Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name: Professional Cloud Network Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 333 Q&As
Last Updated: May 31, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers
Question 171:
You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on-premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access.
What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?
A. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.
B. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.
C. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range. 2. Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.
D. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range. 2. Create a custom route that points Google's private API address range to the default internet gateway as the next hop.
A. 1. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range. 2. Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.
Question 172:
Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments.
What should you do?
A. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
B. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
C. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
D. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
D. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
Question 173:
Your organization recently exposed a set of services through a global external Application Load Balancer. After conducting some testing, you observed that responses would intermittently yield HTTP 4xx or 5xx error response codes. You already enabled and reviewed the health check logs. You need to identify the error.
What should you do?
A. Access a VM in the VPC through SSH to access the backend VM directly. If the request is successful from the VM, increase the quantity of backends.
B. Delete the load balancer and backend services. Create a new Passthrough Network Load Balancer. Configure a failover group of VMs for the backend.
C. Validate the health of the backend service. Enable logging for the backend service and identify the error response in Cloud Logging. Review the statusDetails log field.
D. Validate the health of the backend service. Disable any Cloud Armor policies on the backend service, and identify any error response in Cloud Logging. Review the statusDetails log field.
C. Validate the health of the backend service. Enable logging for the backend service and identify the error response in Cloud Logging. Review the statusDetails log field.
Explanation
When using a global external Application Load Balancer, intermittent HTTP 4xx or 5xx errors are often related to backend health or configuration issues. To diagnose the issue effectively:
1. Validate the health of the backend service to ensure that the instances are correctly responding to requests and passing health checks.
2. Enable logging for the backend service in Google Cloud Logging, which provides detailed information about requests and responses, including error codes.
3. Review the statusDetails log field in Cloud Logging. This field provides specific details about why requests failed, which can help pinpoint configuration errors, network issues, or application-level problems.
Question 174:
You are configuring HA VPN for your organization to connect your on-premises environment to your Google Cloud network. Your on-premises environment is closest to the us-west1 Google Cloud region. You have Google Cloud resources in us-west2, which requires a throughput of 300,000 packets per second (PPS) and an approximate bandwidth of 4 Gbps. You need to have predictable bandwidth management and maintain an SLA of 99.99% with minimal costs.
What should you do?
A. Create an HA VPN gateway with two tunnels. Configure BGP on both tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 200. Configure the on-premises router with the corresponding multi-exit discriminator (MED) value.
B. Create two HA VPN gateways, each with two tunnels. Configure BGP on each of the gateways' tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 100. Configure the on-premises router with the same corresponding multi-exit discriminator (MED) value.
C. Create an HA VPN gateway with two tunnels. Configure BGP on both tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 100. Configure the on-premises router with the corresponding multi-exit discriminator (MED) value.
D. Create an HA VPN gateway with four tunnels. Configure BGP on four tunnels with tunnel 0 configured with a base routing priority metric of 100, tunnel 1 with a base routing priority metric of 200, tunnel 2 with a base routing priority of 300, and tunnel 3 with a base routing priority of 400. Configure the on-premises router with the corresponding multi-exit discriminator (MED) value.
B. Create two HA VPN gateways, each with two tunnels. Configure BGP on each of the gateways' tunnels with tunnel 0 configured with a base routing priority metric of 100 and tunnel 1 with a base routing priority metric of 100. Configure the on-premises router with the same corresponding multi-exit discriminator (MED) value.
Explanation
HA VPN throughput and redundancy requirements: Each HA VPN gateway can support a maximum of 3 Gbps of throughput per gateway with two tunnels in active/active mode. Since your requirement is approximately 4 Gbps of bandwidth and 300,000 PPS, one HA VPN gateway would not suffice. Using two HA VPN gateways ensures sufficient capacity to handle the required throughput.
SLA of 99.99%: To achieve a 99.99% SLA, you need to configure HA VPN with two tunnels per gateway in active/active mode (equal routing priority). This ensures redundancy, load distribution, and high availability.
BGP configuration for load balancing: By configuring the base routing priority metric (100) equally on both tunnels of each gateway, you ensure that traffic is evenly distributed across all tunnels. On the on-premises router, configure the same multi-exit discriminator (MED) values for all tunnels to maintain consistent routing behavior.
Question 175:
Your organization has resources in two different VPCs, each in different Google Cloud projects, which require connectivity between them. You have already determined that there is no IP address overlap; however, one VPC uses privately used public IP (PUPI) ranges. You would like to enable connectivity between these resources by using a lower cost and higher performance method.
What should you do?
A. Create a HA VPN between the two VPCs that includes the PUPI ranges in the Custom Route Advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using network tags as the source filter.
B. Create a HA VPN between the two VPCs that includes the PUPI ranges in the Custom Route Advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
C. Create a VPC Peering between the two VPCs that allows the export and import of custom routes. Create the necessary ingress VPC firewall rules that target the specific resources by using service accounts as the source filter.
D. Create a VPC Peering between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
D. Create a VPC Peering between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
Explanation
VPC Peering for subnet routes with public IP addresses: VPC Peering allows the exchange of routes between the two VPCs, including routes for PUPI ranges if "import and export of subnet routes with public IP addresses" is enabled. This ensures that traffic to and from resources in the VPC using PUPI ranges can be routed correctly.
Firewall rules for ingress traffic: To control access between resources in the peered VPCs, ingress firewall rules must be created. These rules should target the specific resources using IP ranges as the source filter to ensure security and proper routing.
