Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 51:
You are designing the networking infrastructure for your company on Google Cloud. Your design must connect three separate VPC networks for development, testing, and production to two on-premises data centers while remaining isolated from each other. Each data center is connected to Google Cloud via Cloud VPN.
Additionally, your design must incorporate a user-published security service that is hosted in another Google Cloud organization and made available for private consumption. You need to create a scalable and centrally managed solution.
What should you do?
A. Use VPC Network Peering to create a full mesh between the development, testing, and production VPCs and the Cloud VPN network. B. Create a Network Connectivity Center hub, and configure each of the three VPCs and the two Cloud VPN spokes. Use Private Service Connect to access the third-party service. C. Create a Shared VPC, and migrate the resources from the development, testing, and production VPCs into service projects. D. Use Network Connectivity Center to establish a full-mesh topology between the three VPCs. Use VPC Network Peering to connect to the Cloud VPN and Private Service Connect to access the third-party service.
B. Create a Network Connectivity Center hub, and configure each of the three VPCs and the two Cloud VPN spokes. Use Private Service Connect to access the third-party service.
Explanation
Network Connectivity Center is the scalable, centrally managed option for connecting multiple isolated VPCs and multiple on-premises sites through Cloud VPN using a hub-and-spoke model. That fits the requirement to keep development, testing, and production as separate VPCs while centrally managing connectivity to the two data centers. For the user-published security service hosted in another Google Cloud organization and consumed privately, the correct pattern is Private Service Connect, which is designed for private consumption of published services across organizational boundaries.
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?
A. The instance has been configured with multiple interfaces. B. An external IP address has been configured on the instance. C. You have created static routes that use RFC1918 ranges. D. The instance is accessible by a load balancer external IP address.
B. An external IP address has been configured on the instance.
You are deploying an application on a fleet of Compute Engine virtual machines (VMs) that must process sensitive, financial data by communicating with the Cloud Storage API. The VMs currently have internal IP addresses. You need to enable this communication using the most secure method available.
What should you do? (Choose two.)
A. Keep the VMs configured with only internal IP addresses. On the subnet, enable Private Google Access and configure the necessary private DNS records for private.googleapis.com. B. Create a Cloud DNS private zone for googleapis.com that resolves to the restricted.googleapis.com IP addresses, and associate the private zone with the VMs' VPC network. C. Modify the VMs to each have an external IP address. Create a restrictive egress firewall rule that only allows outbound traffic to the public IP ranges for Google APIs. D. Create a Cloud NAT gateway, and configure it for the subnet housing the VMs. Remove the 0.0.0.0/0 route to the default internet gateway. E. Create a regional Private Service Connect endpoint in your VPC that targets the Cloud Storage service. Configure the application on the VMs to send API requests to this endpoint.
A. Keep the VMs configured with only internal IP addresses. On the subnet, enable Private Google Access and configure the necessary private DNS records for private.googleapis.com. B. Create a Cloud DNS private zone for googleapis.com that resolves to the restricted.googleapis.com IP addresses, and associate the private zone with the VMs' VPC network.
Explanation
Enabling Private Google Access allows Compute Engine VMs that have only internal IP addresses to reach Google APIs privately without needing external IPs. Using private DNS to direct Google API names to the restricted Google APIs VIPs ensures the VMs reach the Cloud Storage API over Google-controlled endpoints while reducing exposure to the public internet path for API access.
Question 54:
Your company runs its applications on Google Kubernetes Engine (GKE), and your team recently created a private Cloud DNS zone, corp.internal, to host records for internal services, such as a managed database at db.corp.internal. You verified that a Compute Engine VM in the same VPC as your GKE cluster can successfully resolve db.corp.internal. However, when you access a Pod inside your GKE cluster, you can resolve in-cluster services (for example, kubernetes.default.svc.cluster.local), but any attempt to resolve db.corp.internal fails.
Upon inspecting the coredns ConfigMap in the kube-system namespace, you discovered the default forward plugin has been modified to point directly to a public DNS provider's IP address, bypassing the node's local resolver. You need to enable Pods in the cluster to resolve records in the existing corp.internal private zone as well as other zones under.internal.
A. Modify the coredns ConfigMap in the kube-system namespace, and add corp.internal to a stubDomains entry that points to the VPC's DNS resolver. B. Create a Kubernetes service and endpoint of type ExternalName for db.corp.internal. C. Enable Cloud DNS for GKE for the GKE cluster. D. Modify the coredns ConfigMap in the kube-system namespace. In the Corefile configuration, change the forward plugin to point to /etc/resolv.conf.
D. Modify the coredns ConfigMap in the kube-system namespace. In the Corefile configuration, change the forward plugin to point to /etc/resolv.conf.
Explanation
The failure is caused by CoreDNS forwarding queries directly to a public DNS provider instead of using the node's local resolver. In GKE, using the node resolver lets Pods reach the VPC DNS path that resolves private Cloud DNS zones.
