New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Google > Google Cloud Platform > Professional-Cloud-Network-Engineer

Professional-Cloud-Network-Engineer Google Cloud Certified - Professional Cloud Network Engineer Question and Answers

Question # 4

You have two Google Cloud projects in a perimeter to prevent data exfiltration. You need to move a third project inside the perimeter; however, the move could negatively impact the existing environment. You need to validate the impact of the change. What should you do?

A.

Enable Firewall Rules Logging inside the third project.

B.

Modify the existing VPC Service Controls policy to include the new project in dry run mode.

C.

Monitor the Resource Manager audit logs inside the perimeter.

D.

Enable VPC Flow Logs inside the third project, and monitor the logs for negative impact.

Full Access
Question # 5

Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.

How should you set up permissions for the networking team?

A.

Assign members of the networking team the compute.networkUser role.

B.

Assign members of the networking team the compute.networkAdmin role.

C.

Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.

D.

Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.

Full Access
Question # 6

You are deploying an HA VPN within Google Cloud. You need to exchange routes dynamically between your on-premises gateway and Google Cloud. You have already created an HA VPN gateway and a peer VPN gateway resource. What should you do?

A.

Create a Cloud Router, add VPN tunnels, and then configure BGP sessions.

B.

Create a second HA VPN gateway, add VPN tunnels, and enable global dynamic routing.

C.

Create a Cloud Router, add VPN tunnels, and enable global dynamic routing.

D.

Create a Cloud Router, add VPN tunnels, and then configure static routes to your subnet ranges.

Full Access
Question # 7

Question:

Your organization's security team recently discovered that there is a high risk of malicious activities originating from some of your VMs connected to the internet. These malicious activities are currently undetected when TLS communication is used. You must ensure that encrypted traffic to the internet is inspected. What should you do?

A.

Enable Cloud Armor TLS inspection policy, and associate the policy with the backend VMs.

B.

Use Cloud NGFW Enterprise. Create a firewall rule for egress traffic with the tls-inspect flag and associate the firewall rules with the VMs.

C.

Configure a TLS agent on every VM to intercept TLS traffic before it reaches the internet. Configure Sensitive Data Protection to analyze and allow/deny the content.

D.

Use Cloud NGFW Essentials. Create a firewall rule for egress traffic and enable VPC Flow Logs with the TLS inspect option. Analyze the output logs content and block the outputs that have malicious activities.

Full Access
Question # 8

Your organization has Compute Engine instances in us-east1, us-west2, and us-central1. Your organization also has an existing Cloud Interconnect physical connection in the East Coast of the United States with a single VLAN attachment and Cloud Router in us-east1. You need to provide a design with high availability and ensure that if a region goes down, you still have access to all your other Virtual Private Cloud (VPC) subnets. You need to accomplish this in the most cost-effective manner possible. What should you do?

A.

Configure your VPC routing in regional mode.

Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

B.

Configure your VPC routing in global mode.

Add an additional Cloud Interconnect VLAN attachment in the us-east1 region, and configure a Cloud Router in us-east1.

C.

Configure your VPC routing in global mode.

Add an additional Cloud Interconnect VLAN attachment in the us-west2 region, and configure a Cloud Router in us-west2.

D.

Configure your VPC routing in regional mode.

Add additional Cloud Interconnect VLAN attachments in the us-west2 and us-central1 regions, and configure Cloud Routers in us-west2 and us-central1.

Full Access
Question # 9

You want to create a service in GCP using IPv6.

What should you do?

A.

Create the instance with the designated IPv6 address.

B.

Configure a TCP Proxy with the designated IPv6 address.

C.

Configure a global load balancer with the designated IPv6 address.

D.

Configure an internal load balancer with the designated IPv6 address.

Full Access
Question # 10

Your organization has a new security policy that requires you to monitor all egress traffic payloads from your virtual machines in region us-west2. You deployed an intrusion detection system (IDS) virtual appliance in the same region to meet the new policy. You now need to integrate the IDS into the environment to monitor all egress traffic payloads from us-west2. What should you do?

A.

