Google Professional Cloud Network Engineer Exam Practice Test Instant Access

Question 1

You created a VPC network named Retail in auto mode. You want to create a VPC network named Distribution and peer it with the Retail VPC.

How should you configure the Distribution VPC?

ACreate the Distribution VPC in auto mode. Peer both the VPCs via network peering.

BCreate the Distribution VPC in custom mode. Use the CIDR range 10.0.0.0/9. Create the necessary subnets, and then peer them via network peering.

CCreate the Distribution VPC in custom mode. Use the CIDR range 10.128.0.0/9. Create the necessary subnets, and then peer them via network peering.

DRename the default VPC as 'Distribution' and peer it via network peering.

Answer : B

https://cloud.google.com/vpc/docs/vpc#ip-ranges

Question 2

You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

ACreate a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

BCreate a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.

CCreate a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

DCreate a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

Answer : C

Question 3

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.

What should you do?

AEnable logging on the default Deny Any Firewall Rule.

BEnable logging on the VM Instances that receive traffic.

CCreate a logging sink forwarding all firewall logs with no filters.

DCreate an explicit Deny Any rule and enable logging on the new rule.

Answer : D

https://cloud.google.com/vpc/docs/firewall-rules-logging#egress_deny_example

You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported. Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections. You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules. Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM. Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type. Changes to firewall rules can be viewed in VPC audit logs. https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications

Question 4

You have the following Shared VPC design VPC Flow Logs is configured for Subnet-1 In the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?

AConfigure a firewall rule to permit Subnet-2 IP addresses outbound in the host protect VPC.

BConfigure Packet Mirroring in both the host and service project VPCs.

CConfigure a VPC Flow Logs filter for Subnet-2 in the host project VPC.

DConfigure VPC Flow Logs in the service project VPC for Subnet-2.

Answer : D

Understanding VPC Flow Logs:

VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in a VPC. It helps in monitoring and analyzing network traffic, ensuring security, and optimizing network performance.

Current Configuration:

According to the diagram, VPC Flow Logs is already configured for Subnet-1 in the host VPC. This means that traffic information for Subnet-1 is being captured and logged.

Requirement for Subnet-2:

The goal is to monitor flow logs for Subnet-2, which is in the service project VPC.

Correct Configuration for Subnet-2:

To monitor the flow logs for Subnet-2, you need to configure VPC Flow Logs within the service project VPC where Subnet-2 resides. This is because VPC Flow Logs must be configured in the same project and VPC where the subnet is located.

Implementation Steps:

Go to the Google Cloud Console.

Navigate to the service project where Subnet-2 is located.

Select the VPC network containing Subnet-2.

Enable VPC Flow Logs for Subnet-2 by editing the subnet settings and enabling the flow logs option.

Cost and Performance Considerations:

Enabling VPC Flow Logs may incur additional costs based on the volume of data logged. Ensure to review and understand the pricing implications.

Analyze and manage the data collected to avoid unnecessary logging and costs.

References:

Google Cloud VPC Flow Logs Documentation

Configuring VPC Flow Logs

Shared VPC Overview

By configuring VPC Flow Logs in the service project VPC for Subnet-2, you ensure that traffic data is correctly captured and monitored, adhering to Google Cloud's best practices.

Question 5

You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.

What should you do?

AConfigure a policy-based route rule to prioritize the traffic.

BConfigure an HTTP load balancer, and direct the traffic to it.

CConfigure Dynamic Routing for the subnet hosting the application.

DConfigure the TTL for the DNS zone to decrease the time between updates.

Answer : B

Question 6

You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.

Which two methods can accomplish this? (Choose two.)

AOn the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.

BIn Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.

CIn Stackdriver Monitoring, select Resources > Metrics Explorer and search for https/request_bytes_count metric.

DIn Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.

EIn Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.

Answer : A, E

Question 7

Your company's security team wants to limit the type of inbound traffic that can reach your web servers to protect against security threats. You need to configure the firewall rules on the web servers within your Virtual Private Cloud (VPC) to handle HTTP and HTTPS web traffic for TCP only. What should you do?

ACreate an allow on match ingress firewall rule with the target tag ''web-server'' to allow all IP addresses for TCP port 80.

BCreate an allow on match egress firewall rule with the target tag ''web-server'' to allow all IP addresses for TCP port 80.

CCreate an allow on match ingress firewall rule with the target tag ''web-server'' to allow all IP addresses for TCP ports 80 and 443.

DCreate an allow on match egress firewall rule with the target tag ''web-server' to allow web server IP addresses for TCP ports 60 and 443.

Answer : C