Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 41:
You are designing a Google Kubernetes Engine cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 Services. Because of the migration of new Services over the next two years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 Services. You want to use VPC-native clusters with alias IP address ranges, while minimizing address consumption.
How should you design this topology?
A. Create a subnet of size /28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the Services are ready to be deployed, resize the subnets. B. Use gcloud container clusters create [CLUSTER_NAME]--enable-ip-alias to create a VPC-native Cluster. C. Create a subnet of size /25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges. D. Use gcloud container clusters create [CLUSTER_NAME] to create a VPC-native Cluster.
C. Create a subnet of size /25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
Explanation
Provision a VPC subnet with a primary range large enough for your nodes (a /25 gives you 128 IPs, covering your planned 100-node cluster) and define two secondary alias-IP ranges sized for pods and services at full scale:
Pods: a /17 (32,766 addresses) easily accommodates 100 nodes x 200 pods = 20,000
Pods Services: a /21 (2,046 addresses) covers 1,500 Services.
Then create your VPC-native GKE cluster with --enable-ip-alias, pointing at those two secondary ranges. This setup minimizes wasted space while supporting both today's needs and two-year growth.
Question 42:
You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?
A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000. B. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000. C. Create a single firewall rule to allow port 22 with priority 1000. D. Create a single firewall rule to allow port 3389 with priority 1000.
C. Create a single firewall rule to allow port 22 with priority 1000.
Explanation
References:
https://geekflare.com/gcp-firewall-configuration/
Question 43:
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?
A. Grant the compute.instanceAdmin to your user account. B. Grant the iam.serviceAccountUser to your user account. C. Grant the read-only privilege to the service account for the Cloud Storage bucket. D. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
C. Grant the read-only privilege to the service account for the Cloud Storage bucket.
Question 44:
You are troubleshooting connectivity issues between Google Cloud and a public SaaS provider. Connectivity between the two environments is through the public internet. Your users are reporting intermittent connection errors when using
TCP to connect; however, ICMP tests show no failures. According to users, errors occur around the same time every day. You want to troubleshoot and gather information by using Google Cloud tools that are most likely to provide insights to what is occurring within Google Cloud.
What should you do?
A. Enable and review Cloud Logging for Cloud Armor. Look for logs with errors matching the destination IP address of the public SaaS provider. B. Enable and review Cloud Logging on your Cloud NAT gateway. Look for logs with errors matching the destination IP address of the public SaaS provider. C. Enable the Firewall Insights API. Set the deny rule insights observation period to one day. Review the insights to assure there are no firewall rules denying traffic. D. Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
D. Create a Connectivity Test by using TCP, the source IP address of your test VM, and the destination IP address of the public SaaS provider. Review the live data plane analysis and take the next steps based on the test results.
Explanation
Google Cloud's Connectivity Tests tool provides detailed insights into network paths and issues between Google Cloud resources and external endpoints. By creating a TCP-based connectivity test to the destination IP address of the SaaS provider, the engineer can: Analyze the full network path, including routing and firewall rules within Google Cloud. Identify issues such as misconfigured routes, firewalls, or NAT gateways. Gain insights into live traffic flows, which can help diagnose intermittent connectivity errors. Since ICMP is working, the issue may be protocol-specific (TCP). Connectivity Tests allow you to specifically test TCP connections and analyze the results, providing the most actionable insights for troubleshooting. This approach directly targets the problem and helps narrow down the root cause.
Question 45:
Your company's public domain, example.com, is managed using a public Cloud DNS zone. You need to enhance security and protect your users from DNS spoofing and cache poisoning attacks.
What should you do?
A. Request DNSSEC be enabled at your domain registrar, and then import the provided key-signing keys (KSKs) into the Cloud DNS zone. B. Attach a Google Cloud Armor security policy to the DNS zone to filter malicious queries and protect against DNS protocol-level attacks. C. Use Cloud NGFW network policies to allow only specific DNS domains into the VPC. D. Enable DNSSEC on the public Cloud DNS zone, and add the provided DS records to your domain registrar.
D. Enable DNSSEC on the public Cloud DNS zone, and add the provided DS records to your domain registrar.
Explanation
Enabling DNSSEC on the public Cloud DNS zone signs DNS responses so resolvers can validate authenticity and integrity, protecting against spoofing and cache poisoning. Publishing the DS records at the domain registrar establishes the chain of trust from the parent zone to your signed zone so clients can perform DNSSEC validation end-to-end.
Question 46:
Your team deployed two applications in GKE that are exposed through an external Application Load Balancer.
When queries are sent to www.mountkirkgames.com/sales and www.mountkirkgames.com/get-an-analysis, the correct pages are displayed. However, you have received complaints that www.mountkirkgames.com yields a 404 error. You need to resolve this error.
What should you do?
A. Review the Service YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML. B. Review the Ingress YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML. C. Review the Ingress YAML file. Define the default backend. Reapply the YAML. D. Review the Service YAML file. Define a default backend. Reapply the YAML.