Enable firewall logging, and forward all filtered egress firewall logs to the IDS.

B.

Enable VPC Flow Logs. Create a sink in Cloud Logging to send filtered egress VPC Flow Logs to the IDS.

C.

Create an internal TCP/UDP load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

D.

Create an internal HTTP(S) load balancer for Packet Mirroring, and add a packet mirroring policy filter for egress traffic.

Full Access
Question # 11

You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload.

Which type of load balancer should you use?

A.

HTTP(S) load balancer

B.

Network load balancer

C.

Internal load balancer

D.

TCP/SSL proxy load balancer

Full Access
Question # 12

You have applications running in the us-west1 and us-east1 regions. You want to build a highly available VPN that provides 99.99% availability to connect your applications from your project to the cloud services provided by your partner's project while minimizing the amount of infrastructure required. Your partner's services are also in the us-west1 and us-east1 regions. You want to implement the simplest solution. What should you do?

A.

Create one Cloud Router and one HA VPN gateway in each region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways. Enable global dynamic routing in each VPC.

B.

Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC. Create one OpenVPN Access Server in each region of your partner's VPC. Connect your VPN gateway to your partner's servers.

C.

Create one OpenVPN Access Server in each region of your VPC and your partner's VPC. Connect your servers to the partner's servers.

D.

Create one Cloud Router and one HA VPN gateway in the us-west1 region of your VPC and your partner's VPC. Connect your VPN gateways to the partner's gateways with a pair of tunnels. Enable global dynamic routing in each VPC.

Full Access
Question # 13

You have ordered Dedicated Interconnect in the GCP Console and need to give the Letter of Authorization/Connecting Facility Assignment (LOA-CFA) to your cross-connect provider to complete the physical connection.

Which two actions can accomplish this? (Choose two.)

A.

Open a Cloud Support ticket under the Cloud Interconnect category.

B.

Download the LOA-CFA from the Hybrid Connectivity section of the GCP Console.

C.

Run gcloud compute interconnects describe .

D.

Check the email for the account of the NOC contact that you specified during the ordering process.

E.

Contact your cross-connect provider and inform them that Google automatically sent the LOA/CFA to them via email, and to complete the connection.

Full Access
Question # 14

Your company's current network architecture has two VPCs that are connected by a dual-NIC instance that acts as a bump-in-the-wire firewall between the two VPCs. Flows between pairs of subnets across the two VPCs are working correctly. Suddenly, you receive an alert that none of the flows between the two VPCs are working anymore. You need to troubleshoot the problem. What should you do? (Choose 2 answers)

A.

Verify that the dual-NIC instance has not been added to a backend service.

B.

Verify that a public IP address has not been assigned to any network interface of the dual-NIC instance.

C.

Use Cloud Logging to verify that there were no modifications to the VPC firewall rules or policies that were applied to the two network interfaces of the dual-NIC instance.

D.

Verify that a VPC Service Controls perimeter has not been enabled for the project that contains the two VPCs and the dual-NIC instance.

E.

Verify that the dual-NIC instance has the --can-ip-forward attribute enabled.

Full Access
Question # 15

You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.

Which session affinity should you choose?

A.

None

B.

Client IP

C.

Client IP and protocol

D.

Client IP, port and protocol

Full Access
Question # 16

Your company's logo is published as an image file across multiple websites that are hosted by your company You have implemented Cloud CDN, however, you want to improve the performance of the cache hit ratio associated with this image file. What should you do?

A.

Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes-

B.

Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type

C.

Configure versioned IJRLs for each domain to serve users the •mage file before the cache entry expires

D.

Configure the default time to live (TTL) as O for the image file.

Full Access
Question # 17

You are designing a new global application using Compute Engine instances that will be exposed by a global HTTP(S) load balancer. You need to secure your application from distributed denial-of-service and application layer (layer 7) attacks. What should you do?

A.

Configure VPC Service Controls and create a secure perimeter. Define fine-grained perimeter controls and enforce that security posture across your Google Cloud services and projects.

B.

Configure a Google Cloud Armor security policy in your project, and attach it to the backend service to secure the application.

