Google Professional Cloud Network Engineer Exam Questions

Page: 1 / 14
Total 233 questions

Want more questions? Get Premium Access.
()

Question 1

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

AConfigure a custom route advertisement on the Cloud Router.

BEnable IP forwarding in the asia-southeast1 region.

CChange the VPC dynamic routing mode to Global.

DAdd a second Border Gateway Protocol (BGP) session to the Cloud Router.

Answer : C

Question 2

Recently, your networking team enabled Cloud CDN for one of the external-facing services that is exposed through an external Application Load Balancer. The application team has already defined which content should be cached within the responses. Upon testing the load balancer, you did not observe any change in performance after the Cloud CDN enablement. You need to resolve the issue. What should you do?

AConfigure the CACHE_MAX_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches content depending on responses from the backends.

BConfigure the USE_ORIGIN_HEADERS caching mode on Cloud CDN to ensure Cloud CDN caches content based on response headers from the backends.

CConfigure the CACHE_ALL_STATIC caching mode on Cloud CDN to ensure Cloud CDN caches all static content as well as content defined by the backends.

DConfigure the FORCE_CACHE_ALL caching mode on Cloud CDN to ensure all appropriate content is cached.

Answer : B

When enabling Cloud CDN, for caching behavior to follow the application-defined caching headers, you need to configure the USE_ORIGIN_HEADERS caching mode. This setting ensures that the Cloud CDN respects the cache control headers specified by the backend, allowing the application-defined caching rules to dictate what content gets cached. This is often required when specific caching directives are already set by the application.

Question 3

You are deploying GKE clusters in your organization's Google Cloud environment. The pods in these clusters need to egress directly to the internet for a majority of their communications. You need to deploy the clusters and associated networking features using the most cost-efficient approach, and following Google-recommended practices. What should you do?

AQ Deploy the GKE cluster with public cluster nodes. Do not deploy Cloud NAT or Secure Web Proxy for the cluster.

BQ Deploy the GKE cluster with private cluster nodes. Deploy Secure Web Proxy, and configure the pods to use Secure Web Proxy as an HTTP(S) proxy.

CQ Deploy the GKE cluster with public cluster nodes. Deploy Secure Web Proxy, and configure the pods to use Secure Web Proxy as an HTTP(S) proxy.

DQ Deploy the GKE cluster with private cluster nodes. Deploy Cloud NAT for the primary subnet of the cluster.

Answer : A

For GKE pods that need to egress directly to the internet for most of their communications, the most cost-efficient and straightforward approach is to deploy a GKE cluster with public cluster nodes. Public nodes have external IP addresses, allowing pods to directly reach the internet. This eliminates the need for additional services like Cloud NAT or Secure Web Proxy for outbound internet access, which would incur extra costs and management overhead.

Exact Extract:

'Public clusters have nodes with external IP addresses, allowing them to directly initiate connections to the internet. This is the simplest configuration for clusters that require direct internet egress for their workloads.'

'When using public clusters, Cloud NAT is not required for outbound internet connectivity from the nodes or pods, as they can use their external IP addresses. This can reduce operational overhead and cost compared to private clusters that need NAT.'Reference: Google Kubernetes Engine Documentation - Cluster network configuration, Public clusters vs Private clusters

Question 4

You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):

You need to update the firewall rule to add the following rule to the ruleset:

You are using a new user account. You must assign the appropriate identity and Access Management (IAM) user roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?

AAssign the compute.securityAdmin and logging.viewer rule to the new user account. Apply the new firewall rule with a priority of 50.

BAssign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

CAssign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.

DAssign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.

Answer : A

Question 5

After a network change window one of your company's applications stops working. The application uses an on-premises database server that no longer receives any traffic from the application. The database server IP address is 10.2.1.25. You examine the change request, and the only change is that 3 additional VPC subnets were created. The new VPC subnets created are 10.1.0.0/16, 10.2.0.0/16, and 10.3.1.0/24/ The on-premises router is advertising 10.0.0.0/8.

What is the most likely cause of this problem?

AThe less specific VPC subnet route is taking priority.

BThe more specific VPC subnet route is taking priority.

CThe on-premises router is not advertising a route for the database server.

DA cloud firewall rule that blocks traffic to the on-premises database server was created during the change.

Answer : B

Question 6

You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.

What should you do?

AConfigure a policy-based route rule to prioritize the traffic.

BConfigure an HTTP load balancer, and direct the traffic to it.

CConfigure Dynamic Routing for the subnet hosting the application.

DConfigure the TTL for the DNS zone to decrease the time between updates.

Answer : B

Question 7

You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.

Which connectivity model should you use?

ADirect Peering

BDedicated Interconnect

CPartner Interconnect with a layer 2 partner

DPartner Interconnect with a layer 3 partner

Answer : D

https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview

For Layer 3 connections, your service provider establishes a BGP session between your Cloud Routers and their edge routers for each VLAN attachment. You don't need to configure BGP on your on-premises router. Google and your service provider automatically set the correct configurations.

https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#connectivity-type

Question 8

You are configuring the final elements of a migration effort where resources have been moved from on-premises to Google Cloud. While reviewing the deployed architecture, you noticed that DNS resolution is failing when queries are being sent to the on-premises environment. You log in to a Compute Engine instance, try to resolve an on-premises hostname, and the query fails. DNS queries are not arriving at the on-premises DNS server. You need to use managed services to reconfigure Cloud DNS to resolve the DNS error. What should you do?

AValidate that the Compute Engine instances are using the Metadata Service IP address as their resolver. Configure an outbound forwarding zone for the on-premises domain pointing to the on-premises DNS server. Configure Cloud Router to advertise the Cloud DNS proxy range to the on-premises network.

