Google - Prep4sure - Professional Cloud Network Engineer - Vce.download.2023 Aug 04.by - Clyde.62q.vce

Recommend!!
Get the Full Professional-Cloud-Network-Engineer dumps in VCE and PDF From SurePassExam
https://www.surepassexam.com/Professional-Cloud-Network-Engineer-exam-dumps.html (153 New Questions)
Google
Exam Questions Professional-Cloud-Network-Engineer
Google Cloud Certified - Professional Cloud Network Engineer
Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Recommend!! Get the Full Professional-Cloud-Network-Engineer dumps in VCE and PDF From SurePassExam
NEW QUESTION 1
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple
Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?
A. None
B. Client IP
C. Client IP and protocol
D. Client IP, port and protocol
Answer: B
NEW QUESTION 2
You are designing a new application that has backends internally exposed on port 800. The application will be exposed externally using both IPv4 and IPv6 via
TCP on port 700. You want to ensure high availability for this application. What should you do?
A. Create a network load balancer that used backend services containing one instance group with two instances.
B. Create a network load balancer that uses a target pool backend with two instances.
C. Create a TCP proxy that uses a zonal network endpoint group containing one instance.
D. Create a TCP proxy that uses backend services containing an instance group with two instances.
Answer: D
NEW QUESTION 3
You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native
cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before
cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum
number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?
A. /21
B. /22
C. /23
D. /25
Answer: A
NEW QUESTION 4
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not
responding, even though the cluster is up and running.
What should you do to solve the problem?
A. Assign a public IP address to the instance.

B. Create a route to reach the Master, pointing to the default internet gateway.
C. Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.
D. Create the appropriate master authorized network entries to allow the instance to communicate to the master.
Answer: D
Explanation:
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#cant_reach_cluster https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-
networks
NEW QUESTION 5
You want to configure load balancing for an internet-facing, standard voice-over-IP (VOIP) application. Which type of load balancer should you use?
A. HTTP(S) load balancer

B. Network load balancer
C. Internal TCP/UDP load balancer
D. TCP/SSL proxy load balancer
Answer: B
NEW QUESTION 6
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?
A. Carrier Peering
B. Direct Peering
C. Dedicated Interconnect
D. Partner Interconnect
Answer: B
Explanation:
When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed

through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC
networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct
Peering with Google. For more information, see Pricing.
NEW QUESTION 7
You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity
issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?
A. Use the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.
B. Use Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.
C. Configure VPC Flow Log
D. Review the logs by filtering on the source and destination.
E. Configure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.
Answer: B
NEW QUESTION 8
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none
of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)
A. Enable Private Google Access on all the subnets.

B. Enable Private Google Access on the VPC.
C. Enable Private Services Access on the VPC.
D. Create network peering between your VPC and BigQuery.
E. Create a Cloud NAT, and route the application traffic via NAT gateway.
Answer: AE
Explanation:
https://cloud.google.com/nat/docs/overview#interaction-pga Specifications https://cloud.google.com/vpc/docs/configure-private-google-access#specifications
NEW QUESTION 9
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The
networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
A. Assign members of the networking team the compute.networkUser role.

B. Assign members of the networking team the compute.networkAdmin role.
C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
D. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
Answer: B
NEW QUESTION 10
Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated
Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By
default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be
rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?
A. Use regional routin

B. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 CloudRouter to a base priority of 1
C. Use global routin
D. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1
E. Use regional routin
F. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1
G. Use global routin
H. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1
Answer: A
NEW QUESTION 10
You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?
A. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
B. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
C. Create a single firewall rule to allow port 22 with priority 1000.
D. Create a single firewall rule to allow port 3389 with priority 1000.
Answer: C
NEW QUESTION 12
You need to configure the Border Gateway Protocol (BGP) session for a VPN tunnel you just created between two Google Cloud VPCs, 10.1.0.0/16 and
172.16.0.0/16. You have a Cloud Router (router-1) in the 10.1.0.0/16 network and a second Cloud Router (router-2) in the 172.16.0.0/16 network. Which
configuration should you use for the BGP session?