C.

Configure VPC firewall rules to protect the Compute Engine instances against distributed denial-of-service attacks.

D.

Configure hierarchical firewall rules for the global HTTP(S) load balancer public IP address at the organization level.

Full Access
Question # 18

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters. Due to IP address exhaustion of the RFC 1918 address space In your enterprise, you plan to use privately used public IP space for the new clusters. You want to follow Google-recommended practices. What should you do after designing your IP scheme?

A.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters

B.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters

C.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and

D.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected --disable-default-snat, —enable-ip-alias, and—enable-private-nodes

Full Access
Question # 19

You successfully provisioned a single Dedicated Interconnect. The physical connection is at a colocation facility closest to us-west2. Seventy-five percent of your workloads are in us-east4, and the remaining twenty-five percent of your workloads are in us-central1. All workloads have the same network traffic profile. You need to minimize data transfer costs when deploying VLAN attachments. What should you do?

A.

Keep the existing Dedicated interconnect. Deploy a VLAN attachment to a Cloud Router in us-west2, and use VPC global routing to access workloads in us-east4 and us-central1.

B.

Keep the existing Dedicated Interconnect. Deploy a VLAN attachment to a Cloud Router in us-east4, and deploy another VLAN attachment to a Cloud Router in us-central1.

C.

Order a new Dedicated Interconnect for a colocation facility closest to us-east4, and use VPC global routing to access workloads in us-central1.

D.

Order a new Dedicated Interconnect for a colocation facility closest to us-central1, and use VPC global routing to access workloads in us-east4.

Full Access
Question # 20

Question:

Your organization is deploying a mission-critical application with components in different regions due to strict compliance requirements. There are latency issues between different applications that reside in us-central1 and us-east4. The application team suspects the Google Cloud network as the source of the excessive latency despite using the Premium Network Service Tier. You need to use Google-recommended practices with the least amount of effort to verify the inter-region latency by investigating network performance. What should you do?

A.

Set up the Performance Dashboard in Network Intelligence Center. Select the traffic type (cross-zonal), the metric (latency - RTT), the time period, the desired regions (us-central1 and us-east4), and the network tier.

B.

Enable VPC Flow Logs for the VPC. Identify major bottlenecks from the application level using Flow Analyzer.

C.

Configure two Linux VMs in each zone for each region. Install the application, and run a load test using each zone from different regions.

D.

Configure a VM with a probe in Network Intelligence Center in each zone for each region. Choose the traffic type (cross-zonal), metric (latency - RTT), desired regions (us-central1 and us-east4), and the network tier.

Full Access
Question # 21

You have the networking configuration shown. In the diagram Two VLAN attachments associated With two Dedicated Interconnect connections terminate on the same Cloud Router (mycloudrouter). The Interconnect connections terminate on two separate on-premises routers. You advertise the same prefixes from the Border Gateway Protocol (BOP) sessions associated with each Of the VLAN attachments.

You notice an asymmetric traffic flow between the two Interconnect connections. Which of the following actions should you take to troubleshoot the asymmetric traffic flow?

A.

From the Google Cloud console, navigate to the Hybrid Connectivity select the Cloud Router, and view BGP sessions.

B.

From the Cloud CLI, run gcloud compute –protect_ID router get—status mycloudrouter —-region REGION and review the results.

C.

From the Google Cloud console, navigate to Cloud Logging to view VPC Flow Logs and review the results

D.

From the Cloud CLI. run gcloud compute routers describe mycloudrouter

--region REGION and review the results

Full Access
Question # 22

You are designing an IP address scheme for new private Google Kubernetes Engine (GKE) clusters, Due to IP address exhaustion of the RFC 1918 address space in your enterprise, you plan to use privately used public IP space for the new dusters. You want to follow Google-recommended practices, What should you do after designing your IP scheme?

A.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters. Re-use the secondary address range for the pods across multiple private GKE clusters.

B.

Create the minimum usable RFC 1918 primary and secondary subnet IP ranges for the clusters Re-use the secondary address range for the services across multiple private GKE clusters.

