1. Home
  2. Google
  3. PROFESSIONAL-CLOUD-NETWORK-ENGINEER

Professional Cloud Network Engineer

Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :170 Q&As
  • Last Updated
    :May 21, 2025

Google Google Certifications PROFESSIONAL-CLOUD-NETWORK-ENGINEER Questions & Answers

  • Question 101:

    Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict

    your origin to allow connections only from the traffic-scrubbing service.

    What should you do?

    A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.

    B. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

    C. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.

    D. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.

  • Question 102:

    Your company's logo is published as an image file across multiple websites that are hosted by your company You have implemented Cloud CDN, however, you want to improve the performance of the cache hit ratio associated with this image file. What should you do?

    A. Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes-

    B. Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type

    C. Configure versioned IJRLs for each domain to serve users the mage file before the cache entry expires

    D. Configure the default time to live (TTL) as O for the image file.

  • Question 103:

    You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.

    How should you configure the Distribution VPC?

    A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.

    B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

    C. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

    D. Rename the default VPC as "Distribution" and peer it via network peering.

  • Question 104:

    You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

    A. Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

    B. Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.

    C. Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

    D. Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

  • Question 105:

    You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.

    Which two actions should you take? (Choose two.)

    A. Turn on Private Google Access at the subnet level.

    B. Turn on Private Google Access at the VPC level.

    C. Turn on Private Services Access at the VPC level.

    D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

    E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.

  • Question 106:

    You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:

    gcloud compute routes create no-ip-internet-route \

    --network custom-network1 \

    --destination-range 0.0.0.0/0 \

    --next-hop instance nat-gateway \

    --next-hop instance-zone us-central1-a \

    --tags no-ip --priority 800

    You want existing instances to use the new NAT gateway. Which command should you execute?

    A. sudo sysctl -w net.ipv4.ip_forward=1

    B. gcloud compute instances add-tags [existing-instance] --tags no-ip

    C. gcloud builds submit --config=cloudbuild.waml --substitutions=TAG_NAME=no-ip

    D. gcloud compute instances create example-instance --network custom-network1 \ --subnet subnet-us-central \ --no-address \ --zone us-central1-a \ --image-family debian-9 \ --image-project debian-cloud \ --tags no-ip

  • Question 107:

    You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on-premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?

    A. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.

    B. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

    C. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

    D. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range. Create a custom route that points Google's private API address range to the default internet gateway as the next hop.

  • Question 108:

    Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?

    A. Use the default public domains for all Google APIs and services.

    B. Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.

    C. Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

    D. Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

  • Question 109:

    You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.

    Which NAT solution should you use?

    A. Cloud NAT

    B. An instance with IP forwarding enabled

    C. An instance configured with iptables DNAT rules

    D. An instance configured with iptables SNAT rules

  • Question 110:

    You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?

    A. Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

    B. Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

    C. Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

    D. Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.