Google Professional-Cloud-Network-Engineer Exam Info and Free Practice Test | ExamPrepAway
Who should take the Google Professional Cloud Network Engineer exam
Individuals should pursue the Google Professional Cloud Network Engineer exam if they want to demonstrate their ability to design, plan, and prototype a GCP network; implement a GCP Virtual Private Cloud (VPC); and implement network security. It is suited to network engineers, systems administrators, operations team members, or any professional who wants to work in this specific area of IT and cloud.
Earning the Google Professional-Cloud-Network-Engineer certification can open up many career opportunities for individuals in the field of cloud networking. This certification recognizes the skills and knowledge of professionals who can design, implement, and manage cloud network solutions. It can also help individuals differentiate themselves in a competitive job market and demonstrate their expertise to potential employers. Overall, the Google Professional-Cloud-Network-Engineer Exam is a valuable certification for anyone who wants to advance their career in cloud networking.
NEW QUESTION # 63
You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?
- A. Dynamic routing using Cloud Router
- B. Policy-based routing using a custom local traffic selector
- C. Policy-based routing using the default local traffic selector
- D. Route-based routing using default traffic selectors
Answer: B
NEW QUESTION # 64
You are configuring your Google Cloud environment to connect to your on-premises network. Your configuration must be able to reach Cloud Storage APIs and your Google Kubernetes Engine nodes across your private Cloud Interconnect network. You have already configured a Cloud Router with your Interconnect VLAN attachments. You now need to set up the appropriate router advertisement configuration on the Cloud Router. What should you do?
- A. Configure the route advertisement to the default setting.
- B. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Advertise all visible subnets to the Cloud Router.
- C. On the on-premises router, configure a static route for the storage API virtual IP address which points to the Cloud Router's link-local IP address.
- D. Configure the route advertisement to the custom setting, and manually add prefix 199.36.153.8/30 to the list of advertisements. Leave all other options as their default settings.
Answer: D
NEW QUESTION # 65
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
- A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
- B. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE
- C. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
- D. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
Answer: D
Explanation:
Once you have the exported file from your other provider, you can use the gcloud dns record-sets import command to import it into your managed zone.
To import record sets, you use the dns record-sets import command. The --zone-file-format flag tells import to expect a BIND zone formatted file. If you omit this flag, import expects a YAML-formatted records file.
https://medium.com/@prashantapaudel/gcp-certification-series-2-4-planning-and-configuring-network-resources-8045ac2cc2ac
NEW QUESTION # 66
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?
- A. Disable DNSSEC at your domain registrar.
- B. Transfer ownership of the domain to a new registrar.
- C. Set the zone to the TRANSFER state.
- D. Update the TTL for the zone.
Answer: A
Explanation:
Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
NEW QUESTION # 67
You want to create a service in GCP using IPv6.
What should you do?
- A. Configure a TCP Proxy with the designated IPv6 address.
- B. Configure an internal load balancer with the designated IPv6 address.
- C. Create the instance with the designated IPv6 address.
- D. Configure a global load balancer with the designated IPv6 address.
Answer: D
NEW QUESTION # 68
You are migrating to Cloud DNS and want to import your BIND zone file.
Which command should you use?
- A. gcloud dns record-sets import ZONE_FILE --zone MANAGED_ZONE
- B. gcloud dns record-sets import ZONE_FILE --delete-all-existing --zone MANAGED ZONE
- C. gcloud dns record-sets import ZONE_FILE --replace-origin-ns --zone MANAGED_ZONE
- D. gcloud dns record-sets import ZONE_FILE --zone-file-format --zone MANAGED_ZONE
Answer: D
Explanation:
https://cloud.google.com/sdk/gcloud/reference/dns/record-sets/import
NEW QUESTION # 69
You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?
- A. Enable logging on the VM Instances that receive traffic.
- B. Enable logging on the default Deny Any Firewall Rule.
- C. Create a logging sink forwarding all firewall logs with no filters.
- D. Create an explicit Deny Any rule and enable logging on the new rule.
Answer: D
Explanation:
https://cloud.google.com/vpc/docs/firewall-rules-logging#egress_deny_example
You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported. Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections. You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules.
Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM. Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type. Changes to firewall rules can be viewed in VPC audit logs.
https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications
NEW QUESTION # 70
Your organization requires that metrics from all applications be retained for 5 years for future analysis in possible legal proceedings. Which approach should you use?
- A. Grant the security team access to the logs in each Project.
- B. Configure Stackdriver Monitoring for all Projects, and export to BigQuery.
- C. Configure Stackdriver Monitoring for all Projects with the default retention policies.
- D. Configure Stackdriver Monitoring for all Projects, and export to Google Cloud Storage.
Answer: D
Explanation:
B and D can be quickly ruled out because neither of them is a good solution for the requirement "retained for 5 years".
Between A and C, the difference is where to store the data: BigQuery or Cloud Storage. Since the main concern is the extended retention period, C (correct answer) is the better answer, and the "retained for 5 years for future analysis" requirement further qualifies it, for example by using the Coldline storage class.