C.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster With the following options selected: --enab1e-ip-a1ias and --enable-private-nodes.

D.

Create privately used public IP primary and secondary subnet ranges for the clusters. Create a private GKE cluster with the following options selected and – siable-default-snat, --enable-ip-alias, and –enable-private-nodes

Full Access
Question # 23

You have configured Cloud CDN using HTTP(S) load balancing as the origin for cacheable content. Compression is configured on the web servers, but responses served by Cloud CDN are not compressed.

What is the most likely cause of the problem?

A.

You have not configured compression in Cloud CDN.

B.

You have configured the web servers and Cloud CDN with different compression types.

C.

The web servers behind the load balancer are configured with different compression types.

D.

You have to configure the web servers to compress responses even if the request has a Via header.

Full Access
Question # 24

Your company has 10 separate Virtual Private Cloud (VPC) networks, with one VPC per project in a single region in Google Cloud. Your security team requires each VPC network to have private connectivity to the main on-premises location via a Partner Interconnect connection in the same region. To optimize cost and operations, the same connectivity must be shared with all projects. You must ensure that all traffic between different projects, on-premises locations, and the internet can be inspected using the same third-party appliances. What should you do?

A.

Configure the third-party appliances with multiple interfaces and specific Partner Interconnect VLAN attachments per project. Create the relevant routes on the third-party appliances and VPC networks.

B.

Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create separate VPC networks for on- premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks.

C.

Consolidate all existing projects’ subnetworks into a single VPC. Create separate VPC networks for on-premises and internet connectivity. Configure the third-party appliances with multiple interfaces, with each interface connected to a separate VPC network. Create the relevant routes on the third-party appliances and VPC networks.

D.

Configure the third-party appliances with multiple interfaces. Create a hub VPC network for all projects, and create separate VPC networks for on-premises and internet connectivity. Create the relevant routes on the third-party appliances and VPC networks. Use VPC Network Peering to connect all projects’ VPC networks to the hub VPC. Export custom routes from the hub VPC and import on all projects’ VPC networks.

Full Access
Question # 25

Question:

You are designing the architecture for your organization so that clients can connect to certain Google APIs. Your plan must include a way to connect to Cloud Storage and BigQuery. You also need to ensure the traffic does not traverse the internet. You want your solution to be cloud-first and require the least amount of configuration steps. What should you do?

A.

Configure Private Google Access on the VPC resource. Create a default route to the internet.

B.

Configure Private Google Access on the subnet resource. Create a default route to the internet.

C.

Configure Cloud NAT and remove the default route to the internet.

D.

Configure a global Secure Web Proxy and remove the default route to the internet.

Full Access
Question # 26

Your organization's security policy requires that all internet-bound traffic return to your on-premises data center through HA VPN tunnels before egressing to the internet, while allowing virtual machines (VMs) to leverage private Google APIs using private virtual IP addresses 199.36.153.4/30. You need to configure the routes to enable these traffic flows. What should you do?

A.

Configure a custom route 0.0.0.0/0 with a priority of 500 whose next hop is the default internet gateway. Configure another custom route 199.36.153.4/30 with priority of 1000 whose next hop is the VPN tunnel back to the on-premises data center.

B.

Configure a custom route 0.0.0.0/0 with a priority of 1000 whose next hop is the internet gateway. Configure another custom route 199.36.153.4/30 with a priority of 500 whose next hop is the VPN tunnel back to the on-premises data center.

C.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 1000. Configure a custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the default internet gateway.

D.

Announce a 0.0.0.0/0 route from your on-premises router with a MED of 500. Configure another custom route 199.36.153.4/30 with a priority of 1000 whose next hop is the VPN tunnel back to the on-

premises data center.

Full Access
Question # 27

Question:

You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

A.

Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.

B.

Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

C.

Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

D.

Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

Full Access
Question # 28

You recently deployed Compute Engine instances in regions us-west1 and us-east1 in a Virtual Private Cloud (VPC) with default routing configurations. Your company security policy mandates that virtual machines (VMs) must not have public IP addresses attached to them. You need to allow your instances to fetch updates from the internet while preventing external access. What should you do?