BValidate that there is network connectivity to the on-premises environment and that the Compute Engine instances can reach other on-premises resources. If errors persist, remove the VPC Network Peerings and recreate the peerings after validating the routes.

CReview the existing Cloud DNS zones, and validate that there is a route in the VPC directing traffic destined to the IP address of the DNS servers. Recreate the existing DNS forwarding zones to forward all queries to the on-premises DNS servers.

DEnsure that the operating systems of the Compute Engine instances are configured to send DNS queries to the on-premises DNS servers directly.

Answer : A

To resolve DNS resolution issues for on-premises domains from Google Cloud, you should use Cloud DNS outbound forwarding zones. This setup forwards DNS requests for specific domains to on-premises DNS servers. Cloud Router is needed to advertise the range for the DNS proxy service back to the on-premises environment, ensuring that DNS queries from Compute Engine instances reach the on-premises DNS servers.

Question 9

You have configured a Compute Engine virtual machine instance as a NAT gateway. You execute the following command:

gcloud compute routes create no-ip-internet-route \

--network custom-network1 \

--destination-range 0.0.0.0/0 \

--next-hop instance nat-gateway \

--next-hop instance-zone us-central1-a \

--tags no-ip --priority 800

You want existing instances to use the new NAT gateway. Which command should you execute?

Asudo sysctl -w net.ipv4.ip_forward=1

Bgcloud compute instances add-tags [existing-instance] --tags no-ip

Cgcloud builds submit --config=cloudbuild.waml --substitutions=TAG_NAME=no-ip

Dgcloud compute instances create example-instance --network custom-network1 \
--subnet subnet-us-central \
--no-address \
--zone us-central1-a \
--image-family debian-9 \
--image-project debian-cloud \
--tags no-ip

Answer : B

https://cloud.google.com/sdk/gcloud/reference/compute/routes/create

In order to apply a route to an existing instance we should use a tag to bind the route to it.

Question 10

Your company's current network architecture has two VPCs that are connected by a dual-NIC instance that acts as a bump-in-the-wire firewall between the two VPCs. Flows between pairs of subnets across the two VPCs are working correctly. Suddenly, you receive an alert that none of the flows between the two VPCs are working anymore. You need to troubleshoot the problem. What should you do? (Choose 2 answers)

AVerify that the dual-NIC instance has not been added to a backend service.

BVerify that a public IP address has not been assigned to any network interface of the dual-NIC instance.

CUse Cloud Logging to verify that there were no modifications to the VPC firewall rules or policies that were applied to the two network interfaces of the dual-NIC instance.

DVerify that a VPC Service Controls perimeter has not been enabled for the project that contains the two VPCs and the dual-NIC instance.

EVerify that the dual-NIC instance has the --can-ip-forward attribute enabled.

Answer : C, E

You should check Cloud Logging to see if any firewall rules or policies were modified, as these could block traffic between the VPCs. Additionally, the --can-ip-forward attribute must be enabled for the dual-NIC instance to allow forwarding traffic between the interfaces.

Question 11

You have the networking configuration shown. In the diagram Two VLAN attachments associated With two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BOP) sessions associated with each Of the VLAN attachments.

You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?

AFrom the Google Cloud console, navigate to the Hybrid Connectivity select the Cloud Router, and view BGP sessions.

BFrom the Cloud CLI, run gcloud compute --protect_ID router get---status mycloudrouter ----region REGION and review the results.

CFrom the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results

DFrom the Cloud CLI. run gcloud compute routers describe mycloudrouter
--region REGION and review the results

Answer : A

The correct answer is B. From the Cloud CLI, run gcloud compute --project_ID router get-status mycloudrouter --region REGION and review the results.

This command will show you the BGP session status, the advertised and learned routes, and the last error for each VLAN attachment. You can use this information to troubleshoot the asymmetric traffic flow and identify any issues with the BGP configuration or the Interconnect connections.

The other options are not correct because:

Option A will only show you the BGP session status, but not the advertised and learned routes or the last error for each VLAN attachment.

Option C will only show you the VPC Flow Logs, which are useful for monitoring and troubleshooting network performance and security issues within your VPC network, but not for your Interconnect connections.

Option D will only show you the basic information about the Cloud Router, such as its name, region, network, and BGP settings, but not the detailed status of each VLAN attachment.

Question 12

One instance in your VPC is configured to run with a private IP address only. You want to ensure that even if this instance is deleted, its current private IP address will not be automatically assigned to a different instance.

In the GCP Console, what should you do?

AAssign a public IP address to the instance.

BAssign a new reserved internal IP address to the instance.

CChange the instance's current internal IP address to static.

DAdd custom metadata to the instance with key internal-address and value reserved.

Answer : C

https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address#reservenewip Since here https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address#reservenewip it is written that 'automatically allocated or an unused address from an existing subnet'.

Question 13

Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.

Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

AVPC peering

BShared VPC

CCloud VPN

DDedicated Interconnect

ECloud NAT

Answer : A, C

Google Cloud VPC Network Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.

Question 14

You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?

Agcloud compute instances add-access-config instance-1

Bgcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

Cgcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

Dgcloud compute health-checks update http health-check --unhealthy-threshold 10

Answer : A

Question 15

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?

AUse the default public domains for all Google APIs and services.

BUse Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.

CUse Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

DUse Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

Answer : B

Question 16

Your company's web server administrator is migrating on-premises backend servers for an application to GCP. Libraries and configurations differ significantly across these backend servers. The migration to GCP will be lift-and-shift, and all requests to the servers will be served by a single network load balancer frontend. You want to use a GCP-native solution when possible.

How should you deploy this service in GCP?

