[UPDATED Nov-2023] Best Value Available Preparation Guide for Professional-Cloud-Network-Engineer Exam
NEW QUESTION # 16
You want to configure a NAT to perform address translation between your on-premises network blocks and GCP.
Which NAT solution should you use?
- A. Cloud NAT
- B. An instance with IP forwarding enabled
- C. An instance configured with iptables DNAT rules
- D. An instance configured with iptables SNAT rules
Answer: A
Explanation:
https://cloud.google.com/nat/docs/overview
NEW QUESTION # 17
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?
- A. Assign members of the networking team the compute.networkUser role.
- B. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
- C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
- D. Assign members of the networking team the compute.networkAdmin role.
Answer: D
NEW QUESTION # 18
You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.
What should you do?
- A. Use gcloud compute ssh to automatically copy your public ssh key to the instance.
- B. Upload your public ssh key to each instance Metadata.
- C. Upload your public ssh key to the project Metadata.
- D. Create a custom Google Compute Engine image with your public ssh key embedded.
Answer: C
Explanation:
https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
NEW QUESTION # 19
Your company is running out of network capacity to run a critical application in the on-premises data center.
You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
- A. Cloud Audit logs
- B. Stackdriver Trace
- C. VPC flow logs
- D. Compute Engine instance system logs
- E. Firewall logs
Answer: A,B
Explanation:
Explanation/Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
NEW QUESTION # 20
Your organization requires that metrics from all applications be retained for 5 years for future analysis in possible legal proceedings. Which approach should you use?
- A. Configure Stackdriver Monitoring for all Projects, and export to Google Cloud Storage.
- B. Configure Stackdriver Monitoring for all Projects, and export to BigQuery.
- C. Configure Stackdriver Monitoring for all Projects with the default retention policies.
- D. Grant the security team access to the logs in each Project.
Answer: A
Explanation:
B and D can be quickly ruled out because neither is a good solution for the requirement "retained for 5 years".
Between A and C, the difference is where to store the data: BigQuery or Cloud Storage. Since the main concern is the extended storage period, C (Correct Answer) is the better answer, and the "retained for 5 years for future analysis" further qualifies it, for example by using the Coldline storage class.
With regard to BigQuery, while it is also low-cost storage, its main purpose is analysis.
Also, logs in Cloud Storage are easy to transport to BigQuery whenever needed.
NEW QUESTION # 21
You are designing a hybrid cloud environment for your organization. Your Google Cloud environment is interconnected with your on-premises network using Cloud HA VPN and Cloud Router. The Cloud Router is configured with the default settings. Your on-premises DNS server is located at 192.168.20.88 and is protected by a firewall, and your Compute Engine resources are located at 10.204.0.0/24. Your Compute Engine resources need to resolve on-premises private hostnames using the domain corp.altostrat.com while still resolving Google Cloud hostnames. You want to follow Google-recommended practices. What should you do?
- A. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. Modify the /etc/resolv.conf file on your Compute Engine instances to point to 192.168.20.88.
- B. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
- C. Create a private forwarding zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com that points to 192.168.20.88. Configure your on-premises firewall to accept traffic from 10.204.0.0/24. Set a custom route advertisement on the Cloud Router for 10.204.0.0/24.
- D. Create a private zone in Cloud DNS for 'corp.altostrat.com' called corp-altostrat-com. Configure DNS Server Policies and create a policy with Alternate DNS servers set to 192.168.20.88. Configure your on-premises firewall to accept traffic from 35.199.192.0/19. Set a custom route advertisement on the Cloud Router for 35.199.192.0/19.
Answer: D
NEW QUESTION # 22
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
- A. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
- B. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
- C. Open Cloud Shell and SSH into the instance using gcloud compute ssh.
- D. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
Answer: D
Explanation:
Explanation/Reference: https://cloud.google.com/compute/docs/storing-retrieving-metadata
NEW QUESTION # 23
Your company recently migrated to Google Cloud in a single region. You configured separate Virtual Private Cloud (VPC) networks for two departments, Department A and Department B. Department A has requested access to resources that are part of Department B's VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMs) to meet security requirements. Your configuration must also:
* Support both TCP and UDP protocols
* Provide fully automated failover
* Include health checks
* Require minimal manual intervention in the client VMs
Which approach should you take?
- A. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers' virtual IP addresses.
- B. Create the VMs in different zones, and configure static routes with instance names as next hops.
- C. Create the VMs in the same zone, and configure static routes with IP addresses as next hops.
- D. Create an instance template and a managed instance group. Configure a single internal load balancer, and define a custom static route with the internal TCP/UDP load balancer as the next hop.
Answer: A
Explanation:
The correct answer is D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers' virtual IP addresses.
This answer is based on the following facts:
Using multi-NIC VMs as network virtual appliances (NVAs) allows you to route traffic between different VPC networks. You can use NVAs to implement custom network policies and security requirements.
Using an instance template and a managed instance group allows you to create and manage multiple identical NVAs. You can also use health checks and autoscaling policies to ensure high availability and reliability of your NVAs.
