1. Home
  2. Google
  3. PROFESSIONAL-CLOUD-NETWORK-ENGINEER

Professional Cloud Network Engineer

Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :170 Q&As
  • Last Updated
    :May 21, 2025

Google Google Certifications PROFESSIONAL-CLOUD-NETWORK-ENGINEER Questions & Answers

  • Question 51:

    You are responsible for designing a new connectivity solution between your organization's on-premises data center and your Google Cloud Virtual Private Cloud (VPC) network Currently, there Is no end-to-end connectivity. You must ensure a service level agreement (SLA) of 99.99% availability What should you do?

    A. Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.

    B. Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router.

    C. Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC.

    D. Use HA VPN. Configure one tunnel from each Interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.

  • Question 52:

    You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.

    How should you design this topology?

    A. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.

    B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

    C. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.

    D. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.

  • Question 53:

    Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

    A. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.

    B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.

    C. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.

    D. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

  • Question 54:

    You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.

    Which level of permissions should you request?

    A. Security Admin privileges from the Shared VPC Admin.

    B. Service Project Admin privileges from the Shared VPC Admin.

    C. Shared VPC Admin privileges from the Organization Admin.

    D. Organization Admin privileges from the Organization Admin.

  • Question 55:

    You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.

    How should you configure your firewall rules?

    A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.

    B. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.

    C. Create a single firewall rule to allow port 22 with priority 1000.

    D. Create a single firewall rule to allow port 3389 with priority 1000.

  • Question 56:

    You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.

    Which GKE resource should you use?

    A. GKE Node

    B. GKE Pod

    C. GKE Cluster

    D. GKE Ingress

  • Question 57:

    You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

    A. Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

    B. Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

    C. Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

    D. Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

  • Question 58:

    Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?

    A. Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.

    B. Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.

    C. Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.

    D. Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

  • Question 59:

    In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?

    A. Create network tag app-server and service account [email protected]. Add the tag to the application servers, and associate the service account with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \ --action allow \ --direction ingress \ --rules top:3306 \ --source-tags app-server \ --target-service-accounts [email protected]

    B. Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-service-accounts [email protected] \ --target-service-accounts [email protected]

    C. Create service accounts [email protected] and [email protected]. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-ranges 10.128.0.0/20 \ --source-service-accounts [email protected] \ --target-service-accounts [email protected]

    D. Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \ --action allow \ --direction ingress \ --rules tcp:3306 \ --source-ranges 10.128.0.0/20 \ --source-tags app-server \ --target-tags db-server

  • Question 60:

    You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.

    Which BGP attribute should you use on your on-premises router?

    A. AS-Path

    B. Community

    C. Local Preference

    D. Multi-exit Discriminator

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.