[Q15-Q39] Pass Your Google Cloud Platform Professional-Cloud-Network-Engineer Exam Easily with Accurate PDF Questions [Dec 09, 2021]



Career Prospects and Salary Outlook

Cloud Network Engineers are in high demand today. Depending on your career level, you can take up job titles such as Network Engineer, Junior Network Engineer, or Cloud Engineer. The average salary for these positions is $103,000 per annum.

 

NEW QUESTION 15
You created a new VPC for your development team. You want to allow access to the resources in this VPC via SSH only.
How should you configure your firewall rules?

  • A. Create a single firewall rule to allow port 22 with priority 1000.
  • B. Create a single firewall rule to allow port 3389 with priority 1000.
  • C. Create two firewall rules: one to block all traffic with priority 0, and another to allow port 22 with priority 1000.
  • D. Create two firewall rules: one to block all traffic with priority 65536, and another to allow port 3389 with priority 1000.

Answer: A

 

NEW QUESTION 16
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

  • A. Dedicated Interconnect
  • B. Cloud NAT
  • C. Shared VPC
  • D. VPC peering
  • E. Cloud VPN

Answer: A,E

Explanation:
https://cloud.google.com/vpc/docs/vpc

 

NEW QUESTION 17
You have an application that is running in a managed instance group. Your development team has released an updated instance template which contains a new feature which was not heavily tested. You want to minimize impact to users if there is a bug in the new template.
How should you update your instances?

  • A. Using the new instance template, perform a rolling update across all instances in the instance group. Verify the new feature once the rollout completes.
  • B. Manually patch some of the instances, and then perform a rolling restart on the instance group.
  • C. Perform a canary update by starting a rolling update and specifying a target size for your instances to receive the new template. Verify the new feature on the canary instances, and then roll forward to the rest of the instances.
  • D. Deploy a new instance group and canary the updated template in that group. Verify the new feature in the new canary instance group, and then update the original instance group.

Answer: C

Explanation:
https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups#starting_a_canary_update
https://cloud.google.com/compute/docs/instance-groups/rolling-out-updates-to-managed-instance-groups

 

NEW QUESTION 18
You are disabling DNSSEC for one of your Cloud DNS-managed zones. You removed the DS records from your zone file, waited for them to expire from the cache, and disabled DNSSEC for the zone. You receive reports that DNSSEC-validating resolvers are unable to resolve names in your zone.
What should you do?

  • A. Disable DNSSEC at your domain registrar.
  • B. Update the TTL for the zone.
  • C. Transfer ownership of the domain to a new registrar.
  • D. Set the zone to the TRANSFER state.

Answer: A

Explanation:
Before disabling DNSSEC for a managed zone you want to use, you must deactivate DNSSEC at your domain registrar to ensure that DNSSEC-validating resolvers can still resolve names in the zone.
https://cloud.google.com/dns/docs/dnssec-config

 

NEW QUESTION 19
You are creating a new application and require access to Cloud SQL from VPC instances without public IP addresses.
Which two actions should you take? (Choose two.)

  • A. Create a custom static route to allow the traffic to reach the Cloud SQL API.
  • B. Enable Private Google Access.
  • C. Create a private connection to a service producer.
  • D. Activate the Cloud Datastore API in your project.
  • E. Activate the Service Networking API in your project.

Answer: C,E

Explanation:
Reference: https://cloud.google.com/sql/docs/mysql/private-ip

 

NEW QUESTION 20
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.
What should you do?

  • A. Delete the legacy network and recreate it to allow transitive peering.
  • B. Configure VPC peering in a full mesh.
  • C. Alter the routing table to resolve the asymmetric route.
  • D. Create network tags to allow connectivity between all three VPCs.

Answer: B

Explanation:
https://cloud.google.com/vpc/docs/using-vpc-peering

 

NEW QUESTION 21
You want to establish a dedicated connection to Google that can access Cloud SQL via a public IP address and that does not require a third-party service provider.
Which connection type should you choose?

