PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 101:

    You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.

    Which GKE resource should you use?

    A. GKE Node
    B. GKE Pod
    C. GKE Cluster
    D. GKE Ingress

  • Question 102:

    You are designing a solution to inspect all traffic between your company's production-vpc and development-vpc for threat detection and compliance logging. The company will deploy a fleet of third-party Cloud Next Generation Firewall (NGFW) appliances that provide intrusion prevention system (IPS) capabilities. You need to prevent attacks by blocking malicious traffic in real time before it reaches its destination without adding significant latency or creating a single point of failure for inter-VPC communication.

    What should you do?

    A. - Deploy the third-party NGFW appliances as multi-NIC VMs, with an NIC in each VPC. - Create custom static routes in each VPC that direct traffic destined for the other VPC to an internal TCP/UDP load balancer that uses the NGFW appliances as its backends.
    B. - Use Packet Mirroring to send traffic to the third-party NGFW appliances. - When a threat is detected, have the appliances use the Google Cloud Armor API to insert a rule blocking the malicious source.
    C. - Use Packet Mirroring to create a copy of all inter-VPC traffic. - Forward it to an internal Application Load Balancer that distributes the traffic to the NGFW appliance fleet for analysis.
    D. - Configure a Cloud NAT gateway to handle routing between the two VPCs, and enable NAT logging. - Use a script to parse the logs, and send them to the NGFW appliances.

  • Question 103:

    You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.

    Which NAT solution should you use?

    A. Cloud NAT
    B. An instance with IP forwarding enabled
    C. An instance configured with iptables DNAT rules
    D. An instance configured with iptables SNAT rules

  • Question 104:

    Your company's current network architecture has two VPCs that are connected by a dual-NIC instance that acts as a bump-in-the-wire firewall between the two VPCs. Flows between pairs of subnets across the two VPCs are working correctly. Suddenly, you receive an alert that none of the flows between the two VPCs are working anymore. You need to troubleshoot the problem.

    What should you do? (Choose two.)

    A. Verify that a VPC Service Controls perimeter has not been enabled for the project that contains the two VPCs and the dual-NIC instance.
    B. Use Cloud Logging to verify that there were no modifications to the VPC firewall rules or policies that were applied to the two network interfaces of the dual-NIC instance.
    C. Verify that a public IP address has not been assigned to any network interface of the dual-NIC instance.
    D. Verify that the dual-NIC instance has the --can-Ip-Forward attribute enabled.
    E. Verify that the dual-NIC instance has not been added to a backend service.

  • Question 105:

    Your organization has a highly available application that is not HTTP-based. The application runs on multiple TCP ports and is hosted in multiple regions. You need to design a solution to load balance the application in the same Shared VPC where the service will be accessed. The IP address header must contain the client's true source IP address. No public internet access is required.

    What should you do?

    A. Configure multiple regional internal proxy Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
    B. Configure multiple regional internal Application Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.
    C. Configure a single cross region internal proxy Network Load Balancer.
    D. Configure multiple regional internal passthrough Network Load Balancers and enable global access. Use DNS routing policies to balance traffic across regions.

  • Question 106:

    You are establishing a hybrid connection between your on-premises data center and Google Cloud. You configured a Cloud DNS private zone and an inbound server policy in your primary VPC to allow on-premises hosts to resolve private DNS zones hosted in Google Cloud, such as vm.gcp.corp.internal. The inbound server policy has been assigned an IP address, and you have configured your on-premises DNS servers to conditionally forward requests for the gcp.corp.internal domain to this IP. From your on-premises network, you can see that the routes for the inbound forwarding addresses were learned as expected, and response traffic is correctly being routed through your on-premises edge firewall to GCP. However, all DNS queries from on-premises clients for this domain are timing out, and they are unable to resolve the addresses of any Google Cloud resources.

    What should you do?

    A. Create a firewall rule on your on-premises firewall to allow traffic on TCP:53 and UDP:53 from the on-premises IP address range to Cloud DNS inbound server policy IP addresses.
    B. Ensure the Cloud DNS API is enabled in the project that contains your primary VPC.
    C. Create a Cloud DNS peering connection between your VPC and the VPC where the private zone is hosted.
    D. Configure the Cloud DNS outbound server policy with the same IP address as the inbound policy.

  • Question 107:

    Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements: Certain data must stay in the project where it is stored and not be exfiltrated to other projects. Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs. All DNS resolution must be done on-premises. The solution should only provide access to APIs that are compatible with VPC Service Controls.

    What should you do?

    A. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
    B. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.
    C. 1. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.
    D. 1. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.2. Create a CNAME record for *.googleapis.com that points to the A record.3. Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.4. Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

  • Question 108:

    Your organization requires its cloud network environment to inspect and deny traffic through a third party virtual firewall appliance. You currently operate a single standalone appliance, which is the next-hop target of a custom static route. You have recently deployed a new redundant appliance for high availability and load-sharing. You need to route the cloud network traffic through these appliances in an active/active configuration, while avoiding asymmetric routing. You also need to deploy this configuration with minimal traffic disruption and follow Google-recommended practices.

    What should you do?

    A. Configure an internal passthrough network load balancer to send traffic to the redundant appliance. Then configure a packet mirroring policy that mirrors all traffic from the pre-existing standalone appliance to the new redundant appliance.
    B. Configure an internal passthrough network load balancer to balance traffic to both appliances. Create a route with this internal load balancer as a next hop at a higher priority than the existing route. Then remove the pre-existing route that directed traffic to the standalone appliance.
    C. Create a route for the redundant appliance at the same priority as the pre-existing standalone appliance.
    D. Create routes for both appliances at the same priority, but higher than the existing standalone appliance's route. Then remove the pre-existing route that directed traffic to the standalone appliance.

  • Question 109:

    You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers.

    What should you do?

    A. Configure a forwarding rule on the existing load balancer for the application tier.
    B. Configure equal cost multi-path routing on the application servers.
    C. Configure a new internal HTTP(S) load balancer for the application tier.
    D. Configure a URL map on the existing load balancer to route traffic to the application tier.

  • Question 110:

    You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem.

    What should you do?

    A. Review the VPC audit logs in Cloud Logging for the affected instances.
    B. Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.
    C. Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.
    D. Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.