C. Review the Ingress YAML file. Define the default backend. Reapply the YAML.
Explanation
Default Backend for Ingress: The 404 error occurs because there is no default backend configured in the Ingress resource to handle requests to the root path (www.mountkirkgames.com). Without a default backend, any requests that do not match specific path rules (e.g., /sales or /get-an-analysis) will result in a 404 error.
Solution: In the Ingress YAML file, you need to define a default backend that handles requests to paths that do not match any specified rules. The default backend should point to a Service in your GKE cluster that serves the appropriate content for the root path.
Reapply the YAML: After defining the default backend in the Ingress resource, apply the updated YAML file to resolve the issue and handle requests to the root path.
Question 47:
You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the objects in the storage bucket can be served by the CDN.
What should you do in the GCP Console?
A. Create a new cloud storage bucket, and then enable Cloud CDN on it. B. Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend. C. Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend. D. Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.
D. Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.
Question 48:
Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible.
How should you deploy this service in GCP?
A. Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer. B. Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer. C. Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers. D. Use GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.
B. Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
You are implementing a VPC architecture for your organization by using a Network Connectivity Center hub and spoke topology: There is one Network Connectivity Center hybrid spoke to receive on-premises routes. There is one VPC spoke that needs to be added as a Network Connectivity Center spoke. Your organization has limited routable IP space for their cloud environment (192.168.0.0/20). The Network Connectivity Center spoke VPC is connected to on-premises with a Cloud Interconnect connection in the us-east4 region. The on-premises IP range is 172.16.0.0/16. You need to reach on-premises resources from multiple Google Cloud regions (us-west1,europe-central1, and asia-southeast1) and minimize the IP addresses being used.
What should you do?
A. 1. Configure a Private NAT gateway and NAT subnet in us-west1(192.168.1.0/24), europe-central1(192.168.2.0/24) and asia-southeast1(192.168.3.0/24).2. Add the VPC as a spoke and configure an export include policy to advertise only 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.3. Enable global dynamic routing to allow resources in us-west1, us-central1 and asia-southeast1 to reach the on-premises location through us-east4. B. 1. Configure a Private NAT gateway instance in us-west1(172.16.1.0/24), europe-central1 (172.16.2.0/24), and asia-southeast1(172.16.3.0/24).2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise only the NAT subnets 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 to the hub.3. Enable global dynamic to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4. C. 1. Configure a Private NAT gateway instance in us-east4(192.168.1.0/24).2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise 192.168.1.0/24 to the hub.3. Enable global dynamic routing to allow resources in us-west1, us-central1 and asia-southeast1 to reach the on-premises location through us-east4. D. 1. Configure a Private NAT gateway instance in us-west1(192.168.1.0/24), europe-central1 (192.168.2.0/24), and asia-southeast1(192.168.3.0/24).2. Add the VPC as a spoke and configure an export exclude policy on the VPC spoke to advertise only the NAT subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.3. Enable global dynamic routing to allow resources in us-west1, us-central1, and asia-southeast1 to reach the on-premises location through us-east4.
A. 1. Configure a Private NAT gateway and NAT subnet in us-west1(192.168.1.0/24), europe-central1(192.168.2.0/24) and asia-southeast1(192.168.3.0/24).2. Add the VPC as a spoke and configure an export include policy to advertise only 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.3. Enable global dynamic routing to allow resources in us-west1, us-central1 and asia-southeast1 to reach the on-premises location through us-east4.
Explanation
Private NAT Gateway: Configuring a Private NAT gateway ensures that resources in different Google Cloud regions can use minimal IP address space by routing through region-specific NAT subnets (192.168.x.0/24). This approach conserves the limited routable IP space (192.168.0.0/20) while allowing cross-region communication.
VPC as a Spoke with Export Include Policy: Adding the VPC as a spoke to the Network Connectivity Center hub and using an export include policy ensures that only the NAT subnets (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) are advertised to the hub. This reduces the amount of IP address space consumed in routing.
Global Dynamic Routing: Enabling global dynamic routing allows resources in us-west1, europe-central1, and asia-southeast1 to access the on-premises environment via the Cloud Interconnect in us-east 4. This minimizes latency and ensures connectivity across regions.
Question 50:
You are planning a new GKE Standard cluster for workloads that need both IPv4 and IPv6 Pod addressing. You must keep the cluster VPC-native and allocate addresses from subnet ranges.
What should you configure?
A. A routes-based cluster with public IPv6 addresses assigned to each node. B. A VPC-native dual-stack cluster on a subnet that has the required IPv4 and IPv6 ranges. C. A private cluster with no secondary ranges and Cloud NAT enabled. D. A Standard Tier network and a manually configured static route for each Pod.
B. A VPC-native dual-stack cluster on a subnet that has the required IPv4 and IPv6 ranges.
Explanation
GKE dual-stack networking is planned with VPC-native clusters and appropriate subnet IP ranges so Pods and Services can receive addresses from the configured ranges. Routes-based clusters and per-Pod static routes are not the correct design for VPC-native alias IP addressing. Cloud NAT can help private workloads reach the internet, but it does not provide the needed Pod IPv4 and IPv6 address allocation. Network tier selection does not create dual-stack GKE Pod addressing.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.