  • A. Direct Peering
  • B. Partner Interconnect
  • C. Dedicated Interconnect
  • D. Carrier Peering

Answer: A

Explanation:
When established, Direct Peering provides a direct path from your on-premises network to Google services, including Google Cloud products that can be exposed through one or more public IP addresses. Traffic from Google's network to your on-premises network also takes that direct path, including traffic from VPC networks in your projects. Google Cloud customers must request that direct egress pricing be enabled for each of their projects after they have established Direct Peering with Google. For more information, see Pricing.

 

NEW QUESTION 22
You are designing a Google Kubernetes Engine (GKE) cluster for your organization. The current cluster is expected to host 10 nodes, with 20 Pods per node and 150 services. Because of the migration of new services over the next 2 years, growth to 100 nodes, 200 Pods per node, and 1500 services is planned. You want to use VPC-native clusters with alias IP ranges, while minimizing address consumption.
How should you design this topology?

  • A. Create a subnet of size /28 with 2 secondary ranges: /24 for Pods and /24 for Services. Create a VPC-native cluster and specify those ranges. When the services are ready to be deployed, resize the subnets.
  • B. Create a subnet of size /25 with 2 secondary ranges: /17 for Pods and /21 for Services. Create a VPC-native cluster and specify those ranges.
  • C. Use gcloud container clusters create [CLUSTER NAME] --enable-ip-alias to create a VPC-native cluster.
  • D. Use gcloud container clusters create [CLUSTER NAME] to create a VPC-native cluster.

Answer: A

Explanation:
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters

 

NEW QUESTION 23
Your company is working with a partner to provide a solution for a customer. Both your company and the partner organization are using GCP. There are applications in the partner's network that need access to some resources in your company's VPC. There is no CIDR overlap between the VPCs.
Which two solutions can you implement to achieve the desired results without compromising the security? (Choose two.)

  • A. VPC peering
  • B. Cloud NAT
  • C. Dedicated Interconnect
  • D. Shared VPC
  • E. Cloud VPN

Answer: A,E

Explanation:
Google Cloud VPC Network Peering allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.

 

NEW QUESTION 24
You need to centralize the Identity and Access Management permissions and email distribution for the WebServices Team as efficiently as possible.
What should you do?

  • A. Create a new Custom Role for all members of the WebServices Team.
  • B. Create a Google Group for the WebServices Team.
  • C. Create a G Suite Domain for the WebServices Team.
  • D. Create a new Cloud Identity Domain for the WebServices Team.

Answer: B

 

NEW QUESTION 25
You need to configure a static route to an on-premises resource behind a Cloud VPN gateway that is configured for policy-based routing using the gcloud command.
Which next hop should you choose?

  • A. The IP address of the Cloud VPN gateway
  • B. The IP address of the instance on the remote side of the VPN tunnel
  • C. The name and region of the Cloud VPN tunnel
  • D. The default internet gateway

Answer: C

Explanation:
Reference: https://cloud.google.com/vpn/docs/how-to/creating-static-vpns

 

NEW QUESTION 26
You need to establish network connectivity between three Virtual Private Cloud networks, Sales, Marketing, and Finance, so that users can access resources in all three VPCs. You configure VPC peering between the Sales VPC and the Finance VPC. You also configure VPC peering between the Marketing VPC and the Finance VPC. After you complete the configuration, some users cannot connect to resources in the Sales VPC and the Marketing VPC. You want to resolve the problem.
What should you do?

  • A. Delete the legacy network and recreate it to allow transitive peering.
  • B. Configure VPC peering in a full mesh.
  • C. Alter the routing table to resolve the asymmetric route.
  • D. Create network tags to allow connectivity between all three VPCs.

Answer: B

 

NEW QUESTION 27
You work for a university that is migrating to GCP.
These are the cloud requirements:
* On-premises connectivity with 10 Gbps
* Lowest latency access to the cloud
* Centralized Networking Administration Team
New departments are asking for on-premises connectivity to their projects. You want to deploy the most cost-efficient interconnect solution for connecting the campus to Google Cloud.
What should you do?

