Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 61:
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
A. Turn on Private Google Access at the subnet level. B. Turn on Private Google Access at the VPC level. C. Turn on Private Services Access at the VPC level. D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway. E. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
A. Turn on Private Google Access at the subnet level. D. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
Question 62:
Your product team has web servers running on both us-east1 and us-west1 regions in the prod-servers project. Your security team plans to install an intrusion detection system (IDS) in their own Google Cloud project to inspect the incoming network traffic.
What should you do?
A. Create a new project and a VPC for the security team. Peer the new VPC with the web servers' VPC in the prod-servers project. Create an internal load balancer and the IDS system in both us-east1 and us-west1. Enable Packet Mirroring, and create packet mirroring policies inside the new project. B. Create a host project and a Sharad VPC for the security team. Make prod-servers a service project, and relocate the web servers to shared subnets in both regions. Enable IP forwarding on all the web servers. Create the IDS system in a non-shared subnet of us-east1 or us-west1. Configure the web servers to forward the packets to the IDS system. C. Create a new project and a VPC for the security team. Peer the new VPC with the web servers' VPC in the prod-servers project. Enable IP forwarding on all the web servers. Install the IDS system in both us-east1 and us-west1. Configure the web servers to forward the packets to the IDS system. D. Create a host project and a Shared VPC for the security team. Make prod-servers a service project, and relocate the web servers to shared subnets in both regions. Create an internal load balancer and the IDS system in a subnet in either us-east1 or us-west1. Enable Packet Mirroring, and create a packet mirroring policy inside the host project.
A. Create a new project and a VPC for the security team. Peer the new VPC with the web servers' VPC in the prod-servers project. Create an internal load balancer and the IDS system in both us-east1 and us-west1. Enable Packet Mirroring, and create packet mirroring policies inside the new project.
Question 63:
Your company is modernizing its infrastructure by expanding its services. You are concerned about the long-term scalability of your network due to IPv4 address exhaustion. You need to design and deploy a new Google Kubernetes Engine (GKE) cluster that allows Pods and Services to communicate over IPv6 while maintaining IPv4 connectivity for backward compatibility with existing systems.
What should you do?
A. Create a new standard GKE cluster, and enable an IPv6-only address range for Pods. B. Create a new GKE cluster, and enable an IPv6-only node pool. C. Deploy a Cloud NAT gateway within your VPC to translate traffic between your existing IPv4-only GKE cluster and external IPv6 clients. D. Create a new dual-stack subnet within your VPC, and then create a new GKE cluster within that subnet and specify dual-stack networking mode.
D. Create a new dual-stack subnet within your VPC, and then create a new GKE cluster within that subnet and specify dual-stack networking mode.
Explanation
To support both IPv6 and IPv4 for Pods and Services in GKE, you need a dual-stack VPC-native cluster. Google Cloud requires the cluster to be created in a dual-stack subnet and configured for dual-stack networking so nodes, Pods, and Services can receive both IPv4 and IPv6 connectivity for backward compatibility and future scalability.
You are designing a security-focused network architecture on Google Cloud. Your company has deployed a central inspection VPC that contains a fleet of Cloud Next Generation Firewall (NGFW) appliances. The inspection VPC has a default route with next hop pointing to the passthrough Network Load Balancer with NGFW appliances as backends.
You also have two application VPCs (App-A and App-B) that are not allowed to directly communicate with each other, nor do they have a default route in their VPC. You need to ensure that all traffic originating from App-A and App-B are forced through the inspection VPC to be analyzed by the Cloud NGFW appliances.
What should you do?
A. Use VPC Network Peering to create a full mesh by peering all three VPCs with each other, and then use firewall rules to deny all traffic between App-A and App-B. B. Create a Network Connectivity Center hub in mesh topology, connect all three VPCs as spokes, and configure the inspection VPC to advertise the default route. C. Create a Network Connectivity Center hub in star topology. Configure the inspection VPC spoke as a center group that advertises a default route, and configure the application VPCs as edge spokes to use that route for inter-VPC traffic. D. Create two separate VPC Network Peering connections: One between the inspection VPC and App-A, and another between the inspection VPC and App-B.
C. Create a Network Connectivity Center hub in star topology. Configure the inspection VPC spoke as a center group that advertises a default route, and configure the application VPCs as edge spokes to use that route for inter-VPC traffic.
Explanation
Use Network Connectivity Center in a star topology, with the inspection VPC as the center group and the application VPCs as edge spokes. In NCC, a star topology is specifically used to prevent direct communication between spoke VPCs while still allowing them to reach shared services through the center. By having the inspection VPC advertise the default route, traffic from App-A and App-B can be forced toward the inspection VPC, where the Cloud NGFW appliances sit behind the passthrough Network Load Balancer. This matches the requirement to block direct App-A to App-B communication and steer all outbound traffic through centralized inspection.
Question 65:
You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?
Your company is moving to a hybrid cloud environment and needs to connect two on-premises data centers to Google Cloud. Your company has opted for no service level agreement (SLA) on the Dedicated Interconnect ports. You set up a single Dedicated Interconnect to connect each on-premises data center to Google Cloud: one Dedicated Interconnect in us-east1 and another Dedicated Interconnect in us-west1. You also configured a Cloud Router for each Dedicated Interconnect in each respective region. You now need to configure the Interconnect attachments to provide as much high availability diversity as possible based on this design.
