You work for a multinational enterprise that is moving to GCP.
These are the cloud requirements:
1. An on-premises data center located in the United States in Oregon and New York with Dedicated Interconnects connected to Cloud regions us-west1 (primary HQ) and us-east4 (backup)
2. Multiple regional offices in Europe and APAC
3. Regional data processing is required in europe-west1 and australia-southeast1
4. Centralized Network Administration Team
Your security and compliance team requires a virtual inline security appliance to perform L7 inspection for URL filtering. You want to deploy the appliance in us-west1.
What should you do?
A. Create 2 VPCs in a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Host Project. Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
B. Create 2 VPCs in a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Service Project. Attach NIC0 in VPC #1 us-west1 subnet of the Host Project. Attach NIC1 in VPC #2 us-west1 subnet of the Host Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
C. Create 1 VPC in a Shared VPC Host Project. Configure a 2-NIC instance in zone us-west1-a in the Host Project. Attach NIC0 in us-west1 subnet of the Host Project. Attach NIC1 in us-west1 subnet of the Host Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
D. Create 1 VPC in a Shared VPC Service Project. Configure a 2-NIC instance in zone us-west1-a in the Service Project. Attach NIC0 in us-west1 subnet of the Service Project. Attach NIC1 in us-west1 subnet of the Service Project. Deploy the instance. Configure the necessary routes and firewall rules to pass traffic through the instance.
You are planning to use Terraform to deploy the Google Cloud infrastructure for your company. The design must meet the following requirements:
1. Each Google Cloud project must represent an internal project that your team will work on.
2. After an internal project is finished, the infrastructure must be deleted.
3. Each internal project must have its own Google Cloud project owner to manage the Google Cloud resources.
4. You have 10-100 projects deployed at a time.
While you are writing the Terraform code, you need to ensure that the deployment is simple, and the code is reusable with centralized management. What should you do?
A. Create a single project and additional VPCs for each internal project
B. Create a single project and single VPC for each internal project
C. Create a single Shared VPC and attach each Google Cloud project as a service project
D. Create a Shared VPC and service project for each internal project
You are designing a hybrid cloud environment. Your Google Cloud environment is interconnected with your on-premises network using HA VPN and Cloud Router in a central transit hub VPC. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88. You need to ensure that your Compute Engine resources in multiple spoke VPCs can resolve on-premises private hostnames using the domain corp.altostrat.com while also resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
A. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. Configure VPC peering in the spoke VPCs to peer with the hub VPC.
B. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
C. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the on-premises network directly.
D. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Associate the zone with the hub VPC. Create a private peering zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com associated with the spoke VPCs, with the hub VPC as the target. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19. Create a hub-and-spoke VPN deployment in each spoke VPC to connect back to the hub VPC.
You want to use Partner Interconnect to connect your on-premises network with your VPC. You already have an Interconnect partner.
What should you do first?
A. Log in to your partner's portal and request the VLAN attachment there.
B. Ask your Interconnect partner to provision a physical connection to Google.
C. Create a Partner Interconnect type VLAN attachment in the GCP Console and retrieve the pairing key.
D. Run gcloud compute interconnect attachments partner update
You are in the process of deploying an internal HTTP(S) load balancer for your web server virtual machine (VM) instances. What two prerequisite tasks must be completed before creating the load balancer?
Choose 2 answers
A. Choose a region.
B. Create firewall rules for health checks.
C. Reserve a static IP address for the load balancer.
D. Determine the subnet mask for a proxy-only subnet.
E. Determine the subnet mask for Serverless VPC Access.
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?
A. Assign each user the editor role.
B. Assign each user the compute.networkAdmin role.
C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.
What should you do?
A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identify the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?
A. Enable firewall logs, and view the logs in Firewall Insights.
B. Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
C. Enable VPC Flow Logs, and view the logs in Cloud Logging.
D. Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.
You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):
You need to update the firewall rule to add the following rule to the ruleset:
You are using a new user account. You must assign the appropriate Identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?
A. Assign the compute.securityAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
B. Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
C. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
D. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via TCP on port 700. You want to ensure high availability for this application. What should you do?
A. Create a network load balancer that uses backend services containing one instance group with two instances.
B. Create a network load balancer that uses a target pool backend with two instances.
C. Create a TCP proxy that uses a zonal network endpoint group containing one instance.
D. Create a TCP proxy that uses backend services containing an instance group with two instances.