ACreate a managed instance group from one of the images of the on-premises servers, and link this instance group to a target pool behind your load balancer.

BCreate a target pool, add all backend instances to this target pool, and deploy the target pool behind your load balancer.

CDeploy a third-party virtual appliance as frontend to these servers that will accommodate the significant differences between these backend servers.

DUse GCP's ECMP capability to load-balance traffic to the backend servers by installing multiple equal-priority static routes to the backend servers.

Answer : B

Question 17

You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?

AEnable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.

BEnable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

CEnable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.

DEnable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

Answer : B

Question 18

Your company has recently expanded their EMEA-based operations into APAC. Globally distributed users report that their SMTP and IMAP services are slow. Your company requires end-to-end encryption, but you do not have access to the SSL certificates.

Which Google Cloud load balancer should you use?

ASSL proxy load balancer

BNetwork load balancer

CHTTPS load balancer

DTCP proxy load balancer

Answer : D

https://cloud.google.com/security/encryption-in-transit/ Automatic encryption between GFEs and backends For the following load balancer types, Google automatically encrypts traffic between Google Front Ends (GFEs) and your backends that reside within Google Cloud VPC networks: HTTP(S) Load Balancing TCP Proxy Load Balancing SSL Proxy Load Balancing

Question 19

You are creating an instance group and need to create a new health check for HTTP(s) load balancing.

Which two methods can you use to accomplish this? (Choose two.)

ACreate a new health check using the gcloud command line tool.

BCreate a new health check using the VPC Network section in the GCP Console.

CCreate a new health check, or select an existing one, when you complete the load balancer's backend configuration in the GCP Console.

DCreate a new legacy health check using the gcloud command line tool.

ECreate a new legacy health check using the Health checks section in the GCP Console.

Answer : A, C

https://cloud.google.com/load-balancing/docs/health-checks#creating_and_modifying_health_checks

Question 20

You have the following Shared VPC design VPC Flow Logs is configured for Subnet-1 In the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?

AConfigure a firewall rule to permit Subnet-2 IP addresses outbound in the host protect VPC.

BConfigure Packet Mirroring in both the host and service project VPCs.

CConfigure a VPC Flow Logs filter for Subnet-2 in the host project VPC.

DConfigure VPC Flow Logs in the service project VPC for Subnet-2.

Answer : D

Understanding VPC Flow Logs:

VPC Flow Logs is a feature that captures information about the IP traffic going to and from network interfaces in a VPC. It helps in monitoring and analyzing network traffic, ensuring security, and optimizing network performance.

Current Configuration:

According to the diagram, VPC Flow Logs is already configured for Subnet-1 in the host VPC. This means that traffic information for Subnet-1 is being captured and logged.

Requirement for Subnet-2:

The goal is to monitor flow logs for Subnet-2, which is in the service project VPC.

Correct Configuration for Subnet-2:

To monitor the flow logs for Subnet-2, you need to configure VPC Flow Logs within the service project VPC where Subnet-2 resides. This is because VPC Flow Logs must be configured in the same project and VPC where the subnet is located.

Implementation Steps:

Go to the Google Cloud Console.

Navigate to the service project where Subnet-2 is located.

Select the VPC network containing Subnet-2.

Enable VPC Flow Logs for Subnet-2 by editing the subnet settings and enabling the flow logs option.

Cost and Performance Considerations:

Enabling VPC Flow Logs may incur additional costs based on the volume of data logged. Ensure to review and understand the pricing implications.

Analyze and manage the data collected to avoid unnecessary logging and costs.

References:

Google Cloud VPC Flow Logs Documentation

Configuring VPC Flow Logs

Shared VPC Overview

By configuring VPC Flow Logs in the service project VPC for Subnet-2, you ensure that traffic data is correctly captured and monitored, adhering to Google Cloud's best practices.

Question 21

You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routers are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?

Aresource.type= ''gce_router''

Bresource.type= ''gce_network_region''

Cresource.type= ''vpn_tunnel''

Dresource.type= ''vpn_gateway''

Answer : C

Question 22

Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.

Which two products should you incorporate into the solution? (Choose two.)

AVPC flow logs

BFirewall logs

CCloud Audit logs

DStackdriver Trace

ECompute Engine instance system logs

Answer : A, B

A: Using VPC Flow Logs VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes. These logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization. https://cloud.google.com/vpc/docs/using-flow-logs (B): Firewall Rules Logging overview Firewall Rules Logging allows you to audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule. You enable Firewall Rules Logging individually for each firewall rule whose connections you need to log. Firewall Rules Logging is an option for any firewall rule, regardless of the action (allow or deny) or direction (ingress or egress) of the rule. https://cloud.google.com/vpc/docs/firewall-rules-logging

Question 23

All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.

What should you do?

AOpen the Cloud Shell SSH into the instance using gcloud compute ssh.

BSet the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.

CGenerate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.

DGenerate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.

Answer : A

Question 24

Your organization is running out of private IPv4 IP addresses. You need to create a new design pattern to reduce IP usage in your Google Kubernetes Engine clusters. Each new GKE cluster should have a unique /24 range of routable RFC1918 IP addresses. What should you do?

AQ Configure NAT by using the IP masquerading agent in the GKE cluster.

BQ Share the primary and secondary ranges between multiple clusters.

CQ Use dual stack IPv4/IPv6 clusters, and assign IPv6 ranges for Pods and Services.

DQ Configure the secondary ranges outside the RFC1918 space, or use privately used public IPs.

