Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 31:
Your company runs an enterprise platform on-premises using virtual machines (VMs). Your internet customers have created tens of thousands of DNS domains pointing to your public IP addresses allocated to the VMs. Typically, your customers hard-code your IP addresses in their DNS records. You are now planning to migrate the platform to Compute Engine and you want to use Bring Your Own IP. You want to minimize disruption to the platform.
What should you do?
A. Create a VPC and request static external IP addresses from Google Cloud. Assign the IP addresses to the Compute Engine instances. Notify your customers of the new IP addresses so they can update their DNS records. B. Verify ownership of your IP addresses. After the verification, Google Cloud advertises and provisions the IP prefix for you. Assign the IP addresses to the Compute Engine instances. C. Create a VPC with the same IP address range as your on-premises network. Assign the IP addresses to the Compute Engine instances. D. Verify ownership of your IP addresses. Use live migration to import the prefix. Assign the IP addresses to the Compute Engine instances.
B. Verify ownership of your IP addresses. After the verification, Google Cloud advertises and provisions the IP prefix for you. Assign the IP addresses to the Compute Engine instances.
Explanation
To minimize disruption and ensure continuity of service when migrating to Google Cloud using
Bring Your Own IP (BYOIP):
Verify Ownership: Google Cloud requires you to verify that you own the public IP addresses before they can advertise them on behalf of your organization. This process involves proving that you control the IP prefix through mechanisms like WHOIS registration. Google Advertises the IP Prefix: Once ownership is verified, Google Cloud advertises your IP range globally, ensuring your existing customers' DNS records pointing to these IPs remain functional.
Assign IPs to Compute Engine Instances: After the prefix is provisioned, you can assign the IPs to the Compute Engine instances, maintaining continuity without requiring your customers to update their DNS records.
Question 32:
Your organization has a web-based application that is going to be migrated to Google Cloud from an on-premises environment. You need to set up Cloud CDN for the application migration. The application previously used a different CDN provider and is configured to respond with Cache-Control headers. You want to keep this configuration.
What should you do?
A. Don't configure Cloud CDN at all since the backend is already configured for caching. B. Use the automatic caching mechanism in Cloud CDN by configuring CACHE_ALL_STATIC cache mode. C. Migrate the website to a Cloud Storage bucket, and use its built-in caching. D. Configure USE_ORIGIN_HEADERS to honor the cache headers delivered by the origin.
D. Configure USE_ORIGIN_HEADERS to honor the cache headers delivered by the origin.
Explanation
Using USE_ORIGIN_HEADERS makes Cloud CDN respect the existing Cache-Control headers from the application, preserving the current caching behavior during migration and avoiding the need to change application-side caching logic.
Question 33:
Your on-premises applications connect to Google Cloud over Cloud Interconnect. They must access only Google APIs supported by VPC Service Controls, and the access path must use the restricted Google APIs VIP.
What should you configure?
A. DNS to resolve supported Google API names to restricted.googleapis.com, and routing that sends 199.36.153.4/30 through the Cloud Interconnect path. B. Cloud NAT on the on-premises router with an automatically allocated Google external IP address. C. A public forwarding rule for every Google API used by the on-premises applications. D. A VPC firewall rule that allows tcp:443 to 0.0.0.0/0 from the on-premises CIDR.
A. DNS to resolve supported Google API names to restricted.googleapis.com, and routing that sends 199.36.153.4/30 through the Cloud Interconnect path.
Explanation
Private access to supported Google APIs from on-premises with VPC Service Controls commonly uses DNS that maps API names to restricted.googleapis.com and routing for the restricted VIP range 199.36.153.4/30 over the hybrid connection. Cloud NAT is a Google Cloud VPC service for outbound NAT from private resources and does not run on the on-premises router. Creating public forwarding rules for Google APIs is not how Google API access is provided. A broad firewall allow rule does not restrict access to the VPC Service Controls-supported API VIP.
Question 34:
You are designing a Google Kubernetes Engine (GKE) cluster for a rapidly scaling microservices application. The application will have thousands of pods and hundreds of services. The application requires internal pod-to-pod communication and exposure of services internally. You want to follow Google's recommended approach to ensure efficient IP address utilization within your existing Virtual Private Cloud (VPC) subnet while leveraging Google Cloud's native networking capabilities.
What should you do?
A. Deploy a route-based GKE cluster and rely on GKE-managed routing tables for all pod and service communication. B. Allocate a primary IP address range for the entire cluster to encompass both node, pod, and service IP addresses. C. Configure the GKE cluster to use a VPC-native mode with the main subnets primary IP range for nodes, and separate secondary IP ranges for pods and services. D. Implement a mesh of Istio service proxies on every pod to manage all internal pod-to-pod communication and service discovery.
C. Configure the GKE cluster to use a VPC-native mode with the main subnets primary IP range for nodes, and separate secondary IP ranges for pods and services.
Explanation
Google's recommended model is a VPC-native GKE cluster. In this design, node IPs come from the subnet's primary range, while Pods and Services use separate secondary IP ranges implemented with alias IPs. This provides efficient IP address utilization and uses Google Cloud's native networking model for large-scale Pod and Service networking.
Question 35:
You are designing the networking for a Google Kubernetes Engine (GKE) cluster that will host an internal, employee-facing application. This application needs to be accessible from your on-premises corporate network and from specific internal VPC networks in Google Cloud. You need to design a highly available and scalable load balancing solution for ingress traffic with a cookie-based session affinity without exposing the application to the public internet.
What should you do?
