Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 11:
You are designing a Google Kubernetes Engine (GKE) cluster for a highly sensitive application that processes confidential financial data in a single shared VPC. Your developers need to be able to securely access the Kubernetes API endpoint from their corporate network, which is connected to Google Cloud through Cloud VPN. You need to design the highest level of network security and ensure that the GKE control plane is not exposed to the internet.
What should you do?
A. Create a GKE cluster with a public endpoint. Implement VPC Service Controls to prevent any unauthorized access to the Kubernetes API from the internet. B. Deploy a private GKE cluster with the public endpoint disabled. Enable Private Service Connect to the control plane, allowing access only from within the VPC network or on-premises networks through Cloud VPN. C. Deploy a private GKE cluster with a public endpoint disabled. Use an internal TCP/UDP load balancer with identity proxy as a backend to connect to the Kubernetes API within the VPC network. D. Create a public GKE cluster, and configure authorized networks on the control plane to restrict access to the corporate network's external IP address.
B. Deploy a private GKE cluster with the public endpoint disabled. Enable Private Service Connect to the control plane, allowing access only from within the VPC network or on-premises networks through Cloud VPN.
Explanation
A private GKE cluster with the public control plane endpoint disabled prevents the Kubernetes API from being exposed to the internet. Using Private Service Connect to the control plane provides a private, VPC-internal access path that can be reached from your corporate network over Cloud VPN (through the shared VPC), keeping control plane access confined to private connectivity only.
Question 12:
You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router.
What should you do?
A. Configure the route advertisement to the default setting. B. On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address. C. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings. D. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.
D. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.
Question 13:
You are deploying a new internal application on Google Kubernetes Engine (GKE). This application will be accessed by other internal services within the same Google Cloud VPC network. The application will need to communicate with a database service running within this VPC. You need the GKE cluster's Pods to be allocated IP addresses directly from a range within the VPC.
What should you do?
A. Create a GKE cluster with a primary IP address range for Pods that is separate from the Node's primary IP range. B. Create a routes-based GKE cluster, and rely on the automatically generated custom static routes in the VPC for Pod IP address connectivity. C. Enable VPC-native traffic routing by creating a cluster that uses alias IP ranges for its Pods and Services. D. Implement a public GKE cluster so that the Pods can communicate to the databases through public or private IP addresses.
C. Enable VPC-native traffic routing by creating a cluster that uses alias IP ranges for its Pods and Services.
Explanation
A VPC-native (alias IP) GKE cluster allocates Pod and Service IPs from secondary IP ranges on the VPC subnets, so Pods receive IP addresses that are part of your VPC's IP space and can communicate directly with other VPC resources like the database.
Question 14:
Your organization has over 250 autonomous business units that currently operate in a decentralized manner. Due to the organization's maturity, there is limited routable private IP address space, which is insufficient to accommodate all of the necessary workloads. You need to create a cloud-first network design that uses the same IP address space across business unit workloads where possible. These business units require communication between units, and access to their on-premises data center.
What should you do?
A. Create a hub and spoke model that incorporates VPC Network Peering with hybrid connectivity centralized within the hub. B. Create a Network Connectivity Center design that incorporates Private NAT to facilitate communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment. C. Create a Network Connectivity Center design that incorporates Private Service Connect to provide bidirectional communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment. D. Create a hub and spoke design that incorporates a centralized network virtual appliance (NVA) in the hub to perform routing and NAT between spokes.
B. Create a Network Connectivity Center design that incorporates Private NAT to facilitate communication between VPC spokes, and a Routing VPC to exchange dynamic routes from the on-premises environment.
Explanation
Using Network Connectivity Center (NCC) with Private NAT allows overlapping IP address spaces across business units while ensuring communication between VPC spokes. Private NAT translates overlapping IP ranges to non-conflicting ranges, enabling seamless inter-VPC communication. Additionally, a Routing VPC centralizes dynamic route exchanges with the on-premises environment through Cloud Router, ensuring scalable and efficient hybrid connectivity.
Question 15:
Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it is a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.
Which two steps should you take? (Choose two.)
A. Use Cloud Armor to blacklist the attacker's IP addresses. B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic. C. Create a global HTTP(s) load balancer and move your application backend to this load balancer. D. Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline. E. SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.
A. Use Cloud Armor to blacklist the attacker's IP addresses. B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic.
Question 16:
Your company uses Compute Engine instances that are exposed to the public internet. Each compute instance has a single network interface with a single public IP address. You need to block any connection attempt that originates from internet clients with IP addresses that belong to the BGP_ASN_TOBLOCK BGP ASN.
What should you do?
A. Create a new Cloud Armor backend security policy, and use the --network-src-asns parameter. B. Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter. C. Create a new Cloud Armor edge security policy, and use the --network-src-asns parameter. D. Create a new firewall policy ingress rule, and use the --network-src-asns parameter.
B. Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter.
Explanation
Cloud Armor Network Edge Security Policy: A network edge security policy in Cloud Armor allows you to enforce access control at the edge of Google's network, even before traffic reaches your Compute Engine instances. It is ideal for blocking traffic based on specific BGP Autonomous System Numbers (ASNs) at the edge.
Blocking Traffic by ASN: The --network-src-asns parameter in a Cloud Armor network edge security policy enables you to specify the ASNs that you want to block. This effectively stops connection attempts originating from internet clients belonging to the specified ASNs before they reach your resources.
Question 17:
You are creating an instance group and need to create a new health check for HTTP(s) load balancing.
Which two methods can you use to accomplish this? (Choose two.)
A. Create a new health check using the gcloud command-line tool. B. Create a new health check using the VPC Network section in the Google Cloud console. C. Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the Google Cloud console. D. Create a new legacy health check using the gcloud command-line tool. E. Create a new legacy health check using the Health checks section in the Google Cloud console.
A. Create a new health check using the gcloud command-line tool. C. Create a new health check, or select an existing one, when you complete the load balancer's backend configuration in the Google Cloud console.
Question 18:
Your organization has five different VPCs across different projects in y our Google Cloud organization that need high-throughput connectivity. You have performed an audit of the IP address utilization in each VPC, and there are two overlapping subnets that are used by two of the VPCs: 240.0.0.0/16 and 240.128.0.0/24. You have confirmed that no Class E subnets (240.0.0.0/4) will require inter-VPC connectivity, but all other subnets in the VPCs will need connectivity.
You need to deploy a Google Cloud routing solution to meet the connectivity requirements.
What should you do?
A. Create a full mesh of VPC Network Peering connections between all five VPCs. Make sure not to import or export subnet routes with public IP addresses. Add Cloud network firewall policy rules to allow traffic. B. Create a Network Connectivity Center hub with a mesh topology. Add a VPC spoke for each of the five VPCs and configure an export exclude filter for 240.0.0.0/4. Add Cloud network firewall policy rules to allow traffic. C. Create a series of multiple network interface VMs with an interface in each VPC. Place the VMs in an instance group. Create an internal passthrough Network Load Balancer in each VPC with the backend of the instance group. Configure custom static routes in each VPC with the next hop of the respective load balancer. Add Cloud network firewall policy rules to allow traffic. D. Create a full mesh of VPC Network Peering connections between all five VPCs with an export exclude filter for 240.0.0.0/4 on every side. Add Cloud network firewall policy rules to allow traffic.
B. Create a Network Connectivity Center hub with a mesh topology. Add a VPC spoke for each of the five VPCs and configure an export exclude filter for 240.0.0.0/4. Add Cloud network firewall policy rules to allow traffic.
Explanation
Network Connectivity Center with a Mesh Topology: Network Connectivity Center (NCC) provides a scalable and managed solution for interconnecting multiple VPCs. A mesh topology allows all VPCs to communicate with each other without requiring direct peering connections between every pair of VPCs, simplifying the configuration and management for a high-throughput environment.
Exclusion of Overlapping Subnets: Using an export exclude filter for 240.0.0.0/4, you ensure that overlapping subnets within the Class E address range (240.0.0.0/4) are not included in the routing table, which avoids routing conflicts between the two overlapping subnets. Firewall Policy Rules: Adding appropriate Cloud network
firewall rules ensures that only authorized traffic is allowed between the VPCs, enhancing security and maintaining compliance with organizational policies.
Question 19:
You have two Dedicated Interconnect VLAN attachments that terminate on Cloud Routers. You need BGP sessions to detect link failure more quickly than default BGP hold timers allow.
What should you configure?
A. Bidirectional Forwarding Detection on the Cloud Router BGP sessions. B. A lower priority on all custom advertised routes. C. Regional dynamic routing mode on the VPC network. D. Cloud NAT logging for the subnets that use the VLAN attachments.
A. Bidirectional Forwarding Detection on the Cloud Router BGP sessions.
Explanation
Bidirectional Forwarding Detection (BFD) is used with Cloud Router BGP sessions to detect forwarding path failures more quickly than standard BGP timers. Route priority influences path selection and does not provide fast failure detection.
Regional dynamic routing controls where learned dynamic routes are available in the VPC, not how quickly a failed BGP path is detected. Cloud NAT logging is unrelated to Interconnect BGP session failure detection.
Question 20:
Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible.
What should you do?
A. 1. Configure your VPC routing in regional mode.2. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1. B. 1. Configure your VPC routing in global mode.2. Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1. C. 1. Configure your VPC routing in global mode.2. Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2. D. 1. Configure your VPC routing in regional mode.2. Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.
C. 1. Configure your VPC routing in global mode.2. Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.