Start your Professional-Cloud-Network-Engineer Exam Questions Preparation with Updated 213 Questions
A Fully Updated 2025 Professional-Cloud-Network-Engineer Exam Dumps - PDF Questions and Testing Engine
Introduction to Google Professional Cloud Network Engineer Exam
The Google Professional Cloud Network Engineer Exam is a certification exam conducted by Google to validate a candidate's knowledge and skills for working as a Professional Cloud Network Engineer in the IT industry.
After passing this exam, candidates receive a certificate from Google that helps them demonstrate their proficiency as a Google Professional Cloud Network Engineer to their clients and employers.
NEW QUESTION # 45
You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?
- A. Delete the default route in your VPC. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted.googleapis.com, and create an A record for restricted.googleapis.com that resolves to the addresses in 199.36.153.4/30. Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.
- B. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP). Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
- C. Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP). Create a public Cloud DNS zone with a CNAME for *.google.com to private.googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
- D. Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route. Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to private.googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30. Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.
Answer: D
NEW QUESTION # 46
Your company's Google Cloud-deployed, streaming application supports multiple languages. The application development team has asked you how they should support splitting audio and video traffic to different backend Google Cloud storage buckets. They want to use URL maps and minimize operational overhead. They are currently using the following directory structure:
/fr/video
/en/video
/es/video
/../video
/fr/audio
/en/audio
/es/audio
/../audio
Which solution should you recommend?
- A. Leave the directory structure as-is, create a URL map and leverage a path rule such as \/[a-z]{2}\/video and \/[a-z]{2}\/audio.
- B. Rearrange the directory structure, create a URL map and leverage a path rule such as /video/* and /audio/*.
- C. Leave the directory structure as-is, create a URL map and leverage a path rule such as /*/video and /*/audio.
- D. Rearrange the directory structure, create DNS hostname entries for video and audio and leverage a path rule such as /video/* and /audio/*.
Answer: B
Explanation:
https://cloud.google.com/load-balancing/docs/url-map#configuring_url_maps
Path matcher constraints. Path matchers and path rules have the following constraints:
- A path rule can only include a wildcard character (*) after a forward slash character (/). For example, /videos/* and /videos/hd/* are valid for path rules, but /videos* and /videos/hd* are not.
- Path rules do not use regular expression or substring matching. For example, path rules for either /videos/hd or /videos/hd/* do not apply to a URL with the path /video/hd-abcd. However, a path rule for /video/* does apply to that path.
https://cloud.google.com/load-balancing/docs/url-map-concepts#pm-constraints
NEW QUESTION # 47
Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?
- A. Configure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.
- B. Configure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects' VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects' VPC networks.
- C. Consolidate all existing projects' subnetworks into a single VPC. Create separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.
- D. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.
Answer: B
NEW QUESTION # 48
Your company's logo is published as an image file across multiple websites that are hosted by your company. You have implemented Cloud CDN; however, you want to improve the cache hit ratio associated with this image file. What should you do?
- A. Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type.
- B. Configure the default time to live (TTL) as 0 for the image file.
- C. Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes.
- D. Configure versioned URLs for each domain to serve users the image file before the cache entry expires.
Answer: C
Explanation:
This answer meets the requirement of improving the performance of the cache hit ratio associated with the image file. The reason is:
Custom cache keys allow you to control which parts of the request URL are used to build the cache key. The cache key is the unique identifier that Cloud CDN uses to store and retrieve cached content [1].
By default, Cloud CDN uses the complete request URL, including the protocol (http or https) and the host (the domain name), to build the cache key. This means that if the same image file is requested from different domains or protocols, Cloud CDN caches multiple copies of it, which reduces the cache hit ratio [1].
By clearing the Host and Protocol checkboxes, you tell Cloud CDN to ignore these parts of the request URL when building the cache key. Cloud CDN then caches only one copy of the image file, regardless of which domain or protocol it is requested from, which improves the cache hit ratio [1].
Option A is incorrect because configuring Cloud Storage as a custom origin backend does not affect the cache hit ratio; it only affects how Cloud CDN retrieves the content from the origin when it is not cached. Option D is incorrect because configuring versioned URLs for each domain does not improve the cache hit ratio; it actually worsens it, because it creates more variations of the request URL that Cloud CDN has to cache separately. Option B is incorrect because configuring the default TTL as 0 for the image file means that Cloud CDN will not cache it at all, which defeats the purpose of using Cloud CDN.
Reference:
[1] Custom cache keys | Cloud CDN | Google Cloud
NEW QUESTION # 49
You have the following private Google Kubernetes Engine (GKE) cluster deployment:
You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40.2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?
