You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?
A. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.
B. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.
C. Configure VPC Flow Logs. Review the logs by filtering on the source and destination.
D. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.
You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-Iga1 and int-Iga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic. Which two actions should you take to meet this requirement? (Choose two.)
A. Configure the advertised route priority > 10,200 on the active Interconnect connection.
B. Advertise a lower MED on the passive Interconnect connection from the on-premises router.
C. Configure the advertised route priority as 200 for the BGP session associated with the active Interconnect connection.
D. Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.
E. Advertise a lower MED on the active Interconnect connection from the on-premises router.
You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine virtual machine instance that need to communicate with on-premises servers using private IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest-cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours.
Which connectivity method should you choose?
A. Cloud VPN
B. 50-Mbps Partner VLAN attachment
C. Dedicated Interconnect with a single VLAN attachment
D. Dedicated Interconnect, but don't provision any VLAN attachments
You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.
What should you do?
A. Check the VPC flow logs for the instance.
B. Try connecting to the instance via SSH, and check the logs.
C. Create a new firewall rule to allow traffic from port 22, and enable logs.
D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.
You have an application that is running in a managed instance group. Your development team has released an updated instance template that contains a new feature that was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?
A. Manually patch some of the instances, and then perform a rolling restart on the instance group.
B. Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
C. Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.
D. Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling.
Which configuration should you use?
A. Use global SSL Proxy Load Balancing with backends in both regions.
B. Use global TCP Proxy Load Balancing with backends in both regions.
C. Use global external HTTP(S) Load Balancing with backends in both regions.
D. Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.
Your organization has a Google Cloud Virtual Private Cloud (VPC) with subnets in us-east1, us-west4, and europe-west4 that use the default VPC configuration. Employees in a branch office in Europe need to access the resources in the VPC using HA VPN. You configured the HA VPN associated with the Google Cloud VPC for your organization with a Cloud Router deployed in europe-west4. You need to ensure that the users in the branch office can quickly and easily access all resources in the VPC. What should you do?
A. Create custom advertised routes for each subnet.
B. Configure each subnet's VPN connections to use Cloud VPN to connect to the branch office.
C. Configure the VPC dynamic routing mode to Global.
D. Set the advertised routes to Global for the Cloud Router.
You work for a university that is migrating to GCP.
These are the cloud requirements:
1. On-premises connectivity with 10 Gbps
2. Lowest latency access to the cloud
3. Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?
A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
B. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
C. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.
After a network change window, one of your company's applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24. The on-premises router is advertising 10.0.0.0/8.
What is the most likely cause of this problem?
A. The less specific VPC subnet route is taking priority.
B. The more specific VPC subnet route is taking priority.
C. The on-premises router is not advertising a route for the database server.
D. A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.
You just finished your company's migration to Google Cloud and configured an architecture with 3 Virtual Private Cloud (VPC) networks: one for Sales, one for Finance, and one for Engineering. Every VPC contains over 100 Compute Engine instances, and now developers using instances in the Sales VPC and the Finance VPC require private connectivity between each other. You need to allow communication between Sales and Finance without compromising performance or security. What should you do?
A. Configure an HA VPN gateway between the Finance VPC and the Sales VPC.
B. Configure the instances that require communication between each other with an external IP address.
C. Create a VPC Network Peering connection between the Finance VPC and the Sales VPC.
D. Configure Cloud NAT and a Cloud Router in the Sales and Finance VPCs.