Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name: Professional Cloud Network Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 333 Q&As
Last Updated: May 31, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers
Question 211:
You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps.
What should you do?
A. Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.
B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.
D. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.
Answer: B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
Question 212:
You are designing a Partner Interconnect hybrid cloud connectivity solution with geo-redundancy across two metropolitan areas. You want to follow Google-recommended practices to set up the following region/metro pairs:
(region 1/metro 1) (region 2/metro 2)
What should you do?
A. Create a Cloud Router in region 1 with two VLAN attachments connected to metro1-zone1-x. Create a Cloud Router in region 2 with two VLAN attachments connected to metro1-zone2-x.
B. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x. Create a Cloud Router in region 2 with two VLAN attachments connected to metro2-zone2-x.
C. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone2-x. Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone2-x.
D. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x. Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment to metro2-zone2-x.
Answer: D. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x. Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment to metro2-zone2-x.
Question 213:
You need to configure a Google Kubernetes Engine (GKE) cluster. The initial deployment should have 5 nodes with the potential to scale to 10 nodes. The maximum number of Pods per node is 8. The number of services could grow from 100 to up to 1024.
How should you design the IP schema to optimally meet this requirement?
A. Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.
B. Configure a /28 primary IP address range for the node IP addresses. Configure a /25 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.
C. Configure a /28 primary IP address range for the node IP addresses. Configure a /28 secondary IP range for the Pods. Configure a /21 secondary IP range for the Services.
D. Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.
Answer: D. Configure a /28 primary IP address range for the node IP addresses. Configure a /24 secondary IP range for the Pods. Configure a /22 secondary IP range for the Services.
Question 214:
You are designing a highly resilient and secure connection between an on-premises data center and Google Cloud for a financial services company. The company requires 10 Gbps of bandwidth and mandates that all traffic be encrypted end-to-end between their on-premises network and their Google Cloud VPC. You have already provisioned two 10 Gbps Dedicated Interconnect connections. You need to determine an encryption strategy that meets these requirements and provides redundancy.
What should you do?
A. Deploy four HA VPN gateways on each Dedicated Interconnect connection.
B. Deploy two HA VPN gateways on each Dedicated Interconnect connection.
C. Configure MACsec on each of the Dedicated Interconnect connections.
D. Use one Dedicated Interconnect for traffic and an HA VPN over the internet for backup.
Answer: B. Deploy two HA VPN gateways on each Dedicated Interconnect connection.
Explanation
To meet the requirement for end-to-end encryption between the on-premises network and the VPC, use HA VPN over Cloud Interconnect rather than MACsec. Google documents that MACsec protects traffic only between your router and Google's edge, while HA VPN over Cloud Interconnect provides IPsec encryption for the traffic carried by the VLAN attachments. For a 10 Gbps encrypted design with failover across two Dedicated Interconnect attachments, Google recommends 4 tunnels per 10 Gbps attachment, or 8 tunnels total, and its 10 Gbps reference design uses four HA VPN gateways across the two encrypted attachments.
Question 215:
You are configuring a Cross-Cloud Interconnect connection for your Google Cloud organization with two public cloud service providers (CSPs): CSP 1 and CSP 2. The CSP 1 and CSP 2 environments are closest to Frankfurt, Germany. You can choose between two common colocation locations, Frankfurt and Munich. Your organization's Google Cloud infrastructure is deployed in the North American region, us-east4, which is located in Virginia, USA. The VPC dynamic routing mode has been set to GLOBAL. Your organization requires 20 Gbps of protected bandwidth with a 99.9% Google Cloud SLA. You want to minimize costs where possible.
What should you do?
A. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
B. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   2. Create two Cross-Cloud Interconnect connections to CSP 2, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
C. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1) in a common co-location facility located in Frankfurt, Germany and (20 Gbps in zone 2) in a common co-location facility located in Munich, Germany.
   2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1) in a common co-location facility located in Frankfurt, Germany and (20 Gbps in zone 2) in a common co-location facility located in Munich, Germany.
   3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
D. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   2. Create two Cross-Cloud Interconnect connections to CSP 2, with 40 Gbps of total bandwidth (20 Gbps in zone 1 and 20 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   3. Create a Cloud Router in us-east4 (Ashburn, Virginia, USA), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
Answer: B. 1. Create two Cross-Cloud Interconnect connections to CSP 1, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   2. Create two Cross-Cloud Interconnect connections to CSP 2, with 20 Gbps of total bandwidth (10 Gbps in zone 1 and 10 Gbps in zone 2) in a common co-location facility located in Frankfurt, Germany.
   3. Create a Cloud Router in europe-west3 (Frankfurt), and configure two VLAN attachments for CSP 1 and two VLAN attachments for CSP 2.
Explanation
This setup satisfies the organization's requirements while minimizing costs:
1. Bandwidth and SLA: A total of 20 Gbps of protected bandwidth is required, which means you need redundant Cross-Cloud Interconnects. Each interconnect in a zone is provisioned for 10 Gbps, ensuring that both zone 1 and zone 2 connections in Frankfurt together provide the required bandwidth while meeting the 99.9% SLA with redundancy.
2. Cost-efficiency: Deploying the Cross-Cloud Interconnect connections in Frankfurt (the closest location to the CSPs) minimizes latency and avoids unnecessary costs associated with using additional colocation facilities like Munich. Using 10 Gbps connections in two zones for each CSP balances performance and cost.