A. C:\Users\Admin\Desktop\Data\Odt data\Untitled.jpg
B. C:\Users\Admin\Desktop\Data\Odt data\Untitled.jpg
C. C:\Users\Admin\Desktop\Data\Odt data\Untitled.jpg
D. C:\Users\Admin\Desktop\Data\Odt data\Untitled.jpg
Answer: C
NEW QUESTION 14
Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective
project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow
between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments.
What should you do?
A. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
B. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
C. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to
the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
D. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to
the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
Answer: B
NEW QUESTION 15
You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an
existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want
to set up a direct connection between your network and Google. What should you do?
A. Order a Dedicated Interconnect connection in the same metropolitan are

B. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.
C. Order a Direct Peering connection in the same metropolitan are
D. Configure a Border Gateway Protocol (BGP) session between Google and your router.
E. Configure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.
F. Order a Carrier Peering connection in the same metropolitan are
G. Configure a Border Gateway Protocol (BGP) session between Google and your router.
Answer: B
NEW QUESTION 16
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost
and increase network efficiency.
How should you design this topology?
A. Create 2 VPCs, each with their own regions and individual subnet
B. Create 2 VPN gateways to establish connectivity between these regions.
C. Create 2 VPCs, each with their own region and individual subnet
D. Use external IP addresses on the instances to establish connectivity between these regions.
E. Create 1 VPC with 2 regional subnet
F. Create a global load balancer to establish connectivity between the regions.
G. Create 1 VPC with 2 regional subnet
H. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
Answer: D
Explanation:
https://cloud.google.com/vpc/docs/using-vpc#create-auto-network
We create one VPC network in auto mode that creates one subnet in each Google Cloud region automatically. So, region us-east1 and europe-west1 are in the
same network and they can communicate using their internal IP address even though they are in different Regions. They take advantage of Google's global fiber
network.
NEW QUESTION 17
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all
three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the
Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the
problem.

What should you do?
A. Configure VPC peering in a full mesh.

B. Alter the routing table to resolve the asymmetric route.
C. Create network tags to allow connectivity between all three VPCs.
D. Delete the legacy network and recreate it to allow transitive peering.
Answer: A
Explanation:
https://cloud.google.com/vpc/docs/using-vpc-peering
NEW QUESTION 21
You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are exposed between departments. Your
Production and Staging departments can communicate with each other, but only via specific networks. You want to follow Google-recommended practices.
A. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between the
B. Use firewall rules to filter access between the specific networks.
C. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between the
D. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
E. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between the
F. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
G. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
Answer: D
NEW QUESTION 25
You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer
for the web servers. You need to configure load balancing for the application tier of servers. What should you do?
A. Configure a forwarding rule on the existing load balancer for the application tier.
B. Configure equal cost multi-path routing on the application servers.
C. Configure a new internal HTTP(S) load balancer for the application tier.
D. Configure a URL map on the existing load balancer to route traffic to the application tier.
Answer: A
NEW QUESTION 26
Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an
intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all
egress traffic payloads from us-west2. What should you do?
A. Enable firewall logging, and forward all filtered egress firewall logs to the IDS.
B. Enable VPC Flow Log
C. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.
D. Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
E. Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.
Answer: B
NEW QUESTION 27
You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your
workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You
need to minimize data transfer costs when deploying VLAN attachments. What should you do?
A. Keep the existing Dedicated interconnec

B. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.
C. Keep the existing Dedicated Interconnec
D. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.
E. Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC globalrouting to access workloads in us-central1.
F. Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.
Answer: C
NEW QUESTION 29
You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific
local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?
A. Dynamic routing using Cloud Router

B. Route-based routing using default traffic selectors
C. Policy-based routing using a custom local traffic selector
D. Policy-based routing using the default local traffic selector
Answer: C

