Pass Your Google Professional-Cloud-Network-Engineer Exam with Correct 172 Questions and Answers
Latest [Dec 31, 2023] 2023 Realistic Verified Professional-Cloud-Network-Engineer Dumps
The Google Professional Cloud Network Engineer exam helps the specialists use the Google Cloud Platform for managing and implementing network architectures.
NEW QUESTION # 15
You have the networking configuration shown In the diagram Two VLAN attachments associated With two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BOP) sessions associated With each Of the VLAN attachments.
You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?
- A. From the Google Cloud console, navigate to the Hybrid Connectivity select the Cloud Router, and view BGP sessions.
- B. From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results
- C. From the Cloud CLI, run gcloud compute -protect_ID router get-status mycloudrouter --region REGION and review the results.
- D. From the Cloud CLI. run gcloud compute routers describe mycloudrouter --region REGION and review the results
Answer: C
Explanation:
The correct answer is B. From the Cloud CLI, run gcloud compute --project_ID router get-status mycloudrouter --region REGION and review the results.
This command will show you the BGP session status, the advertised and learned routes, and the last error for each VLAN attachment. You can use this information to troubleshoot the asymmetric traffic flow and identify any issues with the BGP configuration or the Interconnect connections.
The other options are not correct because:
Option A will only show you the BGP session status, but not the advertised and learned routes or the last error for each VLAN attachment.
Option C will only show you the VPC Flow Logs, which are useful for monitoring and troubleshooting network performance and security issues within your VPC network, but not for your Interconnect connections.
Option D will only show you the basic information about the Cloud Router, such as its name, region, network, and BGP settings, but not the detailed status of each VLAN attachment.
NEW QUESTION # 16
Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers.
The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible.
How should you deploy this service in GCP?
- A. Deploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.
- B. Create a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.
- C. Use GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal- priority static routes to the backend servers.
- D. Create a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.
Answer: B
Explanation:
https://cloud.google.com/compute/docs/instance-groups/adding-an-instance-group-to-a-load-balancer
NEW QUESTION # 17
You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?
- A. Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.
- B. Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.
- C. Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.
- D. Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.
Answer: C
NEW QUESTION # 18
In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost.
Which two steps should you take? (Choose two.)
- A. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
- B. Connect both projects using Cloud VPN.
- C. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
- D. Enable Shared VPC in one project (e. g., code-dev), and make the second project (e. g., data-dev) a service project.
- E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
Answer: A,C
NEW QUESTION # 19
In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet- a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?
- A. Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command:
gcloud compute firewall-rules create app-db-firewall-rule \
--action allow \
--direction ingress \
--rules tcp:3306 \
--source-ranges 10.128.0.0/20 \
--source-tags app-server \
--target-tags db-server - B. Create service accounts [email protected] and [email protected]. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
gcloud compute firewall-rules create app-db-firewall-ru
--allow TCP:3306 \
--source-ranges 10.128.0.0/20 \
--source-service-accounts sa-app@my-
project.iam.gserviceaccount.com \
--target-service-accounts sa-db@my-
project.iam.gserviceaccount.com - C. Create network tag app-server and service account [email protected]. Add the tag to the application servers, and associate the service account with the database servers. Run the following command:
gcloud compute firewall-rules create app-db-firewall-rule \
--action allow \
--direction ingress \
--rules top:3306 \
--source-tags app-server \
--target-service-accounts sa-db@my-
project.iam.gserviceaccount.com - D. Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
gcloud compute firewall-rules create app-db-firewall-ru
--allow TCP:3306 \
--source-service-accounts sa-app@democloud-idp-
demo.iam.gserviceaccount.com \
--target-service-accounts sa-db@my-
project.iam.gserviceaccount.com
Answer: A
NEW QUESTION # 20
You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.
What should you do?
- A. Upload your public ssh key to the project Metadata.
- B. Use gcloud compute ssh to automatically copy your public ssh key to the instance.
- C. Upload your public ssh key to each instance Metadata.
