PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 271:

    In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.

    Which two steps should you take? (Choose two.)

    A. Connect both projects using Cloud VPN.
    B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
    C. Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
    D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
    E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.

  • Question 272:

    You are using Network Connectivity Center and you already have the hub configured. All VPCs in your environment need to have network connectivity to each other. All the subnet ranges are unique. You need to configure your topology accordingly.

    What should you do?

    A. Configure a star topology, add the VPC spokes to the hub, and specify all subnet ranges in the excludeExportRanges filter.
    B. Configure a mesh topology, add the VPC spokes to the hub, and specify all subnet ranges in the excludeExportRanges filter.
    C. Configure a mesh topology, and add the VPC spokes to the hub.
    D. Configure a star topology, and add the VPC spokes to the hub.

  • Question 273:

    Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected.

    What should you do?

    A. Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs.
    B. Use Cloud NGFW Essentials. Create a firewall rule for egress traffic, and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities.
    C. Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content.
    D. Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the --tls-inspect flag, and associate the firewall rules with the VMs.

  • Question 274:

    You are attempting to establish a HA VPN to your on-premises network; however, the VPN connection is not establishing successfully. You have full administrative control over the Google Cloud networking environment and the on-premises firewalls that are acting as the VPN devices. The Google Cloud console shows "Negotiation failure" and "BGP is down". You check Cloud Logging by using a query for resource.type="vpn_gateway" and resource.labels.gateway_id="TUNNEL_ID_NUMBER". Logs Explorer shows frequent log entries:

    log name:.../logs/cloud.googleapis.com%2Fipsec_events" type: "vpn_gateway" textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built" You need to troubleshoot the VPN failure and take corrective action based on the Cloud Logging entries.

    What should you do?

    A. Update the Google Cloud BGP session configuration to match the BGP peer ASN on the on-premises side.
    B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
    C. Create a new Cloud VPN gateway in a region closer to the peer VPN gateway.
    D. Compare the Phase 1 settings and recreate the Cloud VPN tunnel by choosing a different IKE version and pre-shared key.

  • Question 275:

    Your organization is migrating workloads from AWS to Google Cloud. Because a particularly critical workload will take longer to migrate, you need to set up Google Cloud CDN and point it to the existing application at AWS.

    What should you do?

    A. - Create an internet NEG that points to the existing FQDN of the application. - Map the NEG to an Application Load Balancer as a backend service. - Enable Cloud CDN on the backend service.
    B. - Create a hybrid NEG that points to the existing IP of the application. - Map the NEG to a passthrough Network Load Balancer as a target pool. - Enable Cloud CDN on the target pool.
    C. - Create an internet NEG that points to the existing FQDN of the application. - Map the NEG to a passthrough Network Load Balancer as a backend service. - Enable Cloud CDN on the backend service.
    D. - Create a hybrid NEG that points to the existing IP of the application. - Map the NEG to an Application Load Balancer as a backend service. - Enable Cloud CDN on the backend service.

  • Question 276:

    You are reviewing and tuning Secure Web Proxy at your organization, Mount Kirk Games. Users have reported that they are unable to reach the documents they need on the Terram Earth website (https://www.terramearth.com/docs/*). The Secure Web Proxy rules configuration is as follows:

    You need to enable access to these documents.

    What should you do?

    A. Delete the updates-limiter rule.
    B. Modify the updates-1 rule to perform the TLS inspection.
    C. Review Cloud Logging for errors with Cloud NAT. If there are no errors, assign the VM a public IP address.
    D. Modify the priority of the updates-limiter rule to 1000.

  • Question 277:

    You are assisting two independent development teams within your organization.

    - The first team manages a project (project-dev-a) with a VPC (vpc-a) hosting a critical backend microservice.

    - The second team manages a separate project (project-dev-b) with a VPC (vpc-b) hosting a frontend application that heavily consumes data from the backend microservice. Both teams require secure, high-bandwidth, bi-directional connectivity, and low-latency communication between their applications, while minimizing operational overhead. Neither team wants to centralize their VPC management under a single Shared VPC host project. You need to implement a decentralized VPC management strategy.

    What should you do?

    A. Configure a VPC Network Peering connection between the two VPCs.
    B. Setup Cloud VPN tunnels between the two VPCs.
    C. Create a Network Connectivity Center hub and register both VPCs as spokes.
    D. Use Private Service Connect endpoints.

  • Question 278:

    You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.

    Which BGP attribute should you use on your on-premises router?

    A. AS-Path
    B. Community
    C. Local Preference
    D. Multi-exit Discriminator

  • Question 279:

    You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem.

    What should you do?

    A. Apply an additional IAM role to the Google API's service account to allow custom mode networks.
    B. Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.
    C. Explicitly reference the custom mode networks in the Cloud Armor whitelist.
    D. Explicitly reference the custom mode networks in the Deployment Manager templates.

  • Question 280:

    You have provisioned a Cloud Interconnect connection with a VLAN attachment. You configured Border Gateway Protocol (BGP) between your on-premises router and your Cloud Router. After deploying and testing the connection, you discover that the BGP session is not established between your on-premises router and the Cloud Router.

    Which two actions should you take to resolve this issue? (Choose two.)

    A. From the Google Cloud console, run gcloud compute routers get-status <CLOUD_ROUTER_NAME> to verify the Address Resolution Protocol (ARP) learned.
    B. Verify that you have configured the on-premises router's subinterface with a subnet mask of /31.
    C. Verify that you have configured the on-premises router's eBGP multihop with a minimum hop length of 4.
    D. Verify that you have configured the on-premises router's BGP security parameters to use MD5 authentication.
    E. From the Google Cloud console, run gcloud compute interconnects get-diagnostics <INTERCONNECT_NAME> to verify the Address Resolution Protocol (ARP) learned.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.