Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Practice
Questions and Exam Preparation
PROFESSIONAL-CLOUD-NETWORK-ENGINEER Exam Details
Exam Code
:PROFESSIONAL-CLOUD-NETWORK-ENGINEER
Exam Name
:Professional Cloud Network Engineer
Certification
:Google Certifications
Vendor
:Google
Total Questions
:333 Q&As
Last Updated
:Jul 12, 2026
Google PROFESSIONAL-CLOUD-NETWORK-ENGINEER Online Questions &
Answers
Question 81:
You are implementing a Shared VPC network for your organization, which has distributed teams. One of the application developers works across several teams and notices that they can deploy applications in subnets that are reserved for another application's service projects. You want to ensure that developers can only deploy resources in the subnets that are reserved for their respective service project.
What should you do?
A. Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint. B. Grant the compute.NetworkViewer role to the developer in the Shared VPC host project. C. Restrict another application's project from accessing specific subnets in the host project by using the constraints/compute.restrictSharedVpcHostProject organizational constraint. D. Grant the compute.NetworkUser role to the developer in the specific Shared VPC service project.
A. Specify which Shared VPC subnets each application's service projects can access by using the constraints/compute.restrictSharedVpcSubnetworks organizational constraint.
Explanation
Use the constraints/compute.restrictSharedVpcSubnetworks organizational constraint: This constraint allows you to define which Shared VPC subnets are accessible to specific service projects. By applying this constraint, you can limit a service project's access to only the subnets designated for its applications. Apply the constraint to each service project: This ensures that developers working in a specific service project can deploy resources only in the allowed subnets and not in subnets reserved for other service projects.
Question 82:
You recently reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in the rate of client requests. You need to limit the concurrent sessions and return an HTTP 429 Too Many Requests response back to the client while following Google-recommended practices.
What should you do?
A. Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle; conform action: allow; exceed action: deny-429. B. Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic. C. Create a Cloud Armor security policy, and apply the predefined Open Worldwide Security Application Project (OWASP) rules to automatically implement the rate limit per client IP address. D. Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application.
A. Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle; conform action: allow; exceed action: deny-429.
Explanation
Using Google Cloud Armor, you can create a security policy to implement rate limiting on an external global Application Load Balancer. This is a Google-recommended practice for handling erratic spikes in traffic and limiting concurrent sessions to prevent backend server overload. Cloud Armor rate limiting: The action: throttle setting enables rate limiting based on client behavior, such as the number of requests from a specific IP address. The exceed action: deny-429 returns an HTTP 429 (Too Many Requests) response to clients exceeding the configured rate, signaling them to reduce their request rate. This approach ensures the backend servers are protected from being overloaded while providing proper feedback to clients.
Question 83:
Your organization recently re-architected your cloud environment to use Network Connectivity Center. However, an error occurred when you tried to add a new VPC, named vpc-dev, as a spoke. The error indicated that there was an issue with an existing spoke and the IP space of a VPC, named vpc-pre-prod.
You must complete the migration quickly and efficiently.
What should you do?
A. Delete the VMs associated with the conflicting subnets, then delete the conflicting subnets in vpc-dev. Recreate the subnets with a new IP range and redeploy the previously-deleted VMs in the new subnets. Add the VPC spoke for vpc-dev. B. Exclude the conflicting IP range by using the --exclude-export-ranges flag when creating the VPC spoke for vpc-dev. C. Exclude the conflicting IP range by using the --exclude-export-ranges flag in the hub when attaching the VPC spoke for vpc-dev. D. Remove the conflicting VPC spoke for vpc-pre-prod from the set of VPC spokes in Network Connectivity Center. Add the VPC spoke for vpc-dev. Add the previously removed vpc-pre-prod as a VPC spoke.
B. Exclude the conflicting IP range by using the --exclude-export-ranges flag when creating the VPC spoke for vpc-dev.
Explanation
When adding a new VPC as a spoke to Network Connectivity Center, conflicts in IP ranges between VPCs can arise. This is because the hub exchanges routes between VPCs, and overlapping IP ranges cannot coexist without specific configuration.
The --exclude-export-ranges flag allows you to specify IP ranges that should be excluded from being exported to the hub. By excluding the conflicting IP range of vpc-dev when creating its VPC spoke, you can resolve the issue without making disruptive changes to existing resources, such as deleting or re-architecting the subnets in either VPC. This approach is efficient and minimizes downtime.
Question 84:
Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1.
How should you configure the multi-exit discriminator (MED) values to enable this failover path?
A. Use regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1 B. Use global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1 C. Use regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1 D. Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1
D. Use global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1
Question 85:
Your organization deployed a mission critical application that is expected to be a new revenue source. As part of the planning and deployment process, you have recently implemented a security profile with the default set of threat signatures provided by Cloud Next Generation Firewall (Cloud NGFW). This application is the only application running on this project. You need to increase the security posture of the application to log the threat and drop the related packets.
What should you do?
A. Configure a new default threat signature with Deny All to all severity options. Review the logs to understand the impact. B. Set up a Linux VM as the frontend gateway for the application. Create iptables rules to drop all packets, excluding the application port. C. For all severity options (critical, high, medium, low and informational) in the security profile, change the default override action to Deny. D. Configure Cloud Scheduler to run a task that checks the Cloud NGFW logs to verify the threats. Configure the task to create a security profile with each signature ID set to override the default action.
C. For all severity options (critical, high, medium, low and informational) in the security profile, change the default override action to Deny.
