Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name: Professional Cloud Network Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 333 Q&As
Last Updated: May 31, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers
Question 111:
In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers.
What should you do?
A. Create network tag app-server and service account [email protected]. Add the tag to the application servers, and associate the service account with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-rule \
        --action allow \
        --direction ingress \
        --rules top:3306 \
        --source-tags app-server \
        --target-service-accounts [email protected]
B. Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \
        --source-service-accounts [email protected] \
        --target-service-accounts [email protected]
C. Create service accounts [email protected] and [email protected]. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \
        --source-ranges 10.128.0.0/20 \
        --source-service-accounts [email protected] \
        --target-service-accounts [email protected]
D. Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-rule \
        --action allow \
        --direction ingress \
        --rules tcp:3306 \
        --source-ranges 10.128.0.0/20 \
        --source-tags app-server \
        --target-tags db-server
B. Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \
        --source-service-accounts [email protected] \
        --target-service-accounts [email protected]
Question 112:
Your organization has a critical project that requires a highly secure connectivity tunnel attached to the on-premises network. A Google Cloud network availability of 99.99% must be maintained. The on-premises network has one device and two interfaces, each with their own external IP addresses. You need to configure the appropriate Cloud HA VPN to address the project requirements.
What should you do?
A. Configure an HA VPN gateway with two VPN tunnel interfaces that connect to the on-premises device interface 0 and interface 1. Peer each tunnel to each external IP address. Set the REDUNDANCY_TYPE to TWO_IPS_REDUNDANCY.
B. Configure an HA VPN gateway with one VPN tunnel and two IP addresses that connect to the on-premises device interface 0. Use Cloud Router BGP MED and AS_PATH attributes to define redundancy with the on-premises device.
C. Configure an HA VPN gateway with two VPN tunnel interfaces that connect to the on-premises device interface 0 and interface 1. Peer each tunnel to each external IP address. Set the REDUNDANCY_TYPE to SINGLE_IP_INTERNALLY_REDUNDANT.
D. Configure an HA VPN gateway with one VPN tunnel and two interfaces that connect to the on-premises device interface 0 and interface 1. Peer each tunnel to each external IP address. Set the REDUNDANCY_TYPE to TWO_IPS_REDUNDANCY.
A. Configure an HA VPN gateway with two VPN tunnel interfaces that connect to the on-premises device interface 0 and interface 1. Peer each tunnel to each external IP address. Set the REDUNDANCY_TYPE to TWO_IPS_REDUNDANCY.
Explanation
With one on-premises device that has two distinct external IP addresses (one per interface), you should model it as an external VPN gateway with two IPs and use TWO_IPS_REDUNDANCY. Then, create two HA VPN tunnels (one per HA VPN interface) so each tunnel peers to a different on-premises external IP, eliminating a single point of failure and meeting the 99.99% availability requirement.
Question 113:
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices.
What should you do?
A.
    1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
    2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
    3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
    4. Configure VPC peering in the spoke VPCs to peer with the hub VPC.
B.
    1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88.
    2. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
    3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
C.
    1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
    2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
    3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
    4. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.
D.
    1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
    2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
    3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
    4. Create a hub and spoke VPN deployment in each spoke VPC to connect back to the hub VPC.
A.
    1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC.
    2. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target.
    3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
    4. Configure VPC peering in the spoke VPCs to peer with the hub VPC.
Question 114:
Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer. You need to protect the application from potential application-level attacks.
What should you do?
A. Enable Cloud CDN on the backend service.
B. Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer.
C. Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.
D. Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service.
C. Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service
Question 115:
After a network change window, one of your company's applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25.
You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24.
The on-premises router is advertising 10.0.0.0/8.
What is the most likely cause of this problem?
A. The less specific VPC subnet route is taking priority.
B. The more specific VPC subnet route is taking priority.
C. The on-premises router is not advertising a route for the database server.
D. A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.
B. The more specific VPC subnet route is taking priority.
Question 116:
You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps.
What should you do?
A. Configure Private Google Access on the VPC resource. Create a default route to the internet.
B. Configure Private Google Access on the subnet resource. Create a default route to the internet.
C. Configure Cloud NAT, and remove the default route to the internet.
D. Configure a global Secure Web Proxy, and remove the default route to the internet.
B. Configure Private Google Access on the subnet resource. Create a default route to the internet.
Explanation
Enabling Private Google Access on the subnet lets VMs without public IPs reach Google APIs (including Cloud Storage and BigQuery) over Google's private network, no internet egress needed. This is a one-step, cloud-native configuration per subnet, without touching routing or proxy components.