Answer : C

The most effective long-term solution to address IPv4 address exhaustion in GKE clusters, while still ensuring routability and unique ranges per cluster, is to transition to dual-stack IPv4/IPv6 clusters and leverage IPv6 for Pods and Services. This allows you to conserve IPv4 addresses for critical use cases while providing a vast address space with IPv6 for pods and services, significantly reducing the pressure on your private IPv4 ranges. Google Cloud GKE fully supports dual-stack networking.

Exact Extract:

'Dual-stack clusters enable you to assign both IPv4 and IPv6 addresses to Pods and Services. This approach helps conserve IPv4 address space by shifting a significant portion of the network communication to IPv6, particularly for internal cluster communication or communication with other IPv6-enabled services.'

Question 25

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters, Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new dusters. You want to follow Google-recommended practices, What should you do after designing your IP scheme?

ACreate the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.

BCreate the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters.

CCreate privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected: --enab1e-ip-a1ias and --enable-private-nodes.

DCreate privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and -- siable-default-snat, --enable-ip-alias, and --enable-private-nodes

Answer : D

The correct answer is D. Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected: --disable-default-snat, --enable-ip-alias, and --enable-private-nodes.

This answer is based on the following facts:

Privately used public IP (PUPI) addresses are any public IP addresses not owned by Google that a customer can use privately on Google Cloud1. You can use PUPI addresses for GKE pods and services in private clusters to mitigate address exhaustion.

A private GKE cluster is a cluster that has no public IP addresses on the nodes2. You can use private clusters to isolate your workloads from the public internet and enhance security.

The --disable-default-snat option disables source network address translation (SNAT) for the cluster3. This option allows you to use PUPI addresses without conflicting with other public IP addresses on the internet.

The --enable-ip-alias option enables alias IP ranges for the cluster4. This option allows you to use separate subnet ranges for nodes, pods, and services, and to specify the size of those ranges.

The --enable-private-nodes option enables private nodes for the cluster5. This option ensures that the nodes have no public IP addresses and can only communicate with other Google Cloud resources in the same VPC network or peered networks.

The other options are not correct because:

Option A is not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for pods across multiple private GKE clusters can cause IP conflicts and routing issues.

Option B is also not suitable. Creating RFC 1918 primary and secondary subnet IP ranges for the clusters does not solve the problem of address exhaustion. Re-using the secondary address range for services across multiple private GKE clusters can cause IP conflicts and routing issues.

Option C is not feasible. Creating privately used public IP primary and secondary subnet ranges for the clusters is a valid step, but creating a private GKE cluster with only --enable-ip-alias and --enable-private-nodes options is not enough. You also need to disable default SNAT to avoid IP conflicts with other public IP addresses on the internet.

Question 26

Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?

ACreate an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.

BCreate a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.

CCreate a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.

DCreate a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.

Answer : B

Question 27

Your company runs an enterprise platform on-premises using virtual machines (VMS). Your internet customers have created tens of thousands of DNS domains panting to your public IP addresses allocated to the Vtvls Typically, your customers hard-code your IP addresses In their DNS records You are now planning to migrate the platform to Compute Engine and you want to use Bring your Own IP you want to minimize disruption to the Platform What Should you d0?

ACreate a VPC and request static external IP addresses from Google Cloud Assagn the IP addresses to the Compute Engine instances. Notify your customers of the new IP addresses so they can update their DNS

BVerify ownership of your IP addresses. After the verification, Google Cloud advertises and provisions the IP prefix for you_ Assign the IP addresses to the Compute Engine Instances

CCreate a VPC With the same IP address range as your on-premises network Asson the IP addresses to the Compute Engine Instances.

DVerify ownership of your IP addresses. Use live migration to import the prefix Assign the IP addresses to Compute Engine instances.

Answer : D

The correct answer is D because it allows you to use your own public IP addresses in Google Cloud without disrupting the platform or requiring your customers to update their DNS records. Option A is incorrect because it involves changing the IP addresses and notifying the customers, which can cause disruption and errors. Option B is incorrect because it does not use live migration, which is a feature that lets you control when Google starts advertising routes for your prefix. Option C is incorrect because it does not involve bringing your own IP addresses, but rather using Google-provided IP addresses.

References:

Bring your own IP addresses

Professional Cloud Network Engineer Exam Guide

Bring your own IP addresses (BYOIP) to Azure with Custom IP Prefix

Question 28

You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the object in the storage bucket can be served by the CDN.

What should you do in the GCP Console?

ACreate a new cloud storage bucket, and then enable Cloud CDN on it.

BCreate a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.

CCreate a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.

DCreate a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.

Answer : D

https://cloud.google.com/load-balancing/docs/https/adding-backend-buckets-to-load-balancers#using_cloud_cdn_with_cloud_storage_buckets

Cloud CDN needs HTTP(S) Load Balancers and Cloud Storage bucket has to be shared publicly. https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket

Question 29

Your multi-region VPC has had a long-standing HA VPN configured in "region 1" connected to your corporate network. You are planning to add two 10 Gbps Dedicated Interconnect connections and VLAN attachments in "region 2" to connect to the same corporate network. You need to plan for connectivity between your VPC and corporate network to ensure that traffic uses the Dedicated Interconnect connections as the primary path and the HA VPN as the secondary path. What should you do?

AEnable regional dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.

BEnable global dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 100. Configure BGP associated with the VLAN attachments to use a base priority of 20000. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.

CEnable regional dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.

DEnable global dynamic routing mode on the VPC. Configure BGP associated with the HA VPN in 'region 1' to use a base priority value of 20000. Configure BGP associated with the VLAN attachments to use a base priority of 100. Configure your on-premises routers to use similar multi-exit discriminator (MED) values.

Answer : B

For the Dedicated Interconnect to be the primary connection over the HA VPN, you should:

Enable global dynamic routing mode to allow the VPC to distribute routes dynamically across regions.

