google professional-cloud-network-engineer online test

Professional Cloud Network Engineer

What students need to know about the professional-cloud-network-engineer exam

  • Total 80 Questions & Answers

Question 1

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be
able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular
instance across both services.
Which session affinity should you choose?

  • A. None
  • B. Client IP
  • C. Client IP and protocol
  • D. Client IP, port and protocol
Answer:

B

Question 2

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block
project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been
configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?

  • A. Open the Cloud Shell SSH into the instance using gcloud compute ssh.
  • B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
  • C. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
  • D. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
Answer:

B

Explanation:
Reference: https://cloud.google.com/compute/docs/storing-retrieving-metadata

Question 3

You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the
cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?

  • A. Add an appropriate lifecycle rule on the storage bucket.
  • B. Issue a cache invalidation command with pattern /folder-a/*.
  • C. Make sure that all the objects with prefix folder-a are not shared publicly.
  • D. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
Answer:

C

Question 4

Your organization is deploying a single project for 3 separate departments. Two of these departments require network
connectivity between each other, but the third department should remain in isolation. Your design should create separate
network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?

  • A. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
  • B. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
  • C. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
  • D. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
Answer:

A

Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other
securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as
subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies
across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation
helps you implement the principle of least privilege. For example, a centralized network team can administer the network
without having any permissions into the participating projects. Similarly, the project admins can manage their project
resources without any permissions to manipulate the shared network.
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

Question 5

You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
    --network custom-network1 \
    --destination-range 0.0.0.0/0 \
    --next-hop-instance nat-gateway \
    --next-hop-instance-zone us-central1-a \
    --tags no-ip --priority 800
You want existing instances to use the new NAT gateway.
Which command should you execute?

  • A. sudo sysctl -w net.ipv4.ip_forward=1
  • B. gcloud compute instances add-tags [existing-instance] --tags no-ip
  • C. gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=no-ip
  • D. gcloud compute instances create example-instance --network custom-network1 \ --subnet subnet-us-central \ --no-address \ --zone us-central1-a \ --image-family debian-9 \ --image-project debian-cloud \ --tags no-ip
Answer:

D

Explanation:
Reference: https://cloud.google.com/vpc/docs/special-configurations

Question 6

You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?

  • A. Cloud NAT
  • B. An instance with IP forwarding enabled
  • C. An instance configured with iptables DNAT rules
  • D. An instance configured with iptables SNAT rules
Answer:

A

Explanation:
Reference: https://cloud.google.com/nat/docs/overview

Question 7

Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with
each other. You want to minimize cost and increase network efficiency.
How should you design this topology?

  • A. Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
  • B. Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
  • C. Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
  • D. Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
Answer:

D

Explanation:
VPC Network Peering enables you to peer VPC networks so that workloads in different VPC networks can communicate in
private RFC 1918 space. Traffic stays within Google's network and doesn't traverse the public internet.
Reference: https://cloud.google.com/vpc/docs/vpc-peering

Question 8

You are designing a shared VPC architecture. Your network and security team has strict controls over which routes are
exposed between departments. Your Production and Staging departments can communicate with each other, but only via
specific networks. You want to follow Google-recommended practices.
How should you design this topology?

  • A. Create 2 shared VPCs within the shared VPC Host Project, and enable VPC peering between them. Use firewall rules to filter access between the specific networks.
  • B. Create 2 shared VPCs within the shared VPC Host Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
  • C. Create 2 shared VPCs within the shared VPC Service Project, and create a Cloud VPN/Cloud Router between them. Use Flexible Route Advertisement (FRA) to filter access between the specific networks.
  • D. Create 1 VPC within the shared VPC Host Project, and share individual subnets with the Service Projects to filter access between the specific networks.
Answer:

D

Explanation:
Reference: https://cloud.google.com/vpc/docs/shared-vpc

Question 9

You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team
as efficiently as possible.
What should you do?

  • A. Create a Google Group for the WebServices Team.
  • B. Create a G Suite Domain for the WebServices Team.
  • C. Create a new Cloud Identity Domain for the WebServices Team.
  • D. Create a new Custom Role for all members of the WebServices Team.
Answer:

A

Question 10

You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non-BGP-capable
on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device
supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

  • A.
    • Create a Cloud VPN instance.
    • Create a policy-based VPN tunnel per subnet.
    • Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    • Create the appropriate static routes.
  • B.
    • Create a Cloud VPN instance.
    • Create a policy-based VPN tunnel.
    • Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    • Configure the appropriate static routes.
  • C.
    • Create a Cloud VPN instance.
    • Create a route-based VPN tunnel.
    • Configure the appropriate local and remote traffic selectors to match your local and remote networks.
    • Configure the appropriate static routes.
  • D.
    • Create a Cloud VPN instance.
    • Create a route-based VPN tunnel.
    • Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
    • Configure the appropriate static routes.
Answer:

D

Explanation:
Reference: https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