- D. Create a custom Google Compute Engine image with your public ssh key embedded.
Answer: A
Explanation:
Overview By creating and managing SSH keys, you can let users access a Linux instance through third-party tools. An SSH key consists of the following files: A public SSH key file that is applied to instance-level metadata or project-wide metadata. A private SSH key file that the user stores on their local devices. If a user presents their private SSH key, they can use a third-party tool to connect to any instance that is configured with the matching public SSH key file, even if they aren't a member of your Google Cloud project. Therefore, you can control which instances a user can access by changing the public SSH key metadata for one or more instances. https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#addkey
NEW QUESTION # 21
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?
- A. Configure an HTTP load balancer, and direct the traffic to it.
- B. Configure the TTL for the DNS zone to decrease the time between updates.
- C. Configure a policy-based route rule to prioritize the traffic.
- D. Configure Dynamic Routing for the subnet hosting the application.
Answer: A
Explanation:
https://cloud.google.com/load-balancing/docs/tutorials/optimize-app-latency
NEW QUESTION # 22
Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that the caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it as a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.
Which two steps should you take? (Choose two.)
- A. Create a global HTTP(s) load balancer and move your application backend to this load balancer.
- B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic.
- C. Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.
- D. Use Cloud Armor to blacklist the attacker's IP addresses.
- E. SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.
Answer: B,E
NEW QUESTION # 23
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.
How should you provision your instances?
- A. Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
- B. Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
- C. Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
- D. Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
Answer: D
Explanation:
Explanation/Reference: https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance- groups
NEW QUESTION # 24
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. Multi-exit Discriminator
- B. Local Preference
- C. Community
- D. AS-Path
Answer: A
Explanation:
Explanation/Reference: https://cloud.google.com/router/docs/concepts/overview
NEW QUESTION # 25
You need to enable Private Google Access for use by some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on- premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls in the environment for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?
- A. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record painting to Google's private AP address range.
Change the custom route that points the default route (0/0) to the default internet gateway as the next hop. - B. Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google's private API address range.
Create a custom route that points Google's private API address range to the default internet gateway as the next hop. - C. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
Change the custom route that points the default route (0/0) to the default internet gateway as the next hop. - D. Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google's restricted API address range.
Create a custom route that points Google's restricted API address range to the default internet gateway as the next hop.
Answer: A
NEW QUESTION # 26
Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?
- A. Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.
- B. Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.
- C. Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-
- D. Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.
Answer: A
Explanation:
premises data center.
NEW QUESTION # 27
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods.
In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?
- A. Create a route to reach the Master, pointing to the default internet gateway.
- B. Assign a public IP address to the instance.
- C. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
- D. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
Answer: D
NEW QUESTION # 28
You are the network administrator responsible for hybrid connectivity at your organization. Your developer team wants to use Cloud SQL in the us-west1 region in your Shared VPC. You configured a Dedicated Interconnect connection and a Cloud Router in us-west1, and the connectivity between your Shared VPC and on-premises data center is working as expected. You just created the private services access connection required for Cloud SQL using the reserved IP address range and default settings. However, your developers cannot access the Cloud SQL instance from on-premises. You want to resolve the issue. What should you do?
- A. Change the VPC routing mode to global.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range. - B. Change the VPC routing mode to global.
Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes. - C. Create an additional Cloud Router in us-west2.
Create a new Border Gateway Protocol (BGP) peering connection to your on-premises data center.
Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes. - D. Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.
Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.
Answer: D
NEW QUESTION # 29
You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identity the web application firewall (WAF) rule that is incorrectly blocking traffic. What should you do?
- A. Enable firewall logs, and view the logs in Firewall Insights.
- B. Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.
- C. Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.
- D. Enable VPC Flow Logs, and view the logs in Cloud Logging.
Answer: A
NEW QUESTION # 30
You work for a organization called cloudtech5 . Your organization has decided to implement continuous integration and delivery (CI/CD) pipeline on Google Cloud Platform using only hosted products and the popular GitOps methodology . The architecture includes many microservices that are updated frequently and rolled back . Please select the products that should be used.
