Google Professional Cloud Network Engineer Exam Questions Instant Access

Question 1

Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must

* Support both TCP and UDP protocols

* Provide fully automated failover

* Include health-checks

Require minimal manual Intervention In the client VMS

Which approach should you take?

ACreate the VMS In the same zone, and configure static routes With IP addresses as next hops.

BCreate the VMS in different zones, and configure static routes with instance names as next hops

CCreate an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

DCreate an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

Answer : D

The correct answer is D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers' virtual IP addresses.

This answer is based on the following facts:

Using multi-NIC VMs as network virtual appliances (NVAs) allows you to route traffic between different VPC networks1. You can use NVAs to implement custom network policies and security requirements.

Using an instance template and a managed instance group allows you to create and manage multiple identical NVAs2. You can also use health checks and autoscaling policies to ensure high availability and reliability of your NVAs.

Using internal TCP/UDP load balancers allows you to distribute traffic from client VMs to NVAs based on the protocol and port3. You can also use health checks and failover policies to ensure that only healthy NVAs receive traffic.

Configuring the client VMs to use the internal load balancers' virtual IP addresses allows you to simplify the routing configuration and avoid manual intervention4. You do not need to create static routes or update them when NVAs are added or removed.

The other options are not correct because:

Option A is not suitable. Creating the VMs in the same zone does not provide high availability or failover. Using static routes with IP addresses as next hops requires manual intervention when NVAs are added or removed.

Option B is not optimal. Creating the VMs in different zones provides high availability, but not failover. Using static routes with instance names as next hops requires manual intervention when NVAs are added or removed.

Option C is not feasible. Creating an instance template and a managed instance group provides high availability and reliability, but using a single internal load balancer does not support both TCP and UDP protocols. You cannot define a custom static route with an internal load balancer as the next hop.

Question 2

Your company's on-premises office is connected to Google Cloud using HA VPN. The security team will soon enable VPC Service Controls. You need to create a plan with minimal configuration adjustments, so clients at the office will still be able to privately call the Google APIs and be protected by VPC Service Controls. What should you do?

ACreate a design with a DNS configuration that resolves the Google APIs to 199.36.153.4/30; advertise 199.36.153.4/30 from Google Cloud to the onpremises routers; add an access level to authorize the on-premises network to access the APIs.

BCreate a design with a DNS configuration that resolves the Google APIs to 199.36.153.8/30; advertise 199.36.153.8/30 from Google Cloud to the onpremises routers.

CCreate a design with a DNS configuration that resolves the Google APIs to 199.36.153.8/30; advertise 199.36.153.8/30 from Google Cloud to the onpremise routers: add an access level to authorize the on-premises network to access the APIs.

DCreate a design with a DNS configuration that resolves the Google APIs to 199.36.153.4/30; advertise 199.36.153.4/30 from Google Cloud to the onpremises routers.

Answer : C

When integrating on-premises networks with VPC Service Controls for private access to Google APIs, the recommended approach involves using Private Google Access for Hybrid Connectivity and configuring DNS resolution to the restricted.googleapis.com domain. This domain resolves to the 199.36.153.8/30 IP address range. It's crucial to advertise this range from Google Cloud to your on-premises routers so that on-premises clients can route traffic to the Google APIs privately. Additionally, to allow your on-premises network to access the APIs within the VPC Service Controls perimeter, you must define an access level that includes the IP address range of your on-premises network.

Exact Extract:

'To enable private access to Google APIs and services from on-premises networks protected by a VPC Service Controls perimeter, you must configure Private Google Access for Hybrid Connectivity.'

'For on-premises hosts, configure your DNS to resolve *.googleapis.com to restricted.googleapis.com. The restricted.googleapis.com domain resolves to the IP address range 199.36.153.8/30.'

'You must advertise the 199.36.153.8/30 range from your Cloud Routers to your on-premises routers through BGP.'

Question 3

You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.

What should you do?

AEnable logging on the default Deny Any Firewall Rule.

BEnable logging on the VM Instances that receive traffic.

CCreate a logging sink forwarding all firewall logs with no filters.

DCreate an explicit Deny Any rule and enable logging on the new rule.

Answer : D

https://cloud.google.com/vpc/docs/firewall-rules-logging#egress_deny_example

You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported. Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections. You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules. Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM. Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type. Changes to firewall rules can be viewed in VPC audit logs. https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications

Question 4

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

AConfigure Private Google Access to privately access the Cloud Storage service using private IP addresses.

BConfigure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

CConfigure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

DConfigure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

Answer : C

Question 5

You have applications running in the us-west1 and us-east1 regions. You want to build a highly available VPN that provides 99.99% availability to connect your applications from your project to the cloud services provided by your partner's project while minimizing the amount of infrastructure required. Your partner's services are also in the us-west1 and us-east1 regions. You want to implement the simplest solution. What should you do?

ACreate one Cloud Router and one HA VPN gateway in each region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways. Enable global dynamic routing in each VPC.

BCreate one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC. Create one OpenVPN Access Server in each region of your partner's VPC. Connect your VPN gateway to your partner's servers.

CCreate one OpenVPN Access Server in each region of your VPC and your partner's VPC. Connect your servers to the partner's servers.

DCreate one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways with a pair of tunnels. Enable global dynamic routing in each VPC.

Answer : A

Question 6

You are designing the network architecture for your organization. Your organization has three developer teams: Web, App, and Database. All of the developer teams require access to Compute Engine instances to perform their critical tasks. You are part of a small network and security team that needs to provide network access to the developers. You need to maintain centralized control over network resources, including subnets, routes, and firewalls. You want to minimize operational overhead. How should you design this topology?

AConfigure a host project with a Shared VPC. Create service projects for Web, App, and Database.

BConfigure one VPC for Web, one VPC for App, and one VPC for Database. Configure HA VPN between each VPC.

CConfigure three Shared VPC host projects, each with a service project: one for Web, one for App, and one for Database.

DConfigure one VPC for Web, one VPC for App, and one VPC for Database. Use VPC Network Peering to connect all VPCs in a full mesh.

Answer : C

Question 7

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.

During troubleshooting you find:

* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.

* The subnetwork logs are not excluded from Stackdriver.

* The instance that is hosting the application can communicate outside the subnet.

* Other instances within the subnet can communicate outside the subnet.

* The external resource initiates communication.

What is the most likely cause of the missing log lines?

AThe traffic is matching the expected ingress rule.

BThe traffic is matching the expected egress rule.

CThe traffic is not matching the expected ingress rule.

DThe traffic is not matching the expected egress rule.

Answer : C