Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code: PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name: Professional Cloud Network Engineer
Certification: Google Certifications
Vendor: Google
Total Questions: 333 Q&As
Last Updated: May 31, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers
Question 221:
You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect.
What should you do?
A. In the Network Intelligence Center, check for the number of packet drops on the VPN.
B. In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.
C. In the Monitoring section of the Google Cloud Console, use the Dashboard section to select a default dashboard for VPN usage.
D. In the VPN section of the Google Cloud Console, select the VPN under hybrid connectivity, and then select monitoring to display utilization on the dashboard.
B. In the Google Cloud Console, use Monitoring Query Language to create a custom alert for bandwidth utilization.
Question 222:
Your organization has multiple VMs running on Google Cloud within a VPC. The VMs require connectivity to certain Google APIs. You need to enable Private Google Access for VM connectivity to Cloud Storage.
What should you do?
A. Enable Private Google Access on the project, remove the default route that points to the default internet gateway, and enable the Cloud Storage API.
B. Enable Private Google Access on the VM, remove the default route that points to the default internet gateway, and enable the Cloud Storage API.
C. Enable Private Google Access on the VPC, create a default route that points to the default internet gateway, and enable the Cloud Storage API.
D. Enable Private Google Access on the subnet, create a default route that points to the default internet gateway, and enable the Cloud Storage API.
D. Enable Private Google Access on the subnet, create a default route that points to the default internet gateway, and enable the Cloud Storage API.
Explanation
Private Google Access allows VMs in a VPC subnet to access Google APIs and services (such as Cloud Storage) without requiring an external IP address. The key steps to enable Private Google Access for VM connectivity to Cloud Storage are as follows:
1. Enable Private Google Access on the subnet: Private Google Access is configured at the subnet level, not at the project or VM level. This ensures that VMs within the subnet can access Google APIs privately through internal IPs.
2. Create a default route to the default internet gateway: While the VMs use Private Google Access for Google APIs, they still need the default route for any other internet-bound traffic. This ensures proper routing for all other traffic.
3. Enable the Cloud Storage API: Enabling the Cloud Storage API ensures that the required service is available for your project and accessible to your VMs.
Question 223:
You manage a Google Cloud VPC network that has multiple Cloud VPN tunnels connecting to a single branch office for redundancy. One tunnel is a new, high-performance link, while the other is an older, less reliable link. You need to configure dynamic routing to influence how your on-premises network routes traffic, ensuring it prefers sending traffic to Google Cloud over the new, high-performance tunnel. The older tunnel must remain available as a backup.
What should you do?
A. Adjust the Border Gateway Protocol (BGP) Multi-Exit Discriminator (MED) attribute advertised by the Cloud Router for the preferred VPN tunnel to a lower value.
B. Configure static routes with different priorities on your on-premises router to point to the two different Cloud VPN tunnel interfaces in Google Cloud.
C. On the Cloud Router, configure custom route advertisements to send a shorter prefix route over the new, high-performance tunnel.
D. For the BGP session associated with the new tunnel, configure a higher advertised route priority (a lower numerical value) on the Cloud Router.
D. For the BGP session associated with the new tunnel, configure a higher advertised route priority (a lower numerical value) on the Cloud Router.
Explanation
Cloud Router lets you influence inbound traffic from on-premises by setting the advertised route priority per BGP session. Advertising routes with a more preferred priority on the BGP session over the new tunnel causes the on-premises side to select that path for traffic to Google Cloud, while the older tunnel remains available to take over if the preferred session or tunnel fails.
Question 224:
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?
A. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
B. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
D. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.
C. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
Question 225:
Your company uses VPC firewall rules and denies all egress traffic. You need to allow some VMs to contact external websites based on their fully qualified domain name (FQDN). You apply the new configuration, but the traffic is still denied.
You need to adjust your setup to apply the new configuration.
What would you do?
A. Raise the priority of the network firewall policy rules.
B. Lower the priority of the network firewall policy rules.
C. Update the default policy and rule evaluation order to BEFORE_CLASSIC_FIREWALL.
D. Update the default policy and rule evaluation order to AFTER_CLASSIC_FIREWALL.
C. Update the default policy and rule evaluation order to BEFORE_CLASSIC_FIREWALL.
Explanation
Network firewall policies that use FQDN-based rules are, by default, evaluated after the classic VPC firewall rules. Your "deny all egress" VPC rule takes effect first and blocks the traffic before your FQDN allow rules are ever reached.
Switching the policy evaluation order to BEFORE_CLASSIC_FIREWALL ensures your FQDN-based allow rules run first, letting the designated VMs reach external sites, while still preserving your broader deny-all egress rule.
