(PDF) Google Cloud Platform Professional-Cloud-Network-Engineer Exam and Certification Test Engine
NEW QUESTION # 12
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with the same ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
* BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?
- A. One of the VPN sessions is configured incorrectly.
- B. A firewall is blocking the traffic across the second VPN connection.
- C. You do not have a load balancer to load-balance the network traffic.
- D. BGP sessions are not established between both on-premises routers and the Cloud Router.
Answer: A
Explanation:
If the VPN logs show a no-proposal-chosen error, Cloud VPN and your peer VPN gateway were unable to agree on a set of ciphers. For IKEv1, the set of ciphers must match exactly. For IKEv2, there must be at least one common cipher proposed by each gateway. Make sure that you use supported ciphers to configure your peer VPN gateway. That mismatch explains every symptom listed: one tunnel never completes IKE negotiation, so its BGP session is never established, and all traffic uses the one tunnel that did come up.
Reference: https://cloud.google.com/network-connectivity/docs/vpn/support/troubleshooting
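The IKEv1-versus-IKEv2 matching rule in the explanation above, as an added example that is not part of the original page or of Google's Cloud VPN code. The cipher names and the "cloud side" lists are constructed for illustration, not Google's published cipher tables; the functions negotiate_ikev1, negotiate_ikev2 and diagnose are hypothetical helpers written for this page.

```python
"""Added example, not from the original page or from Google: a small model of
IKE proposal matching that shows why a Cloud VPN tunnel logs
"no-proposal-chosen". Cipher names and the CLOUD_* lists are constructed for
illustration; consult the Cloud VPN supported-ciphers page for the real ones."""
from dataclasses import dataclass

TRANSFORM_TYPES = ("encr", "integ", "prf", "dh")


@dataclass(frozen=True)
class TransformSet:
    """One complete IKEv1 transform set (the phase 1 attributes)."""
    encr: str
    integ: str
    prf: str
    dh: str


class NoProposalChosen(Exception):
    """Raised where a real responder would send the NO_PROPOSAL_CHOSEN notify."""


def negotiate_ikev1(responder, initiator):
    """IKEv1: a transform set must match exactly, attribute for attribute.
    Returns the first initiator set that the responder also offers."""
    offered = set(responder)
    for ts in initiator:
        if ts in offered:
            return ts
    raise NoProposalChosen("IKEv1: no transform set identical on both peers")


def negotiate_ikev2(responder, initiator):
    """IKEv2: each proposal lists alternatives per transform type and the
    responder picks one of each type that both sides offer. A single type
    with no overlap fails the whole proposal. This model takes the first
    common entry in the initiator's order; real responders may prefer their own."""
    chosen = {}
    for t in TRANSFORM_TYPES:
        common = [x for x in initiator[t] if x in responder[t]]
        if not common:
            raise NoProposalChosen(f"IKEv2: no common {t} transform")
        chosen[t] = common[0]
    return chosen


def diagnose(version, responder, initiator):
    """Return 'ok' or the no-proposal-chosen reason, the line you would read
    in the tunnel log when its BGP session never comes up."""
    try:
        if version == 1:
            negotiate_ikev1(responder, initiator)
        else:
            negotiate_ikev2(responder, initiator)
        return "ok"
    except NoProposalChosen as exc:
        return f"no-proposal-chosen ({exc})"


# Constructed "cloud side" (responder) offers.
CLOUD_V1 = [TransformSet("aes256", "sha256", "sha256", "group14"),
            TransformSet("aes128", "sha1", "sha1", "group2")]
CLOUD_V2 = {"encr": ["aes256gcm16", "aes256"], "integ": ["sha256", "sha384"],
            "prf": ["sha256", "sha384"], "dh": ["group14", "group16"]}

if __name__ == "__main__":
    # Router 1 offers an identical set; router 2 swaps in SHA-1 integrity,
    # which IKEv1 rejects outright because the set is no longer identical.
    print(diagnose(1, CLOUD_V1, [TransformSet("aes256", "sha256", "sha256", "group14")]))
    print(diagnose(1, CLOUD_V1, [TransformSet("aes256", "sha1", "sha256", "group14")]))
    # IKEv2 tolerates extra alternatives as long as every type overlaps ...
    print(diagnose(2, CLOUD_V2, {"encr": ["3des", "aes256"], "integ": ["sha256"],
                                 "prf": ["sha256"], "dh": ["group14"]}))
    # ... but a peer that only offers DH group 2 still fails on that one type.
    print(diagnose(2, CLOUD_V2, {"encr": ["aes256"], "integ": ["sha256"],
                                 "prf": ["sha256"], "dh": ["group2"]}))
```

When troubleshooting the scenario in the question, compare the second router's proposal against the first router's working one attribute by attribute; under IKEv1 a single differing attribute (integrity, PRF or DH group) is enough to produce the log line.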
NEW QUESTION # 13
You decide to set up Cloud NAT. After completing the configuration, you find that one of your instances is not using the Cloud NAT for outbound NAT.
What is the most likely cause of this problem?
- A. The instance is accessible by a load balancer external IP address.
- B. An external IP address has been configured on the instance.
- C. The instance has been configured with multiple interfaces.
- D. You have created static routes that use RFC1918 ranges.
Answer: B
NEW QUESTION # 14
You need to enable Cloud CDN for all the objects inside a storage bucket. You want to ensure that all the objects in the storage bucket can be served by the CDN.
What should you do in the GCP Console?
- A. Create a new TCP load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
- B. Create a new cloud storage bucket, and then enable Cloud CDN on it.
- C. Create a new HTTP load balancer, select the storage bucket as a backend, enable Cloud CDN on the backend, and make sure each object inside the storage bucket is shared publicly.
- D. Create a new SSL proxy load balancer, select the storage bucket as a backend, and then enable Cloud CDN on the backend.
Answer: C
Explanation:
Cloud CDN is enabled on a backend of an external HTTP(S) load balancer. Put the bucket behind the load balancer as a backend bucket, enable Cloud CDN on that backend, and make the objects publicly readable so the CDN can fetch and serve them. There is no CDN setting on a bucket itself, and TCP proxy and SSL proxy load balancers cannot use a storage bucket as a backend.
NEW QUESTION # 15
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.
How should you design this topology?
- A. Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
- B. Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
- C. Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
- D. Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
Answer: D
Explanation:
A VPC network is a global resource with regional subnets, so instances in the us-east1 and europe-west1 subnets of the same VPC communicate directly over their internal RFC 1918 addresses. The traffic stays on Google's network and never traverses the public internet, avoiding both the egress cost of external IP addresses and the operational overhead of VPN tunnels or a load balancer between regions.
Reference: https://cloud.google.com/vpc/docs/vpc
NEW QUESTION # 16
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with the same ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
* BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?
- A. A firewall is blocking the traffic across the second VPN connection.
- B. One of the VPN sessions is configured incorrectly.
- C. BGP sessions are not established between both on-premises routers and the Cloud Router.
- D. You do not have a load balancer to load-balance the network traffic.
Answer: B
Explanation:
Same scenario as question 12: the no-proposal-chosen lines mean one tunnel's IKE cipher proposal does not match Cloud VPN's, so that VPN session is misconfigured and its BGP session never comes up. No load balancer is involved in using both tunnels; once both BGP sessions are established, equal-priority routes learned from the two on-premises routers are balanced across the tunnels by ECMP.
NEW QUESTION # 17
You have deployed a proof-of-concept application by manually placing instances in a single Compute Engine zone. You are now moving the application to production, so you need to increase your application availability and ensure it can autoscale.
How should you provision your instances?
- A. Create a single managed instance group, specify the desired region, and select Multiple zones for the location.
- B. Create an unmanaged instance group for each zone, and manually distribute the instances across the desired zones.
- C. Create an unmanaged instance group in a single zone, and then create an HTTP load balancer for the instance group.
- D. Create a managed instance group for each region, select Single zone for the location, and manually distribute instances across the zones in that region.
Answer: A
Explanation:
A regional managed instance group with multiple zones selected spreads instances across zones in the region, so a single zone outage does not take the application down, and managed instance groups are what the autoscaler operates on. Unmanaged instance groups cannot autoscale, and single-zone groups with manually distributed instances leave zone placement and replacement to you.
Reference: https://cloud.google.com/compute/docs/instance-groups/distributing-instances-with-regional-instance-groups
NEW QUESTION # 18
Refer to the exhibit.
You have the following firewall ruleset applied to all instances in your Virtual Private Cloud (VPC):
You need to update the firewall rule to add the following rule to the ruleset:
You are using a new user account. You must assign the appropriate Identity and Access Management (IAM) roles to this new user account before updating the firewall rule. The new user account must be able to apply the update and view firewall logs. What should you do?
- A. Assign the compute.orgSecurityPolicyAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
- B. Assign the compute.securityAdmin and logging.bucketWriter role to the new user account. Apply the new firewall rule with a priority of 150.
- C. Assign the compute.orgSecurityPolicyAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
- D. Assign the compute.securityAdmin and logging.viewer role to the new user account. Apply the new firewall rule with a priority of 50.
Answer: D
NEW QUESTION # 19
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)
- A. Turn on Private Google Access at the VPC level.
- B. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
- C. Turn on Private Services Access at the VPC level.
- D. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
- E. Turn on Private Google Access at the subnet level.
Answer: B,E
Explanation:
Private Google Access is a per-subnet setting (there is no VPC-level switch) that lets instances without external IP addresses reach Google APIs. Because the custom 0.0.0.0/0 route sends everything to the firewall appliance, you also need more specific static routes for the Google API destinations (for example 199.36.153.4/30 for private.googleapis.com, or the published external ranges of the APIs) with next hop default-internet-gateway; longest-prefix matching makes those routes win over the /0 route, so API traffic bypasses the firewall. Private Services Access is for reaching managed producer services such as Cloud SQL over VPC Network Peering, not for the public Google APIs.
Reference: https://cloud.google.com/vpc/docs/private-access-options
NEW QUESTION # 20
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?
- A. Partner Interconnect
- B. Direct Peering
- C. Carrier Peering
- D. Dedicated Interconnect
Answer: B
Explanation:
When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.
NEW QUESTION # 21
You have created an HTTP(S) load balanced service. You need to verify that your backend instances are responding properly.
How should you configure the health check?
- A. Set request-path to a specific URL used for health checking, and set response to a string that the backend service will always return in the response body.
- B. Set proxy-header to the default value, and set host to include a custom host header that identifies the health check.
- C. Set request-path to a specific URL used for health checking, and set proxy-header to PROXY_V1.
- D. Set request-path to a specific URL used for health checking, and set host to include a custom host header that identifies the health check.
Answer: D
NEW QUESTION # 22
You are configuring load balancing for a standard three-tier (web, application, and database) application. You have configured an external HTTP(S) load balancer for the web servers. You need to configure load balancing for the application tier of servers. What should you do?
- A. Configure equal cost multi-path routing on the application servers.
- B. Configure a URL map on the existing load balancer to route traffic to the application tier.
- C. Configure a forwarding rule on the existing load balancer for the application tier.
- D. Configure a new internal HTTP(S) load balancer for the application tier.
Answer: D
Explanation:
The application tier is reached only from the web tier inside the VPC, so it needs its own internal HTTP(S) load balancer with the application servers as backends. The existing external HTTP(S) load balancer's forwarding rules and URL map route internet traffic to the web tier; adding the application servers to it would expose them to the internet.
NEW QUESTION # 23
You suspect that one of the virtual machines (VMs) in your default Virtual Private Cloud (VPC) is under a denial-of-service attack. You need to analyze the incoming traffic for the VM to understand where the traffic is coming from. What should you do?
- A. Enable VPC Flow Logs for the subnet. Analyze the logs and get the source IP addresses from the connection field.
- B. Enable VPC Flow Logs for the VPC. Analyze the logs and get the source IP addresses from the src_location field.
- C. Enable Data Access audit logs of the subnet. Analyze the logs and get the source IP addresses from the networks.get field.
- D. Enable Data Access audit logs of the VPC. Analyze the logs and get the source IP addresses from the subnetworks.get field.
Answer: A
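The analysis answer A describes, as an added example that is not part of the original page or of any Google tooling: the log entries are constructed to mimic the shape of exported VPC Flow Logs (jsonPayload.connection.* fields, counters as strings) and are not real traffic; the helper names (parse_flow_log_lines, top_sources, suspicious_sources) and the project name are hypothetical.

```python
"""Added example, not from the original page: extracting attack sources from
VPC Flow Logs the way answer A describes. The entries below are constructed to
mimic the Cloud Logging shape of VPC Flow Logs (jsonPayload.connection.*,
packets_sent as a string); they are not real traffic."""
import json
from collections import defaultdict

DEST_IP = "10.128.0.5"          # the VM under suspicion (constructed)


def _entry(src_ip, src_port, packets, country):
    """Build one constructed log line in VPC Flow Logs' exported JSON form."""
    return json.dumps({
        "logName": "projects/example-project/logs/compute.googleapis.com%2Fvpc_flows",
        "jsonPayload": {
            "connection": {"src_ip": src_ip, "src_port": src_port,
                           "dest_ip": DEST_IP, "dest_port": 443, "protocol": 6},
            "packets_sent": str(packets),
            "reporter": "DEST",
            # src_location carries geography and ASN, not an address, which is
            # why option B's field is the wrong place to look for source IPs.
            "src_location": {"country": country},
        },
    })


SAMPLE_LOG_LINES = (
    [_entry("198.51.100.7", 40000 + i, 500, "ZZ") for i in range(20)]   # flood: many source ports
    + [_entry("203.0.113.9", 51000 + i, 300, "ZZ") for i in range(10)]  # second flooder
    + [_entry("192.0.2.10", 60000 + i, 50, "ZZ") for i in range(2)]     # a legitimate client
)


def parse_flow_log_lines(lines):
    """Yield the jsonPayload of each VPC Flow Logs entry, skipping other logs."""
    for line in lines:
        record = json.loads(line)
        if record.get("logName", "").endswith("vpc_flows"):
            yield record["jsonPayload"]


def top_sources(flows, dest_ip, n=5):
    """Packets per source IP sent to dest_ip, highest first."""
    packets = defaultdict(int)
    for f in flows:
        c = f["connection"]
        if c["dest_ip"] == dest_ip:
            packets[c["src_ip"]] += int(f["packets_sent"])
    return sorted(packets.items(), key=lambda kv: kv[1], reverse=True)[:n]


def suspicious_sources(flows, dest_ip, min_packets, min_ports):
    """Sources that both exceed a packet budget and spray many source ports,
    a pattern that separates a flood from one busy but honest client."""
    ports = defaultdict(set)
    totals = defaultdict(int)
    for f in flows:
        c = f["connection"]
        if c["dest_ip"] == dest_ip:
            ports[c["src_ip"]].add(c["src_port"])
            totals[c["src_ip"]] += int(f["packets_sent"])
    flagged = [ip for ip in totals
               if totals[ip] >= min_packets and len(ports[ip]) >= min_ports]
    return sorted(flagged, key=lambda ip: totals[ip], reverse=True)


if __name__ == "__main__":
    flows = list(parse_flow_log_lines(SAMPLE_LOG_LINES))
    print(top_sources(flows, DEST_IP, 3))
    print(suspicious_sources(flows, DEST_IP, min_packets=1000, min_ports=10))
```

Two caveats when running this over real exports: VPC Flow Logs are enabled per subnet and sampled (the default sampling rate is below 1.0), so the packet counts are estimates to be scaled by the subnet's sampling rate, and each entry aggregates an interval rather than a single packet, so the thresholds above are per-interval budgets, not per-packet ones.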
NEW QUESTION # 24
Your organization has a single project that contains multiple Virtual Private Clouds (VPCs). You need to secure API access to your Cloud Storage buckets and BigQuery datasets by allowing API access only from resources in your corporate public networks. What should you do?
- A. Create a VPC Service Controls perimeter for each VPC with an access context policy that allows your corporate public network IP ranges.
- B. Create a VPC Service Controls perimeter for your project with an access context policy that allows your corporate public network IP ranges.
- C. Create an access context policy that allows your VPC and corporate public network IP ranges, and then attach the policy to Cloud Storage and BigQuery.
- D. Create a firewall rule to block API access to Cloud Storage and BigQuery from unauthorized networks.
Answer: B
NEW QUESTION # 25
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non-BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?
- A.
* Create a Cloud VPN instance.
* Create a route-based VPN tunnel.
* Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.
* Configure the appropriate static routes.
- B.
* Create a Cloud VPN instance.
* Create a policy-based VPN tunnel per subnet.
* Configure the appropriate local and remote traffic selectors to match your local and remote networks.
* Create the appropriate static routes.
- C.
* Create a Cloud VPN instance.
* Create a route-based VPN tunnel.
* Configure the appropriate local and remote traffic selectors to match your local and remote networks.
* Configure the appropriate static routes.
- D.
* Create a Cloud VPN instance.
* Create a policy-based VPN tunnel.
* Configure the appropriate local and remote traffic selectors to match your local and remote networks.
* Configure the appropriate static routes.
Answer: A
Explanation:
Explanation/Reference: https://cloud.google.com/vpn/docs/concepts/choosing-networks-routing
NEW QUESTION # 26
Your company's logo is published as an image file across multiple websites that are hosted by your company. You have implemented Cloud CDN; however, you want to improve the cache hit ratio associated with this image file. What should you do?
- A. Configure versioned URLs for each domain to serve users the image file before the cache entry expires.
- B. Configure Cloud Storage as a custom origin backend to host the image file, and select multi-region as the location type.
- C. Configure the default time to live (TTL) as 0 for the image file.
- D. Configure custom cache keys for the backend service that holds the image file, and clear the Host and Protocol checkboxes.
Answer: D
Explanation:
This answer meets the requirement of improving the cache hit ratio for the image file:
Custom cache keys control which parts of the request URL are used to build the cache key, the identifier Cloud CDN uses to store and look up cached content.
By default, Cloud CDN builds the key from the complete request URL, including the protocol (http or https) and the host (the domain name). The same logo requested from several company domains, or over both protocols, is therefore cached as several separate copies, each of which has to miss once, which lowers the hit ratio.
Clearing the Host and Protocol checkboxes tells Cloud CDN to ignore those parts of the URL when building the key, so a single cached copy of the logo serves every domain and protocol.
Option A is incorrect because versioned URLs per domain create more URL variants that are cached separately, which worsens the hit ratio. Option B is incorrect because moving the file to a Cloud Storage origin only changes where Cloud CDN fetches a miss from, not how often it misses. Option C is incorrect because a default TTL of 0 stops Cloud CDN from caching the object at all, which defeats the purpose of using Cloud CDN.
Reference:
Custom cache keys | Cloud CDN | Google Cloud
NEW QUESTION # 27
You need to create a new VPC network that allows instances to have IP addresses in both the 10.1.1.0/24 network and the 172.16.45.0/24 network.
What should you do?
- A. Configure global load balancing to point 172.16.45.0/24 to the correct instance.
- B. Create unique DNS records for each service that sends traffic to the desired IP address.
- C. Configure an alias-IP range of 172.16.45.0/24 on the virtual instances within the VPC subnet of 10.1.1.0/24.
- D. Use VPC peering to allow traffic to route between the 10.1.0.0/24 network and the 172.16.45.0/24 network.
Answer: C
Explanation:
Alias IP ranges let a VM carry additional internal addresses taken from a secondary range of its subnet. Add 172.16.45.0/24 as a secondary range on the 10.1.1.0/24 subnet and assign alias IP addresses from it to the instances; the VPC then routes both ranges to them. DNS records and load balancers do not give an instance an address, and VPC peering joins two separate networks rather than giving one network's instances addresses in both ranges.
NEW QUESTION # 28
You are planning to use Terraform to deploy the Google Cloud infrastructure for your company. The design must meet the following requirements:
* Each Google Cloud project must represent an internal project that your team will work on.
* After an internal project is finished, the infrastructure must be deleted.
* Each internal project must have its own Google Cloud project owner to manage the Google Cloud resources.
* You have 10-100 projects deployed at a time.
While you are writing the Terraform code, you need to ensure that the deployment is simple and the code is reusable with centralized management. What should you do?
- A. Create a Shared VPC and service project for each internal project
- B. Create a Single project and Single VPC for each internal project
- C. Create a Single project and additional VPCs for each internal project
- D. Create a Single Shared VPC and attach each Google Cloud project as a service project
Answer: D
Explanation:
Option D meets every requirement. Each internal project gets its own Google Cloud project, which Terraform creates and destroys with the google_project resource, and its own owner, granted with google_project_iam_member. Attaching each of those projects as a service project to one Shared VPC host project keeps the network in a single centrally managed place, so one reusable Terraform module can stamp out 10-100 service projects and tear each one down when its internal project finishes.
Option A is incorrect because a separate Shared VPC host per internal project duplicates the network configuration and loses centralized management. Options B and C are incorrect because a single Google Cloud project cannot give each internal project its own project owner, and the infrastructure of one internal project cannot be deleted independently of the others.
Reference:
google_project - Terraform Registry
Managing infrastructure as code with Terraform, Cloud Build, and GitOps | Google Cloud
Automating your automation by Creating Google Cloud Projects Automatically
NEW QUESTION # 29
You have deployed an HTTP(s) load balancer, but health checks to port 80 on the Compute Engine virtual machine instance are failing, and no traffic is sent to your instances. You want to resolve the problem. Which commands should you run?
- A. gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --destination-ranges 130.211.0.0/22,35.191.0.0/16 --direction EGRESS
- B. gcloud compute health-checks update http health-check --unhealthy-threshold 10
- C. gcloud compute instances add-access-config instance-1
- D. gcloud compute firewall-rules create allow-lb --network load-balancer --allow tcp --source-ranges 130.211.0.0/22,35.191.0.0/16 --direction INGRESS
Answer: D
Explanation:
Google's health-check probers come from 130.211.0.0/22 and 35.191.0.0/16, and every VPC network has an implied deny-all ingress rule, so the probes never reach port 80 unless an INGRESS allow rule admits those source ranges. Adding an external IP address (add-access-config) or raising the unhealthy threshold does not let the probes through, and an EGRESS rule is the wrong direction.
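The two firewall behaviours these questions turn on, priority ordering (question 18) and the health-check prober ranges against the implied deny (question 29), as one added example that is not part of the original page or of Google's firewall implementation. The rule set is constructed; the exhibit referenced in question 18 is not reproduced here, so the priorities used only illustrate the ordering rule, and Rule, evaluate_ingress and the scenario functions are hypothetical helpers written for this page.

```python
"""Added example, not from the original page: a small evaluator for VPC
firewall semantics (priority order, implied deny-all ingress, health-check
prober ranges). The rule set is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Google's documented health-check prober source ranges.
HEALTH_CHECK_RANGES = ("130.211.0.0/22", "35.191.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    priority: int                # 0-65535; the lower number wins
    protocol: str                # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()            # empty = every port
    source_ranges: tuple = ("0.0.0.0/0",)


# Present in every VPC network even when no rule is listed.
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", "deny", 65535, "all")


def matches(rule, src_ip, proto, port):
    """True when the ingress packet is covered by the rule's protocol, port and source ranges."""
    if rule.protocol not in ("all", proto):
        return False
    if rule.ports and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in rule.source_ranges)


def evaluate_ingress(rules, src_ip, proto, port):
    """Return (rule name, action) for an ingress packet. The matching rule with
    the lowest priority number decides; at equal priority deny beats allow,
    which is the documented VPC tie-break."""
    hits = [r for r in list(rules) + [IMPLIED_DENY_INGRESS] if matches(r, src_ip, proto, port)]
    winner = min(hits, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.name, winner.action


def health_check_rule(priority=1000):
    """The rule option D of question 29 creates: INGRESS, tcp, from the prober ranges."""
    return Rule("allow-lb", "allow", priority, "tcp", source_ranges=HEALTH_CHECK_RANGES)


def scenario_health_check():
    """Without the rule a prober on 35.191.x.x is dropped by the implied deny;
    with it the probe is admitted while an arbitrary internet host still is not."""
    prober = "35.191.10.5"
    return (evaluate_ingress([], prober, "tcp", 80),
            evaluate_ingress([health_check_rule()], prober, "tcp", 80),
            evaluate_ingress([health_check_rule()], "203.0.113.7", "tcp", 80))


def scenario_priority(deny_priority):
    """Constructed rule set with a broad allow at 100: a deny added at 50 takes
    effect, while the same deny at 150 never does because the allow wins first."""
    allow_web = Rule("allow-web", "allow", 100, "tcp", ports=(80, 443))
    block = Rule("deny-bad-net", "deny", deny_priority, "tcp", ports=(80,),
                 source_ranges=("203.0.113.0/24",))
    return evaluate_ingress([allow_web, block], "203.0.113.7", "tcp", 80)


if __name__ == "__main__":
    print(scenario_health_check())
    print(scenario_priority(50), scenario_priority(150))
```

The same ordering explains why a deny rule that "does nothing" after creation is usually a priority problem rather than a permissions one: check the existing allow rule's priority before picking the number for the new rule.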
NEW QUESTION # 30
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?
- A. Service Project Admin privileges from the Shared VPC Admin.
- B. Shared VPC Admin privileges from the Organization Admin.
- C. Security Admin privileges from the Shared VPC Admin.
- D. Organization Admin privileges from the Organization Admin.
Answer: C
Explanation:
A Shared VPC Admin can define a Security Admin by granting an IAM member the Security Admin (compute.securityAdmin) role to the host project. Security Admins manage firewall rules and SSL certificates.
NEW QUESTION # 31
A database virtual machine on Google Compute Engine has an ext4-formatted persistent disk for data files. The database is about to run out of storage space. How can you remediate the problem with the least amount of downtime?
- A. In the Cloud Platform Console, create a snapshot of the persistent disk, restore the snapshot to a new larger disk, unmount the old disk, mount the new disk, and restart the database service.
- B. In the Cloud Platform Console, increase the size of the persistent disk and verify the new space is ready to use with the fdisk command in Linux.
- C. Shut down the virtual machine, use the Cloud Platform Console to increase the persistent disk size, then restart the virtual machine.
- D. In the Cloud Platform Console, create a new persistent disk attached to the virtual machine, format and mount it, and configure the database service to move the files to the new disk.
- E. In the Cloud Platform Console, increase the size of the persistent disk and use the resize2fs command in Linux.
Answer: E
Explanation:
E is correct: increase the size of the persistent disk in the console (or with gcloud compute disks resize), then grow the filesystem online. Compute Engine exposes the larger block device to the running VM; if the disk has a partition table, grow the partition first (for example with growpart), then run resize2fs on the ext4 filesystem while it is still mounted. Neither the VM nor the database service needs to restart, so this is the least-downtime option. Snapshot-and-restore, a new disk with a file move, and a VM shutdown all add downtime, and fdisk alone does not grow the filesystem.
NEW QUESTION # 32
You want to use Partner Interconnect to connect your on-premises network with your VPC. You already have an Interconnect partner.
What should you do first?
- A. Log in to your partner's portal and request the VLAN attachment there.
- B. Create a Partner Interconnect type VLAN attachment in the GCP Console and retrieve the pairing key.
- C. Ask your Interconnect partner to provision a physical connection to Google.
- D. Run gcloud compute interconnects attachments partner update <attachment> --region <region> --admin-enabled.
Answer: B
Explanation:
Because the partner relationship already exists, the first step on the Google Cloud side is to create a Partner Interconnect VLAN attachment, which generates the pairing key you give to the partner. The partner uses that key in their portal to provision the attachment, and activating it with --admin-enabled is the last step, not the first.
Reference:
https://cloud.google.com/network-connectivity/docs/interconnect/how-to/partner/provisioning-overview
NEW QUESTION # 33
You have a Cloud Storage bucket in Google Cloud project XYZ. The bucket contains sensitive data. You need to design a solution to ensure that only instances belonging to VPCs under project XYZ can access the data stored in this Cloud Storage bucket. What should you do?
- A. Configure Private Service Connect to privately access Cloud Storage from all VPCs under project XYZ.
- B. Configure a VPC Service Controls perimeter around project XYZ, and include storage.googleapis.com as a restricted service in the service perimeter.
- C. Configure Cloud Storage with projectPrivate Access Control List (ACL) that gives permission to the project team based on their roles.
- D. Configure Private Google Access to privately access the Cloud Storage service using private IP addresses.
Answer: B
Explanation:
A VPC Service Controls perimeter around project XYZ with storage.googleapis.com as a restricted service blocks calls to the bucket from outside the perimeter even when the caller presents valid credentials, so only resources in the perimeter's project, including its VPC networks, can reach the data. IAM roles and ACLs decide who may access the data, not from where; Private Google Access and Private Service Connect change the path to the API but do not stop other networks from calling it.
NEW QUESTION # 34
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?
- A. Configure a policy-based route rule to prioritize the traffic.
- B. Configure an HTTP load balancer, and direct the traffic to it.
- C. Configure the TTL for the DNS zone to decrease the time between updates.
- D. Configure Dynamic Routing for the subnet hosting the application.
Answer: B
Explanation:
https://cloud.google.com/load-balancing/docs/tutorials/optimize-app-latency
NEW QUESTION # 35
You want to create a service in GCP using IPv6.
What should you do?
- A. Create the instance with the designated IPv6 address.
- B. Configure a global load balancer with the designated IPv6 address.
- C. Configure an internal load balancer with the designated IPv6 address.
- D. Configure a TCP Proxy with the designated IPv6 address.
Answer: B
Explanation:
https://cloud.google.com/load-balancing/docs/load-balancing-overview recommends a global external load balancer for IPv6 termination; the load balancer holds the IPv6 address and proxies to IPv4 backends.
NEW QUESTION # 36
Your organization uses a hub-and-spoke architecture with critical Compute Engine instances in your Virtual Private Clouds (VPCs). You are responsible for the design of Cloud DNS in Google Cloud. You need to be able to resolve Cloud DNS private zones from your on-premises data center and enable on-premises name resolution from your hub-and-spoke VPC design. What should you do?
- A. Configure a private DNS zone in the hub VPC, and configure DNS forwarding to the on-premises server. Configure DNS peering from the spoke VPCs to the hub VPC.
- B. Configure a DNS policy in the hub VPC, and configure the on-premises DNS as an alternate DNS server. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
- C. Configure a DNS policy in the hub VPC to allow inbound query forwarding from the spoke VPCs. Configure the spoke VPCs with a private zone, and set up DNS peering to the hub VPC.
- D. Configure a DNS policy in the spoke VPCs, and configure your on-premises DNS as an alternate DNS server. Configure the hub VPC with a private zone, and set up DNS peering to each of the spoke VPCs.
Answer: A
Explanation:
Centralize DNS in the hub: host the private zones there, add a forwarding zone that sends on-premises names to the on-premises DNS servers, and have each spoke create a DNS peering zone that targets the hub so the spokes resolve both. On-premises resolvers reach the hub's private zones through an inbound server policy on the hub VPC. Setting the on-premises servers as alternative name servers in a DNS server policy (options B and D) redirects every query from that VPC to on-premises and bypasses the Cloud DNS private zones.
NEW QUESTION # 37