Google Professional Cloud Network Engineer Exam Dumps For Brilliant Exam Study 2023

Jonnie Karnath2023-04-11T08:34:33+00:00

If you’re preparing for the Professional Cloud Network Engineer exam, then Google Professional Cloud Network Engineer exam dumps are an excellent resource to help you pass with ease. These questions are designed to align with the latest exam syllabus and pattern, ensuring that you receive the most up-to-date information possible. One of the most significant advantages of Google Professional Cloud Network Engineer exam dumps is their ability to provide regular updates to reflect the latest changes in the exam. This ensures that you have access to the most recent information and are fully prepared for the exam.

Page 1 of 5

1. You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.

Which GKE resource should you use?

GKE Node

GKE Pod

GKE Cluster

GKE Ingress

2. You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.

What should you do?

Ensure that the object you don’t want to be cached anymore is not shared publicly.

Create a new storage bucket, and move the object you don’t want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.

Add an appropriate lifecycle rule on the storage bucket containing the two objects.

Add a Cache-Control entry with value private to the metadata of the object you don’t want to be cached anymore. Invalidate all the previously cached copies.

3. In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.

What should you do?

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.

Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-

Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-

Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-

4. You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.

Which session affinity should you choose?

None

Client IP

Client IP and protocol

Client IP, port and protocol

5. Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks.

What should you do?

Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.

Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.

Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.

Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

6. You have a storage bucket that contains the following objects:

- folder-a/image-a-1.jpg

- folder-a/image-a-2.jpg

- folder-b/image-b-1.jpg

- folder-b/image-b-2.jpg

Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.

What should you do?

Add an appropriate lifecycle rule on the storage bucket.

Issue a cache invalidation command with pattern /folder-a/*.

Make sure that all the objects with prefix folder-a are not shared publicly.

Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.

7. You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.

Which next hop should you choose?

The default internet gateway

The IP address of the Cloud VPN gateway

The name and region of the Cloud VPN tunnel

The IP address of the instance on the remote side of the VPN tunnel

8. Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2.

What should you do?

Enable firewall logging, and forward all filtered egress firewall logs to the ID

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the ID

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

9. Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows.

What should you do?

Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.

Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.

10. You are designing a hub-and-spoke network architecture for your company’s cloud-based environment. You need to make sure that all spokes are peered with the hub. The spokes must use the hub's virtual appliance for internet access.

The virtual appliance is configured in high-availability mode with two instances using an internal load balancer with IP address 10.0.0.5.

What should you do?

Create a default route in the hub VPC that points to IP address 10.0.0.5. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Export the custom routes in the hub. Import the custom routes in the spokes.

Create two default routes in the hub VPC that point to the next hop instances of the virtual appliances. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Export the custom routes in the hub. Import the custom routes in the spokes.

Create a default route in the hub VPC that points to IP address 10.0.0.5. Delete the default internet gateway route in the hub VPC, and create a new higher-priority route that is tagged only to the appliances with a next hop of the default internet gateway. Create a new route in the spoke VPC that points to IP address 10.0.0.5.

Page 2 of 5

11. You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem.

What should you do?

Apply an additional IAM role to the Google API’s service account to allow custom mode networks.

Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.

Explicitly reference the custom mode networks in the Cloud Armor whitelist.

Explicitly reference the custom mode networks in the Deployment Manager templates.

12. Your company’s Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead.

They are currently using the following directory structure:

/fr/video

/en/video

/es/video

/../video

/fr/audio

/en/audio

/es/audio

/../audio

Which solution should you recommend?

Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.

Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.

Leave the directory structure as-is, create a URL map and leverage a path rule such as /[a-z]{2}/video and /[a-z]{2}/audio.

Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/ audio.

13. You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.

What is the most likely cause of this problem?

The instance has been configured with multiple interfaces.

An external IP address has been configured on the instance.

You have created static routes that use RFC1918 ranges.

The instance is accessible by a load balancer external IP address.

14. You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from.

What should you do?

Enable Data Access audit logs of the VP

Analyze the logs and get the source IP addresses from the subnetworks.get field.

Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

Enable VPC Flow Logs for the VP

Analyze the logs and get the source IP addresses from the src_location field.

Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

15. You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket.

What should you do?

Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XY

16. Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.

Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

VPC peering

Shared VPC

Cloud VPN

Dedicated Interconnect

Cloud NAT

17. You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.

What should you do?

Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.

Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

18. Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.

What should you do?

Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.

Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.

Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.