NEW QUESTION 30
Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the
design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name
resolution from your hub-and-spoke VPC design. What should you do?
A. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server.Configure DNS peering from the spoke VPCs to the
hub VPC.
B. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs.Configure the spoke VPCs with a private zone, and set up DNS
peering to the hub VPC.
C. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server.Configure the hub VPC with a private zone, and
set up DNS peering to each of the spoke VPCs.
D. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server.Configure the spoke VPCs with a private zone, and set
up DNS peering to the hub VPC.
Answer: C
NEW QUESTION 33
Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires
each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and
operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the
internet can be inspected using the same third-party appliances. What should you do?
A. Configure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per projec
B. Create the relevant routes on the third-party appliances and VPC networks.
C. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC networ
D. Create separate VPC networks for on- premises and internet connectivit
E. Create the relevant routes on the third-party appliances and VPC networks.
F. Consolidate all existing projects’ subnetworks into a single VP
G. Create separate VPC networks for on-premises and internet connectivit
H. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC networ
I. Create the relevant routes on the third-party appliances and VPC networks.
J. Configure the third-party appliances with multiple interface
K. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivit
L. Create the relevant routes on the third-party appliances and VPC network
M. Use VPC Network Peering to connect all projects’ VPC networks to the hub VP
N. Export custom routes from the hub VPC and import on all projects’ VPC networks.
Answer: D
NEW QUESTION 36
You are designing a Partner Interconnect hybrid cloud connectivity solution with geo-redundancy across two metropolitan areas. You want to follow Google-
recommended practices to set up the following region/metro pairs:
(region 1/metro 1)
(region 2/metro 2) What should you do?
A. Create a Cloud Router in region 1 with two VLAN attachments connected to metro1-zone1-x.Create a Cloud Router in region 2 with two VLAN attachments
connected to metro1-zone2-x.
B. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x.Create a Cloud Router in region 2 with two VLAN attachments
C. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone2-x.Create a Cloud Router in region 2 with one VLAN attachment
D. Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x.Create a
Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment to metro2-zone2-x.
Answer: B
NEW QUESTION 37
You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud
command.
Which next hop should you choose?
A. The default internet gateway

B. The IP address of the Cloud VPN gateway
C. The name and region of the Cloud VPN tunnel
D. The IP address of the instance on the remote side of the VPN tunnel
Answer: C
Explanation:
When you create a route based tunnel using the Cloud Console, Classic VPN performs both of the following tasks: Sets the tunnel's local and remote traffic
selectors to any IP address (0.0.0.0/0) For each range in Remote network IP ranges, Google Cloud creates a custom static route whose destination (prefix) is the
range's CIDR, and whose next hop is the tunnel.
https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-static-vpns
NEW QUESTION 40
You have several microservices running in a private subnet in an existing Virtual Private Cloud (VPC). You need to create additional serverless services that use
Cloud Run and Cloud Functions to access the
microservices. The network traffic volume between your serverless services and private microservices is low. However, each serverless service must be able to
communicate with any of your microservices. You want to implement a solution that minimizes cost. What should you do?

A. Deploy your serverless services to the serverless VP

B. Peer the serverless service VPC to the existing VP
C. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
D. Create a serverless VPC access connector for each serverless servic
E. Configure the connectors to allow traffic between the serverless services and your existing microservices.
F. Deploy your serverless services to the existing VP
G. Configure firewall rules to allow traffic between the serverless services and your existing microservices.
H. Create a serverless VPC access connecto
I. Configure the serverless service to use the connector for communication to the microservices.
Answer: D
NEW QUESTION 44
You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):
You need to update the firewall rule to add the following rule to the ruleset:
You are using a new user account. You must assign the appropriate identity and Access Management (IAM) user roles to this new user account before updating
the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?
A. Assign the compute.securityAdmin and logging.viewer rule to the new user accoun
B. Apply the new firewall rule with a priority of 50.
C. Assign the compute.securityAdmin and logging.bucketWriter role to the new user accoun
D. Apply the new firewall rule with a priority of 150.
E. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user accoun
F. Apply the new firewall rule with a priority of 50.
G. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account.Apply the new firewall rule with a priority of 150.
Answer: A
NEW QUESTION 45
Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against
configured firewall rules without increasing operational overhead. What should you do?
A. Configure Firewall Rules Loggin