Explanation
To enhance the security posture of your mission-critical application and ensure that threats are logged and the related packets are dropped, you need to configure the security profile in Cloud NGFW to take a more aggressive action for all detected threats:
1. Override default actions in the security profile: By changing the default action for all severity levels (critical, high, medium, low, and informational) to Deny, you ensure that any threat matching a Cloud NGFW threat signature is logged and that the associated packets are dropped.
2. Threat logging: Cloud NGFW automatically logs all detected threats, including dropped packets. This provides visibility into potential attacks and allows you to monitor and analyze threats effectively. This approach ensures that your application is protected from known threats while providing detailed logs for auditing and further analysis, which aligns with the organization's goal of maintaining a high-security posture for a mission-critical application.
Question 86:
You are managing a containerized application environment on Google Kubernetes Engine (GKE). You deployed a microservice with a Kubernetes service manifest that defines a named port, http-api, for its main endpoint. You are now configuring an external http(s) load balancer to expose this microservice. You need to ensure the configuration is independent of the actual port number and follows best practices.
What should you do?
A. Create a backend service that uses the GKE node instance group as its backend, and configure the named port http-api in the backend service. B. Reference the GCE_VM_IP_PORT network endpoint group (NEG) in the backend configuration that was automatically created for your Kubernetes service, and specify http-api named port for traffic. C. Add an annotation to your Kubernetes service manifest to create a GCE_VM_IP network endpoint group (NEG), and configure the backend service to use this NEG. D. Add an annotation in your Kubernetes ingress manifest to specify the http-api port number directly, and configure the backend service to use this hardcoded port number.
A. Create a backend service that uses the GKE node instance group as its backend, and configure the named port http-api in the backend service.
Explanation
Named ports are used by external HTTP(S) load balancers when the backend is an instance group. The backend service refers to the named port instead of a fixed port number, which keeps the configuration independent of the actual port value. In contrast, GCE_VM_IP_PORT NEGs use endpoint IP:port pairs directly rather than backend-service named ports, so they do not match the requirement in this question.
Your organization has deployed Google Kubernetes Engine (GKE) clusters in several different Virtual Private Clouds (VPCs) for the past year, one GKE cluster per VPC. While the GKE nodes leverage unique IP space between each cluster, the Pod IP ranges have been reused across VPCs. The VPCs are spokes of a Network Connectivity Center hub configured in mesh topology. The Pod IP ranges have been excluded from the Network Connectivity Center VPC spokes. While this process seems to work and Compute Engine instances in the VPCs can reach services, you notice that the Pods are unable to access services in other VPCs. You need to enable communication between Pods in different VPCs.
What should you do?
A. Ensure that the IP masquerade agent is installed correctly and performing source NAT for Pod traffic destined to services outside of the cluster. B. Delete the GKE clusters, create a new pair of VMs in the subnets used by the GKE clusters, and test the connectivity. Recreate the GKE clusters. C. Delete the Network Connectivity Center hub and VPC spokes. Connect all VPCs by using Cloud VPNs. D. Delete the Network Connectivity Center hub and VPC spokes. Peer all VPCs by using VPC Network Peering.
A. Ensure that the IP masquerade agent is installed correctly and performing source NAT for Pod traffic destined to services outside of the cluster.
Explanation
Because Pod IP ranges are reused across VPCs and excluded from export, remote VPCs cannot route back to the originating Pod CIDRs. Enabling source NAT for Pod egress to destinations outside the cluster makes Pod-to-service traffic use node IPs (which are unique and routable across the NCC mesh), allowing return traffic to follow valid routes and restoring cross-VPC connectivity for Pods.
Question 88:
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?
A. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes. B. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address. C. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP. D. Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
C. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
Question 89:
Your company's web application was just deployed on Compute Engine VMS in multiple Google Cloud regions. You have created multiple instance groups and you need to distribute traffic between these VMs. You want your users to automatically connect to the backend that is located in the closest region while following Google-recommended practices.
What should you do?
A. Create one global external Application Load Balancer and multiple backend services. Ensure that each backend service contains one backend. Point each backend to a different instance group. B. Create one global external Application Load Balancer and one backend service with multiple backends. Point each backend to a different instance group. C. Create two global external Application Load Balancers with one backend service and one backend. Point each back end to a different instance group. D. Create two global external Application Load Balancers with multiple backend services. Ensure that each backend service contains one backend. Point each backend to a different instance group.
B. Create one global external Application Load Balancer and one backend service with multiple backends. Point each backend to a different instance group.
Explanation
A single global external Application (HTTP(S)) Load Balancer with one backend service that includes all regional instance groups lets Google's global anycast frontend automatically steer each user to the closest healthy backend. This setup follows Google's best practice for multi-region Compute Engine deployments with minimal configuration.
Question 90:
You want Cloud CDN to serve the https://www.example.com/images/spacetime.png static image file that is hosted in a private Cloud Storage bucket. You are using the USE_ORIGIN_HEADERS cache mode. You receive an HTTP 403 error when opening the file in your browser, and you see that the HTTP response has a Cache-Control: private, max-age=0 header.
How should you correct this issue?
A. Enable negative caching for the backend bucket. B. Change the cache mode to Force cache all content. C. Configure a Cloud Storage bucket permission that gives allUsers the Storage Legacy Object Reader role. D. Increase the default time-to-live (TTL) for the backend service.
C. Configure a Cloud Storage bucket permission that gives allUsers the Storage Legacy Object Reader role.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Google exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PROFESSIONAL-CLOUD-NETWORK-ENGINEER exam preparations
and Google certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.