Google Google Certifications PROFESSIONAL-CLOUD-NETWORK-ENGINEER Questions & Answers

• Question 111:

  You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

  What should you do on your on-premises servers?

  A. Tune TCP parameters on the on-premises servers.

  B. Compress files using utilities like tar to reduce the size of data being sent.

  C. Remove the -m flag from the gsutil command to enable single-threaded transfers.

  D. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

  Correct Answer: A

  https://cloud.google.com/solutions/tcp-optimization-for-network-performance-in-gcp-and-hybrid https://cloud.google.com/blog/products/gcp/5-steps-to-better-gcp-network-performance?hl=ml

• Question 112:

  Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must

  1.

  Support both TCP and UDP protocols

  2.

  Provide fully automated failover

  3.

  Include health-checks

  Require minimal manual Intervention In the client VMS

  Which approach should you take?

  A. Create the VMS In the same zone, and configure static routes With IP addresses as next hops.

  B. Create the VMS in different zones, and configure static routes with instance names as next hops

  C. Create an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

  D. Create an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

  Correct Answer: D

  The correct answer is D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers'

  virtual IP addresses.

  This answer is based on the following facts:

  Using multi-NIC VMs as network virtual appliances (NVAs) allows you to route traffic between different VPC networks1. You can use NVAs to implement custom network policies and security requirements.

  Using an instance template and a managed instance group allows you to create and manage multiple identical NVAs2. You can also use health checks and autoscaling policies to ensure high availability and reliability of your NVAs. Using

  internal TCP/UDP load balancers allows you to distribute traffic from client VMs to NVAs based on the protocol and port3. You can also use health checks and failover policies to ensure that only healthy NVAs receive traffic. Configuring the

  client VMs to use the internal load balancers' virtual IP addresses allows you to simplify the routing configuration and avoid manual intervention4. You do not need to create static routes or update them when NVAs are added or removed.

  The other options are not correct because:

  Option A is not suitable. Creating the VMs in the same zone does not provide high availability or failover. Using static routes with IP addresses as next hops requires manual intervention when NVAs are added or removed. Option B is not

  optimal. Creating the VMs in different zones provides high availability, but not failover. Using static routes with instance names as next hops requires manual intervention when NVAs are added or removed. Option C is not feasible. Creating

  an instance template and a managed instance group provides high availability and reliability, but using a single internal load balancer does not support both TCP and UDP protocols. You cannot define a custom static route with an internal

  load balancer as the next hop.

• Question 113:

  You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible, To ease the transition, you decided to use the same architecture as your on-premises network' a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic IS sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?

  A. Connect all the spokes to the hub with Cloud VPN.

  B. Connect all the spokes to the hub with VPC Network Peering.

  C. Connect all the spokes to the hub With Cloud VPN. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes

  D. Connect all the spokes to the hub with VPC Network Peering. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.

  Correct Answer: D

  The correct answer is D because it meets the following requirements: It matches the hub-and-spoke model of the on-premises network, where each spoke is a separate VPC network that is connected to a central hub VPC network. It minimizes management overhead and cost, because VPC Network Peering is a simple and low-cost way to connect VPC networks without using any external IP addresses or VPN gateways1. It uses default networking quotas and limits, because VPC Network Peering does not consume any quota or limit for VPN tunnels, external IP addresses, or forwarding rules2. It prevents connectivity between the spokes, because VPC Network Peering is non-transitive by default, meaning that a spoke can only communicate with the hub, not with other spokes1. To enforce this restriction, a third-party network appliance can be used as a default gateway in each spoke VPC network, which can filter out any traffic destined for other spokes3. Option A is incorrect because it does not minimize cost, as Cloud VPN charges for egress traffic and requires external IP addresses for the VPN gateways4. Option B is incorrect because it does not prevent connectivity between the spokes, as VPC Network Peering allows direct communication between peered VPC networks by default1. Option C is incorrect because it does not minimize cost or use default quotas and limits, for the same reasons as option A. References: VPC Network Peering overview | VPC Quotas and limits | VPC Hub-and-spoke network architecture | Cloud Architecture Center Cloud VPN overview | Google Cloud

• Question 114:

  You want to create a service in GCP using IPv6.

  What should you do?

  A. Create the instance with the designated IPv6 address.

  B. Configure a TCP Proxy with the designated IPv6 address.

  C. Configure a global load balancer with the designated IPv6 address.

  D. Configure an internal load balancer with the designated IPv6 address.

  Correct Answer: C

  https://cloud.google.com/load-balancing/docs/load-balancing-overview mentions to use global load balancer for IPv6 termination.

