Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 91:
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED_ZONE
C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
Explanation
Once you have the exported file from your other provider, you can use the gcloud dns record-sets import command to import it into your managed zone. To import record-sets, you use the dns record-sets import command. The --zone-file-format flag tells importto expect a BIND zone formatted file. If you omit this flag, import expects a YAML-formatted records file.
Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design.
What should you do?
A. 1. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.2. Configure DNS peering from the spoke VPCs to the hub VPC. B. 1. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC. C. 1. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.2. Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs. D. 1. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.2. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
A. 1. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.2. Configure DNS peering from the spoke VPCs to the hub VPC.
Question 93:
You have configured a single IPSec Cloud VPN tunnel for your organization to one of your customers. The VPN Tunnel Status is showing as Established; however the BGP Session Status is showing as BGP not configured. Your customer's
169.254.11.2 Google Cloud ASN: 64517 MD5 Authentication: Disabled. You need to configure your local BGP session for this tunnel based on the settings provided by the third party customer. You have already associated the Cloud Router
with the Cloud VPN Tunnel.
What should you do?
A. Create a BGP session with these settings: Peer ASN: 64517 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Disabled. B. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.1 Peer BGP IP: 169.254.11.2 MD5 Authentication: Disabled. C. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Disabled. D. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 1000 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Enabled.
C. Create a BGP session with these settings: Peer ASN: 64515 Advertise Route Priority (MED): 100 Local BGP IP: 169.254.11.2 Peer BGP IP: 169.254.11.1 MD5 Authentication: Disabled.
Explanation
You must peer with the customer's ASN (64515) and use the Cloud Router's IP (169.254.11.2) as your local BGP address, pointing at their IP (169.254.11.1). MD5 stays disabled, and a MED of 100 is a reasonable default if you choose to set it. This matches all the provided parameters so the session will establish.
Question 94:
You have recently taken over responsibility for your organization's Google Cloud network security configurations. You want to review your Cloud Next Generation Firewall (Cloud NGFW) configurations and ensure there are no rules that are allowing ingress traffic to your VMs and services from the internet. You want to avoid manual work.
What should you do?
A. Review the firewall policy rules associated with the VPC, and filter for rules that allow ingress from 0.0.0.0/0. B. Enable "Overly permissive rules insights" in Firewall Insights. Review results for rules that show allowed ingress traffic from internet sources. C. Run Connectivity Tests from multiple external sources to double-check ingress traffic settings. D. Enable the Network Analyzer API and review the "VPC Network" category insights.
B. Enable "Overly permissive rules insights" in Firewall Insights. Review results for rules that show allowed ingress traffic from internet sources.
Explanation
Firewall Insights in Google Cloud provides a feature called "Overly permissive rules insights," which automatically identifies and highlights firewall rules that allow excessive or broad access, such as ingress traffic from 0.0.0.0/0 (all internet sources). By enabling this feature, you can quickly and efficiently identify rules that could pose security risks, such as those allowing unauthorized ingress traffic to your VMs and services from the internet. This approach avoids the need for manual inspection and ensures that you have a comprehensive view of potential security issues in your network configuration.
Question 95:
Your company distributes software updates using a Cloud Storage bucket fronted by a global external HTTPS Application Load Balancer with Cloud CDN enabled. You uploaded a critical security patch to a file named latest_update.zip. The security patch eliminates a vulnerability that could be exploited by cybercriminals. You need to ensure that all users worldwide immediately receive the new version, and that any previously cached copies of latest_update.zip are purged from the Cloud CDN network.
What should you do?
A. Disable and then re-enable Cloud CDN for the entire backend bucket to flush the cache. B. Modify the metadata of the latest_update.zip object in Cloud Storage to set the Cache-Control header to no-cache. C. Run the gcloud compute url-maps invalidate-cdn-cache command, specifying the load balancer's URL map and the exact path to the latest_update.zip file. D. Change the Cloud CDN cache mode for the backend bucket from CACHE_ALL_STATIC to USE_ORIGIN_HEADERS and then back to CACHE_ALL_STATIC.
