Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice Questions and Exam Preparation

PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name: Professional Cloud Network Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 333 Q&As
Last Updated: May 31, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers
Question 131:
Your internet-facing application uses an external Application Load Balancer. You need to block common SQL injection and cross-site scripting requests before they reach the backend service.
What should you do?
A. Configure a Cloud Armor security policy with preconfigured WAF rules and attach it to the backend service.
B. Enable VPC Flow Logs on the backend subnet and create a log-based alert.
C. Configure Cloud CDN negative caching on the backend service.
D. Create an ingress VPC firewall rule that denies tcp:443 from 0.0.0.0/0.
A. Configure a Cloud Armor security policy with preconfigured WAF rules and attach it to the backend service.
Explanation
Cloud Armor security policies can use preconfigured WAF rules to detect and block common application attacks such as SQL injection and cross-site scripting before traffic reaches supported load balancer backends. VPC Flow Logs provide visibility but do not block malicious requests. Cloud CDN negative caching controls caching of error responses and is not a WAF. Denying tcp:443 from all sources would block legitimate users as well as attacks.
Question 132:
You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?
A. Dynamic routing using Cloud Router
B. Route-based routing using default traffic selectors
C. Policy-based routing using a custom local traffic selector
D. Policy-based routing using the default local traffic selector
C. Policy-based routing using a custom local traffic selector
Question 133:
You deployed a hub-and-spoke architecture in your Google Cloud environment that uses VPC Network Peering to connect the spokes to the hub. For security reasons, you deployed a private Google Kubernetes Engine (GKE) cluster in one of the spoke projects with a private endpoint for the control plane. You configured authorized networks to be the subnet range where the GKE nodes are deployed.
When you attempt to reach the GKE control plane from a different spoke project, you cannot access it. You need to allow access to the GKE control plane from the other spoke projects.
What should you do?
A. Add a firewall rule that allows port 443 from the other spoke projects.
B. Enable Private Google Access on the subnet where the GKE nodes are deployed.
C. Configure the authorized networks to be the subnet ranges of the other spoke projects.
D. Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.
D. Deploy a proxy in the spoke project where the GKE nodes are deployed and connect to the control plane through the proxy.
Question 134:
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
Question 135:
In your Google Cloud organization, you have two folders: Dev and Prod. You want a scalable and consistent way to enforce the following firewall rules for all virtual machines (VMs) with minimal cost: Port 8080 should always be open for VMs in the projects in the Dev folder. Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.
What should you do?
A. Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.
B. Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.
C. In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.
D. Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.
A. Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.
Question 136:
You plan to deploy Google Cloud Armor web application firewall (WAF) policies that use the preconfigured WAF rules. You want all Google Cloud Armor logs to be sent to Cloud Logging with the highest level of detail possible. You have enabled Cloud Load Balancing logs for all the backend services where Cloud Armor WAF policies are applied.
What should you do?
A. Set the sample rate of the Cloud Load Balancing logs to 0.5.
B. Set the Google Cloud Armor logging option to VERBOSE.
C. Enable Google Cloud Armor logging for all the backend services where Cloud Armor WAF policies are applied. Set the Google Cloud Armor logging option to VERBOSE.
D. Set the sample rate of the Cloud Load Balancing logs to 1.0.
C. Enable Google Cloud Armor logging for all the backend services where Cloud Armor WAF policies are applied. Set the Google Cloud Armor logging option to VERBOSE.
Explanation
Enable Google Cloud Armor logging: Logging must be explicitly enabled for each backend service where Cloud Armor WAF policies are applied. Without enabling this logging, detailed logs for Cloud Armor won't be generated. Set logging level to VERBOSE: The VERBOSE logging level captures the most detailed information, including request headers and more granular data about rule matches and actions taken by the WAF policies. This level provides the highest level of visibility for troubleshooting and monitoring. While enabling Cloud Load Balancing logs is necessary for general traffic logs, setting the Google Cloud Armor logging to VERBOSE ensures that all relevant WAF-related details are captured and sent to Cloud Logging.
Question 137:
Your global website is hosted on Google Cloud. The website's static assets, such as images and CSS files, are stored in a Cloud Storage bucket, while the dynamic content is served by a managed instance group (MIG). You want to improve website performance, reduce latency, and create an efficient, budget-friendly solution that uses Cloud CDN to cache static assets as close to your users as possible. You also want to ensure that requests for dynamic content are sent directly to the MIG.
What should you do?
A. Create two separate global external HTTPS Application Load Balancers. One for the Cloud Storage bucket with Cloud CDN enabled, and another for the MIG without Cloud CDN.
B. Create a Media CDN service, and configure it to pull content from both the Cloud Storage bucket and the MIG.
C. Configure a single global external HTTPS Application Load Balancer with a backend bucket for the Cloud Storage assets and a backend service for the MIG. Enable Cloud CDN on the backend bucket configuration.
D. Enable the static website hosting feature on the Cloud Storage bucket.
C. Configure a single global external HTTPS Application Load Balancer with a backend bucket for the Cloud Storage assets and a backend service for the MIG. Enable Cloud CDN on the backend bucket configuration.
Explanation
A single global external HTTPS Application Load Balancer can route requests by URL path to different backends. Using a backend bucket for Cloud Storage and enabling Cloud CDN on that backend caches static assets at the edge, improving performance and reducing latency. Requests for dynamic paths can be routed to the MIG backend service, ensuring dynamic content is served directly without being cached.
Question 138:
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
A. VPC flow logs
B. Firewall logs
C. Cloud Audit logs
D. Stackdriver Trace
E. Compute Engine instance system logs
A. VPC flow logs
B. Firewall logs
Question 139:
Your organization requires that all SMTP traffic to your cloud environment is blocked, except for traffic that originates from your corporate network. Your organization also requires that only specific VPCs across your Google Cloud projects will allow SMTP access from your corporate network. You need to configure a security policy that will enable this connectivity.
What should you do?
A. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 2. Configure an egress hierarchical firewall rule with priority 10010 specifying the source of your corporate network as TCP port 25 and the goto_next action. 3. Associate the hierarchical firewall policy at the organization level. 4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
B. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the allow action. 2. Associate the hierarchical firewall policy at the organization level. 3. Configure firewall policy rules to deny TCP port 25 in the firewall policies associated with the respective VPCs that do not require that access.
C. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the source of your corporate network, TCP port 25, and the goto_next action. 2. Configure an ingress hierarchical firewall rule with priority 10010 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 3. Associate the hierarchical firewall policy at the organization level. 4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
D. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 2. Associate the hierarchical firewall policy at the organization level. 3. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
C. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the source of your corporate network, TCP port 25, and the goto_next action. 2. Configure an ingress hierarchical firewall rule with priority 10010 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 3. Associate the hierarchical firewall policy at the organization level. 4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
Explanation
You need to block all SMTP traffic by default while allowing only SMTP traffic originating from your corporate network and destined for specific VPCs. Hierarchical firewall rules allow organization-wide policies that apply to all projects under the organization, simplifying management and enforcing consistency. The goto_next action ensures that the rule passes the traffic to the next layer (VPC-level rules) for evaluation, allowing flexibility for specific VPCs. A deny rule at priority 10010, evaluated after the priority 10000 goto_next rule for the corporate network, ensures that SMTP traffic from all other sources (0.0.0.0/0) is blocked. Individual firewall rules at the VPC level can then allow SMTP traffic for specific VPCs, ensuring access is restricted only to those that explicitly allow it.
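To make the evaluation order in this explanation concrete, the following is an added example (not part of the original page, and not Google's own code or API) that models a simplified version of how an organization-level hierarchical firewall policy is evaluated before VPC-level rules: rules are checked in ascending priority number, allow and deny terminate evaluation, and goto_next (or no match) hands the packet to the VPC layer, where no match falls to the implied ingress deny. The corporate and internet addresses are constructed RFC 5737 documentation ranges, and the VPC rule sets are assumptions for illustration. It compares the option C ordering with a policy that places the blanket deny first, which is why options A and D fail.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed documentation range standing in for the corporate network (assumption).
CORPORATE_NET = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    src: str        # source CIDR for an ingress rule
    port: int       # TCP destination port
    action: str     # "allow", "deny" or "goto_next"


def first_match(rules, src_ip, port):
    """Return the action of the first matching rule in priority order, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.port == port and ip_address(src_ip) in ip_network(rule.src):
            return rule.action
    return None


def evaluate_ingress(org_policy, vpc_rules, src_ip, port):
    """Simplified two-layer evaluation: hierarchical policy, then VPC rules."""
    verdict = first_match(org_policy, src_ip, port)
    if verdict in ("allow", "deny"):
        return verdict          # a terminal org-level verdict ends evaluation
    # goto_next, or no org-level match, delegates to the VPC layer
    verdict = first_match(vpc_rules, src_ip, port)
    if verdict in ("allow", "deny"):
        return verdict
    return "deny"               # implied ingress deny when nothing matches


# Option C: corporate SMTP is handed down to the VPC layer; everything else is denied.
ORG_POLICY_C = [
    Rule(10000, CORPORATE_NET, 25, "goto_next"),
    Rule(10010, "0.0.0.0/0", 25, "deny"),
]

# Blanket deny evaluated first (the ordering used by options A and D).
ORG_POLICY_DENY_FIRST = [
    Rule(10000, "0.0.0.0/0", 25, "deny"),
    Rule(10010, CORPORATE_NET, 25, "goto_next"),
]

# Assumed VPC-level rule sets: one VPC needs SMTP from corporate, one does not.
VPC_MAIL = [Rule(1000, CORPORATE_NET, 25, "allow")]
VPC_WEB = []


def scenario_table(org_policy):
    """Verdict for three constructed SMTP flows under a given org policy."""
    cases = {
        "corp->mail": ("203.0.113.10", VPC_MAIL),
        "corp->web": ("203.0.113.10", VPC_WEB),
        "internet->mail": ("198.51.100.7", VPC_MAIL),
    }
    return {name: evaluate_ingress(org_policy, vpc, ip, 25)
            for name, (ip, vpc) in cases.items()}


if __name__ == "__main__":
    print("option C ordering:", scenario_table(ORG_POLICY_C))
    print("deny-first ordering:", scenario_table(ORG_POLICY_DENY_FIRST))
```

With the option C ordering, corporate SMTP reaches the mail VPC (org goto_next, then VPC allow), corporate SMTP to the web VPC is dropped by the implied deny because that VPC has no allow rule, and internet SMTP is denied at the organization level regardless of any VPC rule. With the deny placed first, the corporate flow never reaches the VPC layer, so the VPC allow rule is ineffective.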
Question 140:
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.
What should you do?
A. Configure VPC peering in a full mesh.
B. Alter the routing table to resolve the asymmetric route.
C. Create network tags to allow connectivity between all three VPCs.
D. Delete the legacy network and recreate it to allow transitive peering.