[Jun 01, 2024] Free Google Cloud Platform Professional-Cloud-Network-Engineer Official Cert Guide PDF Download [Q55-Q77]

Rate this post

[Jun 01, 2024] Free Google Cloud Platform Professional-Cloud-Network-Engineer Official Cert Guide PDF Download

Google Professional-Cloud-Network-Engineer Official Cert Guide PDF

The Google Professional-Cloud-Network-Engineer exam for the Google Professional-Cloud-Network-Engineer certification tests the candidate’s knowledge and skills in several key areas. These include designing, implementing, and managing networks on the Google Cloud Platform, including virtual private clouds, subnets, and firewalls. Professional-Cloud-Network-Engineer exam also covers network security, load balancing, and network optimization techniques, as well as the use of Google Cloud Platform tools and services for network monitoring and management.

Google Professional-Cloud-Network-Engineer certification exam is designed for network professionals who are interested in working with Google Cloud technologies. Google Cloud Certified – Professional Cloud Network Engineer certification is intended for individuals who have experience in designing, implementing, and managing network solutions on Google Cloud Platform. Professional-Cloud-Network-Engineer exam covers a range of topics including networking fundamentals, network security, and network architecture.

NEW QUESTION 55
You are using a 10-Gbps direct peering connection to Google together with the gsutil tool to upload files to Cloud Storage buckets from on-premises servers. The on-premises servers are 100 milliseconds away from the Google peering point. You notice that your uploads are not using the full 10-Gbps bandwidth available to you. You want to optimize the bandwidth utilization of the connection.
What should you do on your on-premises servers?

Tune TCP parameters on the on-premises servers.

Remove the -m flag from the gsutil command to enable single-threaded transfers.

Compress files using utilities like tar to reduce the size of data being sent.

Use the perfdiag parameter in your gsutil command to enable faster performance: gsutil perfdiag gs://[BUCKET NAME].

NEW QUESTION 56
You need to create the network infrastructure to deploy a highly available web application in the us-east1 and us-west1 regions.
The application runs on Compute Engine instances, and it does not require the use of a database. You want to follow Google-recommended practices. What should you do?

Create one VPC with one subnet in each region.
Create a regional network load balancer in each region with a static IP address.
Enable Cloud CDN on the load balancers.
Create an A record in Cloud DNS with both IP addresses for the load balancers.

Create one VPC with one subnet in each region.
Create a global load balancer with a static IP address.
Enable Cloud CDN and Google Cloud Armor on the load balancer.
Create an A record using the IP address of the load balancer in Cloud DNS.

Create one VPC in each region, and peer both VPCs.
Create a global load balancer.
Enable Cloud CDN on the load balancer.
Create a CNAME for the load balancer in Cloud DNS.

Create one VPC with one subnet in each region.
Create an HTTP(S) load balancer with a static IP address.
Choose the standard tier for the network.
Enable Cloud CDN on the load balancer.
Create a CNAME record using the load balancer’s IP address in Cloud DNS.

NEW QUESTION 57
You want to deploy a VPN Gateway to connect your on-premises network to GCP. You are using a non BGP-capable on-premises VPN device. You want to minimize downtime and operational overhead when your network grows. The device supports only IKEv2, and you want to follow Google-recommended practices.
What should you do?

* Create a Cloud VPN instance.* Create a policy-based VPN tunnel per subnet.* Configure the appropriate local and remote traffic selectors to match your local and remote networks.* Create the appropriate static routes.

* Create a Cloud VPN instance.* Create a policy-based VPN tunnel.* Configure the appropriate local and remote traffic selectors to match your local and remote networks.* Configure the appropriate static routes.

* Create a Cloud VPN instance.* Create a route-based VPN tunnel.* Configure the appropriate local and remote traffic selectors to match your local and remote networks.* Configure the appropriate static routes.

* Create a Cloud VPN instance.* Create a route-based VPN tunnel.* Configure the appropriate local and remote traffic selectors to 0.0.0.0/0.* Configure the appropriate static routes.

NEW QUESTION 58
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster size is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, there is a planned growth for 100 nodes, 200 Pods per node, and 1500 services. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.
How should you design this topology?

Create a subnet of size/25 with 2 secondary ranges of: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.

Create a subnet of size/28 with 2 secondary ranges of: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.

Use gcloud container clusters create [CLUSTER NAME]–enable-ip-alias to create a VPC-native cluster.

Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.

NEW QUESTION 59
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?

Manually patch some of the instances, and then perform a rolling restart on the instance group.

Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.

Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.

Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.

