PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 321:

    You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem.

    Which commands should you run?

    A. gcloud compute instances add-access-config instance-1
    B. gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS
    C. gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS
    D. gcloud compute health-checks update http health-check --unhealthy-threshold 10

  • Question 322:

    Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC.

    Which firewall rule should you configure to allow only this communication path?

    A. Firewall rule direction: ingress Action: allow Target: VM B service account Source ranges: VM A service account Priority: 1000
    B. Firewall rule direction: ingress Action: allow Target: specific VM B tag Source ranges: VM A tag and VM A source IP address Priority: 1000
    C. Firewall rule direction: ingress Action: allow Target: VM A service account Source ranges: VM B service account and VM B source IP address Priority: 100
    D. Firewall rule direction: ingress Action: allow Target: specific VM A tag Source ranges: VM B tag and VM B source IP address Priority: 100

  • Question 323:

    You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

    Which connection type should you choose?

    A. Carrier Peering
    B. Direct Peering
    C. Dedicated Interconnect
    D. Partner Interconnect

  • Question 324:

    You are integrating your company's on-premises SD-WAN fabric with Google Cloud to route traffic from application VPCs to your on-premises network. The SD-WAN appliance is already deployed as a virtual machine in a central hub VPC.

    You want to minimize operational complexity by using the SD-WAN virtual appliance for policy enforcement and dynamic route exchange.

    What should you do?

    A. Place the SD-WAN appliance that is in the hub VPC in a backend service behind an internal passthrough Network Load Balancer. Create a custom route in the spoke VPC that uses the load balancer as the next hop.
    B. Establish a direct HA VPN connection from the application VPCs to the on-premises data center, and configure BGP to exchange dynamic routes directly.
    C. Create a Network Connectivity Center hub in the hub VPC, and register the SD-WAN virtual machine as a router appliance hybrid spoke. Add the application networks to the hub as VPC spokes.
    D. Peer the central hub and application VPCs. Create a static route in the application VPCs for the on-premises CIDR range with the next-hop set to the internal IP address of the SD-WAN appliance.

  • Question 325:

    You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost.

    What should you do?

    A. Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
    B. Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices.
    C. Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
    D. Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.

  • Question 326:

    You create multiple Compute Engine virtual machine instances to be used as TFTP servers.

    Which type of load balancer should you use?

    A. HTTP(S) load balancer
    B. SSL proxy load balancer
    C. TCP proxy load balancer
    D. Network load balancer

  • Question 327:

    Your company's current network deployment consists of:

    - One physical branch office in CITY_A.

    - One physical branch office in CITY_B.

    - One VPC with two compute instances (SDWAN_ONE, SDWAN_TWO) that act as SDWAN hubs for the two branch offices and provide applications running in the branch offices access to the databases deployed in the VPC. The databases are deployed on compute instances. The CITY_A branch office has an SDWAN tunnel to the SDWAN_ONE compute instance.

    The CITY_B branch office has an SDWAN tunnel to the SDWAN_TWO compute instance. All tunnels run over the public internet. You are notified that the applications in the CITY_A branch office are excessively slow. You need to determine if this behavior is network related. You must leverage a procedure that requires the least amount of setup effort and cost.

    What should you do?

    A. Enable VPC Flow Logs on the SDWAN_ONE compute instance and the compute instances of the databases. Investigate the rtt_msec metadata in the VPC Flow Logs.
    B. SSH into the SDWAN_ONE compute instance and analyze the situation using the troubleshooting commands provided within the SDWAN_ONE operating system.
    C. Use Network Intelligence Center to run a connectivity test between the SDWAN_ONE compute instance and the public IP address of the SDWAN hub that is located in the CITY_A branch.
    D. Review the Performance Dashboard in Network Intelligence Center. Analyze packet loss and latency between the SDWAN_ONE compute instance and the databases' compute instances. Analyze latency over the internet between CITY_A and the SDWAN_ONE compute instance.

  • Question 328:

    Your company uses web application firewall (WAF) capabilities from a third-party cloud WAF provider. This WAF provider proxies all the HTTPS connections from internet clients, applies security policies, and then opens a new HTTPS connection to the public IP address of your global Application Load Balancer in Google Cloud. Your Google Cloud workloads are the backend of this global Application Load Balancer. Currently, Cloud Am1or is not configured. You need to

    create a Cloud Armor security policy that blocks sessions that originate from internet clients with source IP addresses that belong to the IP_RANGE_BLOCK IP range. The block must be executed by the Cloud Armor security policy; it will not

    be done by the third-party cloud WAF provider.

    What should you do?

    A. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute.2. Add a policy rule that denies traffic that matches inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads.
    B. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads.
    C. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders [] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads.
    D. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders [] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads.

  • Question 329:

    You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.

    Which connectivity model should you use?

    A. Direct Peering
    B. Dedicated Interconnect
    C. Partner Interconnect with a layer 2 partner
    D. Partner Interconnect with a layer 3 partner

  • Question 330:

    Recently, your networking team enabled Cloud CDN for one of the external-facing services that is exposed through an external Application Load Balancer. The application team has already defined which content should be cached within the responses. Upon testing the load balancer, you did not observe any change in performance after the Cloud CDN enablement. You need to resolve the issue.

    What should you do?

    A. Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends.
    B. Configure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached.
    C. Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses to requests from the backends.
    D. Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN cache content depending on responses to requests from the backends.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.