- A. Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
- B. Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
- C. Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 35.224.37.17.
- D. Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
Answer: A
NEW QUESTION # 50
You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:
gcloud compute routes create no-ip-internet-route \
    --network custom-network1 \
    --destination-range 0.0.0.0/0 \
    --next-hop-instance nat-gateway \
    --next-hop-instance-zone us-central1-a \
    --tags no-ip --priority 800
You want existing instances to use the new NAT gateway. Which command should you execute?
- A. gcloud compute instances create example-instance --network custom-network1 \
    --subnet subnet-us-central \
    --no-address \
    --zone us-central1-a \
    --image-family debian-9 \
    --image-project debian-cloud \
    --tags no-ip
- B. sudo sysctl -w net.ipv4.ip_forward=1
- C. gcloud compute instances add-tags [existing-instance] --tags no-ip
- D. gcloud builds submit --config=cloudbuild.yaml --substitutions=TAG_NAME=no-ip
Answer: A
Explanation:
Reference:
https://cloud.google.com/vpc/docs/special-configurations
NEW QUESTION # 51
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. AS-Path
- B. Community
- C. Multi-exit Discriminator
- D. Local Preference
Answer: C
Explanation:
Reference: https://cloud.google.com/router/docs/concepts/overview
NEW QUESTION # 52
You want to create a service in GCP using IPv6.
What should you do?
- A. Configure a TCP Proxy with the designated IPv6 address.
- B. Configure an internal load balancer with the designated IPv6 address.
- C. Configure a global load balancer with the designated IPv6 address.
- D. Create the instance with the designated IPv6 address.
Answer: A
NEW QUESTION # 53
You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?
- A. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Clients should use this IP address to connect to the service.
- B. Reserve a static external IP address and assign it to an HTTP(S) load balancing service's forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.
- C. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.
- D. Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION]/.
Answer: B
NEW QUESTION # 54
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
* The subnetwork logs are not excluded from Stackdriver.
* The instance that is hosting the application can communicate outside the subnet.
* Other instances within the subnet can communicate outside the subnet.
* The external resource initiates communication.
What is the most likely cause of the missing log lines?
- A. The traffic is matching the expected ingress rule.
- B. The traffic is not matching the expected ingress rule.
- C. The traffic is not matching the expected egress rule.
- D. The traffic is matching the expected egress rule.
Answer: B
NEW QUESTION # 55
Your organization has resources in two different VPCs, each in different Google Cloud projects, and requires connectivity between the resources in the two VPCs. You have already determined that there is no IP address overlap; however, one VPC uses privately used public IP (PUPI) ranges. You would like to enable connectivity between these resources by using a lower cost and higher performance method. What should you do?
- A. Create a VPC Network Peering connection between the two VPCs that allows the export and import of custom routes for public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using service accounts as the source filter.
- B. Create a VPC Network Peering connection between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using network tags as the source filter.
- C. Create an HA VPN between the two VPCs that includes the PUPI ranges in the custom route advertisements of the Cloud Router. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
- D. Create a VPC Network Peering connection between the two VPCs that allows the export and import of subnet routes with public IP addresses. Create the necessary ingress VPC firewall rules that target the specific resources by using IP ranges as the source filter.
Answer: D
Explanation:
VPC Network Peering is the most cost-effective and high-performance method for connecting two VPCs. Since one VPC uses privately used public IP (PUPI) ranges, you need to configure peering to allow the export and import of subnet routes with public IP addresses. Firewall rules can be used to control traffic between the resources.
NEW QUESTION # 56
Your organization is deploying a mission-critical application with components in different regions due to strict compliance requirements. There are latency issues between different applications that reside in us-central1 and us-east4. The application team suspects the Google Cloud network as the source of the excessive latency despite using the Premium Network Service Tier. You need to use Google-recommended practices with the least amount of effort to verify the inter-region latency by investigating network performance. What should you do?
- A. Configure two Linux VMs in each zone for each region. Install the application, and run a load test using each zone from different regions.
- B. Set up the Performance Dashboard in Network Intelligence Center. Select the traffic type (cross-zonal), the metric (latency - RTT), the time period, the desired regions (us-central1 and us-east4), and the network tier.
- C. Enable VPC Flow Logs for the VPC. Identify major bottlenecks from the application level using Flow Analyzer.
- D. Configure a VM with a probe in Network Intelligence Center in each zone for each region. Choose the traffic type (cross-zonal), metric (latency - RTT), desired regions (us-central1 and us-east4), and the network tier.
Answer: B
Explanation:
The Performance Dashboard in the Network Intelligence Center provides a detailed view of network latency and performance metrics. For inter-region latency issues, you can quickly identify round-trip times (RTT) and latency using this tool by selecting the specific regions and network tiers, which allows you to diagnose any anomalies or patterns impacting performance.