C. Run the gcloud compute url-maps invalidate-cdn-cache command, specifying the load balancer's URL map and the exact path to the latest_update.zip file.
Explanation
Invalidating the exact object path on the load balancer's URL map immediately purges the cached copies of that file from Cloud CDN edge caches, forcing the next requests worldwide to fetch the new version from the origin.
Question 96:
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?
A. Configure a policy-based route rule to prioritize the traffic. B. Configure an HTTP load balancer, and direct the traffic to it. C. Configure Dynamic Routing for the subnet hosting the application. D. Configure the TTL for the DNS zone to decrease the time between updates.
B. Configure an HTTP load balancer, and direct the traffic to it.
Your company requires a highly available hybrid connection from an on-premises data center to Google Cloud. The design must support dynamic routing and encrypted traffic over the public internet, and must provide a 99.99% availability architecture when configured according to Google guidance.
What should you deploy?
A. Classic VPN with one tunnel and static routes. B. HA VPN with two interfaces, two tunnels to the peer gateway, and Cloud Router for BGP. C. Direct Peering with static routes to the VPC subnet ranges. D. Partner Interconnect without VLAN attachments.
B. HA VPN with two interfaces, two tunnels to the peer gateway, and Cloud Router for BGP.
Explanation
HA VPN uses two interfaces and Cloud Router with BGP for dynamic routing. When deployed with the required redundant tunnels and peer-side availability, it can provide the high-availability architecture required for site-to-site encrypted connectivity over the public internet. Classic VPN with one tunnel is not a 99.99% HA design. Direct Peering is not an encrypted site-to-site VPN into a VPC. Partner Interconnect requires VLAN attachments and is not an internet IPSec VPN
service.
Question 98:
Your organization needs to migrate from project-level VPC firewall rules to a centrally managed policy model. The security team also wants rules that can target workloads by secure tags.
What should you use?
A. Cloud Next Generation Firewall policies. B. Cloud CDN cache policies. C. Cloud Router custom route advertisements. D. Cloud DNS response policies only.
A. Cloud Next Generation Firewall policies.
Explanation
Cloud Next Generation Firewall supports centralized firewall policies, including hierarchical and network firewall policies, and can use targets such as secure tags where supported. This matches the requirement to move from project-level VPC firewall rules to a centrally managed policy model. Cloud CDN policies control content caching, not workload firewall enforcement. Cloud Router custom advertisements control routing information. Cloud DNS response policies affect DNS answers and do not replace firewall policy management.
Question 99:
You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) instances.
What two prerequisite tasks must be completed before creating the load balancer? (Choose two.)
A. Choose a region. B. Create firewall rules for health checks. C. Reserve a static IP address for the load balancer. D. Determine the subnet mask for a proxy-only subnet. E. Determine the subnet mask for Serverless VPC Access.
B. Create firewall rules for health checks. D. Determine the subnet mask for a proxy-only subnet.
Question 100:
You are configuring your organization's Google Cloud environment to connect to your on-premises network, which does not support Border Gateway Protocol (BGP). Your on-premises network has 30 CIDR ranges that must be reachable from Google Cloud. Your VPN gateway creates a unique child security association (SA) per CIDR. You must ensure that the 30 CIDR ranges in your on-premises network are reachable from Google Cloud.
Following Google-recommended practices, which two methods can you use to accomplish this? (Choose two.)
A. Create a single Cloud VPN tunnel that uses route-based VPN. B. Create a single Cloud VPN tunnel that uses policy-based routing with 30 CIDRs as the remote traffic selectors. C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses. D. Create multiple Cloud VPN tunnels that use policy-based routing with 10 CIDR per tunnel as the remote traffic selectors. E. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to the same peer IP address.
A. Create a single Cloud VPN tunnel that uses route-based VPN. C. Create multiple Cloud VPN tunnels that use policy-based routing so that each tunnel has one CIDR block for its local traffic selector and one CIDR block for its remote traffic selector. Connect each tunnel to unique peer IP addresses.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.