With regard to BigQuery, while it is also low-cost storage, its main purpose is analysis.
Also, logs in Cloud Storage are easy to transfer to BigQuery whenever needed.
NEW QUESTION # 71
You are increasing your usage of Cloud VPN between on-premises and GCP, and you want to support more traffic than a single tunnel can handle. You want to increase the available bandwidth using Cloud VPN.
What should you do?
- A. Add a second on-premises VPN gateway with a different public IP address. Create a second tunnel on the existing Cloud VPN gateway that forwards the same IP range, but points at the new on-premises gateway IP.
- B. Add a second Cloud VPN gateway in a different region than the existing VPN gateway. Create a new tunnel on the second Cloud VPN gateway that forwards the same IP range, but points to the existing on-premises VPN gateway IP address.
- C. Double the MTU on your on-premises VPN gateway from 1460 bytes to 2920 bytes.
- D. Create two VPN tunnels on the same Cloud VPN gateway that point to the same destination VPN gateway IP address.
Answer: D
Explanation:
https://cloud.google.com/vpn/docs/concepts/classic-topologies
NEW QUESTION # 72
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?
- A. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
- B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
- C. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
- D. Open Cloud Shell and SSH into the instance using gcloud compute ssh.
Answer: D
NEW QUESTION # 73
You have an application running on Compute Engine that uses BigQuery to generate some results that are stored in Cloud Storage. You want to ensure that none of the application instances have external IP addresses.
Which two methods can you use to accomplish this? (Choose two.)
- A. Create a Cloud NAT, and route the application traffic via NAT gateway.
- B. Enable Private Google Access on the VPC.
- C. Enable Private Services Access on the VPC.
- D. Create network peering between your VPC and BigQuery.
- E. Enable Private Google Access on all the subnets.
Answer: A,E
Explanation:
https://cloud.google.com/nat/docs/overview#interaction-pga
Specifications: https://cloud.google.com/vpc/docs/configure-private-google-access#specifications
NEW QUESTION # 74
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?
- A. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
- B. Assign each user the editor role.
- C. Assign each user the compute.networkAdmin role.
- D. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
Answer: A
Explanation:
https://cloud.google.com/interconnect/docs/how-to/dedicated/creating-vlan-attachments
NEW QUESTION # 75
You want to use Cloud Interconnect to connect your on-premises network to a GCP VPC. You cannot meet Google at one of its point-of-presence (POP) locations, and your on-premises router cannot run a Border Gateway Protocol (BGP) configuration.
Which connectivity model should you use?
- A. Direct Peering
- B. Dedicated Interconnect
- C. Partner Interconnect with a layer 3 partner
- D. Partner Interconnect with a layer 2 partner
Answer: C
Explanation:
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview For Layer 3 connections, your service provider establishes a BGP session between your Cloud Routers and their edge routers for each VLAN attachment. You don't need to configure BGP on your on-premises router. Google and your service provider automatically set the correct configurations.
https://cloud.google.com/network-connectivity/docs/interconnect/concepts/partner-overview#connectivity-type
NEW QUESTION # 76
You have an HA VPN connection with two tunnels running in active/passive mode between your Virtual Private Cloud (VPC) and on-premises network. Traffic over the connection has recently increased from 1 gigabit per second (Gbps) to 4 Gbps, and you notice that packets are being dropped. You need to configure your VPN connection to Google Cloud to support 4 Gbps. What should you do?
- A. Configure the maximum transmission unit (MTU) to its highest supported value.
- B. Configure the remote autonomous system number (ASN) to 4096.
- C. Configure a second set of active/passive VPN tunnels.
- D. Configure a second Cloud Router to scale bandwidth in and out of the VPC.
Answer: C
NEW QUESTION # 77
You have the following private Google Kubernetes Engine (GKE) cluster deployment:
You have a virtual machine (VM) deployed in the same VPC in the subnetwork kubernetes-management with internal IP address 192.168.40.2/24 and no external IP address assigned. You need to communicate with the cluster master using kubectl. What should you do?
- A. Add an external IP address to the VM, and add this IP address in the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 35.224.37.17.
- B. Add the network 192.168.40.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
- C. Add the network 192.168.38.0/28 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
- D. Add the network 192.168.36.0/24 to the masterAuthorizedNetworksConfig. Configure kubectl to communicate with the endpoint 192.168.38.2.
Answer: B
NEW QUESTION # 78
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?
- A. Disable DNSSEC at your domain registrar.
- B. Set the zone to the TRANSFER state.
- C. Update the TTL for the zone.
- D. Transfer ownership of the domain to a new registrar.
Answer: A
Explanation:
Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
https://cloud.google.com/dns/docs/dnssec-config
NEW QUESTION # 79
You are maintaining a Shared VPC in a host project. Several departments within your company have infrastructure in different service projects attached to the Shared VPC and use Identity and Access Management (IAM) permissions to manage the cloud resources in those projects. VPC Network Peering is also set up between the Shared VPC and a common services VPC that is not in a service project. Several users are experiencing failed connectivity between certain instances in different Shared VPC service projects and between certain instances and the internet. You need to validate the network configuration to identify whether a misconfiguration is the root cause of the problem. What should you do?