Set the BGP priority for the VLAN attachments associated with the Dedicated Interconnect to a lower base priority (e.g., 100) than the HA VPN's priority (e.g., 20000) to ensure it is preferred.

Setting up global dynamic routing with adjusted BGP priorities on both Interconnect and VPN will allow dynamic routing of traffic based on set preferences and path attributes, such as MED and priority levels. This setup ensures the Dedicated Interconnect, with a lower priority value, becomes the primary path for traffic, while the HA VPN, with a higher priority, serves as a backup.

Question 30

Your company recently migrated to Google Cloud in a Single region. You configured separate Virtual Private Cloud (VPC) networks for two departments. Department A and Department B. Department A has requested access to resources that are part Of Department Bis VPC. You need to configure the traffic from private IP addresses to flow between the VPCs using multi-NIC virtual machines (VMS) to meet security requirements Your configuration also must

* Support both TCP and UDP protocols

* Provide fully automated failover

* Include health-checks

Require minimal manual Intervention In the client VMS

Which approach should you take?

ACreate the VMS In the same zone, and configure static routes With IP addresses as next hops.

BCreate the VMS in different zones, and configure static routes with instance names as next hops

CCreate an Instance template and a managed instance group. Configure a Single internal load balancer, and define a custom static route with the Internal TCP/UDP load balancer as the next hop

DCreate an instance template and a managed instance group. Configure two separate internal TCP/IJDP load balancers for each protocol (TCP!UDP), and configure the client VIVIS to use the internal load balancers' virtual IP addresses

Answer : D

The correct answer is D. Create an instance template and a managed instance group. Configure two separate internal TCP/UDP load balancers for each protocol (TCP/UDP), and configure the client VMs to use the internal load balancers' virtual IP addresses.

This answer is based on the following facts:

Using multi-NIC VMs as network virtual appliances (NVAs) allows you to route traffic between different VPC networks1. You can use NVAs to implement custom network policies and security requirements.

Using an instance template and a managed instance group allows you to create and manage multiple identical NVAs2. You can also use health checks and autoscaling policies to ensure high availability and reliability of your NVAs.

Using internal TCP/UDP load balancers allows you to distribute traffic from client VMs to NVAs based on the protocol and port3. You can also use health checks and failover policies to ensure that only healthy NVAs receive traffic.

Configuring the client VMs to use the internal load balancers' virtual IP addresses allows you to simplify the routing configuration and avoid manual intervention4. You do not need to create static routes or update them when NVAs are added or removed.

The other options are not correct because:

Option A is not suitable. Creating the VMs in the same zone does not provide high availability or failover. Using static routes with IP addresses as next hops requires manual intervention when NVAs are added or removed.

Option B is not optimal. Creating the VMs in different zones provides high availability, but not failover. Using static routes with instance names as next hops requires manual intervention when NVAs are added or removed.

Option C is not feasible. Creating an instance template and a managed instance group provides high availability and reliability, but using a single internal load balancer does not support both TCP and UDP protocols. You cannot define a custom static route with an internal load balancer as the next hop.

Question 31

Your team deployed two applications in GKE that are exposed through an external Application Load Balancer. When queries are sent to www.mountkirkgames.com/sales and www.mountkirkgames.com/get-an-analysis, the correct pages are displayed. However, you have received complaints that www.mountkirkgames.com yields a 404 error. You need to resolve this error. What should you do?

AReview the Ingress YAML file. Define the default backend. Reapply the YAML.

BReview the Ingress YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML.

CReview the Service YAML file. Define a default backend. Reapply the YAML.

DReview the Service YAML file. Add a new path rule for the * character that directs to the base service. Reapply the YAML.

Answer : A

The 404 error is occurring because there is no default backend defined for requests to the root URL. Defining the default backend in the Ingress YAML file ensures that requests to www.mountkirkgames.com are routed to the correct service.

Question 32

You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.

How should you update your instances?

AManually patch some of the instances, and then perform a rolling restart on the instance group.

BUsing the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.

CDeploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.

DPerform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.

Answer : D

https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups#starting_a_canary_update

https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups

Question 33

Your company has defined a resource hierarchy that includes a parent folder with subfolders for each department. Each department defines their respective project and VPC in the assigned folder and has the appropriate permissions to create Google Cloud firewall rules. The VPCs should not allow traffic to flow between them. You need to block all traffic from any source, including other VPCs, and delegate only the intra-VPC firewall rules to the respective departments. What should you do?

ACreate a VPC firewall rule in each VPC to block traffic from any source, with priority 0.

BCreate a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.

CCreate two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.

DCreate two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.

Answer : B

Question 34

Agcloud compute instances add-access-config instance-1

Bgcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

Cgcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

Dgcloud compute health-checks update http health-check --unhealthy-threshold 10

Answer : A

Question 35

You have the following Shared VPC design VPC Flow Logs is configured for Subnet-1 In the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?

AConfigure a firewall rule to permit Subnet-2 IP addresses outbound in the host protect VPC.

BConfigure Packet Mirroring in both the host and service project VPCs.

CConfigure a VPC Flow Logs filter for Subnet-2 in the host project VPC.

DConfigure VPC Flow Logs in the service project VPC for Subnet-2.

Answer : D

Understanding VPC Flow Logs:

Current Configuration:

According to the diagram, VPC Flow Logs is already configured for Subnet-1 in the host VPC. This means that traffic information for Subnet-1 is being captured and logged.

Requirement for Subnet-2:

The goal is to monitor flow logs for Subnet-2, which is in the service project VPC.

Correct Configuration for Subnet-2:

Implementation Steps:

Go to the Google Cloud Console.