  • A. Use Shared VPC, and deploy the VLAN attachments and Interconnect in the host project.
  • B. Use standalone projects, and deploy the VLAN attachments in the individual projects. Connect the VLAN attachment to the standalone projects' Interconnects.
  • C. Use Shared VPC, and deploy the VLAN attachments in the service projects. Connect the VLAN attachment to the Shared VPC's host project.
  • D. Use standalone projects and deploy the VLAN attachments and Interconnects in each of the individual projects.

Answer: A

Explanation:
Reference: https://cloud.google.com/interconnect/docs/how-to/dedicated/using-interconnects-other-projects
Using Cloud Interconnect with Shared VPC: You can use Shared VPC to share your VLAN attachment in a project with other VPC networks. Choosing Shared VPC is preferable if you need to create many projects and would like to prevent individual project owners from managing their connectivity back to your on-premises network. In this scenario, the host project contains a common Shared VPC network usable by VMs in service projects. Because VMs in the service projects use this network, Service Project Admins don't need to create other VLAN attachments or Cloud Routers in the service projects. In this scenario, you must create VLAN attachments and Cloud Routers for a Cloud Interconnect connection only in the Shared VPC host project. The combination of a VLAN attachment and its associated Cloud Router is unique to a given Shared VPC network.
https://cloud.google.com/network-connectivity/docs/interconnect/how-to/enabling-multiple-networks-access-same-attachment#using_with
https://cloud.google.com/vpc/docs/shared-vpc

 

NEW QUESTION 28
A database virtual machine on Google Compute Engine has an ext4-formatted persistent disk for data files. The database is about to run out of storage space.
How can you remediate the problem with the least amount of downtime?

  • A. In the Cloud Platform Console, increase the size of the persistent disk and verify the new space is ready to use with the fdisk command in Linux.
  • B. In the Cloud Platform Console, increase the size of the persistent disk and use the resize2fs command in Linux.
  • C. In the Cloud Platform Console, create a new persistent disk attached to the virtual machine, format and mount it, and configure the database service to move the files to the new disk.
  • D. In the Cloud Platform Console, create a snapshot of the persistent disk, restore the snapshot to a new larger disk, unmount the old disk, mount the new disk, and restart the database service.
  • E. Shut down the virtual machine, use the Cloud Platform Console to increase the persistent disk size, then restart the virtual machine.

Answer: B

Explanation:
Correct answer: In the Cloud Platform Console, increase the size of the persistent disk and use the resize2fs command in Linux.
Here are the steps: in the Cloud Platform Console, increase the size of the persistent disk. After the size increase has been applied in the console, you have two options to make the new space usable: restart the VM, or resize the file system from within the VM's operating system (Windows or Linux).

 

NEW QUESTION 29
You are trying to update firewall rules in a shared VPC for which you have been assigned only Network Admin permissions. You cannot modify the firewall rules. Your organization requires using the least privilege necessary.
Which level of permissions should you request?

  • A. Organization Admin privileges from the Organization Admin.
  • B. Service Project Admin privileges from the Shared VPC Admin.
  • C. Shared VPC Admin privileges from the Organization Admin.
  • D. Security Admin privileges from the Shared VPC Admin.

Answer: D

 

NEW QUESTION 30
Your organization is deploying a single project for 3 separate departments. Two of these departments require network connectivity between each other, but the third department should remain in isolation. Your design should create separate network administrative domains between these departments. You want to minimize operational overhead.
How should you design the topology?

  • A. Create a single project, and deploy specific firewall rules. Use network tags to isolate access between the departments.
  • B. Create a Shared VPC Host Project and the respective Service Projects for each of the 3 separate departments.
  • C. Create 3 separate VPCs, and use Cloud VPN to establish connectivity between the two appropriate VPCs.
  • D. Create 3 separate VPCs, and use VPC peering to establish connectivity between the two appropriate VPCs.

Answer: B

Explanation:
Use Shared VPC to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs. You can manage shared network resources, such as subnets, routes, and firewalls, from a central host project, enabling you to apply and enforce consistent network policies across the projects.
With Shared VPC and IAM controls, you can separate network administration from project administration. This separation helps you implement the principle of least privilege. For example, a centralized network team can administer the network without having any permissions into the participating projects. Similarly, the project admins can manage their project resources without any permissions to manipulate the shared network.
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

 

NEW QUESTION 31
Your company is running out of network capacity to run a critical application in the on-premises data center. You want to migrate the application to GCP. You also want to ensure that the Security team does not lose their ability to monitor traffic to and from Compute Engine instances.
Which two products should you incorporate into the solution? (Choose two.)