19. You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.

Which two actions can accomplish this? (Choose two.)

Open a Cloud Support ticket under the Cloud Interconnect category.

Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.

Run gcloud compute interconnects describe <interconnect>.

Check the email for the account of the NOC contact that you specified during the ordering process.

Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.

20. You recently configured Google Cloud Armor security policies to manage traffic to your application. You discover that Google Cloud Armor is incorrectly blocking some traffic to your application. You need to identity the web application firewall (WAF) rule that is incorrectly blocking traffic.

What should you do?

Enable firewall logs, and view the logs in Firewall Insights.

Enable HTTP(S) Load Balancing logging with sampling rate equal to 1, and view the logs in Cloud Logging.

Enable VPC Flow Logs, and view the logs in Cloud Logging.

Enable Google Cloud Armor audit logs, and view the logs on the Activity page in the Google Cloud Console.

Page 3 of 5

21. You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps.

What should you do?

Configure the remote autonomous system number (ASN) to 4096.

Configure a second Cloud Router to scale bandwidth in and out of the VP

Configure the maximum transmission unit (MTU) to its highest supported value.

Configure a second set of active/passive VPN tunnels.

22. You recently noticed a recurring daily spike in network usage in your Google Cloud project. You need to identify the virtual machine (VM) instances and type of traffic causing the spike in traffic utilization while minimizing the cost and management overhead required.

What should you do?

Enable VPC Flow Logs and send the output to BigQuery for analysis.

Enable Firewall Rules Logging for all allowed traffic and send the output to BigQuery for analysis.

Configure Packet Mirroring to send all traffic to a V

Use Wireshark on the VM to identity traffic utilization for each VM in the VP

Deploy a third-party network appliance and configure it as the default gateway. Use the third-party network appliance to identify users with high network traffic.

23. You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.

Which two methods can you use to accomplish this? (Choose two.)

GetIamPolicy() via REST API

setIamPolicy() via REST API

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

24. You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.

Which two methods can you use to accomplish this? (Choose two.)

Enable Private Google Access on all the subnets.

Enable Private Google Access on the VP

Enable Private Services Access on the VP

Create network peering between your VPC and BigQuery.

Create a Cloud NAT, and route the application traffic via NAT gateway.

25. You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

Tune TCP parameters on the on-premises servers.

Compress files using utilities like tar to reduce the size of data being sent.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

26. You built a web application with several containerized microservices. You want to run those microservices on Cloud Run. You must also ensure that the services are highly available to your customers with low latency.

What should you do?

Deploy the Cloud Run services to multiple availability zones. Create a global TCP load balancer. Add the Cloud Run endpoints to its backend service.

Deploy the Cloud Run services to multiple regions. Create serverless network endpoint groups (NEGs) that point to the services. Create a global HTTPS load balancer, and attach the serverless NEGs as backend services of the load balancer.

Deploy the Cloud Run services to multiple availability zones. Create Cloud Endpoints that point to the services. Create a global HTTPS load balancer, and attach the Cloud Endpoints to its backend

Deploy the Cloud Run services to multiple regions. Configure a round-robin A record in Cloud DN

27. You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.

Always allow Secure Shell (SSH) from your corporate IP address.

Restrict SSH access from all other IP addresses.

There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements.

What should you do?

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.

Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.

Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1 Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

28. You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You need to minimize data transfer costs when deploying VLAN attachments.

What should you do?

Keep the existing Dedicated interconnect. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.

Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.

Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC global routing to access workloads in us-central1.

Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.

29. You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.

What should you do?

Configure VPC peering in a full mesh.

Alter the routing table to resolve the asymmetric route.

Create network tags to allow connectivity between all three VPCs.

Delete the legacy network and recreate it to allow transitive peering.

30. You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network.

What should you do?

Configure global load balancing to point 172.16.45.0/24 to the correct instance.

Create unique DNS records for each service that sends traffic to the desired IP address.

Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.

Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.

Page 4 of 5

31. You are configuring a new instance of Cloud Router in your Organization’s Google Cloud environment to allow connection across a new Dedicated Interconnect to your data center Sales, Marketing, and IT each have a service project attached to the Organization’s host project.

Where should you create the Cloud Router instance?

VPC network in all projects

VPC network in the IT Project

VPC network in the Host Project

VPC network in the Sales, Marketing, and IT Projects

32. After a network change window one of your company’s applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.

What is the most likely cause of this problem?

The less specific VPC subnet route is taking priority.

