Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 271:
In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.
Which two steps should you take? (Choose two.)
A. Connect both projects using Cloud VPN. B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering. C. Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project. D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa. E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering. D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
Question 272:
You are using Network Connectivity Center and you already have the hub configured. All VPCs in your environment need to have network connectivity to each other. All the subnet ranges are unique. You need to configure your topology accordingly.
What should you do?
A. Configure a star topology, add the VPC spokes to the hub, and specify all subnet ranges in the excludeExportRanges filter. B. Configure a mesh topology, add the VPC spokes to the hub, and specify all subnet ranges in the excludeExportRanges filter. C. Configure a mesh topology, and add the VPC spokes to the hub. D. Configure a star topology, and add the VPC spokes to the hub.
D. Configure a star topology, and add the VPC spokes to the hub.
Explanation
In a Network Connectivity Center (NCC) setup where all VPCs in your environment need connectivity to each other, and the subnet ranges are unique, the recommended approach is to configure a star topology Star topology with a central hub: In a star topology, all VPC spokes are connected to a central hub. This simplifies network management and ensures that all VPCs can communicate with each other by routing traffic through the hub. NCC's hub-and-spoke model is designed for this kind of centralized connectivity. Unique subnet ranges: Since all subnet ranges are unique, there are no IP conflicts, and route exchange between VPCs via the hub works seamlessly. There is no need to filter or exclude subnets using excludeExportRanges. Simplifies routing: In a star topology, routes are automatically propagated between VPCs through the hub, making it easier to manage and scale the network. Why not mesh topology? A mesh topology involves direct connections between all VPCs, which becomes complex and harder to manage as the number of VPCs grows. In this case, a star topology provides a simpler and more scalable solution. By adding all VPC spokes to the hub, you enable full connectivity between the VPCs while maintaining a manageable and scalable network design.
Question 273:
Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected.
What should you do?
A. Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs. B. Use Cloud NGFW Essentials. Create a firewall rule for egress traffic, and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities. C. Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content. D. Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the --tls-inspect flag, and associate the firewall rules with the VMs.
D. Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the --tls-inspect flag, and associate the firewall rules with the VMs.
Explanation
To inspect encrypted TLS traffic, Google Cloud's Cloud NGFW Enterprise is the appropriate solution. Cloud NGFW (Next-Generation Firewall) offers TLS inspection capabilities, allowing you to inspect outbound TLS traffic from VMs. By creating a firewall rule for egress traffic with the --tls-inspect flag, you ensure that TLS traffic is decrypted and analyzed for potential malicious activity before it reaches external destinations.
Question 274:
You are attempting to establish a HA VPN to your on-premises network; however, the VPN connection is not establishing successfully. You have full administrative control over the Google Cloud networking environment and the on-premises firewalls that are acting as the VPN devices. The Google Cloud console shows "Negotiation failure" and "BGP is down". You check Cloud Logging by using a query for resource.type="vpn_gateway" and resource.labels.gateway_id="TUNNEL_ID_NUMBER". Logs Explorer shows frequent log entries:
log name:.../logs/cloud.googleapis.com%2Fipsec_events" type: "vpn_gateway" textPayload: "received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built" You need to troubleshoot the VPN failure and take corrective action based on the Cloud Logging entries.
What should you do?
A. Update the Google Cloud BGP session configuration to match the BGP peer ASN on the on-premises side. B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN. C. Create a new Cloud VPN gateway in a region closer to the peer VPN gateway. D. Compare the Phase 1 settings and recreate the Cloud VPN tunnel by choosing a different IKE version and pre-shared key.
B. Compare and review the Phase 2 settings on the on-premises firewall. Make sure the settings match one of the supported cipher suites for HA VPN.
Explanation
The error received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built indicates a mismatch in Phase 2 settings during IPsec negotiation. This happens when the encryption or hashing algorithms, Diffie-Hellman groups, or other Phase 2 parameters configured on the on-premises firewall do not match those configured for the HA VPN on Google Cloud.
1. Phase 2 Settings (Child SA): These settings determine the parameters for securing the actual traffic. They must match on both sides of the VPN (on-premises and Google Cloud) for the connection to establish successfully.
2. Supported Cipher Suites: HA VPN has specific supported cipher suites for Phase 2, which must be adhered to when configuring the on-premises firewall.
3. Action: Review and update the Phase 2 settings on the on-premises firewall to ensure they match Google Cloud's HA VPN requirements.
Question 275:
Your organization is migrating workloads from AWS to Google Cloud. Because a particularly critical workload will take longer to migrate, you need to set up Google Cloud CDN and point it to the existing application at AWS.
What should you do?
A. - Create an internet NEG that points to the existing FQDN of the application. - Map the NEG to an Application Load Balancer as a backend service. - Enable Cloud CDN on the backend service. B. - Create a hybrid NEG that points to the existing IP of the application. - Map the NEG to a passthrough Network Load Balancer as a target pool. - Enable Cloud CDN on the target pool. C. - Create an internet NEG that points to the existing FQDN of the application. - Map the NEG to a passthrough Network Load Balancer as a backend service. - Enable Cloud CDN on the backend service. D. - Create a hybrid NEG that points to the existing IP of the application. - Map the NEG to an Application Load Balancer as a backend service. - Enable Cloud CDN on the backend service.