• Question 115:

  You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?

  A. Configure a forwarding rule on the existing load balancer for the application tier.

  B. Configure equal cost multi-path routing on the application servers.

  C. Configure a new internal HTTP(S) load balancer for the application tier.

  D. Configure a URL map on the existing load balancer to route traffic to the application tier.

  Correct Answer: A

• Question 116:

  You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.

  Which two actions can accomplish this? (Choose two.)

  A. Open a Cloud Support ticket under the Cloud Interconnect category.

  B. Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.

  C. Run gcloud compute interconnects describe .

  D. Check the email for the account of the NOC contact that you specified during the ordering process.

  E. Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.

  Correct Answer: DE

  https://cloud.google.com/network-connectivity/docs/interconnect/how-to/dedicated/retrieving-loas

• Question 117:

  You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

  A. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

  B. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

  C. Create privately used public IP primary and secondary subnet ranges for the clusters.Create a private GKE cluster with the following options selected and

  D. Create privately used public IP primary and secondary subnet ranges for the clusters.Create a private GKE cluster With the following options selected --disable-default-snat, --enable-ip-alias, and--enable-private-nodes

  Correct Answer: D

  This answer follows the Google-recommended practices for using privately used public IP (PUPI) addresses for GKE Pod address blocks1. The benefits of this approach are:

  It allows you to use any public IP addresses that are not owned by Google or your organization for your Pods, which can help mitigate address exhaustion in your enterprise.

  It prevents any external traffic from reaching your Pods, as Google Cloud does not route PUPI addresses to the internet or to other VPC networks by default.

  It enables you to use VPC Network Peering to connect your GKE cluster to other VPC networks that use different PUPI addresses, as long as you enable the export and import of custom routes for the peering connection.

  It preserves the fully integrated network model of GKE, where Pods can communicate with nodes and other resources in the same VPC network without NAT.

  The options that you need to select when creating a private GKE cluster with PUPI

  addresses are:

  –disable-default-snat: This option disables source NAT for outbound traffic from Pods to destinations outside the cluster's VPC network. This is necessary to prevent Pods from using RFC 1918 addresses as their source IP addresses, which

  could cause conflicts with other networks that use the same address space2.

  –enable-ip-alias: This option enables alias IP ranges for Pods and Services, which allows you to use separate subnet ranges for them. This is required to use PUPI addresses for Pods1.

  –enable-private-nodes: This option creates a private cluster, where nodes do not have external IP addresses and can only communicate with the control plane through a private endpoint. This enhances the security and privacy of your

  cluster3.

  Option A is incorrect because it does not use PUPI addresses for Pods, but rather RFC 1918 addresses. This does not solve the problem of address exhaustion in your enterprise.

  Option B is incorrect because it reuses the secondary address range for Services across multiple private GKE clusters, which could cause IP conflicts and routing issues.

  Option C is incorrect because it does not specify the options that are needed to create a private GKE cluster with PUPI addresses.

  1: Configuring privately used public IPs for GKE | Kubernetes Engine | Google Cloud 2: Using Cloud NAT with GKE | Kubernetes Engine | Google Cloud 3: Private clusters | Kubernetes Engine | Google Cloud

• Question 118:

  You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?

  A. /21

  B. /22

  C. /23

  D. /25

  Correct Answer: A

• Question 119:

  Your company's Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:

  /fr/video

  /en/video

  /es/video

  /../video

  /fr/audio

  /en/audio

  /es/audio

  /../audio

  Which solution should you recommend?

  A. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.

  B. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.

  C. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.

  D. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.

  Correct Answer: A

  https://cloud.google.com/load-balancing/docs/url-map#configuring_url_maps

  Path matcher constraints Path matchers and path rules have the following constraints: A path rule can only include a wildcard character (*) after a forward slash character (/). For example, /videos/* and /videos/hd/* are valid for path rules, but /videos* and /videos/hd* are not. Path rules do not use regular expression or substring matching. For example, path rules for either /videos/hd or /videos/hd/* do not apply to a URL with the path /video/hd-abcd. However, a path rule for / video/* does apply to that path. https://cloud.google.com/load-balancing/docs/url-map-concepts#pm-constraints

• Question 120:

  You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).

  Which routing option should you choose?

  A. Dynamic routing using Cloud Router

  B. Route-based routing using default traffic selectors

  C. Policy-based routing using a custom local traffic selector

  D. Policy-based routing using the default local traffic selector

  Correct Answer: C

  Reference: https://cloud.google.com/vpn/docs/concepts/overview