B. Use Firewall Insights to display the number of hits.
C. Configure Firewall Rules Loggin
D. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.
E. Configure a firewall appliance from the Google Cloud Marketplac
F. Route all traffic through this appliance, and apply the firewall rules at this laye
G. Use the firewall appliance to display the number of hits.
H. Configure Packet Mirroring on the VP
I. Apply a filter with an IP address list of the Denied Firewall rule
J. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.
Answer: A
NEW QUESTION 48
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node
and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500
services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.
A. Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Service
B. Create a VPC-native cluster and specify those ranges.
C. Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Service
D. Create a VPC-native cluster and specify those range
E. When the services are ready to be deployed, resize the subnets.
F. Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster.
G. Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.
Answer: A
Explanation:
The service range setting is permanent and cannot be changed. Please see
https://stackoverflow.com/questions/60957040/how-to-increase-the-service-address-range-of-a-gke-cluster I think the correc tanswer is A since: Grow is expected
to up to 100 nodes (that would be /25), then up to 200 pods per node (100 times 200 = 20000 so /17 is 32768), then 1500 services in a /21 (up to 2048)
https://docs.netgate.com/pfsense/en/latest/book/network/understanding-cidr-subnet-mask-notation.html

NEW QUESTION 49
Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow.
Your company requires end-to-end encryption, but you do not have access to the SSL certificates.
Which Google Cloud load balancer should you use?
A. SSL proxy load balancer

B. Network load balancer
C. HTTPS load balancer
D. TCP proxy load balancer
Answer: D
Explanation:
https://cloud.google.com/security/encryption-in-transit/ Automatic encryption between GFEs and backends For the following load balancer types, Google
automatically encrypts traffic between Google Front Ends (GFEs) and your backends that reside within Google Cloud VPC networks: HTTP(S) Load Balancing
TCP Proxy Load Balancing SSL Proxy Load Balancing
NEW QUESTION 53
You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to
make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.
What should you do?
A. Ensure that the object you don’t want to be cached anymore is not shared publicly.
B. Create a new storage bucket, and move the object you don’t want to be checked anymore inside i
C. Then edit the bucket setting and enable the private attribute.
D. Add an appropriate lifecycle rule on the storage bucket containing the two objects.
E. Add a Cache-Control entry with value private to the metadata of the object you don’t want to be cached anymor
F. Invalidate all the previously cached copies.
Answer: D
Explanation:
https://cloud.google.com/cdn/docs/invalidating-cached-content
NEW QUESTION 56
Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to
configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:
Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.
All DNS resolution must be done on-premises.
The solution should only provide access to APIs that are compatible with VPC Service Controls. What should you do?
A. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.Create a CNAME record for *.googleapis.com that points to the A
record.Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.Remove the default internet
gateway from the VPC where your Cloud VPN tunnel terminates.
B. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.Create a CNAME record for *.googleapis.com that points to the A
record.Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.Configure your on-premises
firewalls to allow traffic to the restricted.googleapis.com addresses.
C. Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.Create a CNAME record for *.googleapis.com that points to the A
record.Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.Remove the default internet
gateway from the VPC where your Cloud VPN tunnel terminates.
D. Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.Create a CNAME record for *.googleapis.com that points to the A
record.Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.Configure your on-premises
firewalls to allow traffic to the private.googleapis.com addresses.
Answer: C
NEW QUESTION 61
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918
address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:
Your ISP is a Google Partner Interconnect provider.
Your on-premises VPN device’s internet uplink and downlink speeds are 10 Gbps.
A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.
Most of the data transfer will be from GCP to the on-premises environment.
The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.
Cost and the complexity of the solution should be minimal.
How should you provision the connectivity solution?
A. Provision a Partner Interconnect through your ISP.

B. Provision a Dedicated Interconnect instead of a VPN.
C. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
D. Use network compression over your VPN to increase the amount of data you can send over your VPN.
Answer: A
Explanation:
Direct Interconnect will be too expensive and also an overkill for this requirement. Managing multiple tunnels that too with packet loss consideration is complex
also. Whereas partner interconnect fits the bill with providing required bandwidth but not super expensive also once setup not too complex too manage.

