Certified Google Professional-Cloud-Network-Engineer Free Practice Questions Online

NEW QUESTION 1
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

• A. GetIamPolicy() via REST API
• B. setIamPolicy() via REST API
• C. gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
• D. gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor
• E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Answer: DE

NEW QUESTION 2
You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?

• A. Configure VPC Service Controls and create a secure perimete
• B. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.
• C. Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.
• D. Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.
• E. Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

Answer: C

NEW QUESTION 3
You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You need to minimize data transfer costs when deploying VLAN attachments. What should you do?

• A. Keep the existing Dedicated interconnec
• B. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.
• C. Keep the existing Dedicated Interconnec
• D. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.
• E. Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC globalrouting to access workloads in us-central1.
• F. Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.

Answer: C

NEW QUESTION 4
You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required. What should you do?

• A. Enable VPC Flow Logs and send the output to BigQuery for analysis.
• B. Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.
• C. Configure Packet Mirroring to send all traffic to a V
• D. Use Wireshark on the VM to identity traffic utilization for each VM in the VPC.
• E. Deploy a third-party network appliance and configure it as the default gatewa
• F. Use the third-party network appliance to identify users with high network traffic.

Answer: C

NEW QUESTION 5
You are designing a Partner Interconnect hybrid cloud connectivity solution with geo-redundancy across two metropolitan areas. You want to follow Google-recommended practices to set up the following region/metro pairs:
(region 1/metro 1)
(region 2/metro 2) What should you do?

• A. Create a Cloud Router in region 1 with two VLAN attachments connected to metro1-zone1-x.Create a Cloud Router in region 2 with two VLAN attachments connected to metro1-zone2-x.
• B. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x.Create a Cloud Router in region 2 with two VLAN attachments connected to metro2-zone2-x.
• C. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone2-x.Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone2-x.
• D. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x.Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment to metro2-zone2-x.

Answer: B

NEW QUESTION 6
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?

• A. Cloud NAT
• B. An instance with IP forwarding enabled
• C. An instance configured with iptables DNAT rules
• D. An instance configured with iptables SNAT rules

Answer: A

NEW QUESTION 7
You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?

• A. Order a Dedicated Interconnect connection in the same metropolitan are
• B. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.
• C. Order a Direct Peering connection in the same metropolitan are
• D. Configure a Border Gateway Protocol (BGP) session between Google and your router.
• E. Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.
• F. Order a Carrier Peering connection in the same metropolitan are
• G. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Answer: B

NEW QUESTION 8
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?

• A. Carrier Peering
• B. Direct Peering
• C. Dedicated Interconnect
• D. Partner Interconnect

Answer: B

Explanation:
When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.

NEW QUESTION 9
You are migrating to Cloud DNS and want to import your BIND zone file. Which command should you use?

• A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
• B. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
• C. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
• D. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE

Answer: C

Explanation:
https://cloud.google.com/sdk/gcloud/reference/dns/record-sets/import

NEW QUESTION 10
You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routers are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?

• A. resource.type= “gce_router”
• B. resource.type= “gce_network_region”
• C. resource.type= “vpn_tunnel”
• D. resource.type= “vpn_gateway”

Answer: C

NEW QUESTION 11
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?

• A. Configure a policy-based route rule to prioritize the traffic.
• B. Configure an HTTP load balancer, and direct the traffic to it.
• C. Configure Dynamic Routing for the subnet hosting the application.
• D. Configure the TTL for the DNS zone to decrease the time between updates.

Answer: B

NEW QUESTION 12
Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from your on-premises network using Cloud Interconnect. You must configure access only to Google APIs and services that are supported by VPC Service Controls through hybrid connectivity with a service level agreement (SLA) in place. What should you do?

• A. Configure the existing Cloud Routers to advertise the Google API's public virtual IP addresses.
• B. Use Private Google Access for on-premises hosts with restricted.googleapis.com virtual IP addresses.
• C. Configure the existing Cloud Routers to advertise a default route, and use Cloud NAT to translate traffic from your on-premises network.
• D. Add Direct Peering links, and use them for connectivity to Google APIs that use public virtual IP addresses.

Answer: B

NEW QUESTION 13
You work for a university that is migrating to GCP. These are the cloud requirements:
• On-premises connectivity with 10 Gbps
• Lowest latency access to the cloud
• Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?