  • A. Stackdriver Trace
  • B. VPC flow logs
  • C. Compute Engine instance system logs
  • D. Cloud Audit logs
  • E. Firewall logs

Answer: A,D

 

NEW QUESTION 32
You want to apply a new Cloud Armor policy to an application that is deployed in Google Kubernetes Engine (GKE). You want to find out which target to use for your Cloud Armor policy.
Which GKE resource should you use?

  • A. GKE Pod
  • B. GKE Node
  • C. GKE Ingress
  • D. GKE Cluster

Answer: A

Explanation:
https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-armor-backendconfig

 

NEW QUESTION 33
Your on-premises data center has 2 routers connected to your Google Cloud environment through a VPN on each router. All applications are working correctly; however, all of the traffic is passing across a single VPN instead of being load-balanced across the 2 connections as desired.
During troubleshooting you find:
* Each on-premises router is configured with a unique ASN.
* Each on-premises router is configured with the same routes and priorities.
* Both on-premises routers are configured with a VPN connected to a single Cloud Router.
* BGP sessions are established between both on-premises routers and the Cloud Router.
* Only one of the on-premises routers' routes are being added to the routing table.
What is the most likely cause of this problem?

  • A. A firewall is blocking the traffic across the second VPN connection.
  • B. The on-premises routers are configured with the same routes.
  • C. The ASNs being used on the on-premises routers are different.
  • D. You do not have a load balancer to load-balance the network traffic.

Answer: C

Explanation:
https://cloud.google.com/network-connectivity/docs/router/support/troubleshooting#ecmp

 

NEW QUESTION 34
You are using a third-party next-generation firewall to inspect traffic. You created a custom route of 0.0.0.0/0 to route egress traffic to the firewall. You want to allow your VPC instances without public IP addresses to access the BigQuery and Cloud Pub/Sub APIs, without sending the traffic through the firewall.
Which two actions should you take? (Choose two.)

  • A. Turn on Private Services Access at the VPC level.
  • B. Turn on Private Google Access at the VPC level.
  • C. Turn on Private Google Access at the subnet level.
  • D. Create a set of custom static routes to send traffic to the internal IP addresses of Google APIs and services via the default internet gateway.
  • E. Create a set of custom static routes to send traffic to the external IP addresses of Google APIs and services via the default internet gateway.

Answer: A,D

Explanation:
https://cloud.google.com/vpc/docs/private-access-options

 

NEW QUESTION 35
You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?

  • A. Create an explicit Deny Any rule and enable logging on the new rule.
  • B. Create a logging sink forwarding all firewall logs with no filters.
  • C. Enable logging on the VM Instances that receive traffic.
  • D. Enable logging on the default Deny Any Firewall Rule.

Answer: A

Explanation:
Reference: https://cloud.google.com/vpc/docs/firewall-rules-logging#egress_deny_example
You can only enable Firewall Rules Logging for rules in a Virtual Private Cloud (VPC) network. Legacy networks are not supported. Firewall Rules Logging only records TCP and UDP connections. Although you can create a firewall rule applicable to other protocols, you cannot log their connections. You cannot enable Firewall Rules Logging for the implied deny ingress and implied allow egress rules. Log entries are written from the perspective of virtual machine (VM) instances. Log entries are only created if a firewall rule has logging enabled and if the rule applies to traffic sent to or from the VM. Entries are created according to the connection logging limits on a best effort basis. The number of connections that can be logged in a given interval is based on the machine type. Changes to firewall rules can be viewed in VPC audit logs.
https://cloud.google.com/vpc/docs/firewall-rules-logging#specifications

 

NEW QUESTION 36
You work for an organization called cloudtech5. Your organization has decided to implement a continuous integration and delivery (CI/CD) pipeline on Google Cloud Platform using only hosted products and the popular GitOps methodology. The architecture includes many microservices that are updated frequently and rolled back.
Select the products that should be used.

