Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 101:
You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.
Which GKE resource should you use?
A. GKE Node B. GKE Pod C. GKE Cluster D. GKE Ingress
D. GKE Ingress
Question 102:
You are designing a solution to inspect all traffic between your company's production-vpc and development-vpc for threat detection and compliance logging. The company will deploy a fleet of third-party Cloud Next Generation Firewall (NGFW) appliances that provide intrusion prevention system (IPS) capabilities. You need to prevent attacks by blocking malicious traffic in real time before it reaches its destination without adding significant latency or creating a single point of failure for inter-VPC communication.
What should you do?
A. - Deploy the third-party NGFW appliances as multi-NIC VMs, with an NIC in each VPC. - Create custom static routes in each VPC that direct traffic destined for the other VPC to an internal TCP/UDP load balancer that uses the NGFW appliances as its backends. B. - Use Packet Mirroring to send traffic to the third-party NGFW appliances. - When a threat is detected, have the appliances use the Google Cloud Armor API to insert a rule blocking the malicious source. C. - Use Packet Mirroring to create a copy of all inter-VPC traffic. - Forward it to an internal Application Load Balancer that distributes the traffic to the NGFW appliance fleet for analysis. D. - Configure a Cloud NAT gateway to handle routing between the two VPCs, and enable NAT logging. - Use a script to parse the logs, and send them to the NGFW appliances.
A. - Deploy the third-party NGFW appliances as multi-NIC VMs, with an NIC in each VPC. - Create custom static routes in each VPC that direct traffic destined for the other VPC to an internal TCP/UDP load balancer that uses the NGFW appliances as its backends.
Explanation
To block malicious traffic in real time, the NGFW appliances must be placed inline on the traffic path, not just receive mirrored copies. Google Cloud supports this pattern by using multi-NIC virtual appliances and custom static routes whose next hop is an internal passthrough Network Load Balancer with the appliances as backends. This provides active inspection and enforcement for traffic between the two VPCs while avoiding a single appliance bottleneck by distributing traffic across a fleet of health-checked firewall instances. Packet Mirroring is for out-of-band detection and analysis, not inline prevention.
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?
A. Cloud NAT B. An instance with IP forwarding enabled C. An instance configured with iptables DNAT rules D. An instance configured with iptables SNAT rules
A. Cloud NAT
Explanation
References:
https://cloud.google.com/nat/docs/overview
Question 104:
Your company's current network architecture has two VPCs that are connected by a dual-NIC instance that acts as a bump-in-the-wire firewall between the two VPCs. Flows between pairs of subnets across the two VPCs are working correctly. Suddenly, you receive an alert that none of the flows between the two VPCs are working anymore. You need to troubleshoot the problem.
What should you do? (Choose two.)
A. Verify that a VPC Service Controls perimeter has not been enabled for the project that contains the two VPCs and the dual-NIC instance. B. Use Cloud Logging to verify that there were no modifications to the VPC firewall rules or policies that were applied to the two network interfaces of the dual-NIC instance. C. Verify that a public IP address has not been assigned to any network interface of the dual-NIC instance. D. Verify that the dual-NIC instance has the --can-Ip-Forward attribute enabled. E. Verify that the dual-NIC instance has not been added to a backend service.
B. Use Cloud Logging to verify that there were no modifications to the VPC firewall rules or policies that were applied to the two network interfaces of the dual-NIC instance. D. Verify that the dual-NIC instance has the --can-Ip-Forward attribute enabled.
Explanation
Use Cloud Logging to verify modifications to firewall rules or policies: Firewall rules are critical in ensuring that traffic flows between the two VPCs. Any changes to firewall rules or policies applied to the dual-NIC instance could disrupt traffic.
Reviewing Cloud Logging for modifications helps determine whether a recent change caused the connectivity issue.
Verify the --can-Ip-Forward attribute: For a dual-NIC instance to act as a bump-in-the-wire firewall and forward traffic between VPCs, it must have the --can-Ip-Forward attribute enabled. If this attribute is accidentally disabled, the instance cannot forward packets between its two interfaces, resulting in connectivity issues between the VPCs.
Question 105:
Your organization has a highly available application that is not HTTP-based. The application runs on multiple TCP ports and is hosted in multiple regions. You need to design a solution to load balance the application in the same Shared VPC where the service will be accessed. The IP address header must contain the client's true source IP address. No public internet access is required.
What should you do?