NEW QUESTION 60
You have deployed a new internal application that provides HTTP and TFTP services to on-premises hosts. You want to be able to distribute traffic across multiple Compute Engine instances, but need to ensure that clients are sticky to a particular instance across both services.
Which session affinity should you choose?

None

Client IP

Client IP and protocol

Client IP, port and protocol

NEW QUESTION 61
You have the networking configuration shown in the diagram. A pair of redundant Dedicated Interconnect connections (int-Igal and int-Iga2) terminate on the same Cloud Router. The Interconnect connections terminate on two separate on-premises routers. You are advertising the same prefixes from the Border Gateway Protocol (BGP) sessions associated with the Dedicated Interconnect connections. You need to configure one connection as Active for both ingress and egress traffic. If the active Interconnect connection fails, you want the passive Interconnect connection to automatically begin routing all traffic Which two actions should you take to meet this requirement? (Choose Two)

Configure the advertised route priority > 10,200 on the active Interconnect connection.

Advertise a lower MED on the passive Interconnect connection from the on-premises router

Configure the advertised route priority as 200 for the BGP session associated with the active Interconnect connection.

Configure the advertised route priority as 200 for the BGP session associated with the passive Interconnect connection.

Advertise a lower MED on the active Interconnect connection from the on-premises router

This answer meets the requirement of configuring one connection as Active for both ingress and egress traffic, and enabling automatic failover to the passive connection in case of failure. The reason is:
The advertised route priority is a value that Cloud Router uses to set the route priority when advertising routes to your on-premises router. The lower the value, the higher the priority1. By setting the advertised route priority as 200 for the active connection, you ensure that it has a higher priority than the passive connection, which has the default value of 1001. This way, your on-premises router will prefer the routes from the active connection over the passive one for ingress traffic.
The MED (Multi-Exit Discriminator) is a value that your on-premises router uses to indicate its preference for receiving traffic from Cloud Router. The lower the value, the higher the preference2. By advertising a lower MED on the active connection from your on-premises router, you ensure that Cloud Router will prefer sending traffic to the active connection over the passive one for egress traffic.
If the active connection fails, Cloud Router will stop receiving routes from it and will start using the routes from the passive connection for egress traffic. Similarly, your on-premises router will stop receiving routes with priority 200 from the active connection and will start using the routes with priority 100 from the passive connection for ingress traffic. This achieves automatic failover without any manual intervention.
Option A is incorrect because setting the advertised route priority > 10,200 on the active connection would deprioritize it globally in your VPC network, which is not what you want1. Option B is incorrect because advertising a lower MED on the passive connection would make Cloud Router prefer sending traffic to it over the active one, which is not what you want2. Option D is incorrect because setting the advertised route priority as 200 for both connections would make them equally preferred by your on-premises router, which is not what you want1.
Reference:
Update the base route priority | Cloud Router | Google Cloud
Configuring BGP sessions | Cloud Router | Google Cloud

NEW QUESTION 62
You are designing a Partner Interconnect hybrid cloud connectivity solution with geo-redundancy across two metropolitan areas. You want to follow Google-recommended practices to set up the following region/metro pairs:
(region 1/metro 1)
(region 2/metro 2)
What should you do?

Create a Cloud Router in region 1 with two VLAN attachments connected to metro1-zone1-x.
Create a Cloud Router in region 2 with two VLAN attachments connected to metro1-zone2-x.

Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x.
Create a Cloud Router in region 2 with two VLAN attachments connected to metro2-zone2-x.

Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone2-x.
Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone2-x.

Create a Cloud Router in region 1 with one VLAN attachment connected to metro1-zone1-x and one VLAN attachment connected to metro1-zone2-x.
Create a Cloud Router in region 2 with one VLAN attachment connected to metro2-zone1-x and one VLAN attachment to metro2-zone2-x.

NEW QUESTION 63
You are developing an HTTP API hosted on a Compute Engine virtual machine instance that must be invoked only by multiple clients within the same Virtual Private Cloud (VPC). You want clients to be able to get the IP address of the service. What should you do?

Reserve a static external IP address and assign it to an HTTP(S) load balancing service’s forwarding rule. Clients should use this IP address to connect to the service.

Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal/.

Reserve a static external IP address and assign it to an HTTP(S) load balancing service’s forwarding rule. Then, define an A record in Cloud DNS. Clients should use the name of the A record to connect to the service.

Ensure that clients use Compute Engine internal DNS by connecting to the instance name with the url https://[API_NAME]/[API_VERSION]/.