- A. Cloud Source repositories, Jenkins on Compute Engine , Container Registry , Google Kubernetes Engine.
- B. Cloud Source repositories, Cloud Build ,Container Registry,Google Kubernetes Engine
- C. BitBucket , Cloud Build , Container Registry , Google Kubernetes Engine.
- D. Cloud Storage , Cloud Dataflow,Compute Engine.
Answer: B
Explanation:
Option A is the Correct choice because , Cloud Source repositories is a a fully featured, scalable, private Git repository hosted on Google Cloud . Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives. Container Registry is a private container image registry that runs on Google Cloud Platform. Google Kuberenetes Engine is ideal for deploying small services that can be updated and rolled back quickly.
Option B is Incorrect because , BitBucket isn't Google Cloud hosted service but it can be used to achieve the same results .
Option C is Incorrect because Jenkins on Compute Engine isn't Google hosted product , Cloud build is the right choice because it is a service managed by Google Cloud .
Option D is Incorrect because , the objective is to implement CI/CD pipeline not data processing pipeline .
NEW QUESTION # 31
You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead. How should you design this topology?
- A. Configure three Shared VPC host projects, each with a service project: one for Web, one for App, and one for Database.
- B. Configure one VPC for Web, one VPC for App, and one VPC for Database. Configure HA VPN between each VPC.
- C. Configure a host project with a Shared VPC. Create service projects for Web, App, and Database.
- D. Configure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC Network Peering to connect all VPCs in a full mesh.
Answer: A
NEW QUESTION # 32
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)
- A. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
- B. gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
- C. GetIamPolicy() via REST API
- D. setIamPolicy() via REST API
- E. gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
Answer: A,B
NEW QUESTION # 33
Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?
- A. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
- B. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
- C. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
- D. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
Answer: B
NEW QUESTION # 34
Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.
* Each organization has enabled full connectivity between all of its projects by using Shared VPC.
* Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.
* There are no prefix overlaps between the two organizations.
* Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.
* Neither organization has Interconnects to their on-premises environment.
You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.
Which two steps should you take? (Choose two.)
- A. Connect VPCs in both organizations using Cloud VPN together with Cloud Router.
- B. Set up some variant of DNS forwarding and zone transfers in each organization.
- C. Provision Cloud Interconnect to connect both organizations together.
- D. Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.
- E. Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.
Answer: A,B
Explanation:
https://cloud.google.com/dns/docs/best-practices
NEW QUESTION # 35
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. Multi-exit Discriminator
- B. Local Preference
- C. Community
- D. AS-Path
Answer: A
NEW QUESTION # 36
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)
GetIamPolicy() via REST API
- A. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.
- B. role roles/editor
- C. role roles/editor
gcloud projects add-iam-policy-binding $projectname --member user:$username -- - D. setIamPolicy() via REST API
- E. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --
Answer: A,B
Explanation:
Explanation/Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access
NEW QUESTION # 37
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
- A. MANAGED_ZONE
gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE - B. MANAGED_ZONE
- C. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone
- D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone
Answer: D
Explanation:
Once you have the exported file from your other provider, you can use the gcloud dns record-sets import command to import it into your managed zone.
To import record-sets, you use the dns record-sets import command. The --zone-file-format flag tells importto expect a BIND zone formatted file. If you omit this flag, import expects a YAML-formatted records file.
Reference: https://medium.com/@prashantapaudel/gcp-certification-series-2-4-planning-and-configuring- network-resources-8045ac2cc2ac
NEW QUESTION # 38
......
Get 2023 Updated Free Google Professional-Cloud-Network-Engineer Exam Questions and Answer: https://www.actual4test.com/Professional-Cloud-Network-Engineer_examcollection.html
Pass Professional-Cloud-Network-Engineer Exam Updated 172 Questions: https://drive.google.com/open?id=1gt3vzpUs6GznPPLP8hVRIADm4lCN9GrF