Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name: Professional Cloud Network Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 333 Q&As
Last Updated: May 31, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers
Question 191:
You have several VMs across multiple VPCs in your cloud environment, which require access to internet endpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use Cloud NAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. You want to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoid any unintentional configuration issues caused by other administrators, and align to Google-recommended practices.
What should you do?
A. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure all primary and secondary subnet source ranges.
B. Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.
C. Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet, 0.0.0.0/0. Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet, 0.0.0.0/0. Deploy Cloud NAT, and configure a custom source range that includes the allowed subnets.
D. Deploy Cloud NAT in each VPC, and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.
Answer: D. Deploy Cloud NAT in each VPC, and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.
Explanation
Cloud NAT with Custom Source Ranges: Cloud NAT allows you to configure a custom source range that limits which subnets can use it for outbound internet access. By specifying the allowed subnets only, you can ensure that no unauthorized subnet can unintentionally or maliciously use Cloud NAT for egress.
Cloud NAT Rules for Subnet-Specific Control: Configuring rules in Cloud NAT allows fine-grained control over which subnets have access to the internet. This aligns with Google-recommended practices for securing internet access and avoiding configuration errors.
Avoiding Unintentional Configuration Issues: By using Cloud NAT's built-in configuration options (custom source ranges and NAT rules), you eliminate the need for additional firewall rules or complex organizational policies, reducing the likelihood of misconfiguration by administrators.
Question 192:
You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service.
What should you do?
A. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.
B. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the URL https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
C. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.
D. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the URL https://[API_NAME]/[API_VERSION]/.
Answer: B. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the URL https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
Question 193:
You need to create the technical architecture for hybrid connectivity from your data center to Google Cloud. This will be managed by a partner. You want to follow Google-recommended practices for production-level applications.
What should you do?
A. Ask the partner to install two security appliances in the data center. Configure one VPN connection from each of these devices to Google Cloud, and ensure that the VPN devices on-premises are in separate racks on separate power and cooling systems.
B. Configure two Partner Interconnect connections in one metropolitan area (metro). Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in a single region, and configure regional dynamic routing on the VPC.
C. Configure two Partner Interconnect connections in one metro and two connections in another metro. Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure global dynamic routing on the VPC.
D. Configure two Partner Interconnect connections in one metro and two connections in another metro. Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure regional dynamic routing on the VPC.
Answer: C. Configure two Partner Interconnect connections in one metro and two connections in another metro. Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure global dynamic routing on the VPC.
Explanation
To create a highly available and production-ready hybrid connectivity architecture managed by a partner, follow these Google-recommended practices:
Redundancy in Partner Interconnect Connections: Deploy two Partner Interconnect connections in each metro (one metro as the primary, another as the backup). Place the connections in different metro edge availability domains to ensure fault tolerance and avoid single points of failure.
VLAN Attachments Across Multiple Regions: Use two VLAN attachments per region (in two regions) to provide additional redundancy at the regional level.
Global Dynamic Routing: Configure global dynamic routing on the VPC to enable seamless failover between regions and metros. This ensures optimal routing of traffic regardless of failures in specific regions or metros.
Question 194:
Your multi-region VPC has had a long-standing HA VPN configured in "region 1" connected to your corporate network. You are planning to add two 10 Gbps Dedicated Interconnect connections and VLAN attachments in "region 2" to connect to the same corporate network. You need to plan for connectivity between your VPC and corporate network to ensure that traffic uses the Dedicated Interconnect connections as the primary path and the HA VPN as the secondary path.
What should you do?
A. 100. Configure BGP associated with the VAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi exit discriminator (MED) values.
B. 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi exit discriminator (MED) values.
C. 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi exit discriminator (MED) values.
D. 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi exit discriminator (MED) values.
Answer: C. 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi exit discriminator (MED) values.
Explanation
Global Dynamic Routing Mode: Enables seamless routing across regions within the VPC, ensuring that the routes from both "region 1" (HA VPN) and "region 2" (Dedicated Interconnect) are propagated globally to all VPC subnets. This is necessary to support the traffic flow between your corporate network and the VPC across multiple regions.
Priority for BGP Routes: Lower BGP priority (base priority value) indicates a preferred path. Assign priority 100 to the BGP sessions associated with the VLAN attachments in "region 2" (Dedicated Interconnect), making this the primary path for traffic. Assign priority 20000 to the BGP sessions associated with the HA VPN in "region 1," ensuring that this acts as the secondary path.
Multi-Exit Discriminator (MED): Configuring similar MED values on your on-premises routers ensures that the routing preferences are consistent and honored when selecting between the Dedicated Interconnect and HA VPN paths.
