The Google Professional-Cloud-Network-Engineer Questions & Practice Test are Available On-Demand [Q41-Q65]

NEW QUESTION 41
You have a web application that is currently hosted in the us-central1 region. Users experience high latency when traveling in Asia. You've configured a network load balancer, but users have not experienced a performance improvement. You want to decrease the latency.
What should you do?

  • A. Configure an HTTP load balancer, and direct the traffic to it.
  • B. Configure a policy-based route rule to prioritize the traffic.
  • C. Configure Dynamic Routing for the subnet hosting the application.
  • D. Configure the TTL for the DNS zone to decrease the time between updates.

Answer: A

Explanation:
Reference: https://cloud.google.com/load-balancing/docs/tutorials/optimize-app-latency

 

NEW QUESTION 42
Your on-premises data center has 2 routers connected to your GCP through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with the same ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* The VPN logs have no-proposal-chosen lines when the VPNs are connecting.
* BGP session is not established between one on-premises router and the Cloud Router.
What is the most likely cause of this problem?

  • A. You do not have a load balancer to load-balance the network traffic.
  • B. A firewall is blocking the traffic across the second VPN connection.
  • C. BGP sessions are not established between both on-premises routers and the Cloud Router.
  • D. One of the VPN sessions is configured incorrectly.

Answer: A

 

NEW QUESTION 43
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

  • A. Turn on Private Services Access at the VPC level.
  • B. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.
  • C. Turn on Private Google Access at the VPC level.
  • D. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
  • E. Turn on Private Google Access at the subnet level.

Answer: A,D

Explanation:
Reference: https://cloud.google.com/vpc/docs/private-access-options

 

NEW QUESTION 44
You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

  • A. /25
  • B. /22
  • C. /23
  • D. /21

Answer: B

Explanation:
Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips#cluster_sizing_secondary_range_pods
https://cloud.google.com/kubernetes-engine/docs/how-to/flexible-pod-cidr
https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#defaults_limits

 

NEW QUESTION 45
You have a storage bucket that contains the following objects:
- folder-a/image-a-1.jpg
- folder-a/image-a-2.jpg
- folder-b/image-b-1.jpg
- folder-b/image-b-2.jpg
Cloud CDN is enabled on the storage bucket, and all four objects have been successfully cached. You want to remove the cached copies of all the objects with the prefix folder-a, using the minimum number of commands.
What should you do?

  • A. Issue a cache invalidation command with pattern /folder-a/*.
  • B. Add an appropriate lifecycle rule on the storage bucket.
  • C. Disable Cloud CDN on the storage bucket. Wait 90 seconds. Re-enable Cloud CDN on the storage bucket.
  • D. Make sure that all the objects with prefix folder-a are not shared publicly.

Answer: D

 

NEW QUESTION 46
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?

  • A. Grant the compute.instanceAdmin to your user account.
  • B. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
  • C. Grant the read-only privilege to the service account for the Cloud Storage bucket.
  • D. Grant the iam.serviceAccountUser to your user account.

Answer: D

Explanation:
https://cloud.google.com/compute/docs/access/iam

 

NEW QUESTION 47
Your company has a security team that manages firewalls and SSL certificates. It also has a networking team that manages the networking resources. The networking team needs to be able to read firewall rules, but should not be able to create, modify, or delete them.
How should you set up permissions for the networking team?

  • A. Assign members of the networking team the compute.networkViewer role, and add the compute.networks.use permission.
  • B. Assign members of the networking team the compute.networkAdmin role.
  • C. Assign members of the networking team a custom role with only the compute.networks.* and the compute.firewalls.list permissions.
  • D. Assign members of the networking team the compute.networkUser role.

Answer: B

Explanation:
Reference: https://cloud.google.com/compute/docs/access/iam

 

NEW QUESTION 48
You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect.
What should you do?

  • A. Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.
  • B. Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.
  • C. Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.
  • D. Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Answer: A

Explanation:
https://link.springer.com/chapter/10.1007/978-1-4842-1004-8_4

 

NEW QUESTION 49
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with a unique ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* BGP sessions are established between both on-premises routers and the Cloud Router.
* Only 1 of the on-premises routers' routes is being added to the routing table.
What is the most likely cause of this problem?