Question 117:
You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):
You need to update the firewall rule to add the following rule to the ruleset:
You are using a new user account. You must assign the appropriate Identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs.
What should you do?
A. Assign the compute.securityAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
B. Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
C. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
D. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
A. Assign the compute.securityAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
Question 118:
Your company's Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:
/fr/video /en/video /es/video /../video
/fr/audio /en/audio /es/audio /../audio
Which solution should you recommend?
A. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
B. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
C. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
D. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
A. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
Question 119:
Your frontend application VMs and your backend database VMs are all deployed in the same VPC but across different subnets. Global network firewall policy rules are configured to allow traffic from the frontend VMs to the backend VMs.
Based on a recent compliance requirement, this traffic must now be inspected by network virtual appliance (NVA) firewalls that are deployed in the same VPC. The NVAs are configured to be full network proxies and will source NAT-allowed traffic. You need to configure VPC routing to allow the NVAs to inspect the traffic between subnets.
What should you do?
A. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add the global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the backend VM subnet, destination IP range of the frontend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the backend network tag. Add a backend network tag to your backend servers.
B. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ILB1. Add a frontend network tag to your frontend VMs.
C. Create your NVA with multiple interfaces. Configure NIC0 for NVA in the backend subnet. Configure NIC1 for NVA in the frontend subnet. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a custom static route with the destination IP range of the backend VM subnet, frontend instance tag, and the next hop of ILB1. Add a frontend network tag to your frontend VMs.
D. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the frontend VM subnet, destination IP range of the backend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the frontend network tag. Add a frontend network tag to your frontend servers.
D. Place your NVAs behind an internal passthrough Network Load Balancer named ILB1. Add global network firewall policy rules to allow traffic through your NVAs. Create a policy-based route (PBR) with the source IP range of the frontend VM subnet, destination IP range of the backend VM subnet, and the next hop of ILB1. Scope the PBR to the VMs with the frontend network tag. Add a frontend network tag to your frontend servers.
Explanation
Internal Passthrough Network Load Balancer (ILB): By placing the NVAs behind an internal passthrough Network Load Balancer (ILB), you ensure that traffic between subnets is directed through the NVAs. ILBs handle load balancing and ensure scalability of the inspection process.
Policy-Based Routing (PBR): A PBR allows you to route traffic based on specific criteria such as the source IP range (frontend VM subnet) and destination IP range (backend VM subnet). The next hop is set to the ILB, directing traffic through the NVAs for inspection.
Frontend Network Tag: Applying the PBR to VMs with the frontend network tag ensures that only traffic originating from the frontend VMs is routed through the NVAs, aligning with the requirement to inspect traffic from frontend to backend VMs.
Global Network Firewall Policy Rules: Configuring global network firewall rules ensures that traffic through the NVAs is allowed and not blocked by any restrictive firewall policies.
Question 120:
Your organization wants to set up hybrid connectivity with VLAN attachments that terminate in a single Cloud Router with 99.9% uptime. You need to create a network design for your on-premises router that meets those requirements and has an active/passive configuration that uses only one VLAN attachment at a time.
What should you do?
A. Create a design that uses the LOCAL_PREF BGP attribute to influence the egress path from Google Cloud to the on-premises environment.
B. Create a design that uses an equal-cost multipath (ECMP) with flow-based hashing on your on-premises devices.
C. Create a design that uses a BGP multi-exit discriminator (MED) attribute to influence the egress path from Google Cloud to the on-premises environment.
D. Create a design that uses the AS_PATH BGP attribute to influence the egress path from Google Cloud to the on-premises environment.
A. Create a design that uses the LOCAL_PREF BGP attribute to influence the egress path from Google Cloud to the on-premises environment.
Explanation
In an active/passive configuration with hybrid connectivity, where only one VLAN attachment is active at a time, the LOCAL_PREF BGP attribute is used to influence the egress path from Google Cloud to the on-premises environment.
LOCAL_PREF is a BGP attribute that determines the preferred path for outgoing traffic within an autonomous system. By configuring LOCAL_PREF, you can ensure that traffic egresses through the active VLAN attachment and not the passive one. This approach provides the required active/passive configuration and ensures a reliable setup with 99.9% uptime.