Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 321:
You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem.
Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC.
Which firewall rule should you configure to allow only this communication path?
A. Firewall rule direction: ingress Action: allow Target: VM B service account Source ranges: VM A service account Priority: 1000 B. Firewall rule direction: ingress Action: allow Target: specific VM B tag Source ranges: VM A tag and VM A source IP address Priority: 1000 C. Firewall rule direction: ingress Action: allow Target: VM A service account Source ranges: VM B service account and VM B source IP address Priority: 100 D. Firewall rule direction: ingress Action: allow Target: specific VM A tag Source ranges: VM B tag and VM B source IP address Priority: 100
A. Firewall rule direction: ingress Action: allow Target: VM B service account Source ranges: VM A service account Priority: 1000
Question 323:
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?
A. Carrier Peering B. Direct Peering C. Dedicated Interconnect D. Partner Interconnect
You are integrating your company's on-premises SD-WAN fabric with Google Cloud to route traffic from application VPCs to your on-premises network. The SD-WAN appliance is already deployed as a virtual machine in a central hub VPC.
You want to minimize operational complexity by using the SD-WAN virtual appliance for policy enforcement and dynamic route exchange.
What should you do?
A. Place the SD-WAN appliance that is in the hub VPC in a backend service behind an internal passthrough Network Load Balancer. Create a custom route in the spoke VPC that uses the load balancer as the next hop. B. Establish a direct HA VPN connection from the application VPCs to the on-premises data center, and configure BGP to exchange dynamic routes directly. C. Create a Network Connectivity Center hub in the hub VPC, and register the SD-WAN virtual machine as a router appliance hybrid spoke. Add the application networks to the hub as VPC spokes. D. Peer the central hub and application VPCs. Create a static route in the application VPCs for the on-premises CIDR range with the next-hop set to the internal IP address of the SD-WAN appliance.
C. Create a Network Connectivity Center hub in the hub VPC, and register the SD-WAN virtual machine as a router appliance hybrid spoke. Add the application networks to the hub as VPC spokes.
Explanation
Network Connectivity Center supports integrating third-party routing appliances by registering the SD-WAN VM as a router appliance spoke and attaching application VPCs as VPC spokes. This centralizes policy enforcement on the SD-WAN appliance and enables dynamic route exchange through NCC with minimal operational overhead compared to managing multiple direct VPNs or static routing across peerings.
Question 325:
You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use Cloud Run and Cloud Functions to access the microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to communicate with any of your microservices. You want to implement a solution that minimizes cost.
What should you do?
A. Deploy your serverless services to the serverless VPC. Peer the serverless service VPC to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices. B. Create a serverless VPC access connector for each serverless service. Configure the connectors to allow traffic between the serverless services and your existing microservices. C. Deploy your serverless services to the existing VPC. Configure firewall rules to allow traffic between the serverless services and your existing microservices. D. Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.
D. Create a serverless VPC access connector. Configure the serverless service to use the connector for communication to the microservices.
Question 326:
You create multiple Compute Engine virtual machine instances to be used as TFTP servers.
Which type of load balancer should you use?
A. HTTP(S) load balancer B. SSL proxy load balancer C. TCP proxy load balancer D. Network load balancer
D. Network load balancer
Question 327:
Your company's current network deployment consists of:
- One physical branch office in CITY_A.
- One physical branch office in CITY_B.
- One VPC with two compute instances (SDWAN_ONE, SDWAN_TWO) that act as SDWAN hubs for the two branch offices and provide applications running in the branch offices access to the databases deployed in the VPC. The databases are deployed on compute instances. The CITY_A branch office has an SDWAN tunnel to the SDWAN_ONE compute instance.
The CITY_B branch office has an SDWAN tunnel to the SDWAN_TWO compute instance. All tunnels run over the public internet. You are notified that the applications in the CITY_A branch office are excessively slow. You need to determine if this behavior is network related. You must leverage a procedure that requires the least amount of setup effort and cost.
What should you do?
