PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details

  • Exam Code
    :PROFESSIONAL-CLOUD-NETWORK-ENGINEER
  • Exam Name
    :Professional Cloud Network Engineer
  • Certification
    :Google Certifications
  • Vendor
    :Google
  • Total Questions
    :333 Q&As
  • Last Updated
    :Jul 12, 2026

Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions & Answers

  • Question 71:

    Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the

    SSL certificates.

    Which Google Cloud load balancer should you use?

    A. SSL proxy load balancer
    B. Network load balancer
    C. HTTPS load balancer
    D. TCP proxy load balancer

  • Question 72:

    You are monitoring a fleet of production VMs that handle sensitive user data. Your security team requires a full copy of all inbound and outbound network traffic from these VMs for deep packet inspection by a third-party Intrusion Detection System (IDS). The IDS appliances are deployed as a managed instance group (MIG) and are served by an internal passthrough Network Load Balancer. You need to configure a monitoring solution that does not introduce any latency to the production traffic path.

    What should you do?

    A. Deploy a Cloud IDS endpoint in the production VPC, and configure the endpoint to inspect traffic from the specified VMs.
    B. Configure VPC Flow Logs for the production subnet, set the sampling rate to maximum, and stream the logs to the IDS appliances for analysis.
    C. Configure a Cloud Private NAT gateway for the production VMs, and route all egress traffic through the gateway to the IDS appliances.
    D. Create a Packet Mirroring policy that selects the production VMs as mirrored sources and sets the internal passthrough Network Load Balancer as the collector destination.

  • Question 73:

    You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private

    hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices.

    What should you do?

    A. 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88.2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24.3. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24.
    B. 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168 20.88.2. Configure your on-premises firewall to accept traffic from 35.199.192.0/19.3. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
    C. 1. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88.2. Configure your on-premises firewall to accept traffic from 10.204.0.0/24.3. Modify the /etc/resolv conf file on your Compute Engine instances to point to 192.168.20 88.
    D. 1. Create a private zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com.2. Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88.3. Configure your on-premises firewall to accept traffic from 35.199.192.0/19.4. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

  • Question 74:

    Your organization has a Google Cloud Virtual Private Cloud (VPC) with subnets in us-east1, us-west4, and europe-west4 that use the default VPC configuration. Employees in a branch office in Europe need to access the resources in the VPC using HA VPN. You configured the HA VPN associated with the Google Cloud VPC for your organization with a Cloud Router deployed in europe-west4. You need to ensure that the users in the branch office can quickly and easily access all resources in the VPC.

    What should you do?

    A. Create custom advertised routes for each subnet.
    B. Configure each subnet's VPN connections to use Cloud VPN to connect to the branch office.
    C. Configure the VPC dynamic routing mode to Global.
    D. Set the advertised routes to Global for the Cloud Router.

  • Question 75:

    Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.

    What should you do?

    A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
    B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
    C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
    D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

  • Question 76:

    Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead.

    What should you do?

    A. Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.
    B. Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.
    C. Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.
    D. Configure Packet Mirroring on the VPC. Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

  • Question 77:

    You manage a large, VPC-native Google Kubernetes Engine (GKE) cluster that is running out of IP addresses in its primary Pod CIDR range of 10.100.0.0/16. You have identified an available, non-contiguous CIDR block, 10.200.0.0/16, to use for new Pods. You need to expand the cluster's Pod address space with this new range.

    You also need to ensure that all traffic from Pods, regardless of which CIDR range they belong to, have its source address translated to the node's IP address when communicating with an on-premises legacy monitoring system located at 192.168.10.0/24 while minimizing operational overhead.

    What should you do?

    A. Create a new node pool, and assign the 10.200.0.0/16 range as a secondary IP range to the underlying subnet.
    B. - Create a new secondary IP address range in the cluster's subnet with the range 10.200.0.0/16. - Update the GKE cluster to use this new secondary range for Pods. - Ensure the ip-masq-agent ConfigMap's nonMasqueradeCIDRs list does not include 192.168.10.0/24.
    C. - Create a new secondary IP address range in the cluster's subnet with the range 10.200.0.0/16. - Update the GKE cluster to use this new secondary range for Pods. - Modify the ip-masq-agent ConfigMap to add 192.168.10.0/24 to the nonMasqueradeCIDRs list.
    D. Create a new GKE cluster with the new Pod range, and use VPC Network Peering to connect it to the old cluster.

  • Question 78:

    You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from.

    What should you do?

    A. Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.
    B. Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.
    C. Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.
    D. Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

  • Question 79:

    You are deploying your infrastructure in the us-central1 region. Your on-premises data center is located in New York City, and the Google Cloud region closest to New York City is us-east4. Your Cloud Interconnect is located in Ashburn, Virginia (VA), United States. You need to use Cloud Interconnect to connect your application infrastructure with backend systems in your data center location. You do not expect the application bandwidth to exceed 500 Mbps. You want to minimize latency and cost.

    What should you do?

    A. Create a Cloud Router and VLAN attachments in the us-east4 region attached to your physical Interconnect in Ashburn, VA. Enable global routing in your VPC. Set the bandwidth on the VLAN attachments to 500 Mbps.
    B. Create a Cloud Router and VLAN attachments in the us-east4 region attached to your physical Interconnect in Ashburn, VA. Enable global routing in your VPC.
    C. Create a Cloud Router in the us-central1 region and VLAN attachments in the us-east4 region attached to your physical Interconnect in Ashburn, VA. Enable global routing in your VPC.
    D. Create a Cloud Router and VLAN attachments in the us-central1 region attached to your physical Interconnect in Ashburn, VA.

  • Question 80:

    You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps.

    What should you do?

    A. Configure the remote autonomous system number (ASN) to 4096.
    B. Configure a second Cloud Router to scale bandwidth in and out of the VPC.
    C. Configure the maximum transmission unit (MTU) to its highest supported value.
    D. Configure a second set of active/passive VPN tunnels.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Google exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations and Google certification application, do not hesitate to visit our Vcedump.com to find your solutions here.