  • A. The on-premises routers are configured with the same routes.
  • B. You do not have a load balancer to load-balance the network traffic.
  • C. A firewall is blocking the traffic across the second VPN connection.
  • D. The ASNs being used on the on-premises routers are different.

Answer: D

Explanation:
https://cloud.google.com/network-connectivity/docs/router/support/troubleshooting#ecmp

 

NEW QUESTION 50
You need to define an address plan for a future new GKE cluster in your VPC. This will be a VPC native cluster, and the default Pod IP range allocation will be used. You must pre-provision all the needed VPC subnets and their respective IP address ranges before cluster creation. The cluster will initially have a single node, but it will be scaled to a maximum of three nodes if necessary. You want to allocate the minimum number of Pod IP addresses.
Which subnet mask should you use for the Pod IP address range?

  • A. /25
  • B. /23
  • C. /22
  • D. /21

Answer: A

Explanation:
Reference:
https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips

 

NEW QUESTION 51
You want to implement an IPSec tunnel between your on-premises network and a VPC via Cloud VPN. You need to restrict reachability over the tunnel to specific local subnets, and you do not have a device capable of speaking Border Gateway Protocol (BGP).
Which routing option should you choose?

  • A. Dynamic routing using Cloud Router
  • B. Policy-based routing using a custom local traffic selector
  • C. Route-based routing using default traffic selectors
  • D. Policy-based routing using the default local traffic selector

Answer: B

 

NEW QUESTION 52
You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload.
Which type of load balancer should you use?

  • A. HTTP(S) load balancer
  • B. Internal load balancer
  • C. TCP/SSL proxy load balancer
  • D. Network load balancer

Answer: D

Explanation:
Reference:
https://cloud.google.com/load-balancing/docs/network

 

NEW QUESTION 53
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with a unique ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* BGP sessions are established between both on-premises routers and the Cloud Router.
* Only 1 of the on-premises routers' routes is being added to the routing table.
What is the most likely cause of this problem?

  • A. The on-premises routers are configured with the same routes.
  • B. You do not have a load balancer to load-balance the network traffic.
  • C. A firewall is blocking the traffic across the second VPN connection.
  • D. The ASNs being used on the on-premises routers are different.

Answer: B

 

NEW QUESTION 54
Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it is a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.
Which two steps should you take? (Choose two.)

  • A. Create a global HTTP(s) load balancer and move your application backend to this load balancer.
  • B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic.
  • C. Use Cloud Armor to blacklist the attacker's IP addresses.
  • D. Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.
  • E. SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Answer: B,E

 

NEW QUESTION 55
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?

  • A. Disable DNSSEC at your domain registrar.
  • B. Transfer ownership of the domain to a new registrar.
  • C. Update the TTL for the zone.
  • D. Set the zone to the TRANSFER state.

Answer: A

Explanation:
Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
https://cloud.google.com/dns/docs/dnssec-config

 

NEW QUESTION 56
Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it is a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.
Which two steps should you take? (Choose two.)

  • A. Create a global HTTP(s) load balancer and move your application backend to this load balancer.
  • B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic.
  • C. Use Cloud Armor to blacklist the attacker's IP addresses.
  • D. Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.
  • E. SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Answer: B,E

 

NEW QUESTION 57
You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.
Which next hop should you choose?

  • A. The default internet gateway
  • B. The name and region of the Cloud VPN tunnel
  • C. The IP address of the Cloud VPN gateway
  • D. The IP address of the instance on the remote side of the VPN tunnel

Answer: B

Explanation:
Reference:
https://cloud.google.com/vpn/docs/how-to/creating-static-vpns

 

NEW QUESTION 58
Your company is running out of network capacity to run a critical application in the on-premises data center.
You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)

  • A. Stackdriver Trace
  • B. VPC flow logs
  • C. Cloud Audit logs
  • D. Compute Engine instance system logs
  • E. Firewall logs

Answer: A,C

Explanation:
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

 

NEW QUESTION 59
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:
* Your ISP is a Google Partner Interconnect provider.
* Your on-premises VPN device's internet uplink and downlink speeds are 10 Gbps.
* A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.
* Most of the data transfer will be from GCP to the on-premises environment.
* The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.
* Cost and the complexity of the solution should be minimal.
How should you provision the connectivity solution?