Using internal TCP/UDP load balancers allows you to distribute traffic from client VMs to NVAs based on the protocol and port. You can also use health checks and failover policies to ensure that only healthy NVAs receive traffic.
Configuring the client VMs to use the internal load balancers' virtual IP addresses allows you to simplify the routing configuration and avoid manual intervention. You do not need to create static routes or update them when NVAs are added or removed.
The other options are not correct because:
Option A is not suitable. Creating the VMs in the same zone does not provide high availability or failover. Using static routes with IP addresses as next hops requires manual intervention when NVAs are added or removed.
Option B is not optimal. Creating the VMs in different zones provides high availability, but not failover. Using static routes with instance names as next hops requires manual intervention when NVAs are added or removed.
Option C is not feasible. Creating an instance template and a managed instance group provides high availability and reliability, but using a single internal load balancer does not support both TCP and UDP protocols. You cannot define a custom static route with an internal load balancer as the next hop.
NEW QUESTION # 24
You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?
- A. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --enable-ip-alias and --enable-private-nodes.
- B. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.
- C. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.
- D. Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the services across multiple private GKE clusters.
Answer: C
Explanation:
The correct answer is D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.
This answer is based on the following facts:
Privately used public IP (PUPI) addresses are any public IP addresses not owned by Google that a customer can use privately on Google Cloud. You can use PUPI addresses for GKE pods and services in private clusters to mitigate address exhaustion.
A private GKE cluster is a cluster that has no public IP addresses on the nodes. You can use private clusters to isolate your workloads from the public internet and enhance security.
The --disable-default-snat option disables source network address translation (SNAT) for the cluster. This option allows you to use PUPI addresses without conflicting with other public IP addresses on the internet.
The --enable-ip-alias option enables alias IP ranges for the cluster. This option allows you to use separate subnet ranges for nodes, pods, and services, and to specify the size of those ranges.
The --enable-private-nodes option enables private nodes for the cluster. This option ensures that the nodes have no public IP addresses and can only communicate with other Google Cloud resources in the same VPC network or peered networks.
The other options are not correct because:
Option A is not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for pods across multiple private GKE clusters can cause IP conflicts and routing issues.
Option B is also not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for services across multiple private GKE clusters can cause IP conflicts and routing issues.
Option C is not feasible. Creating privately used public IP primary and secondary subnet ranges for the clusters is a valid step, but creating a private GKE cluster with only --enable-ip-alias and --enable-private-nodes options is not enough. You also need to disable default SNAT to avoid IP conflicts with other public IP addresses on the internet.
NEW QUESTION # 25
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?
- A. Make sure that all the objects with prefix folder-a are not shared publicly.
- B. Issue a cache invalidation command with pattern /folder-a/*.
- C. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
- D. Add an appropriate lifecycle rule on the storage bucket.
Answer: A
NEW QUESTION # 26
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)
- A. Create a custom static route to allow the traffic to reach the Cloud SQL API.
- B. Enable Private Google Access.
- C. Create a private connection to a service producer.
- D. Activate the Cloud Datastore API in your project.
- E. Activate the Service Networking API in your project.
Answer: B,C
Explanation:
https://cloud.google.com/sql/docs/mysql/configure-private-services-access#console_1
C: If you are using private IP for any of your Cloud SQL instances, you only need to configure private services access one time for every Google Cloud project that has or needs to connect to a Cloud SQL instance. If your Google Cloud project has a Cloud SQL instance, you can either configure it yourself or let Cloud SQL do it for you to use private IP. Cloud SQL configures private services access for you when all the conditions below are true:
https://cloud.google.com/sql/docs/postgres/configure-private-services-access#before_you_begin
E: You can enable Private Google Access on a subnet level, and any VMs on that subnet can access Google APIs by using their internal IP address.
https://cloud.google.com/vpc/docs/configure-private-google-access
NEW QUESTION # 27
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
* The subnetwork logs are not excluded from Stackdriver.
* The instance that is hosting the application can communicate outside the subnet.
* Other instances within the subnet can communicate outside the subnet.
* The external resource initiates communication.
What is the most likely cause of the missing log lines?
- A. The traffic is matching the expected egress rule.
- B. The traffic is matching the expected ingress rule.
- C. The traffic is not matching the expected ingress rule.
- D. The traffic is not matching the expected egress rule.
Answer: C
NEW QUESTION # 28
You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?
- A. Configure a custom route advertisement on the Cloud Router.
- B. Add a second Border Gateway Protocol (BGP) session to the Cloud Router.
- C. Enable IP forwarding in the asia-southeast1 region.
- D. Change the VPC dynamic routing mode to Global.
Answer: D
NEW QUESTION # 29
You want to set up two Cloud Routers so that one has an active Border Gateway Protocol (BGP) session, and the other one acts as a standby.
Which BGP attribute should you use on your on-premises router?
- A. Community
- B. Multi-exit Discriminator
- C. AS-Path
- D. Local Preference
Answer: B
NEW QUESTION # 30
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?
- A. The instance has been configured with multiple interfaces.
- B. An external IP address has been configured on the instance.
- C. You have created static routes that use RFC1918 ranges.
- D. The instance is accessible by a load balancer external IP address.
Answer: B