Navigate to the service project where Subnet-2 is located.

Select the VPC network containing Subnet-2.

Enable VPC Flow Logs for Subnet-2 by editing the subnet settings and enabling the flow logs option.

Cost and Performance Considerations:

Enabling VPC Flow Logs may incur additional costs based on the volume of data logged. Ensure to review and understand the pricing implications.

Analyze and manage the data collected to avoid unnecessary logging and costs.

References:

Google Cloud VPC Flow Logs Documentation

Configuring VPC Flow Logs

Shared VPC Overview

By configuring VPC Flow Logs in the service project VPC for Subnet-2, you ensure that traffic data is correctly captured and monitored, adhering to Google Cloud's best practices.

Question 36

You are implementing a VPC architecture for your organization by using a Network Connectivity Center hub and spoke topology:

* There is one Network Connectivity Center hybrid spoke to receive on-premises routes.

* There is one VPC spoke that needs to be added as a Network Connectivity Center spoke.

Your organization has limited routable IP space fortheir cloud environment (192.168.0.0/20). The Network Connectivity Center spoke VPC is connected to on-premises with a Cloud Interconnect connection in the us-east4 region. The on-premises IP range is 172.16.0.0/16. You need to reach on-premises resources from multiple Google Cloud regions (us-westl, europe-centrall, and asia-southeastl) and minimize the IP addresses being used. What should you do?

AO 1. Configure a Private NAT gateway and NAT subnet in us-westl (192.168.1.0/24), europe-centrall (192.168.2.0/24) and asia-southeastl (192.168.3.0/24).
2. Add the VPC as a spoke and configure an export include policy to advertise only 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-westl, us-centrall and asia-southeastl to reach the on-premises location through us-east4.

BQ 1. Configure a Private NAT gateway instance in us-westl (192.168.1.0/24), europe-centrall (192.168.2.0/24), and asia-southeastl (192.168.3.0/24).
2. Add the VPC as a spoke and configure an export exclude policy on the VPC spoke to advertise only the NAT subnets 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-westl, us-centrall, and asia-southeastl to reach the on-premises location through us-east4.

CQ 1. Configure a Private NAT gateway instance in us-east4 (192.168.1.0/24).
2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise 192.168.1.0/24 to the hub.
3. Enable global dynamic routing to allow resources in us-westl, us-centrall and asia-southeast l to reach the on-premises location through us-east 4.

DO 1- Configure a Private NAT gateway instance in us-westl (172.16.1.0/24), europe-centrall (172.16.2.0/24), and asia-southeastl (172.16.3.0/24).
2. Add the VPC as a spoke and configure an export include policy on the VPC spoke to advertise only the NAT subnets 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 to the hub.
3. Enable global dynamic to allow resources in us-westl, us-centrall, and asia-southeastl to reach the on-premises location through us-east4.

Answer : C

The key requirements are: limited IP space (192.168.0.0/20), reaching on-premises (172.16.0.0/16) from multiple Google Cloud regions (us-west1, europe-central1, asia-southeast1), and minimizing IP addresses used. The Cloud Interconnect connection to on-premises is in us-east4.

Minimize IP addresses and centralized NAT: Since all traffic to on-premises will traverse the Cloud Interconnect in us-east4, it's most efficient to configure a single Private NAT gateway instance in us-east4. This allows resources from other regions to egress to on-premises through this single NAT gateway, using a minimal NAT subnet (192.168.1.0/24 in this case), thus conserving the limited 192.168.0.0/20 IP space.

Network Connectivity Center Spoke Export Policy: The VPC spoke needs to advertise the NAT subnet to the Network Connectivity Center hub. An export include policy is used to specify which routes (in this case, the 192.168.1.0/24 NAT subnet) should be advertised to the hub.

Global Dynamic Routing: To allow resources in us-west1, europe-central1, and asia-southeast1 to reach the on-premises location through the us-east4 Cloud Interconnect and NAT gateway, the VPC containing these resources (the spoke VPC) must have global dynamic routing enabled. This ensures that routes learned in one region (like the on-premises routes via us-east4) are available to VMs in all other regions of that VPC.

Options A and B configure Private NAT gateways in multiple regions, which consumes more IP addresses than necessary given that the Cloud Interconnect is only in us-east4. Option D uses 172.16.x.x for NAT subnets, which clashes with the on-premises IP range and the requirement to use the 192.168.0.0/20 space for cloud.

Exact Extract:

'Private NAT allows instances with private IP addresses in one VPC network to connect to on-premises or other cloud networks through a NAT IP address in a different region or network.'

'To allow VMs in multiple regions to reach a central destination through a NAT gateway located in a specific region, you must configure global dynamic routing on the VPC network. This ensures that routes to the NAT gateway's subnet are propagated across all regions.'

Question 37

Your company acquired a new division. The new division's network team requires complete control over their networking infrastructure. You need to extend your existing Google Cloud network infrastructure, that consists of a single VPC, to allow workloads from all divisions to communicate with each other. You want to avoid incurring extra costs and granting unnecessary permissions to the new division's networking team. What should you do?

AQ * Create a new project for the new division's network team.
* Create a new VPC within the new project.
* Establish a VPC peering between your existing VPC and the new division's VPC.
* Grant roles/compute. networkAdmin on the newly created project to the new division's network team group.

BO * Create a new project for the new division's network team.
* Create a new VPC within the new project.
* Establish a VPC peering between your existing VPC and the new division's VPC.
* Create a new subnet dedicated to the new division's workloads.
* Grant roles/compute .networkuser on the new project to the new division's network team group.