  • A. Provision a Dedicated Interconnect instead of a VPN.
  • B. Provision a Partner Interconnect through your ISP.
  • C. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.
  • D. Use network compression over your VPN to increase the amount of data you can send over your VPN.

Answer: C

 

NEW QUESTION 60
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

  • A. GetIamPolicy() via REST API
  • B. setIamPolicy() via REST API
  • C. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • D. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Answer: D,E

Explanation:
Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access

 

NEW QUESTION 61
You have recently been put in charge of managing identity and access management for your organization. You have several projects and want to use scripting and automation wherever possible. You want to grant the editor role to a project member.
Which two methods can you use to accomplish this? (Choose two.)

  • A. GetIamPolicy() via REST API
  • B. setIamPolicy() via REST API
  • C. gcloud pubsub add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • D. gcloud projects add-iam-policy-binding $projectname --member user:$username --role roles/editor
  • E. Enter an email address in the Add members field, and select the desired role from the drop-down menu in the GCP Console.

Answer: D,E

Explanation:
https://cloud.google.com/iam/docs/granting-changing-revoking-access

 

NEW QUESTION 62
You are deploying a global external TCP load balancing solution and want to preserve the source IP address of the original layer 3 payload.
Which type of load balancer should you use?

  • A. Network load balancer
  • B. HTTP(S) load balancer
  • C. Internal load balancer
  • D. TCP/SSL proxy load balancer

Answer: D

Explanation:
By default, the TCP/SSL proxy load balancer does not preserve the original client IP address and port information, but they can be preserved using the PROXY protocol: https://cloud.google.com/load-balancing/docs/tcp#target-proxies
https://medium.com/google-cloud/preserving-client-ips-through-google-clouds-global-tcp-and-ssl-proxy-load-balancers-3697d76feeb1

 

NEW QUESTION 63
All the instances in your project are configured with the custom metadata enable-oslogin value set to FALSE and to block project-wide SSH keys. None of the instances are set with any SSH key, and no project-wide SSH keys have been configured. Firewall rules are set up to allow SSH sessions from any IP address range. You want to SSH into one instance.
What should you do?

  • A. Generate a new SSH key pair. Verify the format of the public key and add it to the project. SSH into the instance using a third-party tool like putty or ssh.
  • B. Set the custom metadata enable-oslogin to TRUE, and SSH into the instance using a third-party tool like putty or ssh.
  • C. Generate a new SSH key pair. Verify the format of the private key and add it to the instance. SSH into the instance using a third-party tool like putty or ssh.
  • D. Open the Cloud Shell, and SSH into the instance using gcloud compute ssh.

Answer: D

 

NEW QUESTION 64
You are using the gcloud command line tool to create a new custom role in a project by copying a predefined role. You receive this error message:
INVALID_ARGUMENT: Permission resourcemanager.projects.list is not valid
What should you do?

  • A. Add the resourcemanager.projects.get permission, and try again.
  • B. Try again with a different role with a new name but the same permissions.
  • C. Remove the resourcemanager.projects.list permission, and try again.
  • D. Add the resourcemanager.projects.setIamPolicy permission, and try again.

Answer: C

 

NEW QUESTION 65
......


Conclusion

Your chances of passing the Google Professional Cloud Network Engineer certification exam are higher if you follow an organized training routine. You can choose from different preparation resources found online. For example, you can start with the learning path provided by Google and get exposed to different areas dedicated to the Google Cloud platform and network processes. You can also round out your knowledge with the study guides and books available on Amazon. In all, with the comprehensive materials we've covered above, you'll easily clear the upcoming validation.

 
