

    A. Classic VPN with one tunnel and static routes.
    B. HA VPN with two interfaces, two tunnels to the peer gateway, and Cloud Router for BGP.
    C. Direct Peering with static routes to the VPC subnet ranges.
    D. Partner Interconnect without VLAN attachments.

  • Question 98:

    Your organization needs to migrate from project-level VPC firewall rules to a centrally managed policy model. The security team also wants rules that can target workloads by secure tags.

    What should you use?

    A. Cloud Next Generation Firewall policies.
    B. Cloud CDN cache policies.
    C. Cloud Router custom route advertisements.
    D. Cloud DNS response policies only.

  • Question 99:

    You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) instances.

    What two prerequisite tasks must be completed before creating the load balancer? (Choose two.)

    A. Choose a region.
    B. Create firewall rules for health checks.
    C. Reserve a static IP address for the load balancer.
    D. Determine the subnet mask for a proxy-only subnet.
    E. Determine the subnet mask for Serverless VPC Access.

  • Question 100:

    You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud.

    Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)

    A. Create a single Cloud VPN tunnel that uses route-based VPN.
    B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors.
    C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses.
    D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors.
    E. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to the same peer IP address.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.