The more specific VPC subnet route is taking priority.

The on-premises router is not advertising a route for the database server.

A cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

33. You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead.

How should you design this topology?

Configure a host project with a Shared VP

Create service projects for Web, App, and Database.

Configure one VPC for Web, one VPC for App, and one VPC for Database. Configure HA VPN between each VP

Configure three Shared VPC host projects, each with a service project: one for Web, one for App, and one for Database.

Configure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC Network Peering to connect all VPCs in a full mesh.

34. You are using the gcloud command line tool to create a new custom role in a project by coping a predefined role.

You receive this error message:

INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid

What should you do?

Add the resourcemanager.projects.get permission, and try again.

Try again with a different role with a new name but the same permissions.

Remove the resourcemanager.projects.list permission, and try again.

Add the resourcemanager.projects.setIamPolicy permission, and try again.

35. In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers.

What should you do?

Create network tag app-server and service account [email protected]. Add the tag to the application servers, and associate the service account with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule --action allow --direction ingress --rules top:3306 --source-tags app-server --target-service-accounts sa-db@my- project.iam.gserviceaccount.com

Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 --source-service-accounts sa-app@democloud-idp- demo.iam.gserviceaccount.com --target-service-accounts sa-db@my- project.iam.gserviceaccount.com

Create service accounts [email protected] and [email protected]. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 --source-ranges 10.128.0.0/20 --source-service-accounts sa-app@my- project.iam.gserviceaccount.com --target-service-accounts sa-db@my- project.iam.gserviceaccount.com

Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule --action allow --direction ingress --rules tcp:3306 --source-ranges 10.128.0.0/20 --source-tags app-server --target-tags db-server

36. You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine instance that need to communicate to on-premises servers using private IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours.

Which connectivity method should you choose?

Cloud VPN

50-Mbps Partner VLAN attachment

Dedicated Interconnect with a single VLAN attachment

Dedicated Interconnect, but don’t provision any VLAN attachments

37. You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.

What should you do?

Check the VPC flow logs for the instance.

Try connecting to the instance via SSH, and check the logs.

Create a new firewall rule to allow traffic from port 22, and enable logs.

Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

38. Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead.

What should you do?

Configure Firewall Rules Logging. Use Firewall Insights to display the number of hits.

Configure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.

Configure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.

Configure Packet Mirroring on the VP

Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

39. Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only.

What should you do?

Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.

Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.

Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.

Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

40. You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.

How should you design this topology?

Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.

Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.

Use gcloud container clusters create [CLUSTER NAME]--enable-ip-alias to create a VPC-native cluster.

Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.

Page 5 of 5

41. Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

• Each on-premises router is configured with a unique ASN.

• Each on-premises router is configured with the same routes and priorities.

• Both on-premises routers are configured with a VPN connected to a single Cloud Router.

• BGP sessions are established between both on-premises routers and the Cloud Router.

• Only 1 of the on-premises router’s routes are being added to the routing table.

What is the most likely cause of this problem?

The on-premises routers are configured with the same routes.

A firewall is blocking the traffic across the second VPN connection.

You do not have a load balancer to load-balance the network traffic.

The ASNs being used on the on-premises routers are different.

42. You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.

Which level of permissions should you request?

Security Admin privileges from the Shared VPC Admin.

Service Project Admin privileges from the Shared VPC Admin.

Shared VPC Admin privileges from the Organization Admin.

Organization Admin privileges from the Organization Admin.

43. Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.

Which two products should you incorporate into the solution? (Choose two.)

VPC flow logs

Firewall logs

Cloud Audit logs

Stackdriver Trace

Compute Engine instance system logs

44. You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.

Which BGP attribute should you use on your on-premises router?

AS-Path

Community

Local Preference

Multi-exit Discriminator

45. Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.

How should you set up permissions for the networking team?

Assign members of the networking team the compute.networkUser role.

Assign members of the networking team the compute.networkAdmin role.

Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

46. You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling.

Which configuration should you use?

Use global SSL Proxy Load Balancing with backends in both regions.

Use global TCP Proxy Load Balancing with backends in both regions.

Use global external HTTP(S) Load Balancing with backends in both regions.

Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.

Facebook Twitter LinkedIn Google + Email

Google Professional Cloud Network Engineer Exam Dumps For Brilliant Exam Study 2023

Google Professional Cloud Network Engineer Exam Dumps For Brilliant Exam Study 2023

Author

LEAVE A COMMENT Cancel reply

Related Posts