CO * Create a new project for the new division's network team.
* Create a new VPC within the new project.
* Establish a VPN connection between your existing VPC and the new division's VPC.
* Grant roles/compute .networkAdmin on the newly created project to the new division's network team group.

DQ * Ensure that the project hosting the existing network infrastructure is enabled as a host project.
* Create a new subnet dedicated to the new division's workloads in the existing VPC.
* Grant roles/compute. networkuser on the newly created subnet to the new division's network team group.

Answer : A

The requirement for the new division's network team to have 'complete control over their networking infrastructure' while allowing communication between divisions and avoiding unnecessary permissions points directly to VPC Network Peering. This approach allows each division to manage its own VPC independently (in its own project), provides full control to the new division's network team within their project, and enables secure, private communication between the VPCs without traversing the public internet. Granting roles/compute.networkAdmin on their newly created project ensures they have the necessary control over their dedicated VPC. Using Shared VPC (option D) would centralize network administration under your existing project, which goes against the requirement of the new division having 'complete control.' VPN (option C) would incur additional costs and introduce more complexity than VPC peering for intra-Google Cloud connectivity. Option B is flawed because creating a subnet in the new VPC isn't directly relevant to granting permissions on the new project for VPC peering setup, and networkuser role on the new project alone wouldn't give complete network control.

Exact Extract:

'VPC Network Peering allows you to connect two VPC networks so that resources in each network can communicate with each other using internal IP addresses. Traffic stays within Google's network.'

'Each side of a VPC Network Peering connection is configured independently. This means that each network administrator retains full control over their own network, including routes, firewalls, and network services.'

Question 38

Your company's security team tends to use managed services when possible. You need to build a dashboard to show the number of deny hits that occur against configured firewall rules without increasing operational overhead. What should you do?

AConfigure Firewall Rules Logging. Use Firewall Insights to display the number of hits.

BConfigure Firewall Rules Logging. View the logs in Cloud Logging, and create a custom dashboard in Cloud Monitoring to display the number of hits.

CConfigure a firewall appliance from the Google Cloud Marketplace. Route all traffic through this appliance, and apply the firewall rules at this layer. Use the firewall appliance to display the number of hits.

DConfigure Packet Mirroring on the VPC. Apply a filter with an IP address list of the Denied Firewall rules. Configure an intrusion detection system (IDS) appliance as the receiver to display the number of hits.

Answer : A

Question 39

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.

What should you do?

ACreate a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.

BCreate a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.

CCreate a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.

DCreate IPTables firewall rules that block all traffic except for the traffic-scrubbing service.

Answer : A

Global load balancer will proxy the connection . thus no trace of session origin IP. you should use Cloud Armor to geofence your service.

https://cloud.google.com/load-balancing/docs/https

Question 40

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

Which connection type should you choose?

ACarrier Peering

BDirect Peering

CDedicated Interconnect

DPartner Interconnect

Answer : B

When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.

Question 41

You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling. Which configuration should you use?

AUse global SSL Proxy Load Balancing with backends in both regions.

BUse global TCP Proxy Load Balancing with backends in both regions.

CUse global external HTTP(S) Load Balancing with backends in both regions.

DUse Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.

Answer : D

Question 42

Your company has provisioned 2000 virtual machines (VMs) in the private subnet of your Virtual Private Cloud (VPC) in the us-east1 region. You need to configure each VM to have a minimum of 128 TCP connections to a public repository so that users can download software updates and packages over the internet. You need to implement a Cloud NAT gateway so that the VMs are able to perform outbound NAT to the internet. You must ensure that all VMs can simultaneously connect to the public repository and download software updates and packages. Which two methods can you use to accomplish this? (Choose two.)

AConfigure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

BCreate a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

CUse the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.

DUse the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

EConfigure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.

Answer : A, B

Question 43

You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?

AConfigure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.

BConfigure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

CConfigure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.

DConfigure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

Answer : C

Question 44

You created a new VPC network named Dev with a single subnet. You added a firewall rule for the network Dev to allow HTTP traffic only and enabled logging. When you try to log in to an instance in the subnet via Remote Desktop Protocol, the login fails. You look for the Firewall rules logs in Stackdriver Logging, but you do not see any entries for blocked traffic. You want to see the logs for blocked traffic.

What should you do?

ACheck the VPC flow logs for the instance.

BTry connecting to the instance via SSH, and check the logs.

CCreate a new firewall rule to allow traffic from port 22, and enable logs.

DCreate a new firewall rule with priority 65500 to deny all traffic, and enable logs.

Answer : D

Ingress packets in VPC Flow Logs are sampled after ingress firewall rules. If an ingress firewall rule denies inbound packets, those packets are not sampled by VPC Flow Logs. We want to see the logs for blocked traffic so we have to look for them in firewall logs. https://cloud.google.com/vpc/docs/flow-logs#key_properties

Question 45

You need to ensure your personal SSH key works on every instance in your project. You want to accomplish this as efficiently as possible.

What should you do?

AUpload your public ssh key to the project Metadata.

BUpload your public ssh key to each instance Metadata.

CCreate a custom Google Compute Engine image with your public ssh key embedded.

DUse gcloud compute ssh to automatically copy your public ssh key to the instance.

Answer : A

Overview By creating and managing SSH keys, you can let users access a Linux instance through third-party tools. An SSH key consists of the following files: A public SSH key file that is applied to instance-level metadata or project-wide metadata. A private SSH key file that the user stores on their local devices. If a user presents their private SSH key, they can use a third-party tool to connect to any instance that is configured with the matching public SSH key file, even if they aren't a member of your Google Cloud project. Therefore, you can control which instances a user can access by changing the public SSH key metadata for one or more instances. https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#addkey

Question 46

You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?

AReview the VPC audit logs in Cloud Logging for the affected instances.