A. Configure multiple regional internal proxy Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions. B. Configure multiple regional internal Application Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions. C. Configure a single cross region internal proxy Network Load Balancer. D. Configure multiple regional internal passthrough Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
D. Configure multiple regional internal passthrough Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
Explanation
Internal passthrough Network Load Balancer: This load balancer works at the Layer 4 (TCP/UDP) level and is ideal for non-HTTP applications that run on multiple TCP ports. It preserves the client's true source IP address, which is a requirement in your case. Multiple regional load balancers: Deploying a regional load balancer in each region ensures that traffic is handled locally within a region for lower latency and redundancy. This also aligns with your application's multi-region hosting design. Global access and DNS routing policies: Enabling global access on each regional passthrough Network Load Balancer ensures that traffic from one region can be directed to another if needed. Using DNS routing policies (e.g., weighted, latency-based, or geo-based) allows you to balance traffic across regions intelligently and ensure high availability. No public internet access: The internal passthrough Network Load Balancer is internal-only, meaning it does not expose the application to the public internet. This meets the requirement of avoiding public internet access.
This design is optimized for multi-region, highly available, non-HTTP applications running on multiple TCP ports, while meeting the requirement to retain the client's true source IP address and avoid public internet access.
Question 106:
You are establishing a hybrid connection between your on-premises data center and Google Cloud. You configured a Cloud DNS private zone and an inbound server policy in your primary VPC to allow on-premises hosts to resolve private DNS zones hosted in Google Cloud, such as vm.gcp.corp.internal. The inbound server policy has been assigned an IP address, and you have configured your on-premises DNS servers to conditionally forward requests for the gcp.corp.internal domain to this IP. From your on-premises network, you can see that the routes for the inbound forwarding addresses were learned as expected, and response traffic is correctly being routed through your on-premises edge firewall to GCP. However, all DNS queries from on-premises clients for this domain are timing out, and they are unable to resolve the addresses of any Google Cloud resources.
What should you do?
A. Create a firewall rule on your on-premises firewall to allow traffic on TCP:53 and UDP:53 from the on-premises IP address range to Cloud DNS inbound server policy IP addresses. B. Ensure the Cloud DNS API is enabled in the project that contains your primary VPC. C. Create a Cloud DNS peering connection between your VPC and the VPC where the private zone is hosted. D. Configure the Cloud DNS outbound server policy with the same IP address as the inbound policy.
A. Create a firewall rule on your on-premises firewall to allow traffic on TCP:53 and UDP:53 from the on-premises IP address range to Cloud DNS inbound server policy IP addresses.
Explanation
DNS queries are timing out because the traffic still must be allowed through the on-premises firewall on both UDP 53 and TCP 53 for the inbound forwarding path to work. Google Cloud documents that the effective firewall configuration must allow DNS traffic on both protocols, so permitting that traffic to the Cloud DNS inbound forwarding addresses resolves the timeout issue.
Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements: Certain data must stay in the project where it is stored and not be exfiltrated to other projects. Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs. All DNS resolution must be done on-premises. The solution should only provide access to APIs that are compatible with VPC Service Controls.
What should you do?
A. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates. B. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses. C. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates. D. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.
B. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
Question 108:
Your organization requires its cloud network environment to inspect and deny traffic through a third party virtual firewall appliance. You currently operate a single standalone appliance, which is the next-hop target of a custom static route. You have recently deployed a new redundant appliance for high availability and load-sharing. You need to route the cloud network traffic through these appliances in an active/active configuration, while avoiding asymmetric routing. You also need to deploy this configuration with minimal traffic disruption and follow Google-recommended practices.
What should you do?
A. Configure an internal passthrough network load balancer to send traffic to the redundant appliance. Then configure a packet mirroring policy that mirrors all traffic from the pre-existing standalone appliance to the new redundant appliance. B. Configure an internal passthrough network load balancer to balance traffic to both appliances. Create a route with this internal load balancer as a next hop at a higher priority than the existing route. Then remove the pre-existing route that directed traffic to the standalone appliance. C. Create a route for the redundant appliance at the same priority as the pre-existing standalone appliance. D. Create routes for both appliances at the same priority, but higher than the existing standalone appliance's route. Then remove the pre-existing route that directed traffic to the standalone appliance.
B. Configure an internal passthrough network load balancer to balance traffic to both appliances. Create a route with this internal load balancer as a next hop at a higher priority than the existing route. Then remove the pre-existing route that directed traffic to the standalone appliance.
Explanation
An internal passthrough Network Load Balancer is the Google-recommended way to steer traffic through multiple next-hop firewall appliances in active/active while preserving symmetry. You can introduce it with minimal disruption by creating a more preferred route that uses the load balancer as the next hop, allowing traffic to shift to the active/active service, and then safely remove the old route that pointed directly to the standalone appliance.
Question 109:
You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers.
What should you do?
A. Configure a forwarding rule on the existing load balancer for the application tier. B. Configure equal cost multi-path routing on the application servers. C. Configure a new internal HTTP(S) load balancer for the application tier. D. Configure a URL map on the existing load balancer to route traffic to the application tier.
C. Configure a new internal HTTP(S) load balancer for the application tier.
Question 110:
You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem.
What should you do?
A. Review the VPC audit logs in Cloud Logging for the affected instances. B. Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address. C. Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet. D. Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.
C. Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.