- A. Use Secure Shell (SSH) to connect to the affected Compute Engine instances, and run a series of PING tests to the other affected endpoints and the 8.8.8.8 IPv4 address.
- B. Enable VPC Flow Logs for all VPCs, and review the logs in Cloud Logging for the affected instances.
- C. Run Connectivity Tests from Network Intelligence Center to check connectivity between the affected endpoints in your network and the internet.
- D. Review the VPC audit logs in Cloud Logging for the affected instances.
Answer: C
NEW QUESTION # 80
Your end users are located in close proximity to us-east1 and europe-west1. Their workloads need to communicate with each other. You want to minimize cost and increase network efficiency.
How should you design this topology?
- A. Create 1 VPC with 2 regional subnets. Deploy workloads in these subnets and have them communicate using private RFC1918 IP addresses.
- B. Create 1 VPC with 2 regional subnets. Create a global load balancer to establish connectivity between the regions.
- C. Create 2 VPCs, each with their own regions and individual subnets. Create 2 VPN gateways to establish connectivity between these regions.
- D. Create 2 VPCs, each with their own region and individual subnets. Use external IP addresses on the instances to establish connectivity between these regions.
Answer: A
Explanation:
VPC Network Peering enables you to peer VPC networks so that workloads in different VPC networks can communicate in private RFC 1918 space. Traffic stays within Google's network and doesn't traverse the public internet.
NEW QUESTION # 81
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)
- A. Firewall logs
- B. Stackdriver Trace
- C. VPC flow logs
- D. Cloud Audit logs
- E. Compute Engine instance system logs
Answer: B,D
Explanation:
https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations
NEW QUESTION # 82
You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.
Which next hop should you choose?
- A. The name and region of the Cloud VPN tunnel
- B. The default internet gateway
- C. The IP address of the Cloud VPN gateway
- D. The IP address of the instance on the remote side of the VPN tunnel
Answer: A
Explanation:
Reference:
https://cloud.google.com/vpn/docs/how-to/creating-static-vpns
NEW QUESTION # 83
You work for an organization called cloudtech5. Your organization has decided to implement a continuous integration and delivery (CI/CD) pipeline on Google Cloud Platform using only hosted products and the popular GitOps methodology. The architecture includes many microservices that are updated frequently and rolled back. Select the products that should be used.
- A. Cloud Source Repositories, Jenkins on Compute Engine, Container Registry, Google Kubernetes Engine.
- B. Cloud Storage, Cloud Dataflow, Compute Engine.
- C. BitBucket, Cloud Build, Container Registry, Google Kubernetes Engine.
- D. Cloud Source Repositories, Cloud Build, Container Registry, Google Kubernetes Engine.
Answer: D
Explanation:
Option A is the correct choice because Cloud Source Repositories is a fully featured, scalable, private Git repository hosted on Google Cloud. Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives. Container Registry is a private container image registry that runs on Google Cloud Platform. Google Kubernetes Engine is ideal for deploying small services that can be updated and rolled back quickly.
Option B is incorrect because BitBucket isn't a Google Cloud hosted service, although it can be used to achieve the same results.
Option C is incorrect because Jenkins on Compute Engine isn't a Google hosted product; Cloud Build is the right choice because it is a service managed by Google Cloud.
Option D is incorrect because the objective is to implement a CI/CD pipeline, not a data processing pipeline.
NEW QUESTION # 84
You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments.
What should you do?
- A. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
- B. Assign each user the editor role.
- C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
- D. Assign each user the compute.networkAdmin role.
Answer: C
NEW QUESTION # 85
Your company has separate Virtual Private Cloud (VPC) networks in a single region for two departments: Sales and Finance. The Sales department's VPC network already has connectivity to on-premises locations using HA VPN, and you have confirmed that the subnet ranges do not overlap. You plan to peer both VPC networks to use the same HA tunnels for on-premises connectivity, while providing internet connectivity for the Google Cloud workloads through Cloud NAT. Internet access from the on-premises locations should not flow through Google Cloud. You need to propagate all routes between the Finance department and on-premises locations. What should you do?
- A. Peer the two VPCs, and use Cloud Router's custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
- B. Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router's custom route advertisements to announce the peered VPC network ranges to the on-premises locations.
- C. Peer the two VPCs, and use the default configuration for the Cloud Routers.
- D. Peer the two VPCs. Configure VPC Network Peering to export custom routes from Sales and import custom routes on Finance's VPC network. Use Cloud Router's custom route advertisements to announce a default route to the on-premises locations.
Answer: C
NEW QUESTION # 86
You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?
- A. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.
- B. Create a single firewall rule to allow port 3389 with priority 1000.
- C. Create a single firewall rule to allow port 22 with priority 1000.
- D. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
Answer: C
NEW QUESTION # 87
The Google Professional Cloud Network Engineer exam helps the specialists use the Google Cloud Platform for managing and implementing network architectures.