PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 21:

    You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.

    How should you configure the Distribution VPC?

    A. Create the Distribution VPC in auto mode. Peer both the VPCs via network peering.
    B. Create the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
    C. Create the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
    D. Rename the default VPC as "Distribution" and peer it via network peering.

  • Question 22:

    Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.

    How should you set up permissions for the networking team?

    A. Assign members of the networking team the compute.networkUser role.
    B. Assign members of the networking team the compute.networkAdmin role.
    C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
    D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

  • Question 23:

    Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet.

    What should you do?

    A. Use the default public domains for all Google APIs and services.
    B. Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.
    C. Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.
    D. Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

  • Question 24:

    Your organization has a subset of applications in multiple regions that require internet access. You need to control internet access from applications to URLs, including hostnames and paths. The compute instances that run these applications have an associated secure tag.

    What should you do?

    A. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match a service account.
    B. Deploy a Cloud NAT gateway. Use fully qualified domain name (FQDN) objects in the firewall policy rules to filter outgoing traffic to specific domains from machines that match the secure tag.
    C. Deploy a single Secure Web Proxy instance with global access enabled. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.
    D. Deploy a Secure Web Proxy instance in each region. Apply a Secure Web Proxy policy to allow access from machines that match the secure tag to the URLs defined in a URL list.

  • Question 25:

    Users in one subnet cannot connect to an internal application in another subnet. You need to determine whether the failure is caused by routes, firewall rules, or other Google Cloud network configuration.

    What should you use first?

    A. Connectivity Tests in Network Intelligence Center.
    B. Cloud Billing export.
    C. Cloud DNS DNSSEC validation.
    D. Object change notifications on the application bucket.

  • Question 26:

    As part of your organization's modernization efforts, the application teams are migrating services to GKE on Google Cloud (GKE). The GKE clusters will live in service projects. The teams have validated the applications and configurations in their sandbox projects.

    When moving to production, you noticed that GKE nodes were not being created. Users were able to create Compute Engine instances, but the operation failed when they tried to create a GKE cluster. You need to enable the application teams so they can create said GKE clusters.

    What should you do?

    A. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project.
    B. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostserviceAgentUser and compute.networkUser IAM permissions in the service project.
    C. Ensure that the service project's GKE service account has the compute.networkUser IAM permission in the service project.
    D. Review the firewall rules configuration in the VPC. Identify what rule is blocking node creation.

  • Question 27:

    You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements: All access to your on-premises network must go through the network virtual appliances. Allow on-premises access in the event of a single network virtual appliance failure. Both network virtual appliances must be used simultaneously.

    Which method should you use to accomplish this?

    A. Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.
    B. Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.
    C. Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0/8 with the network load balancer as the next hop.
    D. Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.

  • Question 28:

    You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules. Always allow Secure Shell (SSH) from your corporate IP address. Restrict SSH access from all other IP addresses.

    There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team's requirements.

    What should you do?

    A. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority0.2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.
    B. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority0.2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.
    C. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority1.2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
    D. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 12. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

  • Question 29:

    Your organization uses a Shared VPC host project for production workloads. A service project team needs to deploy virtual machine instances into only one subnet in the Shared VPC. The team must not be able to modify routes, firewall policies, or other subnetworks. You need to follow the principle of least privilege.

    What should you do?

    A. Grant the team the Compute Network Admin role on the host project.
    B. Grant the team the Compute Network User role on the required subnet in the host project.
    C. Grant the team the Shared VPC Admin role on the organization.
    D. Grant the team the Compute Security Admin role on the service project.

  • Question 30:

    Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks.

    What should you do?

    A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
    B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
    C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
    D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.