NEW QUESTION 62
In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24.
You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules
that only allow database traffic from the application servers to the database servers. What should you do?
A. Create network tag app-server and service account sa-db@my-project.iam.gserviceaccount.co

B. Add the tag to the application servers, and associate the service account with the database server
C. Run the following command:gcloud compute firewall-rules create app-db-firewall-rule \--action allow \--direction ingress \--rules top:3306 \--source-tags app-
server \--target-service-accounts sa-db@my- project.iam.gserviceaccount.com
D. Create service accounts sa-app@my-project.iam.gserviceaccount.com andsa-db@my-project.iam.gserviceaccount.co
E. Associate service account sa-app with the application servers, and associate theservice account sa-db with the database server
F. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru--allow TCP:3306 \--source-service-accounts sa-app@democloud-idp-
demo.iam.gserviceaccount.com \--target-service-accounts sa-db@my- project.iam.gserviceaccount.com
G. Create service accounts sa-app@my-project.iam.gserviceaccount.com andsa-db@my-project.iam.gserviceaccount.co
H. Associate the service account sa-app with the application servers, and associatethe service account sa-db with the database server
I. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru--allow TCP:3306 \--source-ranges 10.128.0.0/20 \--source-service-accounts
sa-app@my- project.iam.gserviceaccount.com \--target-service-accounts sa-db@my- project.iam.gserviceaccount.com
J. Create network tags app-server and db-serve
K. Add the app-server tag to the application servers, and add the db-server tag to the database server
L. Run the following command:gcloud compute firewall-rules create app-db-firewall-rule \--action allow \--direction ingress \--rules tcp:3306 \--source-ranges
10.128.0.0/20 \--source-tags app-server \--target-tags db-server
Answer: D
NEW QUESTION 64
You have two Google Cloud projects in a perimeter to prevent data exfiltration. You need to move a third project inside the perimeter; however, the move could
negatively impact the existing environment. You need to validate the impact of the change. What should you do?
A. Enable Firewall Rules Logging inside the third project.

B. Modify the existing VPC Service Controls policy to include the new project in dry run mode.
C. Monitor the Resource Manager audit logs inside the perimeter.
D. Enable VPC Flow Logs inside the third project, and monitor the logs for negative impact.
Answer: B
NEW QUESTION 68
Your company’s on-premises network is connected to a VPC using a Cloud VPN tunnel. You have a static route of 0.0.0.0/0 with the VPN tunnel as its next hop
defined in the VPC. All internet bound traffic currently passes through the on-premises network. You configured Cloud NAT to translate the primary IP addresses of
Compute Engine instances in one region. Traffic from those instances will now reach the internet directly from their VPC and not from the on-premises network.
Traffic from the virtual machines (VMs) is not translating addresses as expected. What should you do?
A. Lower the TCP Established Connection Idle Timeout for the NAT gateway.
B. Add firewall rules that allow ingress and egress of the external NAT IP address, have a target tag that is on the Compute Engine instances, and have a priority
value higher than the priority value of the default route to the VPN gateway.
C. Add a default static route to the VPC with the default internet gateway as the next hop, the network tag associated with the Compute Engine instances, and a
higher priority than the priority of the default route to the VPN tunnel.
D. Increase the default min-ports-per-vm setting for the Cloud NAT gateway.
Answer: A
NEW QUESTION 70
You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual
Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?
A. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rul
B. Clients should use this IP address to connect to the service.
C. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url
https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
D. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwardingrul
E. Then, define an A record in Cloud DN
F. Clients should use the name of the A record to connect to the service.
G. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION]/.
Answer: C
NEW QUESTION 74
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to
increase the available bandwidth using Cloud VPN.
What should you do?
A. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
B. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
C. Add a second on-premises VPN gateway with a different public IP addres
D. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
E. Add a second Cloud VPN gateway in a different region than the existing VPN gatewa
F. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
Answer: C