NEW QUESTION 64
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:
* Your ISP is a Google Partner Interconnect provider.
* Your on-premises VPN device’s internet uplink and downlink speeds are 10 Gbps.
* A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.
* Most of the data transfer will be from GCP to the on-premises environment.
* The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.
* Cost and the complexity of the solution should be minimal.
How should you provision the connectivity solution?

Provision a Partner Interconnect through your ISP.

Provision a Dedicated Interconnect instead of a VPN.

Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.

Use network compression over your VPN to increase the amount of data you can send over your VPN.

NEW QUESTION 65
Your company’s security team wants to limit the type of inbound traffic that can reach your web servers to protect against security threats. You need to configure the firewall rules on the web servers within your Virtual Private Cloud (VPC) to handle HTTP and HTTPS web traffic for TCP only. What should you do?

Create an allow on match ingress firewall rule with the target tag “web-server” to allow all IP addresses for TCP port 80.

Create an allow on match egress firewall rule with the target tag “web-server” to allow all IP addresses for TCP port 80.

Create an allow on match ingress firewall rule with the target tag “web-server” to allow all IP addresses for TCP ports 80 and 443.

Create an allow on match egress firewall rule with the target tag “web-server” to allow web server IP addresses for TCP ports 60 and 443.

NEW QUESTION 66
You are a network administrator at your company planning a migration to Google Cloud and you need to finish the migration as quickly as possible, To ease the transition, you decided to use the same architecture as your on-premises network’ a hub-and-spoke model. Your on-premises architecture consists of over 50 spokes. Each spoke does not have connectivity to the other spokes, and all traffic IS sent through the hub for security reasons. You need to ensure that the Google Cloud architecture matches your on-premises architecture. You want to implement a solution that minimizes management overhead and cost, and uses default networking quotas and limits. What should you do?

Connect all the spokes to the hub with Cloud VPN.

Connect all the spokes to the hub with VPC Network Peering.

Connect all the spokes to the hub With Cloud VPN. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes

Connect all the spokes to the hub with VPC Network Peering. Use a third-party network appliance as a default gateway to prevent connectivity between the spokes.

NEW QUESTION 67
You have enabled HTTP(S) load balancing for your application, and your application developers have reported that HTTP(S) requests are not being distributed correctly to your Compute Engine Virtual Machine instances. You want to find data about how the request are being distributed.
Which two methods can accomplish this? (Choose two.)

On the Load Balancer details page of the GCP Console, click on the Monitoring tab, select your backend service, and look at the graphs.

In Stackdriver Error Reporting, look for any unacknowledged errors for the Cloud Load Balancers service.

In Stackdriver Monitoring, select Resources > Metrics Explorer and search for https/request_bytes_count metric.

In Stackdriver Monitoring, select Resources > Google Cloud Load Balancers and review the Key Metrics graphs in the dashboard.

In Stackdriver Monitoring, create a new dashboard and track the https/backend_request_count metric for the load balancer.

NEW QUESTION 68
You create a Google Kubernetes Engine private cluster and want to use kubectl to get the status of the pods. In one of your instances you notice the master is not responding, even though the cluster is up and running.
What should you do to solve the problem?

Assign a public IP address to the instance.

Create a route to reach the Master, pointing to the default internet gateway.

Create the appropriate firewall policy in the VPC to allow traffic from Master node IP address to the instance.

Create the appropriate master authorized network entries to allow the instance to communicate to the master.

NEW QUESTION 69
You are responsible for enabling Private Google Access for the virtual machine (VM) instances in your Virtual Private Cloud (VPC) to access Google APIs. All VM instances have only a private IP address and need to access Cloud Storage. You need to ensure that all VM traffic is routed back to your on-premises data center for traffic scrubbing via your existing Cloud Interconnect connection. However, VM traffic to Google APIs should remain in the VPC. What should you do?

Delete the default route in your VPC.
Create a private Cloud DNS zone for googleapis.com, create a CNAME for *.googleapis.com to restricted googleapis.com, and create an A record for restricted googleapis com that resolves to the addresses in 199.36.153.4/30.
Create a static route in your VPC for the range 199.36.153.4/30 with the default internet gateway as the next hop.

Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
Create a public Cloud DNS zone with a CNAME for *.google.com to private googleapis com, create a CNAME for * googleapis.com to private googleapis com, and create an A record for Private googleapis.com that resolves to the addresses in 199.36.153 8/30.
Create a static route in your VPC for the range 199 .36.153.8/30 with the default internet gateway as the next hop.

Configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP) with a lower priority (MED) than the default VPC route.
Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to private googleapis com, and create an A record for private.googleapis.com that resolves to the addresses in 199 .36.153.8/30.
Create a static route in your VPC for the range 199.36. 153.8/30 with the default internet gateway as the next hop.

