Google Google Certifications PROFESSIONAL-CLOUD-NETWORK-ENGINEER Questions & Answers

• Question 131:

  Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.

  Which Google Cloud load balancer should you use?

  A. SSL proxy load balancer

  B. Network load balancer

  C. HTTPS load balancer

  D. TCP proxy load balancer

  Correct Answer: D

  https://cloud.google.com/security/encryption-in-transit/ Automatic encryption between GFEs and backends For the following load balancer types, Google automatically encrypts traffic between Google Front Ends (GFEs) and your backends that reside within Google Cloud VPC networks: HTTP(S) Load Balancing TCP Proxy Load Balancing SSL Proxy Load Balancing

• Question 132:

  You work for a university that is migrating to Google Cloud.

  These are the cloud requirements:

  On-premises connectivity with 10 Gbps

  Lowest latency access to the cloud

  Centralized Networking Administration Team

  New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

  What should you do?

  A. Use Shared VPC, and deploy the VLAN attachments and Dedicated Interconnect in the host project.

  B. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

  C. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Dedicated Interconnects.

  D. Use standalone projects and deploy the VLAN attachments and Dedicated Interconnects in each of the individual projects.

  Correct Answer: A

• Question 133:

  You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses. Which two actions should you take? (Choose two.)

  A. Activate the Service Networking API in your project.

  B. Activate the Cloud Datastore API in your project.

  C. Create a private connection to a service producer.

  D. Create a custom static route to allow the traffic to reach the Cloud SQL API.

  E. Enable Private Google Access.

  Correct Answer: CE

  https://cloud.google.com/sql/docs/mysql/configure-private-services-access#console_1

  C: If you are using private IP for any of your Cloud SQL instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Cloud SQL instance. If your Google Cloud project has a Cloud SQL instance, you can either configure it yourself or let Cloud SQL do it for you to use private IP. Cloud SQL configures private services access for you when all the conditions below are true: https://cloud.google.com/sql/ docs/postgres/configure-private-services-access#before_you_begin

  E: You can enable Private Google access on a subnet level and any VMs on that subnet can access Google APIs by using their internal IP address. https://cloud.google.com/vpc/docs/configure-private-google-access

• Question 134:

  You have the following private Google Kubernetes Engine (GKE) cluster deployment: You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40 2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?

  

  A. Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.

  B. Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2

  C. Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2

  D. Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 35.224.37.17.

  Correct Answer: A

• Question 135:

  You ate planning to use Terraform to deploy the Google Cloud infrastructure for your company, The design must meet the following requirements

  1.

  Each Google Cloud project must represent an Internal project that your team Will work on

  2.

  After an Internal project is finished, the infrastructure must be deleted

  3.

  Each Internal project must have Its own Google Cloud project owner to manage the Google Cloud resources.

  4.

  You have 10--100 projects deployed at a time

  While you are writing the Terraform code, you need to ensure that the deployment is simple and the code is reusable With centralized management What should you do?

  A. Create a Single project and additional VPCs for each internal project

  B. Create a Single Shared VPC and attach each Google Cloud project as a service project

  C. Create a Single project and Single VPC for each internal project

  D. Create a Shared VPC and service project for each internal project

  Correct Answer: D

  The correct answer is D because it meets the following requirements: Each internal project has its own Google Cloud project, which can be easily created and deleted by Terraform using the google_project resource1. Each internal project has its own Google Cloud project owner, which can be assigned by Terraform using the google_project_iam_member resource1. The deployment is simple and the code is reusable with centralized management, because the Shared VPC allows you to connect multiple service projects to a single host project that contains the network resources2. This way, you can use Terraform modules to create and manage the network resources in the host project, and then reference them in the service projects3. Option A is incorrect because it does not create separate Google Cloud projects for each internal project, which makes it harder to delete the infrastructure and assign project owners. Option B is incorrect because it does not create separate Google Cloud projects for each internal project, and also because it attaches the service projects to a Shared VPC, which is not recommended for short-lived projects2. Option C is incorrect because it does not use a Shared VPC, which means that each internal project has to create and manage its own network resources, which increases complexity and reduces reusability. References: google_project -Terraform Registry Managing infrastructure as code with Terraform, Cloud Build, and GitOps | Google Cloud Automating your automation by Creating Google Cloud Projects Automatically

• Question 136:

  Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?

  A. Configure your VPC routing in regional mode. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

  B. Configure your VPC routing in global mode. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

  C. Configure your VPC routing in global mode. Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.

  D. Configure your VPC routing in regional mode. Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.

  Correct Answer: B

• Question 137:

  You create multiple Compute Engine virtual machine instances to be used as TFTP servers.

  Which type of load balancer should you use?

  A. HTTP(S) load balancer

  B. SSL proxy load balancer

  C. TCP proxy load balancer

  D. Network load balancer

  Correct Answer: D

  "TFTP is a UDP-based protocol. Servers listen on port 69 for the initial client-to-server packet to establish the TFTP session, then use a port above 1023 for all further packets during that session. Clients use ports above 1023" https:// docstore.mik.ua/orelly/networking_2ndEd/fire/ch17_02.htm Besides, Google Cloud external TCP/UDP Network Load Balancing (after this referred to as Network Load Balancing) is a regional, non-proxied load balancer. Network Load Balancing distributes traffic among virtual machine (VM) instances in the same region in a Virtual Private Cloud (VPC) netw

• Question 138:

  You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses. Which two methods can you use to accomplish this? (Choose two.)

  A. Enable Private Google Access on all the subnets.

  B. Enable Private Google Access on the VPC.

  C. Enable Private Services Access on the VPC.

  D. Create network peering between your VPC and BigQuery.

  E. Create a Cloud NAT, and route the application traffic via NAT gateway.

  Correct Answer: AE

  https://cloud.google.com/nat/docs/overview#interaction-pga Specifications https://cloud.google.com/vpc/docs/configure-private-google-access#specifications

• Question 139:

  You have provisioned a Dedicated Interconnect connection of 20 Gbps with a VLAN attachment of 10 Gbps. You recently noticed a steady increase in ingress traffic on the Interconnect connection from the on-premises data center. You need to ensure that your end users can achieve the full 20 Gbps throughput as quickly as possible. Which two methods can you use to accomplish this? (Choose two.)

  A. Configure an additional VLAN attachment of 10 Gbps in another region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).

  B. Configure an additional VLAN attachment of 10 Gbps in the same region. Configure the on-premises router to advertise routes with the same multi-exit discriminator (MED).

  C. From the Google Cloud Console, modify the bandwidth of the VLAN attachment to 20 Gbps.

  D. From the Google Cloud Console, request a new Dedicated Interconnect connection of 20 Gbps, and configure a VLAN attachment of 10 Gbps.

  E. Configure Link Aggregation Control Protocol (LACP) on the on-premises router to use the 20-Gbps Dedicated Interconnect connection.

  Correct Answer: CE

• Question 140:

  You need to configure a Google Kubernetes Engine (GKE) cluster. The initial deployment should have 5 nodes with the potential to scale to 10 nodes. The maximum number of Pods per node is 8. The number of services could grow from 100 to up to 1024. How should you design the IP schema to optimally meet this requirement?

  A. Configure a /28 primary IP address range for the node IP addresses. Configure a (25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.

  B. Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.

  C. Configure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.

  D. Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pads. Configure a /22 secondary IP range for the Services.

  Correct Answer: A