A.

Create a Cloud NAT gateway and Cloud Router in both us-west1 and us-east1.

B.

Create a single global Cloud NAT gateway and global Cloud Router in the VPC.

C.

Change the instances’ network interface external IP address from None to Ephemeral.

D.

Create a firewall rule that allows egress to destination 0.0.0.0/0.

Full Access
Question # 29

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with on-premises connectivity already in place. You are deploying a new application using Google Kubernetes Engine (GKE), which must be accessible only from the same VPC network and on-premises locations. You must ensure that the GKE control plane is exposed to a predefined list of on-premises subnets through private connectivity only. What should you do?

A.

Create a GKE private cluster with a private endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers. Configure authorized networks to specify the desired on-premises subnets.

B.

Create a GKE private cluster with a public endpoint for the control plane. Configure VPC Networking Peering export/import routes and custom route advertisements on the Cloud Routers.

C.

Create a GKE private cluster with a private endpoint for the control plane. Configure authorized networks to specify the desired on-premises subnets.

D.

Create a GKE public cluster. Configure authorized networks to specify the desired on-premises subnets.

Full Access
Question # 30

You have the following Shared VPC design VPC Flow Logs is configured for Subnet-1 In the host VPC. You also want to monitor flow logs for Subnet-2. What should you do?

A.

Configure a firewall rule to permit Subnet-2 IP addresses outbound in the host protect VPC.

B.

Configure Packet Mirroring in both the host and service project VPCs.

C.

Configure a VPC Flow Logs filter for Subnet-2 in the host project VPC.

D.

Configure VPC Flow Logs in the service project VPC for Subnet-2.

Full Access
Question # 31

You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.

How should you provision your instances?

A.

Create a single managed instance group, specify the desired region, and select Multiple zones for the location.

B.

Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.

C.

Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.

D.

Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.

Full Access
Question # 32

You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.

What should you do?

A.

Create a Google Group for the WebServices Team.

B.

Create a G Suite Domain for the WebServices Team.

C.

Create a new Cloud Identity Domain for the WebServices Team.

D.

Create a new Custom Role for all members of the WebServices Team.

Full Access
Question # 33

You are configuring a new application that will be exposed behind an external load balancer with both IPv4 and IPv6 addresses and support TCP pass-through on port 443. You will have backends in two regions: us-west1 and us-east1. You want to serve the content with the lowest possible latency while ensuring high availability and autoscaling. Which configuration should you use?

A.

Use global SSL Proxy Load Balancing with backends in both regions.

B.

Use global TCP Proxy Load Balancing with backends in both regions.

C.

Use global external HTTP(S) Load Balancing with backends in both regions.

D.

Use Network Load Balancing in both regions, and use DNS-based load balancing to direct traffic to the closest region.

Full Access
Question # 34

You have the following routing design. You discover that Compute Engine instances in Subnet-2 in the asia-southeast1 region cannot communicate with compute resources on-premises. What should you do?

A.

Configure a custom route advertisement on the Cloud Router.

B.

Enable IP forwarding in the asia-southeast1 region.

C.

Change the VPC dynamic routing mode to Global.

D.

Add a second Border Gateway Protocol (BGP) session to the Cloud Router.

Full Access
Question # 35

You are designing a Partner Interconnect hybrid cloud connectivity solution with geo-redundancy across two metropolitan areas. You want to follow Google-recommended practices to set up the following region/metro pairs:

(region 1/metro 1)

(region 2/metro 2)

What should you do?

A.

Create a Cloud Router in region 1 with two VLAN attachments connected to metro1-zone1-x.

Create a Cloud Router in region 2 with two VLAN attachments connected to metro1-zone2-x.

B.

Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x.

Create a Cloud Router in region 2 with two VLAN attachments connected to metro2-zone2-x.

C.

Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone2-x.

Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone2-x.

D.

Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x.

Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment to metro2-zone2-x.

Full Access
Question # 36

Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations. What should you do?

A.

Peer the two VPCs, and use the default configuration for the Cloud Routers.

