PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name: Professional Cloud Network Engineer
  • Certification: Google Certifications
  • Vendor: Google
  • Total Questions: 333 Q&As
  • Last Updated: May 31, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 161:

    You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging.

    When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.

    What should you do?

    A. Check the VPC flow logs for the instance.
    B. Try connecting to the instance via SSH, and check the logs.
    C. Create a new firewall rule to allow traffic from port 22, and enable logs.
    D. Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

  • Question 162:

    You manage a highly dynamic e-commerce website that uses Cloud CDN to improve content delivery speed for its global customer base. A new product launched on the website with updated images and pricing information, and these changes were pushed to your Cloud Storage and Compute Engine instances behind a load balancer. However, customers are still seeing the old product images and pricing on the website. You need to immediately and efficiently push the new content to users.

    What should you do?

    A. Temporarily disable and then re-enable Cloud CDN on the backend services to force a cache reload.
    B. Invalidate the specific URLs or URL prefixes corresponding to the updated product images and pricing information in Cloud CDN.
    C. Configure a new backend service with the existing backends with Cloud CDN enabled to get the updated content.
    D. Purge all cached content from Cloud CDN by performing a full cache flush for the entire CDN service.

  • Question 163:

    You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.

    How should you design this topology?

    A. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
    B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
    C. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
    D. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

  • Question 164:

    Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node.

    Which Pod per node CIDR range should you use?

    A. /24
    B. /25
    C. /26
    D. /28

  • Question 165:

    Your company is deploying a public web application that must use path-based routing, integrate with Cloud Armor, and serve users from multiple continents with a single anycast frontend IP address.

    Which load balancer should you use?

    A. Global external Application Load Balancer.
    B. Regional internal Application Load Balancer.
    C. Passthrough Network Load Balancer.
    D. Internal passthrough Network Load Balancer.

  • Question 166:

    You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identify the web application firewall (WAF) rule that is incorrectly blocking traffic.

    What should you do?

    A. Enable firewall logs, and view the logs in Firewall Insights.
    B. Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
    C. Enable VPC Flow Logs, and view the logs in Cloud Logging.
    D. Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.

  • Question 167:

    Your enterprise has ten VPC networks that need controlled connectivity through a central hub. The network team wants to avoid managing a full mesh of VPC Network Peering connections and wants a topology that can add new spokes with minimal operational overhead.

    Which Google Cloud service should you use?

    A. Network Connectivity Center with a hub and VPC spokes.
    B. Cloud DNS peering zones between every pair of VPC networks.
    C. Cloud NAT gateways in each VPC network.
    D. Direct Peering between the VPC networks and Google edge points.

  • Question 168:

    Your company utilizes Network Connectivity Center (NCC) to facilitate communication between numerous spoke VPCs. A development team reports that their application instances in app-dev-spoke-vpc are unable to connect to a new database service located in db-dev-spoke-vpc. You need to diagnose this issue using an observability tool and determine the root cause.

    What should you do?

    A. Use Firewall Insights to analyze the firewall rule configuration and modify the appropriate rule.
    B. Check each firewall rule in both the app-dev-spoke-vpc and db-dev-spoke-vpc.
    C. Verify that the application instances in app-dev-spoke-vpc connected to Network Connectivity Center are assigned external IP addresses to reach the database service.
    D. Use Network Intelligence Center's Connectivity Tests to perform a reachability analysis between an instance in app-dev-spoke-vpc and the database service in db-dev-spoke-vpc.

  • Question 169:

    Your company's current network deployment is composed of a single VPC that is connected to a single data center by a Dedicated Interconnect connection. The Dedicated Interconnect topology has a 99.9% SLA. There is a single VLAN attachment for each of the two Dedicated Interconnect links. All VLAN attachments only use IPv4 addresses. Between the data center and the VPC, only IPv4 routes are exchanged by BGP. You need to create a solution to exchange IPv6 routes between the data center and the VPC. You must use a procedure that requires the least amount of setup effort and minimizes costs. It's impossible to add new BGP peers to the configuration of the on-premises routers. Only modifications of the existing BGP peers are possible.

    What should you do?

    A. Modify the stack type of the existing VLAN attachments from IPv4 only to dual stack. Add a pair of new IPv6-only interfaces to the cloud router. Add the new IPv6 BGP peers to the cloud router corresponding to on-premises routers.
    B. Enable BFD on the cloud router where the BGP sessions between your cloud router and the on-premises router are configured.
    C. Delete the existing VLAN attachments. Create two new dual stack VLAN attachments. Enable multiprotocol BGP (MP-BGP) on all the BGP sessions between your cloud router and the on-premises router.
    D. Modify the stack type of the existing VLAN attachments from IPv4 only to dual stack. Enable multiprotocol BGP (MP-BGP) on all the BGP sessions between your cloud router and the on-premises router.

  • Question 170:

    Your organization is developing a landing zone architecture with the following requirements: There should be no communication possible between production and non-production environments. Communication between applications within an environment may be necessary. Network administrators should centrally manage all network resources, including subnets, routes, and firewall rules. Each application should be billed separately. Developers of an application within a project should have the autonomy to create their compute resources. They should not create or modify networking resources. Up to 1000 applications are expected per environment.

    You need to create a design that accommodates these requirements.

    What should you do?

    A. Create a design that has one Shared VPC host project for the production environment, and another Shared VPC host project for the non-production environment. Associate the various applications' service projects with the corresponding environment's host project.
    B. Create a design that has a Shared VPC for each project. Implement hierarchical firewall policies to apply micro-segmentation between VPCs.
    C. Create a design that implements a single Shared VPC. Use VPC firewall rules with secure tags to enforce micro-segmentation between environments.
    D. Create a design where each project in each environment has its own VPC with its own subnets, routes, and firewall rules. Ensure all VPCs are added as spokes to a Network Connectivity Center hub.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them of job applicants. But how can you prepare for the exam effectively? How can you prepare in a short time with less effort? How do you get an ideal result and find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Google exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparation and Google certification application, do not hesitate to visit Vcedump.com to find your solutions.