NEW QUESTION # 57
Your organization has an on-premises data center. You need to provide connectivity from the on-premises data center to Google Cloud. Bandwidth must be at least 1 Gbps, and the traffic must not traverse the internet. What should you do?
- A. Configure Partner Interconnect by creating a VLAN attachment, submit the pairing key to your service provider, and activate the connection.
- B. Configure Dedicated Interconnect by creating a VLAN attachment, activate the connection, and submit the pairing key to your service provider.
- C. Configure HA VPN by using high availability gateways and tunnels.
- D. Configure Cross-Cloud Interconnect by creating a VLAN attachment, activate the connection, and then submit the pairing key to your service provider.
Answer: A
Explanation:
For private connectivity with at least 1 Gbps bandwidth and without using the public internet, Partner Interconnect is the suitable choice if you do not require the 10 Gbps minimum of Dedicated Interconnect. With Partner Interconnect, you create a VLAN attachment and work with a service provider that facilitates the connection between your on-premises network and Google Cloud. This solution supports connections as low as 50 Mbps and up to 10 Gbps.
NEW QUESTION # 58
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.
How should you design this topology?
- A. Create a subnet of size /28 with 2 secondary ranges: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
- B. Use gcloud container clusters create [CLUSTER_NAME] --enable-ip-alias to create a VPC-native cluster.
- C. Use gcloud container clusters create [CLUSTER_NAME] to create a VPC-native cluster.
- D. Create a subnet of size /25 with 2 secondary ranges: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
Answer: A
NEW QUESTION # 59
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:
* Your ISP is a Google Partner Interconnect provider.
* Your on-premises VPN device's internet uplink and downlink speeds are 10 Gbps.
* A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.
* Most of the data transfer will be from GCP to the on-premises environment.
* The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.
* Cost and the complexity of the solution should be minimal.
How should you provision the connectivity solution?
- A. Provision a Partner Interconnect through your ISP.
- B. Use network compression over your VPN to increase the amount of data you can send over your VPN.
- C. Provision a Dedicated Interconnect instead of a VPN.
- D. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
Answer: D
NEW QUESTION # 60
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non-BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?
- A. Create a Cloud VPN instance. Create a route-based VPN tunnel. Configure the appropriate local and remote traffic selectors to match your local and remote networks. Configure the appropriate static routes.
- B. Create a Cloud VPN instance. Create a policy-based VPN tunnel. Configure the appropriate local and remote traffic selectors to match your local and remote networks. Configure the appropriate static routes.
- C. Create a Cloud VPN instance. Create a policy-based VPN tunnel per subnet. Configure the appropriate local and remote traffic selectors to match your local and remote networks. Create the appropriate static routes.
- D. Create a Cloud VPN instance. Create a route-based VPN tunnel. Configure the appropriate local and remote traffic selectors to 0.0.0.0/0. Configure the appropriate static routes.
Answer: D
Explanation:
https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
NEW QUESTION # 61
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
- A. Firewall logs
- B. Compute Engine instance system logs
- C. VPC flow logs
- D. Cloud Audit logs
- E. Stackdriver Trace
Answer: D,E
NEW QUESTION # 62
You are deploying an HA VPN within Google Cloud. You need to exchange routes dynamically between your on-premises gateway and Google Cloud. You have already created an HA VPN gateway and a peer VPN gateway resource. What should you do?
- A. Create a Cloud Router, add VPN tunnels, and then configure static routes to your subnet ranges.
- B. Create a Cloud Router, add VPN tunnels, and enable global dynamic routing.
- C. Create a Cloud Router, add VPN tunnels, and then configure BGP sessions.
- D. Create a second HA VPN gateway, add VPN tunnels, and enable global dynamic routing.
Answer: C
Explanation:
To dynamically exchange routes between Google Cloud and your on-premises gateway, you need to create a Cloud Router and configure BGP sessions after adding VPN tunnels. BGP allows for dynamic route exchange, which is essential for establishing proper communication between the environments.
NEW QUESTION # 63
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?
- A. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
- B. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.
- C. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
- D. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
Answer: D
Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation helps you implement the principle of least privilege. For example, a centralized network team can administer the network without having any permissions into the participating projects. Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.
NEW QUESTION # 64
The Google Professional-Cloud-Network-Engineer certification exam is a rigorous assessment of a candidate's skills and knowledge of network engineering on the Google Cloud Platform. The exam consists of multiple-choice and scenario-based questions that require candidates to apply their skills and knowledge to real-world situations. To pass the exam, candidates must score at least 70% on the exam.