B.

Peer the two VPCs, and use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

C.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce a default route to the on-premises locations.

D.

Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router’s custom route advertisements to announce the peered VPC network ranges to the on-premises locations.

Full Access
Question # 37

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.

What should you do?

A.

Create a Cloud Armor Policy rule that denies traffic and review necessary logs.

B.

Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.

C.

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.

D.

Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.

Full Access
Question # 38

You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.

Which two methods can you use to accomplish this? (Choose two.)

A.

GetIamPolicy() via REST API

B.

setIamPolicy() via REST API

C.

gcloud pubsub add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

D.

gcloud projects add-iam-policy-binding Sprojectname --member user:Susername --role roles/editor

E.

Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Full Access
Question # 39

You are the network administrator responsible for hybrid connectivity at your organization. Your developer team wants to use Cloud SQL in the us-west1 region in your Shared VPC. You configured a Dedicated Interconnect connection and a Cloud Router in us-west1, and the connectivity between your Shared VPC and on-premises data center is working as expected. You just created the private services access connection required for Cloud SQL using the reserved IP address range and default settings. However, your developers cannot access the Cloud SQL instance from on-premises. You want to resolve the issue. What should you do?

A.

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.

B.

Change the VPC routing mode to global.

Create a custom route advertisement in your Cloud Router to advertise the Cloud SQL IP address range.

C.

Create an additional Cloud Router in us-west2.

Create a new Border Gateway Protocol (BGP) peering connection to your on-premises data center.

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

D.

Change the VPC routing mode to global.

Modify the VPC Network Peering connection used for Cloud SQL, and enable the import and export of routes.

Full Access
Question # 40

Your team is developing an application that will be used by consumers all over the world. Currently, the application sits behind a global external application load balancer You need to protect the application from potential application-level attacks. What should you do?

A.

Enable Cloud CDN on the backend service.

B.

Create multiple firewall deny rules to block malicious users, and apply them to the global external application load balancer

C.

Create a Google Cloud Armor security policy with web application firewall rules, and apply the security policy to the backend service.

D.

Create a VPC Service Controls perimeter with the global external application load balancer as the protected service, and apply it to the backend service

Full Access
Question # 41

You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.

What should you do on your on-premises servers?

A.

Tune TCP parameters on the on-premises servers.

B.

Compress files using utilities like tar to reduce the size of data being sent.

C.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

D.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

Full Access
Question # 42

You are configuring an HA VPN connection between your Virtual Private Cloud (VPC) and on-premises network. The VPN gateway is named VPN_GATEWAY_1. You need to restrict VPN tunnels created in the project to only connect to your on-premises VPN public IP address: 203.0.113.1/32. What should you do?

A.

Configure a firewall rule accepting 203.0.113.1/32, and set a target tag equal to VPN_GATEWAY_1.

B.

Configure the Resource Manager constraint constraints/compute.restrictVpnPeerIPs to use an allowList consisting of only the 203.0.113.1/32 address.

C.

Configure a Google Cloud Armor security policy, and create a policy rule to allow 203.0.113.1/32.

D.

Configure an access control list on the peer VPN gateway to deny all traffic except 203.0.113.1/32, and attach it to the primary external interface.

Full Access
Question # 43

Your company just completed the acquisition of Altostrat (a current GCP customer). Each company has a separate organization in GCP and has implemented a custom DNS solution. Each organization will retain its current domain and host names until after a full transition and architectural review is done in one year. These are the assumptions for both GCP environments.

• Each organization has enabled full connectivity between all of its projects by using Shared VPC.

• Both organizations strictly use the 10.0.0.0/8 address space for their instances, except for bastion hosts (for accessing the instances) and load balancers for serving web traffic.

• There are no prefix overlaps between the two organizations.

• Both organizations already have firewall rules that allow all inbound and outbound traffic from the 10.0.0.0/8 address space.

• Neither organization has Interconnects to their on-premises environment.

You want to integrate networking and DNS infrastructure of both organizations as quickly as possible and with minimal downtime.

Which two steps should you take? (Choose two.)

A.

