Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 21:
You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?
A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering. B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering. C. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering. D. Rename the default VPC as "Distribution" and peer it via network peering.
B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
Explanation
References:
https://cloud.google.com/vpc/docs/using-vpc
Question 22:
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
A. Assign members of the networking team the compute.networkUser role. B. Assign members of the networking team the compute.networkAdmin role. C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions. D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
B. Assign members of the networking team the compute.networkAdmin role.
Explanation
References:
https://cloud.google.com/compute/docs/access/iam
Question 23:
Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet.
What should you do?
A. Use the default public domains for all Google APIs and services. B. Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services. C. Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services. D. Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.
B. Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.
Question 24:
Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag.
What should you do?
A. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account. B. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag. C. Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list. D. Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
D. Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
Explanation
Secure Web Proxy (SWP) is the appropriate solution for controlling internet access from applications based on specific URLs, including hostnames and paths. Since the applications are in multiple regions, you need to deploy an SWP instance in each region to ensure low latency and efficient routing of traffic to the internet.
The secure tag associated with the compute instances allows you to apply the SWP policy only to the desired instances. The SWP policy can define URL lists that specify which URLs the applications are allowed to access, providing granular control over outbound internet access. This approach ensures compliance with organizational requirements while maintaining security and performance across multiple regions.
Question 25:
Users in one subnet cannot connect to an internal application in another subnet. You need to determine whether the failure is caused by routes, firewall rules, or other Google Cloud network configuration.
What should you use first?
A. Connectivity Tests in Network Intelligence Center. B. Cloud Billing export. C. Cloud DNS DNSSEC validation. D. Object change notifications on the application bucket.
A. Connectivity Tests in Network Intelligence Center.
Explanation
Connectivity Tests can analyze reachability between endpoints and identify issues such as route, firewall, and configuration problems. It is designed for diagnosing common network connectivity failures in Google Cloud. Cloud Billing export does not diagnose packet reachability. DNSSEC validation protects DNS integrity and does not determine whether firewall or route configuration blocks a connection. Object change notifications are unrelated to VPC connectivity.
Question 26:
As part of your organization's modernization efforts, the application teams are migrating services to GKE on Google Cloud (GKE). The GKE clusters will live in service projects. The teams have validated the applications and configurations in their sandbox projects.
When moving to production, you noticed that GKE nodes were not being created. Users were able to create Compute Engine instances, but the operation failed when they tried to create a GKE cluster. You need to enable the application teams so they can create said GKE clusters.
What should you do?
A. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project. B. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostserviceAgentUser and compute.networkUser IAM permissions in the service project. C. Ensure that the service project's GKE service account has the compute.networkUser IAM permission in the service project. D. Review the firewall rules configuration in the VPC. Identify what rule is blocking node creation.
A. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project.
Explanation
When using a shared VPC architecture in Google Cloud, GKE clusters in service projects depend on permissions in the host project for networking and other resources. The GKE service account requires specific permissions in the host project to successfully create nodes for the cluster. compute.securityAdmin Allows the GKE service account to manage security-related configurations, such as creating firewall rules in the host project's VPC. container.hostServiceAgentUser Grants the GKE service account access to the GKE-managed service account, enabling cluster management in the shared VPC setup. compute.networkUser Allows the GKE service account to use subnets in the host project's VPC for creating cluster nodes.
These permissions must be assigned in the host project because the shared VPC resides there, and the GKE cluster in the service project interacts with the host project's network resources. Without these permissions, node creation will fail, even if Compute Engine instances are being successfully created.
Question 27:
You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements: All access to your on-premises network must go through the network virtual appliances. Allow on-premises access in the event of a single network virtual appliance failure. Both network virtual appliances must be used simultaneously.
Which method should you use to accomplish this?
A. Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances. B. Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop. C. Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop. D. Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.
D. Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.
Question 28:
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules. Always allow Secure Shell (SSH) from your corporate IP address. Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team's requirements.
What should you do?
A. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority0.2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1. B. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority0.2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1. C. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority1.2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0. D. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 12. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.
A. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority0.2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.
Question 29:
Your organization uses a Shared VPC host project for production workloads. A service project team needs to deploy virtual machine instances into only one subnet in the Shared VPC. The team must not be able to modify routes, firewall policies, or other subnetworks. You need to follow the principle of least privilege.
What should you do?
A. Grant the team the Compute Network Admin role on the host project. B. Grant the team the Compute Network User role on the required subnet in the host project. C. Grant the team the Shared VPC Admin role on the organization. D. Grant the team the Compute Security Admin role on the service project.
B. Grant the team the Compute Network User role on the required subnet in the host project.
Explanation
The Compute Network User role can be granted at the subnet level in a Shared VPC host project so that principals in a service project can attach resources to that subnet. This provides the required ability without allowing route, firewall, or network administration. Compute Network Admin and Shared VPC Admin provide broader permissions than required. Compute Security Admin is used for security resources such as firewall rules and does not grant the subnet attachment permission needed by the workload team.
Question 30:
Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks.
What should you do?
A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery. B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges. C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks. D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.