Explanation:
https://cloud.google.com/network-connectivity/docs/vpn/concepts/classic-topologies#redundancy-options
NEW QUESTION 77
Your company’s Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should
support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They
are currently using the following directory structure:
/fr/video
/en/video
/es/video
/../video
/fr/audio
/en/audio
/es/audio
/../audio
Which solution should you recommend?
A. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and/audio/*.
B. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
C. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
D. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.
Answer: A
Explanation:
https://cloud.google.com/load-balancing/docs/url-map#configuring_url_maps
Path matcher constraints Path matchers and path rules have the following constraints: A path rule can only include a wildcard character (*) after a forward slash
character (/). For example, /videos/* and /videos/hd/* are valid for path rules, but /videos* and /videos/hd* are not. Path rules do not use regular expression or
substring matching. For example, path rules for either /videos/hd or /videos/hd/* do not apply to a URL with the path /video/hd-abcd. However, a path rule for
/video/* does apply to that path. https://cloud.google.com/load-balancing/docs/url-map-concepts#pm-constraints
NEW QUESTION 79
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly;
however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
• Each on-premises router is configured with a unique ASN.
• Each on-premises router is configured with the same routes and priorities.
• Both on-premises routers are configured with a VPN connected to a single Cloud Router.
• BGP sessions are established between both on-premises routers and the Cloud Router.
• Only 1 of the on-premises router’s routes are being added to the routing table. What is the most likely cause of this problem?
A. The on-premises routers are configured with the same routes.

B. A firewall is blocking the traffic across the second VPN connection.
C. You do not have a load balancer to load-balance the network traffic.
D. The ASNs being used on the on-premises routers are different.
Answer: D
Explanation:
https://cloud.google.com/network-connectivity/docs/router/support/troubleshooting#ecmp
NEW QUESTION 83
......

Thank You for Trying Our Product
We offer two products:
1st - We have Practice Tests Software with Actual Exam Questions
2nd - Questons and Answers in PDF Format
Professional-Cloud-Network-Engineer Practice Exam Features:
* Professional-Cloud-Network-Engineer Questions and Answers Updated Frequently
* Professional-Cloud-Network-Engineer Practice Questions Verified by Expert Senior Certified Staff
* Professional-Cloud-Network-Engineer Most Realistic Questions that Guarantee you a Pass on Your FirstTry
* Professional-Cloud-Network-Engineer Practice Test Questions in Multiple Choice Formats and Updatesfor 1 Year
100% Actual & Verified — Instant Download, Please Click

Order The Professional-Cloud-Network-Engineer Practice Test Here

Powered by TCPDF (www.tcpdf.org)

Google - Prep4sure - Professional Cloud Network Engineer - Vce.download.2023 Aug 04.by - Clyde.62q.vce

Uploaded by

Copyright:

Available Formats

Google - Prep4sure - Professional Cloud Network Engineer - Vce.download.2023 Aug 04.by - Clyde.62q.vce

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Google - Prep4sure - Professional Cloud Network Engineer - Vce.download.2023 Aug 04.by - Clyde.62q.vce

Uploaded by

Copyright:

Available Formats

Recommend!!

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Assign a public IP address to the instance.

A. HTTP(S) load balancer

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Enable Private Google Access on all the subnets.

A. Assign members of the networking team the compute.networkUser role.

A. Use regional routin

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Order a Dedicated Interconnect connection in the same metropolitan are

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

What should you do?

A. Configure VPC peering in a full mesh.

A. Keep the existing Dedicated interconnec

A. Dynamic routing using Cloud Router

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. The default internet gateway

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Deploy your serverless services to the serverless VP

A. Configure Firewall Rules Loggin

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. SSL proxy load balancer

A. Provision a Partner Interconnect through your ISP.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. Create network tag app-server and service account sa-db@my-project.iam.gserviceaccount.co

A. Enable Firewall Rules Logging inside the third project.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

A. The on-premises routers are configured with the same routes.

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

Thank You for Trying Our Product

We offer two products:

1st - We have Practice Tests Software with Actual Exam Questions

2nd - Questons and Answers in PDF Format

Professional-Cloud-Network-Engineer Practice Exam Features:

* Professional-Cloud-Network-Engineer Questions and Answers Updated Frequently

* Professional-Cloud-Network-Engineer Practice Questions Verified by Expert Senior Certified Staff

100% Actual & Verified — Instant Download, Please Click

Passing Certification Exams Made Easy visit - https://www.surepassexam.com

You might also like