Provision Cloud Interconnect to connect both organizations together.

B.

Set up some variant of DNS forwarding and zone transfers in each organization.

C.

Connect VPCs in both organizations using Cloud VPN together with Cloud Router.

D.

Use Cloud DNS to create A records of all VMs and resources across all projects in both organizations.

E.

Create a third organization with a new host project, and attach all projects from your company and Altostrat to it using shared VPC.

Full Access
Question # 44

You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.

Which connection type should you choose?

A.

Carrier Peering

B.

Direct Peering

C.

Dedicated Interconnect

D.

Partner Interconnect

Full Access
Question # 45

You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.

What should you do?

A.

Assign each user the editor role.

B.

Assign each user the compute.networkAdmin role.

C.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.

D.

Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.

Full Access
Question # 46

You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.

How should you configure the health check?

A.

Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.

B.

Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.

C.

Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.

D.

Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.

Full Access
Question # 47

You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-Igal and int-Iga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic Which two actions should you take to meet this requirement? (Choose Two)

A.

Configure the advertised route priority > 10,200 on the active Interconnect connection.

B.

Advertise a lower MED on the passive Interconnect connection from the on-premises router

C.

Configure the advertised route priority as 200 for the BGP session associated with the active Interconnect connection.

D.

Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.

E.

Advertise a lower MED on the active Interconnect connection from the on-premises router

Full Access
Question # 48

Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.

During troubleshooting you find:

•Each on-premises router is configured with the same ASN.

•Each on-premises router is configured with the same routes and priorities.

•Both on-premises routers are configured with a VPN connected to a single Cloud Router.

•The VPN logs have no-proposal-chosen lines when the VPNs are connecting.

•BGP session is not established between one on-premises router and the Cloud Router.

What is the most likely cause of this problem?

A.

One of the VPN sessions is configured incorrectly.

B.

A firewall is blocking the traffic across the second VPN connection.

C.

You do not have a load balancer to load-balance the network traffic.

D.

BGP sessions are not established between both on-premises routers and the Cloud Router.

Full Access
Question # 49

You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?

A.

Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.

B.

Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.

C.

Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.

D.

Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.

Full Access
Question # 50

You are using the gcloud command line tool to create a new custom role in a project by coping a predefined role. You receive this error message:

INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid

What should you do?

A.

Add the resourcemanager.projects.get permission, and try again.

B.

Try again with a different role with a new name but the same permissions.

C.

Remove the resourcemanager.projects.list permission, and try again.

D.

Add the resourcemanager.projects.setIamPolicy permission, and try again.

Full Access
Question # 51

Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team. You must also make sure the solution can scale. What should you do?

A.

Configure VPC Network Peering, and peer one of the VPCs to the service project.

B.

Configure a Shared VPC, and create a VPC network in the service project.

C.

Configure a Shared VPC, and create a VPC network in the host project.

D.

Configure Policy-based Routing for each team.

Full Access
Question # 52

You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?

A.

gcloud compute instances add-access-config instance-1

B.

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS

C.

gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS

D.

gcloud compute health-checks update http health-check --unhealthy-threshold 10

Full Access
Question # 53

You work for a university that is migrating to Google Cloud.

These are the cloud requirements:

On-premises connectivity with 10 Gbps

Lowest latency access to the cloud

Centralized Networking Administration Team

New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.

What should you do?

A.

Use Shared VPC, and deploy the VLAN attachments and Dedicated Interconnect in the host project.

B.

Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.

C.

Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Dedicated Interconnects.

D.

Use standalone projects and deploy the VLAN attachments and Dedicated Interconnects in each of the individual projects.

Full Access
Question # 54

You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).

Which routing option should you choose?

A.

Dynamic routing using Cloud Router

B.

Route-based routing using default traffic selectors

C.

Policy-based routing using a custom local traffic selector

D.

Policy-based routing using the default local traffic selector

Full Access
Question # 55

Question:

Your organization has approximately 100 teams that need to manage their own environments. A central team must manage the network. You need to design a landing zone that provides separate projects for each team and ensure the solution can scale. What should you do?

A.