Question 176:
Your organization wants to deploy an internal application named app-1 in VPC-1. The application will consume services from another internal application named app-2 in VPC-2. VPC Network Peering will connect both applications. You need to apply microsegmentation between these two applications and VPCs.
What should you do?
A. Assign network tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure a hierarchical firewall policy with an ingress rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
B. Assign secure tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure a hierarchical firewall policy with an ingress rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
C. Assign network tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure an ingress VPC firewall rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
D. Assign secure tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure a network firewall policy that is attached to VPC-2 with an ingress rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
C. Assign network tags to these applications: secure-tag-app-1 to app-1 and secure-tag-app-2 to app-2. Configure an ingress VPC firewall rule that allows traffic from secure-tag-app-1 to secure-tag-app-2. Leave the default deny ingress rule and the default allow egress rule.
Explanation
By assigning network tags (e.g. secure-tag-app-1 on the app-1 instances and secure-tag-app-2 on app-2) and then creating a VPC firewall ingress rule in VPC-2 that only allows traffic from tag secure-tag-app-1 to instances with tag secure-tag-app-2, you get fine-grained microsegmentation across the peered VPCs. You leave the implicit default deny ingress rule in place (so no other sources can reach app-2) and keep the default allow-all egress rule. This approach is the simplest and follows Google's best practice for tag-based segmentation in VPC Network Peering.
Question 177:
You recently deployed your application in Google Cloud. You need to verify your Google Cloud network configuration before deploying your on-premises workloads. You want to confirm that your Google Cloud network configuration allows traffic to flow from your cloud resources to your on-premises network. This validation should also analyze and diagnose potential failure points in your Google Cloud network configurations without sending any data plane test traffic.
What should you do?
A. Use Network Intelligence Center's Connectivity Tests.
B. Enable Packet Mirroring on your application and send test traffic.
C. Use Network Intelligence Center's Network Topology visualizations.
D. Enable VPC Flow Logs and send test traffic.
C. Use Network Intelligence Center's Network Topology visualizations.
Question 178:
Your organization hosts example.com publicly, but internal applications in a VPC need different private records for the same domain name. Internet users must continue resolving the public records.
What should you configure?
A. A Cloud DNS private managed zone for example.com associated with the VPC, and keep the public managed zone for internet clients.
B. A Cloud DNS forwarding zone for example.com that forwards all internal and external queries to the public authoritative servers.
C. A single public Cloud DNS zone for example.com that contains both public and private IP addresses.
D. A Cloud NAT gateway so internal clients can resolve public DNS names through the internet.
A. A Cloud DNS private managed zone for example.com associated with the VPC, and keep the public managed zone for internet clients.
Explanation
Split-horizon DNS is implemented by using a private managed zone for the VPC while keeping the public zone for external resolvers. Internal clients associated with the private zone receive the private records, and internet users continue to receive the public records. A forwarding zone sends queries elsewhere and does not create separate authoritative private records. Placing private records in the public zone exposes them externally. Cloud NAT affects outbound connectivity and does not implement split-horizon DNS.
Question 179:
You need to create a GKE cluster in an existing VPC that is accessible from on-premises. You must meet the following requirements: IP ranges for pods and services must be as small as possible. The nodes and the master must not be reachable from the internet. You must be able to use kubectl commands from on-premises subnets to manage the cluster.
How should you create the GKE cluster?
A.
- Create a private cluster that uses VPC advanced routes.
- Set the pod and service ranges as /24.
- Set up a network proxy to access the master.
B.
- Create a VPC-native GKE cluster using GKE-managed IP ranges.
- Set the pod IP range as /21 and service IP range as /24.
- Set up a network proxy to access the master.
C.
- Create a VPC-native GKE cluster using user-managed IP ranges.
- Enable a GKE cluster network policy, set the pod and service ranges as /24.
- Set up a network proxy to access the master.
- Enable master authorized networks.
D.
- Create a VPC-native GKE cluster using user-managed IP ranges.
- Enable privateEndpoint on the cluster master.
- Set the pod and service ranges as /24.
- Set up a network proxy to access the master.
- Enable master authorized networks.
D.
- Create a VPC-native GKE cluster using user-managed IP ranges.
- Enable privateEndpoint on the cluster master.
- Set the pod and service ranges as /24.
- Set up a network proxy to access the master.
- Enable master authorized networks.
Question 180:
You manage the static assets for your company's global website. Users have been reporting slow load times when they visit the website. You need to develop a scalable solution to improve website load times for users worldwide. You also need to reduce direct access load on the Cloud Storage bucket where the website's static assets are stored.
What should you do?
A. Configure an internal Application HTTPS Load Balancer in front of the Cloud Storage bucket and enable Cloud CDN on the storage bucket.
B. Deploy a Global external Application HTTPS Load Balancer, configure a backend bucket pointing to your Cloud Storage bucket, and enable Cloud CDN on the backend bucket.
C. Deploy a Global external Application HTTPS Load Balancer with a Private Service Connect backend pointing to the Cloud Storage API.
D. Create a new Compute Engine instance, host the static assets on it, frontend the VM with a load balancer and then enable Cloud CDN directly on the backend service of the load balancer.
B. Deploy a Global external Application HTTPS Load Balancer, configure a backend bucket pointing to your Cloud Storage bucket, and enable Cloud CDN on the backend bucket.
Explanation
A global external Application HTTPS Load Balancer with a backend bucket is the managed, scalable pattern for serving Cloud Storage static content. Enabling Cloud CDN on the backend bucket caches content at edge locations worldwide, improving latency for global users and significantly reducing direct request load on the Cloud Storage bucket.