Question 195:
Your organization has an on-premises data center. You need to provide connectivity from the on-premises data center to Google Cloud. Bandwidth must be at least 1 Gbps, and the traffic must not traverse the internet.
What should you do?
A. Configure HA VPN by using high availability gateways and tunnels.
B. Configure Cross-Cloud Interconnect by creating a VLAN attachment, activate the connection, and then submit the pairing key to your service provider.
C. Configure Dedicated Interconnect by creating a VLAN attachment, activate the connection, and submit the pairing key to your service provider.
D. Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.
Answer: D. Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.
Explanation
Partner Interconnect delivers private connectivity over a service provider's network (no internet traversal) and supports capacity starting at 50 Mbps up to 10 Gbps, including the 1 Gbps you need, without the need for colocating gear in a Google facility. Simply create your VLAN attachment, exchange the pairing key with the provider, and activate the connection.
Question 196:
Your security team wants to reduce the risk of data exfiltration from projects that store sensitive Cloud Storage and BigQuery data. Access to these services must be limited to requests from approved networks and identities.
What should you configure?
A. A VPC Service Controls service perimeter with an appropriate access level for the approved sources.
B. A VPC firewall rule that denies egress traffic to storage.googleapis.com and bigquery.googleapis.com.
C. Cloud NAT with manually allocated IP addresses for all subnets.
D. A private Cloud DNS zone that removes public records for Cloud Storage and BigQuery APIs.
Answer: A. A VPC Service Controls service perimeter with an appropriate access level for the approved sources.
Explanation
VPC Service Controls service perimeters help protect supported Google services such as Cloud Storage and BigQuery by reducing data exfiltration risk. Access levels can define approved sources such as networks, IP ranges, or identities.
VPC firewall rules do not directly control access to Google API service methods and are not sufficient for service perimeter enforcement. Cloud NAT only controls outbound NAT behavior. DNS changes alone do not enforce access controls on supported Google services.
Question 197:
You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling.
Which configuration should you use?
A. Use global SSL Proxy Load Balancing with backends in both regions.
B. Use global TCP Proxy Load Balancing with backends in both regions.
C. Use global external HTTP(S) Load Balancing with backends in both regions.
D. Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.
Answer: D. Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.
Question 198:
You built a web application with several containerized microservices. You want to run those microservices on Cloud Run. You must also ensure that the services are highly available to your customers with low latency.
What should you do?
A. Deploy the Cloud Run services to multiple availability zones. Create a global TCP load balancer. Add the Cloud Run endpoints to its backend service.
B. Deploy the Cloud Run services to multiple regions. Create serverless network endpoint groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach the serverless NEGs as backend services of the load balancer.
C. Deploy the Cloud Run services to multiple availability zones. Create Cloud Endpoints that point to the services. Create a global HTTPS load balancer, and attach the Cloud Endpoints to its backend.
D. Deploy the Cloud Run services to multiple regions. Configure a round-robin A record in Cloud DNS.
Answer: B. Deploy the Cloud Run services to multiple regions. Create serverless network endpoint groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach the serverless NEGs as backend services of the load balancer.
Question 199:
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
A. Assign a public IP address to the instance.
B. Create a route to reach the Master, pointing to the default internet gateway.
C. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
D. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
Answer: D. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
Question 200:
Your company uses Network Connectivity Center to connect its VPCs in Google Cloud. They plan to connect their on-premises data center to one of these VPCs by using HA VPN. The CIDR range of your on-premises network overlaps with the IP addresses in Google Cloud. You want your VMs in Google Cloud to connect directly to the IP address of the on-premises hosts.
What should you do?
A. Configure a subnet of purpose REGIONAL_MANAGED_PROXY and use a Google Cloud application load balancer.
B. Configure a subnet of purpose REGIONAL_MANAGED_PROXY and use a Google Cloud TCP proxy load balancer.
C. Configure a subnet of purpose PRIVATE_NAT and use Private NAT for the Network Connectivity Center spokes.
D. Configure a subnet of purpose PRIVATE_NAT and use Hybrid NAT.
Answer: D. Configure a subnet of purpose PRIVATE_NAT and use Hybrid NAT.
Explanation
When your on-prem network CIDR overlaps with your Google Cloud CIDR, you need to translate one side's addresses so that routes don't clash. Network Connectivity Center's Private NAT lets you perform destination NAT on traffic between your spoke VPCs and the on-prem network. By configuring a PRIVATE_NAT subnet in your NCC hub and applying a Private NAT policy to your spoke, you can rewrite the on-prem host IPs into a non-overlapping range, allowing your GCE VMs to connect directly to the (translated) on-prem IPs over HA VPN.