Google Professional Cloud Network Engineer Exam Practice Test Instant Access

Question 1

You have a storage bucket that contains two objects. Cloud CDN is enabled on the bucket, and both objects have been successfully cached. Now you want to make sure that one of the two objects will not be cached anymore, and will always be served to the internet directly from the origin.

What should you do?

AEnsure that the object you don't want to be cached anymore is not shared publicly.

BCreate a new storage bucket, and move the object you don't want to be checked anymore inside it. Then edit the bucket setting and enable the private attribute.

CAdd an appropriate lifecycle rule on the storage bucket containing the two objects.

DAdd a Cache-Control entry with value private to the metadata of the object you don't want to be cached anymore. Invalidate all the previously cached copies.

Answer : D

https://cloud.google.com/cdn/docs/invalidating-cached-content

Question 2

There are two established Partner Interconnect connections between your on-premises network and Google Cloud. The VPC that hosts the Partner Interconnect connections is named "vpc-a" and contains three VPC subnets across three regions, Compute Engine instances, and a GKE cluster. Your on-premises users would like to resolve records hosted in a Cloud DNS private zone following Google-recommended practices. You need to implement a solution that allows your on-premises users to resolve records that are hosted in Google Cloud. What should you do?

AAssociate the private zone to 'vpc-a.' Create an outbound forwarding policy and associate the policy to 'vpc-a.' Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to 'vpc-a.'

BConfigure a DNS proxy service inside one of the GKE clusters. Expose the DNS proxy service in GKE as an internal load balancer. Configure the on-premises DNS servers to forward queries for the private zone to the IP address of the internal load balancer.

CUse custom route advertisements to announce 169.254.169.254 via BGP to the on-premises environment. Configure the on-premises DNS servers to forward DNS requests to 169.254.169.254.

DAssociate the private zone to 'vpc-a.' Create an inbound forwarding policy and associate the policy to 'vpc-a.' Configure the on-premises DNS servers to forward queries for the private zone to the entry point addresses created when the policy was attached to 'vpc-a.'

Answer : A

Associating the private zone to 'vpc-a' and creating an outbound forwarding policy allows DNS queries to be forwarded from on-premises to Google Cloud DNS. The on-premises DNS servers will forward queries to the entry points created when the forwarding policy was applied to 'vpc-a,' enabling proper name resolution.

Question 3

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

* Each on-premises router is configured with the same ASN.

* Each on-premises router is configured with the same routes and priorities.

* Both on-premises routers are configured with a VPN connected to a single Cloud Router.

* The VPN logs have no-proposal-chosen lines when the VPNs are connecting.

* BGP session is not established between one on-premises router and the Cloud Router.

What is the most likely cause of this problem?

AOne of the VPN sessions is configured incorrectly.

BA firewall is blocking the traffic across the second VPN connection.

CYou do not have a load balancer to load-balance the network traffic.

DBGP sessions are not established between both on-premises routers and the Cloud Router.

Answer : A

If the VPN logs show a no-proposal-chosen error, this error indicates that Cloud VPN and your peer VPN gateway were unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. For IKEv2, there must be at least one common cipher proposed by each gateway. Make sure that you use supported ciphers to configure your peer VPN gateway. https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting#:~:text=If%20the%20VPN%20logs%20show,of%20ciphers%20must%20match%20exactly.&text=Make%20sure%20that%20you%20use,configure%20your%20peer%20VPN%20gateway.

Question 4

You need to create the technical architecture for hybrid connectivity from your data center to Google Cloud This will be managed by a partner. You want to follow Google-recommended practices for production-level applications. What should you do?

AAsk the partner to install two security appliances in the data center. Configure one VPN connection from each of these devices to Google
Cloud, and ensure that the VPN devices on-premises are in separate racks on separate power and cooling systems.

BConfigure two Partner Interconnect connections in one metropolitan area (metro). Make sure the Interconnect connections are placed in
different metro edge availability domains. Configure two VLAN attachments in a single region, and configure regional dynamic routing on
the VPC

CConfigure two Partner Interconnect connections in one metro and two connections in another metro Make sure the Interconnect
connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN
attachments in another region, and configure global dynamic routing on the VPC

DConfigure two Partner Interconnect connections in one metro and two connections in another metro. Make sure the Interconnect connections are placed in different metro edge availability domains. Configure two VLAN attachments in one region and two VLAN attachments in another region, and configure regional dynamic routing on the VPC.

Answer : D

'Google's recommended practices for production-level applications' and then see overview of these 2 pages- https://cloud.google.com/network-connectivity/docs/interconnect/tutorials/production-level-overview and https://cloud.google.com/network-connectivity/docs/interconnect/tutorials/non-critical-overview .

Question 5

Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?

AConfigure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.

BConfigure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on- premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.

CConsolidate all existing projects' subnetworks into a single VPC. Create separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.

DConfigure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects' VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects' VPC networks.

Answer : D

Question 6

You are adding steps to a working automation that uses a service account to authenticate. You need to drive the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.

What should you do?

AGrant the compute.instanceAdmin to your user account.

BGrant the iam.serviceAccountUser to your user account.

CGrant the read-only privilege to the service account for the Cloud Storage bucket.

DGrant the cloud-platform privilege to the service account for the Cloud Storage bucket.

Answer : C

Question 7

You have just deployed your infrastructure on Google Cloud. You now need to configure the DNS to meet the following requirements:

Your on-premises resources should resolve your Google Cloud zones.

Your Google Cloud resources should resolve your on-premises zones.

You need the ability to resolve ''. internal'' zones provisioned by Google Cloud.

What should you do?

AConfigure an outbound server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.

BConfigure both an inbound server policy and outbound DNS forwarding zones with the target as the on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.

CConfigure an outbound DNS server policy, and set your alternative name server to be your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google Cloud's DNS resolver.

DConfigure Cloud DNS to DNS peer with your on-premises DNS resolver. Configure your on-premises DNS resolver to forward Google Cloud zone queries to Google's public DNS 8.8.8.8.

Answer : A