A. - Create an internet NEG that points to the existing FQDN of the application. - Map the NEG to an Application Load Balancer as a backend service. - Enable Cloud CDN on the backend service.
Explanation
An internet NEG allows Google Cloud to use an external FQDN as a backend, making it ideal for pointing to an application still running in AWS. Mapping the internet NEG to an Application Load Balancer enables HTTP(S) traffic handling, and Cloud CDN can be enabled directly on the backend service to cache and accelerate content served from the AWS-hosted application.
Question 276:
You are reviewing and tuning Secure Web Proxy at your organization, Mount Kirk Games. Users have reported that they are unable to reach the documents they need on the Terram Earth website (https://www.terramearth.com/docs/*). The Secure Web Proxy rules configuration is as follows:
You need to enable access to these documents.
What should you do?
A. Delete the updates-limiter rule. B. Modify the updates-1 rule to perform the TLS inspection. C. Review Cloud Logging for errors with Cloud NAT. If there are no errors, assign the VM a public IP address. D. Modify the priority of the updates-limiter rule to 1000.
A. Delete the updates-limiter rule.
Explanation
The updates-limiter rule has a Deny action and matches the host
https://www.terramearth.com/docs/,
which includes the /docs/* path. This rule is preventing users from accessing the necessary documents on
https://www.terramearth.com/docs/*.
Since the updates-1 rule already explicitly allows access to the
https://www.terramearth.com/docs/host
with a path matching /docs/*, the updates-limiter rule is unnecessary and creates a conflict. By deleting the updates-limiter rule, the traffic will be allowed by the updates-1 rule, resolving the issue without affecting other rules in the Secure Web Proxy configuration.
Question 277:
You are assisting two independent development teams within your organization.
- The first team manages a project (project-dev-a) with a VPC (vpc-a) hosting a critical backend microservice.
- The second team manages a separate project (project-dev-b) with a VPC (vpc-b) hosting a frontend application that heavily consumes data from the backend microservice. Both teams require secure, high-bandwidth, bi-directional connectivity, and low-latency communication between their applications, while minimizing operational overhead. Neither team wants to centralize their VPC management under a single Shared VPC host project. You need to implement a decentralized VPC management strategy.
What should you do?
A. Configure a VPC Network Peering connection between the two VPCs. B. Setup Cloud VPN tunnels between the two VPCs. C. Create a Network Connectivity Center hub and register both VPCs as spokes. D. Use Private Service Connect endpoints.
A. Configure a VPC Network Peering connection between the two VPCs.
Explanation
VPC Network Peering is the recommended option for direct, private communication between two independently managed VPCs in different projects when both sides need low-latency, high-bandwidth, bi-directional connectivity with minimal operational overhead. It works without moving either team to a Shared VPC model and lets resources in both VPCs communicate over Google's private network. Cloud VPN adds unnecessary tunnel and bandwidth overhead, Network Connectivity Center is primarily for connectivity management at larger scale rather than the simplest direct VPC-to-VPC data path, and Private Service Connect is intended for service publishing and consumption rather than general full bi-directional VPC connectivity.
Question 278:
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
A. AS-Path B. Community C. Local Preference D. Multi-exit Discriminator
You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem.
What should you do?
A. Apply an additional IAM role to the Google API's service account to allow custom mode networks. B. Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks. C. Explicitly reference the custom mode networks in the Cloud Armor whitelist. D. Explicitly reference the custom mode networks in the Deployment Manager templates.
D. Explicitly reference the custom mode networks in the Deployment Manager templates.
Question 280:
You have provisioned a Cloud Interconnect connection with a VLAN attachment. You configured Border Gateway Protocol (BGP) between your on-premises router and your Cloud Router. After deploying and testing the connection, you discover that the BGP session is not established between your on-premises router and the Cloud Router.
Which two actions should you take to resolve this issue? (Choose two.)
A. From the Google Cloud console, run gcloud compute routers get-status <CLOUD_ROUTER_NAME> to verify the Address Resolution Protocol (ARP) learned. B. Verify that you have configured the on-premises router's subinterface with a subnet mask of /31. C. Verify that you have configured the on-premises router's eBGP multihop with a minimum hop length of 4. D. Verify that you have configured the on-premises router's BGP security parameters to use MD5 authentication. E. From the Google Cloud console, run gcloud compute interconnects get-diagnostics <INTERCONNECT_NAME> to verify the Address Resolution Protocol (ARP) learned.
A. From the Google Cloud console, run gcloud compute routers get-status <CLOUD_ROUTER_NAME> to verify the Address Resolution Protocol (ARP) learned. B. Verify that you have configured the on-premises router's subinterface with a subnet mask of /31.
Explanation
Verifying ARP with Cloud Router Status The gcloud compute routers get-status command checks the status of the Cloud Router, including its ARP entries. This helps confirm whether the Cloud Router has learned the ARP for the on- premises router, which is essential for establishing the BGP session. Subnet Mask Configuration When configuring the on-premises router's subinterface, a /31 subnet mask is required for point-to-point connectivity between your on-premises router and the Cloud Router. Incorrect subnet mask configurations are a common reason for BGP session failures.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.