Delete the default route in your VPC and configure your on-premises router to advertise 0.0.0.0/0 via Border Gateway Protocol (BGP).
Create a private Cloud DNS zone for googleapis.com, create a CNAME for * googieapis.com to Private googleapis.com, and create an A record for private.googleapis.com that resolves to the addresses in 199.36.153.8/30.
Create a static route in your VPC for the range 199.36.153.8/30 with the default internet gateway as the next hop.

NEW QUESTION 70
Your company has recently installed a Cloud VPN tunnel between your on-premises data center and your Google Cloud Virtual Private Cloud (VPC). You need to configure access to the Cloud Functions API for your on-premises servers. The configuration must meet the following requirements:
Certain data must stay in the project where it is stored and not be exfiltrated to other projects.
Traffic from servers in your data center with RFC 1918 addresses do not use the internet to access Google Cloud APIs.
All DNS resolution must be done on-premises.
The solution should only provide access to APIs that are compatible with VPC Service Controls.
What should you do?

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the restricted.googleapis.com addresses.

Create an A record for restricted.googleapis.com using the 199.36.153.4/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Remove the default internet gateway from the VPC where your Cloud VPN tunnel terminates.

Create an A record for private.googleapis.com using the 199.36.153.8/30 address range.
Create a CNAME record for *.googleapis.com that points to the A record.
Configure your on-premises routers to use the Cloud VPN tunnel as the next hop for the addresses you used in the A record.
Configure your on-premises firewalls to allow traffic to the private.googleapis.com addresses.

NEW QUESTION 71
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
* Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
* The subnetwork logs are not excluded from Stackdriver.
* The instance that is hosting the application can communicate outside the subnet.
* Other instances within the subnet can communicate outside the subnet.
* The external resource initiates communication.
What is the most likely cause of the missing log lines?

The traffic is matching the expected ingress rule.

The traffic is matching the expected egress rule.

The traffic is not matching the expected ingress rule.

The traffic is not matching the expected egress rule.

NEW QUESTION 72
You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC-native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

/21

/22

/23

/25

NEW QUESTION 73
You want Cloud CDN to serve the https://www.example.com/images/spacetime.png static image file that is hosted in a private Cloud Storage bucket, You are using the VSE ORIG.-X_NZADERS cache mode You receive an HTTP 403 error when opening the file In your browser and you see that the HTTP response has a Cache-control: private, max-age=O header How should you correct this Issue?

Configure a Cloud Storage bucket permission that gives the Storage Legacy Object Reader role

Change the cache mode to cache all content.

Increase the default time-to-live (TTL) for the backend service.

Enable negative caching for the backend bucket

NEW QUESTION 74
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
gcloud dns record-sets import ZONE_FILE –zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE –replace-origin-ns –zone

MANAGED_ZONE
gcloud dns record-sets import ZONE_FILE –zone-file-format –zone MANAGED_ZONE

gcloud dns record-sets import ZONE_FILE –delete-all-existing –zone

MANAGED_ZONE

NEW QUESTION 75
Your organization requires that metrics from all applications be retained for 5 years for future analysis in possible legal proceedings. Which approach should you use?

Configure Stackdriver Monitoring for all Projects, and export to BigQuery.

Configure Stackdriver Monitoring for all Projects with the default retention policies.

Configure Stackdriver Monitoring for all Projects, and export to Google Cloud Storage.

Grant the security team access to the logs in each Project.

NEW QUESTION 76
You have setup a shared VPC and you have created three projects; Host Project, Service Project-1 and Service Project-2. You have created two subnets, subnet-1 in us-west1 and subnet-
2 in us-central1 in the Host Project. Only subnet-1 has been shared with Service Project -1 but when you go to VPC networks in Service Project-1 you also see subnet-2 which hasn’t been shared with Service Project-1. Please select the correct option from below why is subnet-2 available to Service Project-1. Note Host Project is the Host Project in the shared VPC, Service Project-1 and Service project-2 are the Service Projects in the shared VPC.

The current user has Shared VPC Admin role and with Shared VPC Admin role all the networks are available.

It is a bug in Google Cloud, please report it.

By default all subnets are available.

Remove Shared Network admin role to the current user.

NEW QUESTION 77
You want to create a service in GCP using IPv6.
What should you do?

Create the instance with the designated IPv6 address.

Configure a TCP Proxy with the designated IPv6 address.

Configure a global load balancer with the designated IPv6 address.

Configure an internal load balancer with the designated IPv6 address.