A. Enable VPC Flow Logs on the SDWAN_ONE compute instance and the compute instances of the databases. Investigate the rtt_msec metadata in the VPC Flow Logs. B. SSH into the SDWAN_ONE compute instance and analyze the situation using the troubleshooting commands provided within the SDWAN_ONE operating system. C. Use Network Intelligence Center to run a connectivity test between the SDWAN_ONE compute instance and the public IP address of the SDWAN hub that is located in the CITY_A branch. D. Review the Performance Dashboard in Network Intelligence Center. Analyze packet loss and latency between the SDWAN_ONE compute instance and the databases' compute instances. Analyze latency over the internet between CITY_A and the SDWAN_ONE compute instance.
D. Review the Performance Dashboard in Network Intelligence Center. Analyze packet loss and latency between the SDWAN_ONE compute instance and the databases' compute instances. Analyze latency over the internet between CITY_A and the SDWAN_ONE compute instance.
Explanation
Performance Dashboard in Network Intelligence Center is the lowest-effort and lowest-cost option because it provides built-in visibility into packet loss and latency without requiring you to log in to the SD-WAN VM or deploy extra tooling.
Google documents that Performance Dashboard shows latency and packet loss for Google Cloud network paths, and it also includes latency metrics between VMs and internet endpoints, which fits this scenario where the branch tunnels terminate on public-facing SD-WAN hub instances. That lets you check both the path from SDWAN_ONE to the database VMs inside Google Cloud and the internet-facing path relevant to CITY_A traffic.
Your company uses web application firewall (WAF) capabilities from a third-party cloud WAF provider. This WAF provider proxies all the HTTPS connections from internet clients, applies security policies, and then opens a new HTTPS connection to the public IP address of your global Application Load Balancer in Google Cloud. Your Google Cloud workloads are the backend of this global Application Load Balancer. Currently, Cloud Am1or is not configured. You need to
create a Cloud Armor security policy that blocks sessions that originate from internet clients with source IP addresses that belong to the IP_RANGE_BLOCK IP range. The block must be executed by the Cloud Armor security policy; it will not
be done by the third-party cloud WAF provider.
What should you do?
A. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute.2. Add a policy rule that denies traffic that matches inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads. B. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads. C. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders [] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads. D. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders [] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads.
C. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders [] attribute.2. Add a policy rule that denies traffic that matches the inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement.3. Apply the policy to the backend service that includes all your Google Cloud workloads.
Explanation
A backend security policy is required because the Cloud Armor rules must apply to traffic after it passes through the third-party WAF and reaches the backend service. The userIpRequestHeaders[] attribute extracts the original client IP from headers inserted by the WAF (e.g., X-Forwarded-For). The rule checks if the client's IP falls within the IP_RANGE_BLOCK range and denies the traffic. This ensures Cloud Armor blocks traffic based on the actual client IP, as the third-party WAF creates a new connection using its IP for proxied traffic.
Question 329:
You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.
Which connectivity model should you use?
A. Direct Peering B. Dedicated Interconnect C. Partner Interconnect with a layer 2 partner D. Partner Interconnect with a layer 3 partner
D. Partner Interconnect with a layer 3 partner
Question 330:
Recently, your networking team enabled Cloud CDN for one of the external-facing services that is exposed through an external Application Load Balancer. The application team has already defined which content should be cached within the responses. Upon testing the load balancer, you did not observe any change in performance after the Cloud CDN enablement. You need to resolve the issue.
What should you do?
A. Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends. B. Configure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached. C. Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses to requests from the backends. D. Configure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN cache content depending on responses to requests from the backends.
C. Configure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses to requests from the backends.
Explanation
For Cloud CDN to cache content effectively, the backend application must include appropriate HTTP caching headers, such as Cache-Control or Expires, in its responses. By configuring the USE_ORIGIN_HEADERS caching mode, Cloud CDN will honor these headers, ensuring that the defined content is cached and served correctly.
If the backend has already defined the caching behavior through headers, this configuration ensures that the CDN respects the backend's caching rules, avoiding unnecessary caching or bypassing the application's control over cache behavior. This resolves the issue while aligning with the application's defined behavior.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.