Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

Professional-Cloud-Network-Engineer Exam Dumps - Google Cloud Platform Questions and Answers

Question # 4

You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?

Options:

A.

Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

B.

Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

C.

Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

D.

Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Buy Now
Question # 5

You recently deployed Cloud VPN to connect your on-premises data center to Google Cloud. You need to monitor the usage of this VPN and set up alerts in case traffic exceeds the maximum allowed. You need to be able to quickly decide whether to add extra links or move to a Dedicated Interconnect. What should you do?

Options:

A.

In the Monitoring section of the Google Cloud console, use the Dashboard section to select a default dashboard for VPN usage.

B.

In Network Intelligence Center, check for the number of packet drops on the VPN.

C.

In the VPN section of the Google Cloud console, select the VPN under hybrid connectivity and then select monitoring to display utilization on the dashboard.

D.

In the Google Cloud console, use Monitoring Query Language to create a custom alert for bandwidth utilization.

Buy Now
Question # 6

Question:

You need to enable Private Google Access for some subnets within your Virtual Private Cloud (VPC). Your security team set up the VPC to send all internet-bound traffic back to the on-premises data center for inspection before egressing to the internet, and is also implementing VPC Service Controls for API-level security control. You have already enabled the subnets for Private Google Access. What configuration changes should you make to enable Private Google Access while adhering to your security team's requirements?

Options:

A.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google’s private API address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

B.

Create a private DNS zone with a CNAME record for *.googleapis.com to private.googleapis.com, with an A record pointing to Google’s private API address range.

Create a custom route that points Google’s private API address range to the default internet gateway as the next hop.

C.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google’s restricted API address range.

Create a custom route that points Google’s restricted API address range to the default internet gateway as the next hop.

D.

Create a private DNS zone with a CNAME record for *.googleapis.com to restricted.googleapis.com, with an A record pointing to Google’s restricted API address range.

Change the custom route that points the default route (0/0) to the default internet gateway as the next hop.

Buy Now
Question # 7

You are in the early stages of planning a migration to GCP. You want to test the functionality of your hybrid cloud design before you start to implement it in production. The design includes services running on a Compute Engine Virtual Machine instance that need to communicate to on-premises servers using private IP addresses. The on-premises servers have connectivity to the internet, but you have not yet established any Cloud Interconnect connections. You want to choose the lowest cost method of enabling connectivity between your instance and on-premises servers and complete the test in 24 hours.

Which connectivity method should you choose?

Options:

A.

Cloud VPN

B.

50-Mbps Partner VLAN attachment

C.

Dedicated Interconnect with a single VLAN attachment

D.

Dedicated Interconnect, but don’t provision any VLAN attachments

Buy Now
Question # 8

Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

Options:

A.

Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.

B.

Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.

C.

Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.

D.

Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

Buy Now
Question # 9

Question:

Your organization has a hub and spoke architecture with VPC Network Peering, and hybrid connectivity is centralized at the hub. The Cloud Router in the hub VPC is advertising subnet routes, but the on-premises router does not appear to be receiving any subnet routes from the VPC spokes. You need to resolve this issue. What should you do?

Options:

A.

Create custom learned routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

B.

Create custom routes at the Cloud Router in the spokes to advertise the subnets of the VPC spokes.

C.

Create a BGP route policy at the Cloud Router, and ensure the subnets of the VPC spokes are being announced towards the on-premises environment.

D.

Create custom routes at the Cloud Router in the hub to advertise the subnets of the VPC spokes.

Buy Now
Question # 10

You work for a university that is migrating to Google Cloud.

These are the cloud requirements:

On-premises connectivity with 10 Gbps

Lowest latency access to the cloud

Centralized Networking Administration Team

New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

What should you do?

Options:

A.

Use Shared VPC, and deploy the VLAN attachments and Dedicated Interconnect in the host project.

B.

Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

C.

Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Dedicated Interconnects.

D.

Use standalone projects and deploy the VLAN attachments and Dedicated Interconnects in each of the individual projects.

Buy Now
Question # 11

Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations. What should you do?

Options:

A.

Peer the two VPCs, and use the default configuration for the Cloud Routers.

B.

Peer the two VPCs, and use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

C.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce a default route to the on-premises locations.

D.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

Buy Now
Question # 12

Question:

You reviewed the user behavior for your main application, which uses an external global Application Load Balancer, and found that the backend servers were overloaded due to erratic spikes in client requests. You need to limit concurrent sessions and return an HTTP 429 "Too Many Requests" response back to the client while following Google-recommended practices. What should you do?

Options:

A.

Create a Cloud Armor security policy, and apply the predefined Open Worldwide Application Security Project (OWASP) rules to automatically implement the rate limit per client IP address.

B.

Configure the load balancer to accept only the defined amount of requests per client IP address, increase the backend servers to support more traffic, and redirect traffic to a different backend to burst traffic.

C.

Configure a VM with Linux, implement the rate limit through iptables, and use a firewall rule to send an HTTP 429 response to the client application.

D.

Create a Cloud Armor security policy, and associate the policy with the load balancer. Configure the security policy's settings as follows: action: throttle, conform-action: allow, exceed-action: deny-429.

Buy Now
Question # 13

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.

What should you do?

Options:

A.

Check the VPC flow logs for the instance.

B.

Try connecting to the instance via SSH, and check the logs.

C.

Create a new firewall rule to allow traffic from port 22, and enable logs.

D.

Create a new firewall rule with priority 65500 to deny all traffic, and enable logs.

Buy Now
Exam Code: Professional-Cloud-Network-Engineer
Exam Name: Google Cloud Certified - Professional Cloud Network Engineer
Last Update: Apr 3, 2025
Questions: 215
Professional-Cloud-Network-Engineer pdf

Professional-Cloud-Network-Engineer PDF

$25.5  $84.99
 Add to Cart
Professional-Cloud-Network-Engineer Engine

Professional-Cloud-Network-Engineer Testing Engine

$28.5  $94.99
 Add to Cart
Professional-Cloud-Network-Engineer PDF + Engine

Professional-Cloud-Network-Engineer PDF + Testing Engine

$40.5  $134.99
 Add to Cart