• A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
• B. Use Shared VPC, and deploy the VLAN attachments in the service project
• C. Connect the VLAN attachment to the Shared VPC's host project.
• D. Use standalone projects, and deploy the VLAN attachments in the individual project
• E. Connect the VLAN attachment to the standalone projects' Interconnects.
• F. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Answer: A

Explanation:
https://cloud.google.com/interconnect/docs/how-to/dedicated/using-interconnects-other-projects
Using Cloud Interconnect with Shared VPC You can use Shared VPC to share your VLAN attachment in a project with other VPC networks. Choosing Shared VPC is preferable if you need to create many projects and would like to prevent individual project owners from managing their connectivity back to your on-premises network. In this scenario, the host project contains a common Shared VPC network usable by VMs in service projects. Because VMs in the service projects use this network, Service Project Admins don't need to create other VLAN attachments or Cloud Routers in the service projects. In this scenario, you must create VLAN attachments and Cloud Routers for a Cloud Interconnect connection only in the Shared VPC host project. The combination of a VLAN attachment and its associated Cloud Router are unique to a given Shared VPC network.
https://cloud.google.com/network-connectivity/docs/interconnect/how-to/enabling-multiple-networks-access-sa
https://cloud.google.com/vpc/docs/shared-vpc

NEW QUESTION 14
In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?

• A. Create network tag app-server and service account sa-db@my-project.iam.gserviceaccount.co
• B. Add the tag to the application servers, and associate the service account with the database server
• C. Run the following command:gcloud compute firewall-rules create app-db-firewall-rule \--action allow \--direction ingress \--rules top:3306 \--source-tags app-server \--target-service-accounts sa-db@my- project.iam.gserviceaccount.com
• D. Create service accounts sa-app@my-project.iam.gserviceaccount.com andsa-db@my-project.iam.gserviceaccount.co
• E. Associate service account sa-app with the application servers, and associate theservice account sa-db with the database server
• F. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru--allow TCP:3306 \--source-service-accounts sa-app@democloud-idp- demo.iam.gserviceaccount.com \--target-service-accounts sa-db@my- project.iam.gserviceaccount.com
• G. Create service accounts sa-app@my-project.iam.gserviceaccount.com andsa-db@my-project.iam.gserviceaccount.co
• H. Associate the service account sa-app with the application servers, and associatethe service account sa-db with the database server
• I. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru--allow TCP:3306 \--source-ranges 10.128.0.0/20 \--source-service-accounts sa-app@my- project.iam.gserviceaccount.com \--target-service-accounts sa-db@my- project.iam.gserviceaccount.com
• J. Create network tags app-server and db-serve
• K. Add the app-server tag to the application servers, and add the db-server tag to the database server
• L. Run the following command:gcloud compute firewall-rules create app-db-firewall-rule \--action allow \--direction ingress \--rules tcp:3306 \--source-ranges 10.128.0.0/20 \--source-tags app-server \--target-tags db-server

Answer: D

NEW QUESTION 15
You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is
configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?

• A. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.Configure your on-premises firewall to accept traffic from 10.204.0.0/24. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24
• B. Create a private forwarding zone in Cloud DNS for ‘corp.altostrat.com’ called corp-altostrat-com that points to 192.168 20.88.Configure your on-premises firewall to accept traffic from 35.199.192.0/19 Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
• C. Create a private forwarding zone in Cloud DNS for ‘corp .altostrat.com’ called corp-altostrat-com that points to 192.168.20.88.Configure your on-premises firewall to accept traffic from 10.204.0.0/24.Modify the /etc/resolv conf file on your Compute Engine instances to point to 192.168.20 88
• D. Create a private zone in Cloud DNS for ‘corp altostrat.com’ called corp-altostrat-com.Configure DNS Server Policies and create a policy with Alternate DNS servers to 192.168.20.88. Configure your on-premises firewall to accept traffic from 35.199.192.0/19.Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.

Answer: D

NEW QUESTION 16
You are the Organization Admin for your company. One of your engineers is responsible for setting up multiple host projects across multiple folders and sharing subnets with service projects. You need to enable the engineer's Identity and Access Management (IAM) configuration to complete their task in the fewest number of steps. What should you do?

• A. Set up the engineer with Compute Shared VPC Admin IAM role at the folder level.
• B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization level.
• C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level.
• D. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the organization level.

Answer: B

NEW QUESTION 17
You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.
How should you configure the Distribution VPC?

• A. Create the Distribution VPC in auto mod
• B. Peer both the VPCs via network peering.
• C. Create the Distribution VPC in custom mod
• D. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.
• E. Create the Distribution VPC in custom mod
• F. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.
• G. Rename the default VPC as "Distribution" and peer it via network peering.

Answer: B

Explanation:
https://cloud.google.com/vpc/docs/vpc#ip-ranges

NEW QUESTION 18
......