BUse Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.

CRun Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.

DEnable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.

Answer : C

Question 47

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.

Which session affinity should you choose?

ANone

BClient IP

CClient IP and protocol

DClient IP, port and protocol

Answer : B

Question 48

You are migrating a three-tier application architecture from on-premises to Google Cloud. As a first step in the migration, you want to create a new Virtual Private Cloud (VPC) with an external HTTP(S) load balancer. This load balancer will forward traffic back to the on-premises compute resources that run the presentation tier. You need to stop malicious traffic from entering your VPC and consuming resources at the edge, so you must configure this policy to filter IP addresses and stop cross-site scripting (XSS) attacks. What should you do?

ACreate a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.

BCreate a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.

CCreate a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.

DCreate a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.

Answer : C

Question 49

Agcloud compute instances add-access-config instance-1

Bgcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

Cgcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

Dgcloud compute health-checks update http health-check --unhealthy-threshold 10

Answer : A

Question 50

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.

What should you do?

ACreate a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

BCreate a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

CTag the backend instances 'application,' and create a firewall rule with target tag 'application' and the source IP range of the allowed clients and Google health check IP ranges.

DLabel the backend instances 'application,' and create a firewall rule with the target label 'application' and the source IP range of the allowed clients and Google health check IP ranges.

Answer : C

https://cloud.google.com/load-balancing/docs/https/setting-up-https#sendtraffic

Question 51

You are deploying an application that runs on Compute Engine instances. You need to determine how to expose your application to a new customer You must ensure that your application meets the following requirements

* Maps multiple existing reserved external IP addresses to the Instance

* Processes IP Encapsulating Security Payload (ESP) traffic

What should you do?

AConfigure a target pool, and create protocol forwarding rules for each external IP address.

BConfigure a backend service, and create an external network load balancer for each external IP address

CConfigure a target instance, and create a protocol forwarding rule for each external IP address to be mapped to the instance.

DConfigure the Compute Engine Instances' network Interface external IP address from None to Ephemeral Add as many external IP addresses as required

Answer : C

The correct answer is C. Configure a target instance, and create a protocol forwarding rule for each external IP address to be mapped to the instance.

This answer is based on the following facts:

A target instance is a Compute Engine instance that handles traffic from one or more forwarding rules1. You can use target instances to forward traffic to a single VM instance from one or more external IP addresses2.

A protocol forwarding rule specifies the IP protocol and port range for the traffic that you want to forward3. You can use protocol forwarding rules to forward traffic of any IP protocol, including ESP4.

The other options are not correct because:

Option A is not possible. You cannot create protocol forwarding rules for a target pool. A target pool is a group of instances that receives traffic from a network load balancer5.

Option B is not suitable. You do not need to create an external network load balancer for each external IP address. An external network load balancer distributes traffic among multiple backend instances based on the destination IP address and port. You can use a single load balancer with multiple forwarding rules to map multiple external IP addresses to the same backend service.

Option D is not feasible. You cannot add multiple external IP addresses to a single network interface of a Compute Engine instance. Each network interface can have only one external IP address that is either ephemeral or static. You can use alias IP ranges to assign multiple internal IP addresses to a single network interface, but not external IP addresses.

Question 52

BVerify ownership of your IP addresses. After the verification, Google Cloud advertises and provisions the IP prefix for you_ Assign the IP addresses to the Compute Engine Instances

CCreate a VPC With the same IP address range as your on-premises network Asson the IP addresses to the Compute Engine Instances.

DVerify ownership of your IP addresses. Use live migration to import the prefix Assign the IP addresses to Compute Engine instances.

Answer : D

References:

Bring your own IP addresses

Professional Cloud Network Engineer Exam Guide

Bring your own IP addresses (BYOIP) to Azure with Custom IP Prefix

Question 53

Your company has a Virtual Private Cloud (VPC) with two Dedicated Interconnect connections in two different regions: us-west1 and us-east1. Each Dedicated Interconnect connection is attached to a Cloud Router in its respective region by a VLAN attachment. You need to configure a high availability failover path. By default, all ingress traffic from the on-premises environment should flow to the VPC using the us-west1 connection. If us-west1 is unavailable, you want traffic to be rerouted to us-east1. How should you configure the multi-exit discriminator (MED) values to enable this failover path?

AUse regional routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

BUse global routing. Set the us-east1 Cloud Router to a base priority of 100, and set the us-west1 Cloud Router to a base priority of 1

CUse regional routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

DUse global routing. Set the us-east1 Cloud Router to a base priority of 1000, and set the us-west1 Cloud Router to a base priority of 1

Answer : A

Question 54

Which connectivity model should you use?

ADirect Peering

BDedicated Interconnect

CPartner Interconnect with a layer 2 partner

DPartner Interconnect with a layer 3 partner

Answer : D

https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview

https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#connectivity-type

Question 55

AConfigure the NAT gateway in manual allocation mode, allocate 2 NAT IP addresses, and update the minimum number of ports per VM to 256.

BCreate a second Cloud NAT gateway with the default minimum number of ports configured per VM to 64.

CUse the default Cloud NAT gateway's NAT proxy to dynamically scale using a single NAT IP address.

DUse the default Cloud NAT gateway to automatically scale to the required number of NAT IP addresses, and update the minimum number of ports per VM to 128.

EConfigure the NAT gateway in manual allocation mode, allocate 4 NAT IP addresses, and update the minimum number of ports per VM to 128.

Answer : A, B

Question 56

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.

How should you set up permissions for the networking team?

AAssign members of the networking team the compute.networkUser role.

BAssign members of the networking team the compute.networkAdmin role.

CAssign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

DAssign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Answer : B