What should you do?
A. Build one VLAN attachment from each Dedicated Interconnect corresponding to the Cloud Router in that region. Enable global routing at the VPC layer. B. Build one VLAN attachment from each Dedicated Interconnect corresponding to the Cloud Router in that region. Enable regional routing at the VPC layer. C. Build two VLAN attachments from each Dedicated Interconnect: one connecting to the Cloud Router in us-east1, and one connecting to the Cloud Router in us-west1. Enable regional routing at the VPC layer. D. Build two VLAN attachments from each Dedicated Interconnect: one connecting to the Cloud Router in us-east1, and one connecting to the Cloud Router in us-west1. Enable global routing at the VPC layer.
D. Build two VLAN attachments from each Dedicated Interconnect: one connecting to the Cloud Router in us-east1, and one connecting to the Cloud Router in us-west1. Enable global routing at the VPC layer.
Explanation
Two VLAN Attachments Per Dedicated Interconnect: By creating two VLAN attachments per Dedicated Interconnect, each attachment connects to a Cloud Router in different regions (us-east1 and us-west1). This setup ensures that traffic can failover between regions if there is an issue in one region.
Global Routing: Enabling global routing at the VPC level allows the routing information from both regions (us-east1 and us-west1) to propagate globally across the VPC network.
This provides the necessary redundancy and ensures high availability for the hybrid cloud environment.
Question 67:
You are designing a new network infrastructure for your customer in Google Cloud. Your customer requires a connection between two Google Cloud VPCs that must include a VPN tunnel. You want to follow Google-recommended practices while ensuring maximum availability of the connection.
Which VPN configuration should you choose?
A. Policy-based VPN using Classic VPN between the two Google Cloud VPCs B. Border Gateway Protocol (BGP)-based VPN using Classic VPN between the two Google Cloud VPCs C. Route-based VPN using Classic VPN between the two Google Cloud VPCs D. Border Gateway Protocol (BGP)-based VPN using HA VPN between the two Google Cloud VPCs
A. Policy-based VPN using Classic VPN between the two Google Cloud VPCs
Question 68:
You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required.
What should you do?
A. Enable VPC Flow Logs and send the output to BigQuery for analysis. B. Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis. C. Configure Packet Mirroring to send all traffic to a VM. Use Wireshark on the VM to identity traffic utilization for each VM in the VPC. D. Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.
A. Enable VPC Flow Logs and send the output to BigQuery for analysis.
Question 69:
Your organization is connecting their Shared VPC network to their on-premises data center by using Dedicated Interconnect to provide connectivity to all of its service projects. You need to create a design to configure your VLAN attachments and Cloud Routers. You also want to achieve a 99.9% Cloud Interconnect SLA based on Google Cloud s reference design.
What should you do?
A. Create two Cloud Interconnect connections in different edge availability domains of two different co-location facilities in a project that will contain your connections. Create one VLAN attachment and Cloud Router for each physical interconnect in the Shared VPC host project. B. Create two Interconnect connections in different edge availability domains of the co-location facility in a project that will contain your connections. Create one VLAN attachment for each physical Cloud Interconnect connection and a single Cloud Router in the Shared VPC host project. C. Create two Cloud Interconnect connections in different edge availability domains of the co-location facility in a project that will contain your connections. Create one VLAN attachment for each physical interconnect and a single Cloud Router in the service projects. D. Create two Cloud Interconnect connections in different edge availability domains of the co-location facility in a project that will contain your connections. Create a Cloud Router in the Shared VPC host project and the VLAN attachments in the Shared VPC service projects.
A. Create two Cloud Interconnect connections in different edge availability domains of two different co-location facilities in a project that will contain your connections. Create one VLAN attachment and Cloud Router for each physical interconnect in the Shared VPC host project.
Explanation
To achieve a 99.9% SLA for Cloud Interconnect, you must deploy two connections in separate edge availability domains in different co-location facilities. This design ensures redundancy and eliminates single points of failure. By creating separate VLAN attachments and Cloud Routers in the Shared VPC host project, the centralized network can manage routing and connectivity effectively, while providing high availability and seamless failover for all service projects. This approach aligns with Google's recommended practices for achieving the required SLA.
Question 70:
You are configuring the intrusion prevention service (IPS) feature on Cloud Next Generation Firewall Enterprise. You deployed your firewall endpoints and you need to inspect the traffic of the VMs.
What should you do?
A. Configure Packet Mirroring to match the source/destination IP addresses of the VMs. B. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the goto_next action. C. Configure a firewall rule to match the hostnames of the VMs, and use the apply_security_profile_group action. D. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the apply_security_profile_group action.
D. Configure a firewall rule to match the source/destination IP addresses of the VMs, and use the apply_security_profile_group action.
Explanation
To inspect traffic using the Intrusion Prevention Service (IPS) feature in Cloud Next Generation Firewall Enterprise, you need to configure firewall rules that specify the traffic to be inspected. The rules should match the source and/or destination IP addresses of the VMs, as this is how traffic is identified. The apply_security_profile_group action is then used to attach the security profile that enables IPS inspection for the matched traffic. This configuration ensures that the IPS feature actively analyzes the traffic for potential threats and takes appropriate actions as defined in the security profile.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.