Question 226:
Your company's on-premises network is connected to a VPC using a Cloud VPN tunnel. You have a static route of 0.0.0.0/0 with the VPN tunnel as its next hop defined in the VPC. All internet bound traffic currently passes through the on-premises network. You configured Cloud NAT to translate the primary IP addresses of Compute Engine instances in one region. Traffic from those instances will now reach the internet directly from their VPC and not from the on-premises network. Traffic from the virtual machines (VMs) is not translating addresses as expected.
What should you do?
A. Lower the TCP Established Connection Idle Timeout for the NAT gateway.
B. Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority value higher than the priority value of the default route to the VPN gateway.
C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.
D. Increase the default min-ports-per-vm setting for the Cloud NAT gateway.
C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a higher priority than the priority of the default route to the VPN tunnel.
Question 227:
You have a Cloud Storage bucket configured as the origin for Cloud CDN. The bucket contains the following objects:
/folder-a/image-a-1.jpg
/folder-a/image-a-2.jpg
/folder-b/image-b-1.jpg
/folder-b/image-b-2.jpg
All four objects have already been cached by Cloud CDN.
You want to invalidate the cached copies of only the objects under /folder-a/, while using the minimum number of cache invalidation operations.
What should you do?
A. Add an appropriate lifecycle rule to the Cloud Storage bucket.
B. Issue a Cloud CDN cache invalidation request with the path pattern /folder-a/*.
C. Remove public access permissions from all objects under folder-a.
D. Disable Cloud CDN, wait 90 seconds, and then re-enable it.
B. Issue a Cloud CDN cache invalidation request with the path pattern /folder-a/*.
Question 228:
You are deploying HA VPN within Google Cloud. You need to exchange routes dynamically between your on-premises gateway and Google Cloud. You have already created a HA VPN gateway and a peer VPN gateway resource.
What should you do?
A. Create a Cloud Router, add VPN tunnels, and configure BGP sessions.
B. Create a Cloud Router, add VPN tunnels, and configure static routes to your subnet ranges.
C. Create a second HA VPN gateway, add VPN tunnels, and create firewall rules to allow BGP traffic to the Cloud Router.
D. Create a second HA VPN gateway, add VPN tunnels, and enable global dynamic routing.
A. Create a Cloud Router, add VPN tunnels, and configure BGP sessions.
Explanation
1. Create a Cloud Router: The Cloud Router is responsible for managing the dynamic routing between your on-premises network and Google Cloud.
2. Add VPN Tunnels to the Router: Associate the HA VPN tunnels with the Cloud Router to establish connectivity between the networks.
3. Configure BGP Sessions: Configure BGP sessions on the Cloud Router and your on-premises gateway to dynamically advertise and exchange routes.
Question 229:
Your organization wants to deploy HA VPN over Cloud Interconnect to ensure encryption-in-transit over the Cloud Interconnect connections. You have created a Cloud Router and two VLAN attachments. The BGP sessions are operational.
You need to complete the deployment of the HA VPN over Cloud Interconnect.
What should you do?
A. Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Use the existing Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels.
B. Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Create a new Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels.
C. Enable MACsec on the VLAN attachments.
D. Enable MACsec on Partner Cloud Interconnect.
B. Create an HA VPN gateway and associate the gateway with your two VLAN attachments. Create a new Cloud Router for HA VPN, the peer VPN gateway resources, and the HA VPN tunnels.
Explanation
HA VPN over Cloud Interconnect requires two separate Cloud Router instances - one dedicated to the Interconnect VLAN attachments and a second one for the HA VPN tier. To finish your deployment, you must:
1. Create an HA VPN gateway and associate its two interfaces with your encrypted VLAN attachments.
2. Provision a new Cloud Router for the HA VPN tier (you cannot reuse the Interconnect-tier router).
3. Configure the peer VPN gateway resources and HA VPN tunnels against that new router.
This separation ensures the Interconnect BGP session remains distinct from your HA VPN BGP session, as documented by Google's HA VPN over Cloud Interconnect architecture.
Question 230:
You are designing the VPC network for a large enterprise with many development teams. You need to centralize the management of common network resources while allowing each development team the flexibility to provision and manage their own virtual machines and other compute resources within their respective projects. You also need to ensure that all applications can communicate securely within the corporate environment.
What should you do?
A. Designate a host project to contain a Shared VPC network, and then attach each development team's project as a service project to share this network.
B. Configure Cloud VPN tunnels from each development project's VPC to a central network project that acts as a hub.
C. Implement a single large VPC for all development teams in one project and grant them specific IAM roles to manage resources within it.
D. Create individual VPCs in each development project and establish VPC Network Peering connections between all of them.
A. Designate a host project to contain a Shared VPC network, and then attach each development team's project as a service project to share this network.
Explanation
Shared VPC is the Google Cloud design for centralized network administration with decentralized application ownership. You place the common VPC network in a host project and attach each development team's project as a service project.
The networking team keeps centralized control over subnets, routes, and firewall rules, while the development teams can create and manage their own compute resources in their own projects using that shared network. This also supports secure internal communication across applications on the shared corporate network.