  • A. BitBucket, Cloud Build, Container Registry, Google Kubernetes Engine.
  • B. Cloud Storage, Cloud Dataflow, Compute Engine.
  • C. Cloud Source Repositories, Cloud Build, Container Registry, Google Kubernetes Engine.
  • D. Cloud Source Repositories, Jenkins on Compute Engine, Container Registry, Google Kubernetes Engine.

Answer: C

Explanation:
Option C (Cloud Source Repositories, Cloud Build, Container Registry, Google Kubernetes Engine) is the correct choice because Cloud Source Repositories is a fully featured, scalable, private Git repository hosted on Google Cloud. Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives. Container Registry is a private container image registry that runs on Google Cloud Platform. Google Kubernetes Engine is ideal for deploying small services that can be updated and rolled back quickly.
The option using BitBucket is incorrect because BitBucket is not a Google Cloud hosted service, although it could be used to achieve the same results.
The option using Jenkins on Compute Engine is incorrect because Jenkins is not a Google-hosted product; Cloud Build is the right choice because it is a service managed by Google Cloud.
The option using Cloud Storage, Cloud Dataflow, and Compute Engine is incorrect because the objective is to implement a CI/CD pipeline, not a data processing pipeline.

 

NEW QUESTION 37
Your software team is developing an on-premises web application that requires direct connectivity to Compute Engine Instances in GCP using the RFC 1918 address space. You want to choose a connectivity solution from your on-premises environment to GCP, given these specifications:
* Your ISP is a Google Partner Interconnect provider.
* Your on-premises VPN device's internet uplink and downlink speeds are 10 Gbps.
* A test VPN connection between your on-premises gateway and GCP is performing at a maximum speed of 500 Mbps due to packet losses.
* Most of the data transfer will be from GCP to the on-premises environment.
* The application can burst up to 1.5 Gbps during peak transfers over the Interconnect.
* Cost and the complexity of the solution should be minimal.
How should you provision the connectivity solution?

  • A. Provision a Partner Interconnect through your ISP.
  • B. Provision a Dedicated Interconnect instead of a VPN.
  • C. Use network compression over your VPN to increase the amount of data you can send over your VPN.
  • D. Create multiple VPN tunnels to account for the packet losses, and increase bandwidth using ECMP.

Answer: D

 

NEW QUESTION 38
You are adding steps to a working automation that uses a service account to authenticate. You need to give the automation the ability to retrieve files from a Cloud Storage bucket. Your organization requires using the least privilege possible.
What should you do?

  • A. Grant the cloud-platform privilege to the service account for the Cloud Storage bucket.
  • B. Grant the read-only privilege to the service account for the Cloud Storage bucket.
  • C. Grant the compute.instanceAdmin to your user account.
  • D. Grant the iam.serviceAccountUser to your user account.

Answer: D

Explanation:
https://cloud.google.com/compute/docs/access/iam

 

NEW QUESTION 39
......


Optimize Network Resources

  • Optimize for Efficiency and Cost: This part measures the individual's skills in automation, bandwidth utilization, cost optimization, and VPN versus Interconnect.
  • Optimize Traffic Flow: This subject area requires an understanding of load balancer and CDN location, accommodating workload improvements, regional versus global dynamic routing, and expanding subnet CIDR ranges in service.

Implement GCP VPCs

  • Configure VPCs: This subject area requires that candidates be able to configure GCP Virtual Private Cloud resources, configure VPC peering, create Shared VPCs, and explain the process of sharing subnets with other projects.
  • Configure and Maintain Google Kubernetes Engine Clusters: This subsection covers the skills of using private clusters, clusters with Shared VPC, VPC-native clusters using alias IPs, and authorized networks for cluster master access.
  • Configure and Manage Firewall Rules: This part measures one's knowledge of priority, firewall logs, ingress and egress rules, network protocols, and target service accounts and network tags.

 

Updated Professional-Cloud-Network-Engineer Exam Practice Test Questions: https://pass4sure.practicedump.com/Professional-Cloud-Network-Engineer-exam-questions.html