Google Professional-Cloud-Network-Engineer Exam Practice Test Instant Access

Question 1

Your company is planning a migration to Google Kubernetes Engine. Your application team informed you that they require a minimum of 60 Pods per node and a maximum of 100 Pods per node Which Pod per node CIDR range should you use?

A/24

B/25

C/26

D/28

Answer : B

To determine the Pod per node CIDR range, you need to calculate how many IP addresses are required for each node, and then choose the smallest CIDR range that can accommodate that number. A CIDR range of /n means that there are 2^(32-n) IP addresses available in that range. For example, a /24 range has 2^(32-24) = 256 IP addresses.

According to the question, the application team requires a minimum of 60 Pods per node and a maximum of 100 Pods per node. Therefore, you need to choose a CIDR range that can provide at least 100 IP addresses per node, but not more than necessary. A /25 range has 2^(32-25) = 128 IP addresses, which is enough for 100 Pods per node. A /26 range has 2^(32-26) = 64 IP addresses, which is not enough for 60 Pods per node. A /24 range has 256 IP addresses, which is more than needed and wastes IP address space. A /28 range has 2^(32-28) = 16 IP addresses, which is far too small for any node.

Therefore, the best option is B. /25.This is also consistent with the Google Kubernetes Engine documentation, which states that each node is allocated a /24 range of IP addresses for Pods by default, but the maximum number of Pods per node is 1101. This means that there are approximately twice as many available IP addresses as possible Pods, which is similar to the ratio of 128 to 100 in the /25 range.

1:Configure maximum Pods per node | Google Kubernetes Engine (GKE) | Google Cloud

Question 2

You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.

Always allow Secure Shell (SSH) from your corporate IP address.

Restrict SSH access from all other IP addresses.

There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team's requirements. What should you do?

AConfigure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0.
Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.

BConfigure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0.
Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.

CConfigure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1.
Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.

DConfigure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1
Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.

Answer : A

Question 3

You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?

AEnable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.

BEnable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.

CEnable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.

DEnable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.

Answer : B

Question 4

You are responsible for designing a new connectivity solution for your organization's enterprise network to access and use Google Workspace. You have an existing Shared VPC with Compute Engine instances in us-west1. Currently, you access Google Workspace via your service provider's internet access. You want to set up a direct connection between your network and Google. What should you do?

AOrder a Dedicated Interconnect connection in the same metropolitan area. Create a VLAN attachment, a Cloud Router in us-west1, and a Border Gateway Protocol (BGP) session between your Cloud Router and your router.

BOrder a Direct Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

CConfigure HA VPN in us-west1. Configure a Border Gateway Protocol (BGP) session between your Cloud Router and your on-premises data center.

DOrder a Carrier Peering connection in the same metropolitan area. Configure a Border Gateway Protocol (BGP) session between Google and your router.

Answer : B

Question 5

You need to define an address plan for a future new Google Kubernetes Engine (GKE) cluster in your Virtual Private Cloud (VPC). This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses. Which subnet mask should you use for the Pod IP address range?

A/21

B/22

C/23

D/25

Answer : A

Question 6

You are configuring a new HTTP application that will be exposed externally behind both IPv4 and IPv6 virtual IP addresses, using ports 80, 8080, and 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest-possible latency while ensuring high availability and autoscaling, and create native content-based rules using the HTTP hostname and request path. The IP addresses of the clients that connect to the load balancer need to be visible to the backends. Which configuration should you use?

AUse Network Load Balancing

BUse TCP Proxy Load Balancing with PROXY protocol enabled

CUse External HTTP(S) Load Balancing with URL Maps and custom headers

DUse External HTTP(S) Load Balancing with URL Maps and an X-Forwarded-For header

Answer : D

Question 7

You have configured a service on Google Cloud that connects to an on-premises service via a Dedicated Interconnect. Users are reporting recent connectivity issues. You need to determine whether the traffic is being dropped because of firewall rules or a routing decision. What should you do?

AUse the Network Intelligence Center Connectivity Tests to test the connectivity between the VPC and the on-premises network.

BUse Network Intelligence Center Network Topology to check the traffic flow, and replay the traffic from the time period when the connectivity issue occurred.

CConfigure VPC Flow Logs. Review the logs by filtering on the source and destination.

DConfigure a Compute Engine instance on the same VPC as the service running on Google Cloud to run a traceroute targeted at the on-premises service.

Answer : B

Google Professional Cloud Network Engineer Exam Practice Test