Changing the CoreDNS forward plugin back to /etc/resolv.conf restores that behavior, so Pods can resolve corp.internal and other.internal names available through the VPC resolver. Cloud DNS for GKE is a separate DNS provider option, but the immediate issue here is the incorrect CoreDNS forwarding configuration.
Your organization has separate folders for production and development projects. You must enforce a deny rule for TCP port 22 across all production projects, while allowing project teams to manage their own lower-priority VPC firewall rules for other traffic. The policy must apply consistently to new production projects.
What should you do?
A. Create a VPC firewall rule in each production VPC network with priority 1000 to deny tcp:22. B. Create a hierarchical firewall policy associated with the production folder that denies tcp:22 at a high priority. C. Create a Cloud Armor security policy that denies tcp:22 and attach it to each production backend service. D. Create an organization policy that disables external IP addresses for all production virtual machines.
B. Create a hierarchical firewall policy associated with the production folder that denies tcp:22 at a high priority.
Explanation
Hierarchical firewall policies can be associated with folders or organizations and apply consistently to projects under that resource hierarchy. A high-priority deny rule for tcp:22 at the production folder enforces the requirement while allowing teams to manage lower-priority VPC firewall rules for other traffic. Per-VPC firewall rules are harder to keep consistent for new projects. Cloud Armor protects supported load balancer backends and is not a general VM SSH firewall. Disabling external IP addresses can reduce exposure but does not enforce the requested tcp:22 deny rule.
Question 56:
Your VPC is configured with regional dynamic routing mode. You have deployed VMs and VLAN attachments in the europe-west2 region, and regional internal Application Load Balancers in us-east1. You need to ensure the VMs in the europe-west2 region have connectivity to the regional internal Application Load Balancers in the us-east1 region.
What should you do?
A. Create the backend in us-east1, create multiple forwarding rules in each region, and then enable regional access. B. Create the backend service in europe-west2, create the forwarding rule in us-east1, and then enable regional access. C. Create the backend service in us-east1, create the forwarding rule in europe-west2, and then enable global access. D. Create the backend service in us-east1, create the forwarding rule in us-east1, and then enable global access.
D. Create the backend service in us-east1, create the forwarding rule in us-east1, and then enable global access.
Explanation
Internal regional Application Load Balancers live entirely in the region where you create them, so both your backend service and your forwarding rule belong in us-east 1. To let clients in europe-west2 reach that us-east1 load balancer, you then simply enable global access on the internal forwarding rule. This preserves your regional deployment while transparently routing traffic over Google's backbone.
Question 57:
You need private IP connectivity from Compute Engine instances to Cloud SQL without assigning public IP addresses to the database. The configuration must use Google-managed service producer networking.
Which two actions should you take? (Choose two.)
A. Enable the Service Networking API. B. Allocate an IP range for private services access and create a private connection to the service producer. C. Create a Cloud NAT gateway for the subnet that contains the Compute Engine instances. D. Configure a VPC Network Peering connection directly to the Cloud SQL instance project by using the Google Cloud console. E. Enable DNS peering from the VPC network to the Cloud SQL producer network.
A. Enable the Service Networking API. B. Allocate an IP range for private services access and create a private connection to the service producer.
Explanation
Cloud SQL private IP connectivity uses private services access, which requires the Service Networking API and an allocated range that is connected to the service producer network. Cloud NAT provides outbound internet NAT and is not required for private IP access to Cloud SQL. The underlying producer connection is managed through private services access rather than by manually peering directly to a Cloud SQL instance project. DNS peering is not the required setup step for establishing the private service producer connection.
Question 58:
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
B. gcloud compute instances add-tags [existing-instance] --tags no-ip
Question 59:
You have the following Shared VPC design. VPC Flow Logs is configured for Subnet-1 in the host VPC.
You also want to monitor flow logs for Subnet-2.
What should you do?
A. Configure a VPC Flow Logs filter for Subnet-2 in the host project VPC. B. Configure VPC Flow Logs in the service project VPC for Subnet-2. C. Configure Packet Mirroring in both the host and service project VPCs. D. Configure a firewall rule to permit Subnet-2 IP addresses outbound in the host project VPC.
B. Configure VPC Flow Logs in the service project VPC for Subnet-2.
Question 60:
You are responsible for designing a new connectivity solution between your organization's on-premises data center and your Google Cloud Virtual Private Cloud (VPC) network. Currently, there is no end-to-end connectivity. You must ensure a service level agreement (SLA) of 99.99% availability.
What should you do?
A. Use one Dedicated Interconnect connection in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC. B. Use a Direct Peering connection between your on-premises data center and Google Cloud. Configure Classic VPN with two tunnels and one Cloud Router. C. Use two Dedicated Interconnect connections in a single metropolitan area. Configure one Cloud Router and enable global routing in the VPC. D. Use HA VPN. Configure one tunnel from each interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.
D. Use HA VPN. Configure one tunnel from each interface of the VPN gateway to connect to the corresponding interfaces on the peer gateway on-premises. Configure one Cloud Router and enable global routing in the VPC.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.