You have provisioned a Partner Interconnect connection to extend connectivity from your on-premises data center to Google Cloud. You need to configure a Cloud Router and create a VLAN attachment to connect to resources inside your VPC. You need to configure an Autonomous System number (ASN) to use with the associated Cloud Router and create the VLAN attachment.
What should you do?
A. Use a 4-byte private ASN 4200000000-4294967294.
B. Use a 2-byte private ASN 64512-65535.
C. Use a public Google ASN 15169.
D. Use a public Google ASN 16550.
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
A. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
B. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
C. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
D. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?
A. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server. Configure DNS peering from the spoke VPCs to the hub VPC.
B. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
C. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server. Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.
D. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?
A. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.
B. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the services across multiple private GKE clusters.
C. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --enable-ip-alias and --enable-private-nodes.
D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.
Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)
A. Configure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.
B. Create a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.
C. Use the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.
D. Use the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.
E. Configure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.
1. Each organization has enabled full connectivity between all of its projects by using Shared VPC.
2. Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
3. There are no prefix overlaps between the two organizations.
4. Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
5. Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.
Which two steps should you take? (Choose two.)
A. Provision Cloud Interconnect to connect both organizations together.
B. Set up some variant of DNS forwarding and zone transfers in each organization.
C. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
D. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
E. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.
You are configuring a new instance of Cloud Router in your Organization's Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center. Sales, Marketing, and IT each have a service project attached to the Organization's host project.
Where should you create the Cloud Router instance?
A. VPC network in all projects
B. VPC network in the IT Project
C. VPC network in the Host Project
D. VPC network in the Sales, Marketing, and IT Projects
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
A. Assign members of the networking team the compute.networkUser role.
B. Assign members of the networking team the compute.networkAdmin role.
C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
You have the networking configuration shown. In the diagram, two VLAN attachments associated with two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BGP) sessions associated with each of the VLAN attachments.
You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?
A. From the Google Cloud console, navigate to Hybrid Connectivity, select the Cloud Router, and view BGP sessions.
B. From the Cloud CLI, run gcloud compute --project PROJECT_ID router get-status mycloudrouter --region REGION and review the results.
C. From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results.
D. From the Cloud CLI, run gcloud compute routers describe mycloudrouter --region REGION and review the results.
In your Google Cloud organization, you have two folders: Dev and Prod. You want a scalable and consistent way to enforce the following firewall rules for all virtual machines (VMs) with minimal cost:
Port 8080 should always be open for VMs in the projects in the Dev folder.
Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.
What should you do?
A. Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.
B. Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.
C. In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.
D. Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.