google PROFESSIONAL CLOUD NETWORK ENGINEER Exam Questions
Questions for the PROFESSIONAL CLOUD NETWORK ENGINEER were updated on : Nov 14 ,2024
Page 1 out of 6. Viewing questions 1-15 out of 80
Question 1
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be
able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular
instance across both services.
Which session affinity should you choose?
- A. None
- B. Client IP
- C. Client IP and protocol
- D. Client IP, port and protocol
Answer:
B
Question 2
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block
project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been
configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
- A. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
- B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
- C. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
- D. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
Answer:
B
Explanation:
Reference: https://cloud.google.com/compute/docs/storing-retrieving-metadata
Question 3
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the
cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
- A. Add an appropriate lifecycle rule on the storage bucket.
- B. Issue a cache invalidation command with pattern /folder-a/*.
- C. Make sure that all the objects with prefix folder-a are not shared publicly.
- D. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
Answer:
C
Question 4
Your organization is deploying a single project for 3 separate departments. Two of these departments require network
connectivity between each other, but the third department should remain in isolation. Your design should create separate
network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
- A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
- B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
- C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
- D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
Answer:
A
Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other
securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as
subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies
across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation
helps you implement the principle of least privilege. For example, a centralized network team can administer the network
without having any permissions into the participating projects. Similarly, the project admins can manage their project
resources without any permissions to manipulate the shared network.
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
Question 5
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
--network custom-network1 \
--destination-range 0.0.0.0/0 \
--next-hop instance nat-gateway \
--next-hop instance-zone us-central1-a \
--tags no-ip --priority 800
You want existing instances to use the new NAT gateway.
Which command should you execute?
- A. sudo sysctl -w net.ipv4.ip_forward=1
- B. gcloud compute instances add-tags [existing-instance] --tags no-ip
- C. gcloud builds submit --config=cloudbuild.waml --substitutions=TAG_NAME=no-ip
- D. gcloud compute instances create example-instance --network custom-network1 \ --subnet subnet-us-central \ --no-address \ --zone us-central1-a \ --image-family debian-9 \ --image-project debian-cloud \ --tags no-ip
Answer:
D
Explanation:
Reference: https://cloud.google.com/vpc/docs/special-configurations
Question 6
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?
- A. Cloud NAT
- B. An instance with IP forwarding enabled
- C. An instance configured with iptables DNAT rules
- D. An instance configured with iptables SNAT rules
Answer:
A
Explanation:
Reference: https://cloud.google.com/nat/docs/overview
Question 7
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with
each other. You want to minimize cost and increase network efficiency.
How should you design this topology?
- A. Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
- B. Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
- C. Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
- D. Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
Answer:
D
Explanation:
VPC Network Peering enables you to peer VPC networks so that workloads in different VPC networks can communicate in
private RFC 1918 space. Traffic stays within Google's network and doesn't traverse the public internet.
Reference: https://cloud.google.com/vpc/docs/vpc-peering
Question 8
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are
exposed between departments. Your Production and Staging departments can communicate with each other, but only via
specific networks. You want to follow Google-recommended practices.
How should you design this topology?
- A. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
- B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
- C. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
- D. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
Answer:
D
Explanation:
Reference: https://cloud.google.com/vpc/docs/shared-vpc
Question 9
You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team
as efficiently as possible.
What should you do?
- A. Create a Google Group for the WebServices Team.
- B. Create a G Suite Domain for the WebServices Team.
- C. Create a new Cloud Identity Domain for the WebServices Team.
- D. Create a new Custom Role for all members of the WebServices Team.
Answer:
A
Question 10
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-
premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device
supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?
- A. • Create a Cloud VPN instance. • Create a policy-based VPN tunnel per subnet. • Configure the appropriate local and remote traffic selectors to match your local and remote networks. • Create the appropriate static routes.
- B. • Create a Cloud VPN instance. • Create a policy-based VPN tunnel. • Configure the appropriate local and remote traffic selectors to match your local and remote networks. • Configure the appropriate static routes.
- C. • Create a Cloud VPN instance. • Create a route-based VPN tunnel. • Configure the appropriate local and remote traffic selectors to match your local and remote networks. • Configure the appropriate static routes.
- D. • Create a Cloud VPN instance. • Create a route-based VPN tunnel. • Configure the appropriate local and remote traffic selectors to 0.0.0.0/0. • Configure the appropriate static routes.
Answer:
D
Explanation:
Reference: https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
Question 11
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine
Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises
environment to GCP, given these specifications:
Your ISP is a Google Partner Interconnect provider.
Your on-premises VPN devices internet uplink and downlink speeds are 10 Gbps.
A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due
to packet losses. Most of the data transfer will be from GCP to the on-premises environment.
The application can burst up to 1.5 Gbps during peak transfers over the Interconnect. Cost and the complexity of the
solution should be minimal.
How should you provision the connectivity solution?
- A. Provision a Partner Interconnect through your ISP.
- B. Provision a Dedicated Interconnect instead of a VPN.
- C. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
- D. Use network compression over your VPN to increase the amount of data you can send over your VPN.
Answer:
C
Question 12
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud
Interconnect VLAN attachments.
What should you do?
- A. Assign each user the editor role.
- B. Assign each user the compute.networkAdmin role.
- C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
- D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
Answer:
C
Question 13
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud
Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)
- A. Enable Private Google Access on all the subnets.
- B. Enable Private Google Access on the VPC.
- C. Enable Private Services Access on the VPC.
- D. Create network peering between your VPC and BigQuery.
- E. Create a Cloud NAT, and route the application traffic via NAT gateway.
Answer:
B E
Question 14
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the
172.16.45.0/24 network.
What should you do?
- A. Configure global load balancing to point 172.16.45.0/24 to the correct instance.
- B. Create unique DNS records for each service that sends traffic to the desired IP address.
- C. Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
- D. Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.
Answer:
B
Question 15
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage
buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You
notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth
utilization of the connection.
What should you do on your on-premises servers?
- A. Tune TCP parameters on the on-premises servers.
- B. Compress files using utilities like tar to reduce the size of data being sent.
- C. Remove the -m flag from the gsutil command to enable single-threaded transfers.
- D. Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].
Answer:
A