A. Use a GKE Gateway controller with an internal HTTPS load balancer. Configure DNS records to point to the load balancer's internal IP address from your on-premises network and peered internal VPCs. B. Implement a GKE Service of type LoadBalancer to provision an internal TCP/UDP load balancer. Configure its forwarding rule to accept traffic from your internal VPC and on-premises IP ranges. C. Expose the application using a Service of type NodePort, and configure an on-premises load balancer to target all the GKE node IPs as its backend. D. Implement a GKE Service of type LoadBalancer to provision a regional TCP proxy load balancer. Apply firewall rules to restrict traffic to your internal source IP ranges.
A. Use a GKE Gateway controller with an internal HTTPS load balancer. Configure DNS records to point to the load balancer's internal IP address from your on-premises network and peered internal VPCs.
Explanation
An internal HTTPS Application Load Balancer via the GKE Gateway controller provides a scalable, highly available Layer 7 ingress for internal applications, supports HTTP cookie-based session affinity, and is not exposed to the public internet. Using an internal VIP allows controlled access from on-premises over private connectivity and from selected internal VPC networks.
Question 36:
You receive a report that several VPC firewall rules might never be used and one broad allow rule might be shadowing more specific deny rules.
Which tool should you use to identify these issues?
A. Firewall Insights. B. Cloud Trace. C. Cloud CDN logs. D. Cloud NAT port usage metrics only.
A. Firewall Insights.
Explanation
Firewall Insights is part of Network Intelligence Center and helps analyze firewall rule usage, including hit counts and shadowed rules. Cloud Trace is used for application latency tracing and does not analyze VPC firewall rule effectiveness.
Cloud CDN logs apply to cached content delivery. Cloud NAT metrics can show NAT behavior but do not identify unused or shadowed firewall rules.
Question 37:
Your organization uses Google Cloud's Network Connectivity Center. One of the VPC spokes contains subnet-corp-prod (10.10.1.0/24) and subnet-corp-test (192.168.1.0/24). You need to ensure that only the subnet-corp-prod range is advertised to the Network Connectivity Center hub, even if new subnets are created in the VPC. You want to use the most direct and precise method to control route advertisements from this spoke.
What should you do?
A. Create a custom static route in the Network Connectivity Center hub with the next hop as the VPC spoke for the 10.10.1.0/24 range. B. Add 192.168.1.0/24 to the exclude export ranges filter in the VPC spoke configuration. C. Set the include export ranges filter to 10.10.1.0/24 in the VPC Spoke configuration, and ensure no other ranges are included. D. Create a VPC firewall rule with a DENY action for the 192.168.1.0/24 range.
C. Set the include export ranges filter to 10.10.1.0/24 in the VPC Spoke configuration, and ensure no other ranges are included.
Explanation
Using the VPC spoke's include export ranges filter to specify 10.10.1.0/24 precisely controls which subnet prefixes are exported to the Network Connectivity Center hub. This approach ensures that only the intended production range is advertised, and any newly created subnets in the VPC are not exported unless explicitly added to the include list.
Question 38:
Your organization, TerramEarth, is launching a global application to manage credit card payments. There are some client VMs inside the same VPC as the application that need to access this application privately. Due to compliance requirements, the internal clients cannot use the global external IP address of the application. Currently, Cloud DNS only resolves myglobalapp.terramearth.com to the public IP address with a public zone. The clients will need to reach myglobalapp.example.com, without using its external IP address. You need to configure Cloud DNS to follow this requirement while following Google-recommended practices.
What should you do?
A. Create a sub-domain named internal.terramearth.com. Add the new DNS entry (myglobalapp.internal.terramearth.com) to the sub-domain pointing to the internal IP address from the application VM. B. Configure a query logic script inside Cloud DNS to check the source IP address from the VPC, and respond with a modified DNS record to include the internal IP address from the application VM. C. Configure a private zone for the application record (myglobalapp.terramearth.com) and point to the internal IP address of the application VM. Bind this zone to the VPC. D. Promote the ephemeral IP address from the application VM to static, add this static ip address to each internal client's host file, and change the myglobalapp.terramearth.com DNS record to this new static IP address.
C. Configure a private zone for the application record (myglobalapp.terramearth.com) and point to the internal IP address of the application VM. Bind this zone to the VPC.
Explanation
To meet the compliance requirement of using private connectivity for internal clients while adhering to Google-recommended practices: Create a private DNS zone in Cloud DNS for myglobalapp.terramearth.com and define an A record that resolves to the internal IP address of the application VM. Bind the private zone to the VPC where the internal clients and the application reside. This ensures that DNS queries from VMs in the VPC resolve myglobalapp.terramearth.com to the private IP address instead of the public IP address. With this setup, internal clients can access the application privately using its domain name while the public zone remains untouched for external users.
Question 39:
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?
A. Security Admin privileges from the Shared VPC Admin. B. Service Project Admin privileges from the Shared VPC Admin. C. Shared VPC Admin privileges from the Organization Admin. D. Organization Admin privileges from the Organization Admin.
A. Security Admin privileges from the Shared VPC Admin.
Explanation
References:
https://cloud.google.com/vpc/docs/shared-vpc
Question 40:
You are planning a large application deployment in Google Cloud that includes on-premises connectivity. The application requires direct connectivity between workloads in all regions and on-premises locations without address translation, but all RFC 1918 ranges are already in use in the on-premises locations.
What should you do?
A. Use multiple VPC networks with a transit network using VPC Network Peering. B. Use overlapping RFC 1918 ranges with multiple isolated VPC networks. C. Use overlapping RFC 1918 ranges with multiple isolated VPC networks and Cloud NAT. D. Use non-RFC 1918 ranges with a single global VPC.
D. Use non-RFC 1918 ranges with a single global VPC.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.