Free Google Professional-Cloud-Network-Engineer Exam Questions

Question 1

You need to restrict access to your Google Cloud load-balanced application so that only specific IP addresses can connect. What should you do?

A : Create a secure perimeter using the Access Context Manager feature of VPC Service Controls and restrict access to the source IP range of the allowed clients and Google health check IP ranges.

B : Create a secure perimeter using VPC Service Controls, and mark the load balancer as a service restricted to the source IP range of the allowed clients and Google health check IP ranges.

C : Tag the backend instances "application," and create a firewall rule with target tag "application" and the source IP range of the allowed clients and Google health check IP ranges.

D : Label the backend instances "application," and create a firewall rule with the target label "application" and the source IP range of the allowed clients and Google health check IP ranges.

Answer: C

Question 2

You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routers are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?

A : resource.type= “gce_router”

B : resource.type= “gce_network_region”

C : resource.type= “vpn_tunnel”

D : resource.type= “vpn_gateway”

Answer: C

Question 3

You configured Cloud VPN with dynamic routing via Border Gateway Protocol (BGP). You added a custom route to advertise a network that is reachable over the VPN tunnel. However, the on-premises clients still cannot reach the network over the VPN tunnel. You need to examine the logs in Cloud Logging to confirm that the appropriate routers are being advertised over the VPN tunnel. Which filter should you use in Cloud Logging to examine the logs?

A : resource.type= “gce_router”

B : resource.type= “gce_network_region”

C : resource.type= “vpn_tunnel”

D : resource.type= “vpn_gateway”

Answer: C

Question 4

You have several VMs across multiple VPCs in your cloud environment that require access to internetendpoints. These VMs cannot have public IP addresses due to security policies, so you plan to use CloudNAT to provide outbound internet access. Within your VPCs, you have several subnets in each region. Youwant to ensure that only specific subnets have access to the internet through Cloud NAT. You want to avoidany unintentional configuration issues caused by other administrators and align to Google-recommendedpractices. What should you do?

A : Deploy Cloud NAT in each VPC and configure a custom source range that includes the allowed subnets. Configure Cloud NAT rules to only permit the allowed subnets to egress through Cloud NAT.

B : Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0 /0). Deploy Cloud NAT and configure all primary and secondary subnet source ranges.

C : Create a firewall rule in each VPC at priority 500 that targets all instances in the network and denies egress to the internet (0.0.0.0/0). Create a firewall rule at priority 300 that targets all instances in the network, has a source filter that maps to the allowed subnets, and allows egress to the internet (0.0.0.0 /0). Deploy Cloud NAT and configure a custom source range that includes the allowed subnets.

D : Create a constraints/compute.restrictCloudNATUsage organizational policy constraint. Attach the constraint to a folder that contains the associated projects. Configure the allowedValues to only contain the subnets that should have internet access. Deploy Cloud NAT and select only the allowed subnets.

Answer: D

Question 5

You recently deployed two network virtual appliances in us-central1. Your network appliances provide connectivity to your on-premises network, 10.0.0.0/8. You need to configure the routing for your Virtual Private Cloud (VPC). Your design must meet the following requirements: All access to your on-premises network must go through the network virtual appliances. Allow on-premises access in the event of a single network virtual appliance failure. Both network virtual appliances must be used simultaneously. Which method should you use to accomplish this?

A : Configure two routes for 10.0.0.0/8 with different priorities, each pointing to separate network virtual appliances.

B : Configure an internal HTTP(S) load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal HTTP(S) load balancer as the next hop.

C : Configure a network load balancer for the two network virtual appliances. Configure a route for 10.0.0.0 /8 with the network load balancer as the next hop.

D : Configure an internal TCP/UDP load balancer with the two network virtual appliances as backends. Configure a route for 10.0.0.0/8 with the internal load balancer as the next hop.

Answer: B