3. Cloud Router configuration: Deploying the Cloud Router in europe-west3 (Frankfurt) ensures the routes for VLAN attachments are appropriately managed within the region close to the CSPs. The global dynamic routing mode allows connectivity between the us-east4 resources and the CSPs without requiring Cloud Router placement in the us-east4 region.
Question 216:
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?
A. Assign each user the editor role.
B. Assign each user the compute.networkAdmin role.
C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
Answer: B. Assign each user the compute.networkAdmin role.
Question 217:
You are managing a hybrid cloud environment connecting your on-premises data center to a Google Cloud VPC via Cloud VPN. Your on-premises DNS servers are authoritative for the corp.example.com zone, and a Cloud DNS private zone is authoritative for the gcp.example.com zone. You need to configure a Google-recommended solution that allows Google Cloud VMs to resolve on-premises hostnames and, conversely, allows on-premises hosts to resolve hostnames in your Google Cloud VPC.
What should you do?
A. Create a Cloud DNS outbound server policy that forwards all DNS queries from the VPC to your on-premises DNS servers. Configure your on-premises servers to handle resolution for gcp.example.com and public domains on behalf of the VPC.
B. Configure your on-premises DNS servers to use Google Cloud's public DNS (8.8.8.8) for all queries. Update your Google Cloud instances to use Cloud DNS for internal resolution.
C. Deploy a Compute Engine VM in the VPC to run a DNS forwarder, such as BIND or Unbound. Configure this VM to handle bi-directional forwarding between the on-premises DNS servers and Cloud DNS.
D. Create a Cloud DNS forwarding zone for corp.example.com that points to your on-premises DNS servers. Configure a private Cloud DNS zone for gcp.example.com. Create a Cloud DNS inbound server policy, and configure on-premises DNS servers to forward queries for gcp.example.com to it.
Answer: D. Create a Cloud DNS forwarding zone for corp.example.com that points to your on-premises DNS servers. Configure a private Cloud DNS zone for gcp.example.com. Create a Cloud DNS inbound server policy, and configure on-premises DNS servers to forward queries for gcp.example.com to it.
Explanation
A Cloud DNS forwarding zone for corp.example.com lets Google Cloud VMs resolve on-premises names by forwarding those queries to the on-premises authoritative DNS servers. An inbound server policy exposes Cloud DNS private resolution for gcp.example.com to your on-premises resolvers, so on-premises hosts can resolve Google Cloud private names by conditionally forwarding gcp.example.com queries into Cloud DNS over the VPN.
Question 218:
You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage.
You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC.
What should you do?
A. 1. Delete the default route in your VPC.
   2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted.googleapis.com, and create an A record for restricted.googleapis.com that resolves to the addresses in 199.36.153.4/30.
   3. Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.
B. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
   2. Create a public Cloud DNS zone with a CNAME for *.google.com to private.googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
   3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
C. 1. Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route.
   2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
   3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
D. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
   2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
   3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
Answer: D. 1. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
   2. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
   3. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
Question 219:
You are securing a newly provisioned 10 Gbps Dedicated Interconnect that connects your on-premises data center to your Google Cloud VPC. Your company mandated that all IP traffic between your private on-premises network and the VPC must be secured with strong, end-to-end encryption at layer 3 in the Open Systems Interconnection (OSI) model. You need to implement the most direct and effective solution.
What should you do?
A. Configure BGP sessions over the Dedicated Interconnect, and enable MD5 authentication.
B. Enable MACsec for Cloud Interconnect to encrypt all data frames between your on-premises router and Google's edge device.
C. Deploy HA VPN tunnels over the Dedicated Interconnect connections, and configure BGP sessions with on-premises routers to exchange routes.
D. Migrate your connection from Dedicated Interconnect to Partner Interconnect, and select a service provider that offers a private, encrypted connection.
Answer: C. Deploy HA VPN tunnels over the Dedicated Interconnect connections, and configure BGP sessions with on-premises routers to exchange routes.
Explanation
The requirement is strong end-to-end encryption at layer 3. Running Cloud HA VPN over Dedicated Interconnect provides IPsec encryption for all IP traffic between on-premises and the VPC while still using Interconnect for high throughput and reliability. Using BGP over the VPN tunnels enables dynamic route exchange across the encrypted layer-3 tunnels.
Question 220:
Your company recently migrated to Google Cloud in a single region. You configured separate Virtual Private Cloud (VPC) networks for two departments: Department A and Department B. Department A has requested access to resources that are part of Department B's VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMs) to meet security requirements. Your configuration also must:
- Support both TCP and UDP protocols
- Provide fully automated failover
- Include health-checks
- Require minimal manual intervention in the client VMs
Which approach should you take?
A. Create the VMs in the same zone, and configure static routes with IP addresses as next hops.
B. Create the VMs in different zones, and configure static routes with instance names as next hops.
C. Create an instance template and a managed instance group. Configure a single internal load balancer, and define a custom static route with the internal TCP/UDP load balancer as the next hop.
D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers' virtual IP addresses.
Answer: C. Create an instance template and a managed instance group. Configure a single internal load balancer, and define a custom static route with the internal TCP/UDP load balancer as the next hop.