Configure VPC Network Peering and peer one of the VPCs to the service project.

B.

Configure Policy-based Routing for each team.

C.

Configure a Shared VPC and create a VPC network in the host project.

D.

Configure a Shared VPC, and create a VPC network in the service project.

Full Access
Question # 56

You ate planning to use Terraform to deploy the Google Cloud infrastructure for your company, The design must meet the following requirements

• Each Google Cloud project must represent an Internal project that your team Will work on

• After an Internal project is finished, the infrastructure must be deleted

• Each Internal project must have Its own Google Cloud project owner to manage the Google Cloud resources.

• You have 10—100 projects deployed at a time

While you are writing the Terraform code, you need to ensure that the deployment is simple and the code is reusable With

centralized management What should you do?

A.

Create a Single project and additional VPCs for each internal project

B.

Create a Single Shared VPC and attach each Google Cloud project as a service project

C.

Create a Single project and Single VPC for each internal project

D.

Create a Shared VPC and service project for each internal project

Full Access
Question # 57

You converted an auto mode VPC network to custom mode. Since the conversion, some of your Cloud Deployment Manager templates are no longer working. You want to resolve the problem.

What should you do?

A.

Apply an additional IAM role to the Google API’s service account to allow custom mode networks.

B.

Update the VPC firewall to allow the Cloud Deployment Manager to access the custom mode networks.

C.

Explicitly reference the custom mode networks in the Cloud Armor whitelist.

D.

Explicitly reference the custom mode networks in the Deployment Manager templates.

Full Access
Question # 58

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.

During troubleshooting you find:

• Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.

• The subnetwork logs are not excluded from Stackdriver.

• The instance that is hosting the application can communicate outside the subnet.

• Other instances within the subnet can communicate outside the subnet.

• The external resource initiates communication.

What is the most likely cause of the missing log lines?

A.

The traffic is matching the expected ingress rule.

B.

The traffic is matching the expected egress rule.

C.

The traffic is not matching the expected ingress rule.

D.

The traffic is not matching the expected egress rule.

Full Access
Question # 59

You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.

What should you do to solve the problem?

A.

Assign a public IP address to the instance.

B.

Create a route to reach the Master, pointing to the default internet gateway.

C.

Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.

D.

Create the appropriate master authorized network entries to allow the instance to communicate to the master.

Full Access
Question # 60

You are configuring the firewall endpoints as part of the Cloud Next Generation Firewall (Cloud NGFW) intrusion prevention service in Google Cloud. You have configured a threat prevention security profile, and you now need to create an endpoint for traffic inspection. What should you do?

A.

Create a Private Service Connect endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

B.

Create a firewall endpoint within the region, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

C.

Create a firewall endpoint within the zone, associate the endpoint to the VPC network, and use a firewall policy rule to apply the L7 inspection.

D.

Attach the profile to the VPC network, create a firewall endpoint within the zone, and use a firewall policy rule to apply the L7 inspection.

Full Access
Question # 61

Your company has a single Virtual Private Cloud (VPC) network deployed in Google Cloud with access from on-premises locations using Cloud Interconnect connections. Your company must be able to send traffic to Cloud Storage only through the Interconnect links while accessing other Google APIs and services over the public internet. What should you do?

A.

Use the default public domains for all Google APIs and services.

B.

Use Private Service Connect to access Cloud Storage, and use the default public domains for all other Google APIs and services.

C.

Use Private Google Access, with restricted.googleapis.com virtual IP addresses for Cloud Storage and private.googleapis.com for all other Google APIs and services.

D.

Use Private Google Access, with private.googleapis.com virtual IP addresses for Cloud Storage and restricted.googleapis.com virtual IP addresses for all other Google APIs and services.

Full Access
Question # 62

Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:

Certain data must stay in the project where it is stored and not be exfiltrated to other projects.

Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.

All DNS resolution must be done on-premises.

The solution should only provide access to APIs that are compatible with VPC Service Controls.

What should you do?

A.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

B.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

C.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

D.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.

Create a CNAME record for *.googleapis.com that points to the A record.

Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.

Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

Full Access